Preparing for the AI Act
5 years into GDPR enforcement
MEASURESUMMIT 2023
aurelie.pols@protonmail.com © prepared by Aurélie Pols for Aurelie Pols & Associates –
Data Governance & Privacy Engineer
AURELIE POLS, DATA GOVERNANCE & PRIVACY ENGINEER
• DPO for mParticle (Customer Data Platform) – contractor (USA, New York)
• Founder – Aurélie Pols & Associates
• Group expert member for the Observatory on the Online Platform Economy (E03607) – EU Commission
• Guest professor DPO certification courses Maastricht University, faculty of law (NL) & Solvay Business School Brussels (B)
• Board Member European Center On Privacy and Security, Maastricht University (NL)
• Ethics Advisory Group (EAG) – European Data Protection Supervisor (EDPS) Towards a digital ethics
• Former Vice-chair P7002 – Data Privacy Process – IEEE
• Speaker/writer/consiglieri: Mobile World Congress, SXSW, Strata (+ Hadoop World), IAPP, Piwik, AT Internet, industry associations, AdTech & MarTech vendors, …
2003: OX2 Co-founder Webanalytics.be
2008: Sold to Digitas LBi (Publicis)
Data is the New infrastructure – Privacy is the New Green – Trust is the New Currency
Dutch nationality, French mother tongue, works in English, lives in Spain
In a nutshell
Harmless GenAI?
Source: elpais.com/opinion/2023-09-25/la-pornografia-sintetica-es-propaganda.html
Las niñas de Almendralejo sentirán vergüenza por algo que no han hecho, incluso cuando todo el mundo sabe que no es verdad.
“The girls in Almendralejo will feel shame for something they have not done, even when everyone knows it is not true.”
Hay que estar atentos porque la degradación y deshumanización de un colectivo suele anunciar episodios de violencia masiva. Es la justificación preventiva de lo que va a pasar a continuación.
“We must be vigilant because the degradation and dehumanisation of a collective often heralds episodes of mass violence. It is the pre-emptive justification for what will happen next.”
The basis of European democracy: The Charter
Add the TFEU* and you get? A living instrument
The law is a living instrument, eternally under construction
* TFEU = Treaty on the Functioning of the EU
The journey in the EU + int. started with Convention 108
Source: https://www.coe.int/en/web/data-protection/convention108/background
While in the US – forward thinking also!
Source: https://www.fpc.gov/fair-info-practice-principles/
GDPR and ePrivacy address art. 8 and 7 of the Charter
Source: https://www.europarl.europa.eu/charter/pdf/text_en.pdf
The GDPR is the evolution of the 1995 Data Protection Directive.
ePrivacy dates back to 2002 and the Telecoms package, and incorporated consent for “cookies” in 2009. The ePrivacy Regulation remains in trilogue to this date.
High level: opt-in vs. opt-out laws
Comparing roles in 2 major privacy laws:
GDPR is a horizontal law, which took 5 years to mature, is enshrined within EU law (Charter + TFEU), enforced by supervisory authorities
CCPA was originally proposed as a ballot proposition by a privacy group known as Californians for Consumer Privacy.
CCPA/CPRA | GDPR
Business | Data controller
Service provider | Data processor
3rd party/data broker | Joint controller
Diagram labels: Accountability; Fundamental right; Limited rights; Data to support growth
Building on top (or next to) the GDPR
● In terms of competition
○ The Platform to Business Directive
○ The DMA => gatekeepers
● In terms of consumer protection
○ Directive on Consumer Rights (CRD)
○ The DSA => VLOPs
● The AI Act falls under Trust and Safety
Governance obligations in the EEA
● GDPR:
○ Broad scope of personal data => beyond PII, what is NOT PD? + accountability
○ Abidance to principles + lawful basis
○ Defined roles + obligations
● ePrivacy (interaction between art. 5(3) and GDPR)
○ Wider material scope (any information) and not just PD
○ BUT narrower situational scope: only triggered for terminal equipment…
○ And then yes, those consent banners, for better or worse? Personal opinion: which remain rather uninteroperable due to lack of purpose classification
A word on the DSA
And section 230 on the other side of the pond…
DSA Transparency database: take downs at scale
Summary statistics on the statements of reasons submitted by providers of online platforms to the Commission,
https://transparency.dsa.ec.europa.eu/analytics
Note: the spike is Google Shopping
On the DMA
iOS 17 evolutions are welcome as a DPO interested in (mobile) SDKs
Puzzled? Start here https://developer.apple.com/videos/play/wwdc2023/10060
Note however that industry initiatives are not always law
How Apple defines tracking:
“Tracking refers to the act of linking user or device data collected from your app with user or device data collected from
other companies’ apps, websites, or offline properties for targeted advertising or advertising measurement purposes.
Tracking also refers to sharing user or device data with data brokers.”
From https://developer.apple.com/app-store/user-privacy-and-data-use/
Link between the GDPR and the AI act: art. 22
Why am I telling you this?
Source: https://www.datenschutz-berlin.de/pressemitteilung/computer-sagt-nein/
AI enforcement is already here
Are fines the real risk?
It’s the visible part of the iceberg
Powers of SAs in art. 58:
1. Warnings &/or reprimands
2. Comply with DSRs
3. Bring processing operations into compliance
4. Communicate data breaches
5. Ban on processing &/or suspension of data flows
6. Withdraw certification
What am I responsible for as DPO?
It depends?
The GDPR defines roles:
1. Data controller
2. Data processor
Understand who you are
Collaborate to support signals
And fundamental rights?
Diagram labels: Data subject; Data controller; Data processor; Sub-processor
Relationship labels: B2C (+ B2B); B2B; B2B
Document labels: Privacy Notices; Lawful basis; Data Subject Rights; MSA; SOW; T&C
Translate this into AI?
Source: https://storage02.forbrukerradet.no/media/2023/06/generative-ai-rapport-2023.pdf
Please regulate AI
Privacy AI whitewashing
Excuse me?
Getting our feet back on the ground
1. For an EEA company (+UK for now), all personal data processing falls under the GDPR
2. For prescriptive data, this means data processing obligations => accountability
3. For probabilistic data, this means ADM obligations, i.e.
a. Art 22 “the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.”
b. Art 13 to 15 “the existence of ADM, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.”
Common AI harms?
1. Physical harms
2. Economic harms
3. Reputational harms
4. Psychological harms
5. Autonomy harms
6. Discrimination harms
7. Relationship harms
8. Loss of opportunity
9. Social stigmatization and dignitary harms
Source: https://epic.org/wp-content/uploads/2023/05/EPIC-Generative-AI-White-Paper-May2023.pdf
Know thy systems
As part of GDPR compliance preparation, your company should
1. Know which systems process personal data – as a data controller/processor/joint controller
2. Make sure these systems have been vetted: security + privacy!
3. Abide by the obligations of the GDPR in terms of accountability – grounded in each department: HR, marketing, customer support, …
○ Includes re-use of personal data for potentially other purposes?
4. List personal data used within art. 30 obligations (ROPA)
5. Be transparent with customers about how their data is used + enforce their rights (DSR mechanisms)
Which often means drawing data flows
Source: https://www.rosenthal.ch/downloads/VISCHER-AI-KB-Approach.pdf
Imperfect systems and dynamic challenges
The reality, however, shows that
1. Systems remain imperfect as they rarely include purpose or lawful basis
2. Data/product teams don’t really talk to privacy counsel/DPOs, do they?
3. DPOs don’t really get data science/technology, do they?
4. Deleting data is hard? And how do you prove it?
5. How transparent do you need to be?
6. What is fair?
7. Are we there yet?
8. How about undergoing systematic privacy/data protection impact assessments? (DPIA)
With AI, the table got even more crowded!
Source: https://crfm.stanford.edu/2023/06/15/eu-ai-act.html
Because AI (ironically!) brings back IP challenges
Source: https://www.theverge.com/2023/1/17/23558516/ai-art-copyright-stable-diffusion-getty-images-lawsuit
And discussions about 💵 / 💶 / 💷 / 💴
Source: https://www.theverge.com/2023/9/25/23884679/getty-ai-generative-image-platform-launch
In conclusion what do we see?
1. More reliance on data by society, more regulation, evolving enforcement => risk? depends on culture
2. More granularity of controls between actors, including data subjects => Privacy by Design + education!
3. More transparency around data processing operations, explainability obligations between actors
4. Increased global coordination (AIAct based on OECD guidelines) & also more lobbying
Thank you for your attention
Email: Aurelie.pols@protonmail.com
The recovering dataholic turned Privacy Engineer

Mais conteúdo relacionado

Semelhante a Preparing for the AI Act - 5 years into GDPR enforcement

delphix-wp-gdpr-for-data-masking
delphix-wp-gdpr-for-data-maskingdelphix-wp-gdpr-for-data-masking
delphix-wp-gdpr-for-data-masking
Jes Breslaw
 
WP-Privacy-IoT-Era - PRODUCTION
WP-Privacy-IoT-Era - PRODUCTIONWP-Privacy-IoT-Era - PRODUCTION
WP-Privacy-IoT-Era - PRODUCTION
John Pinson
 
Customers in the cloud pulse final
Customers in the cloud   pulse finalCustomers in the cloud   pulse final
Customers in the cloud pulse final
FLUZO
 
EveryCloud_GDPR_Whitepaper_v2
EveryCloud_GDPR_Whitepaper_v2EveryCloud_GDPR_Whitepaper_v2
EveryCloud_GDPR_Whitepaper_v2
Paul Richards
 
EveryCloud_GDPR_Whitepaper_v2
EveryCloud_GDPR_Whitepaper_v2EveryCloud_GDPR_Whitepaper_v2
EveryCloud_GDPR_Whitepaper_v2
Keith Purves
 

Semelhante a Preparing for the AI Act - 5 years into GDPR enforcement (20)

Cloud Services As An Enabler: the Strategic, Legal & Pragmatic Approach
Cloud Services As An Enabler: the Strategic, Legal & Pragmatic ApproachCloud Services As An Enabler: the Strategic, Legal & Pragmatic Approach
Cloud Services As An Enabler: the Strategic, Legal & Pragmatic Approach
 
Cours CyberSécurité - Privacy
Cours CyberSécurité - PrivacyCours CyberSécurité - Privacy
Cours CyberSécurité - Privacy
 
The Evolution of Data Privacy - A Symantec Information Security Perspective o...
The Evolution of Data Privacy - A Symantec Information Security Perspective o...The Evolution of Data Privacy - A Symantec Information Security Perspective o...
The Evolution of Data Privacy - A Symantec Information Security Perspective o...
 
What is GDPR?
What is GDPR?What is GDPR?
What is GDPR?
 
delphix-wp-gdpr-for-data-masking
delphix-wp-gdpr-for-data-maskingdelphix-wp-gdpr-for-data-masking
delphix-wp-gdpr-for-data-masking
 
WP-Privacy-IoT-Era - PRODUCTION
WP-Privacy-IoT-Era - PRODUCTIONWP-Privacy-IoT-Era - PRODUCTION
WP-Privacy-IoT-Era - PRODUCTION
 
Customers in the cloud pulse final
Customers in the cloud   pulse finalCustomers in the cloud   pulse final
Customers in the cloud pulse final
 
"Data Breaches & the Upcoming Data Protection Legal Framework: What’s the Buz...
"Data Breaches & the Upcoming Data Protection Legal Framework: What’s the Buz..."Data Breaches & the Upcoming Data Protection Legal Framework: What’s the Buz...
"Data Breaches & the Upcoming Data Protection Legal Framework: What’s the Buz...
 
EU Data Protection Regulation Skyhigh Networks
EU Data Protection Regulation Skyhigh NetworksEU Data Protection Regulation Skyhigh Networks
EU Data Protection Regulation Skyhigh Networks
 
[REPORT PREVIEW] GDPR Beyond May 25, 2018
[REPORT PREVIEW] GDPR Beyond May 25, 2018[REPORT PREVIEW] GDPR Beyond May 25, 2018
[REPORT PREVIEW] GDPR Beyond May 25, 2018
 
Data protection
Data protectionData protection
Data protection
 
Automatski - The Internet of Things - Privacy Standards
Automatski - The Internet of Things - Privacy StandardsAutomatski - The Internet of Things - Privacy Standards
Automatski - The Internet of Things - Privacy Standards
 
Ubi global study 2013 content list
Ubi global study 2013 content listUbi global study 2013 content list
Ubi global study 2013 content list
 
Qubole GDPR Security and Compliance Whitepaper
Qubole GDPR Security and Compliance Whitepaper Qubole GDPR Security and Compliance Whitepaper
Qubole GDPR Security and Compliance Whitepaper
 
Companies, digital transformation and information privacy: the next steps
Companies, digital transformation and information privacy: the next stepsCompanies, digital transformation and information privacy: the next steps
Companies, digital transformation and information privacy: the next steps
 
EveryCloud_GDPR_Whitepaper_v2
EveryCloud_GDPR_Whitepaper_v2EveryCloud_GDPR_Whitepaper_v2
EveryCloud_GDPR_Whitepaper_v2
 
EveryCloud_GDPR_Whitepaper_v2
EveryCloud_GDPR_Whitepaper_v2EveryCloud_GDPR_Whitepaper_v2
EveryCloud_GDPR_Whitepaper_v2
 
The Evolution of Data Privacy: 3 things you didn’t know
The Evolution of Data Privacy: 3 things you didn’t knowThe Evolution of Data Privacy: 3 things you didn’t know
The Evolution of Data Privacy: 3 things you didn’t know
 
INFOMAGAZINE 8 by REAL security
INFOMAGAZINE 8 by REAL securityINFOMAGAZINE 8 by REAL security
INFOMAGAZINE 8 by REAL security
 
GDPR A Practical Guide with Varonis
GDPR A Practical Guide with VaronisGDPR A Practical Guide with Varonis
GDPR A Practical Guide with Varonis
 

Mais de Aurélie Pols

Mais de Aurélie Pols (20)

IAPP - Skills For Minimizing Privacy Risk in Data Science Product and Service...
IAPP - Skills For Minimizing Privacy Risk in Data Science Product and Service...IAPP - Skills For Minimizing Privacy Risk in Data Science Product and Service...
IAPP - Skills For Minimizing Privacy Risk in Data Science Product and Service...
 
Women in STEM for IE Girl Up Club
Women in STEM for IE Girl Up Club Women in STEM for IE Girl Up Club
Women in STEM for IE Girl Up Club
 
Interoperability in Digital will take a Global Village
Interoperability in Digital will take a Global VillageInteroperability in Digital will take a Global Village
Interoperability in Digital will take a Global Village
 
The GDPR is here. So do you know what the courts are saying?
The GDPR is here. So do you know what the courts are saying?The GDPR is here. So do you know what the courts are saying?
The GDPR is here. So do you know what the courts are saying?
 
CPDP: Data ownership, Innovation and Privacy: looking for an approach on both...
CPDP: Data ownership, Innovation and Privacy: looking for an approach on both...CPDP: Data ownership, Innovation and Privacy: looking for an approach on both...
CPDP: Data ownership, Innovation and Privacy: looking for an approach on both...
 
GDPR and the aftermath: what are we building towards?
GDPR and the aftermath: what are we building towards?GDPR and the aftermath: what are we building towards?
GDPR and the aftermath: what are we building towards?
 
Who Goes There? Demystifying Digital Identity for All (1/2)
Who Goes There? Demystifying Digital Identity for All (1/2)Who Goes There? Demystifying Digital Identity for All (1/2)
Who Goes There? Demystifying Digital Identity for All (1/2)
 
Data is the new infrastructure, Privacy is the new green, Trust is the new cu...
Data is the new infrastructure, Privacy is the new green, Trust is the new cu...Data is the new infrastructure, Privacy is the new green, Trust is the new cu...
Data is the new infrastructure, Privacy is the new green, Trust is the new cu...
 
How digitization challenges our values as citizens
How digitization challenges our values as citizens How digitization challenges our values as citizens
How digitization challenges our values as citizens
 
Technical Consequences of the Data Subject's Rights
Technical Consequences of the Data Subject's RightsTechnical Consequences of the Data Subject's Rights
Technical Consequences of the Data Subject's Rights
 
From GDPR to ePrivacy: what does it mean to the advertising sector?
From GDPR to ePrivacy: what does it mean to the advertising sector?From GDPR to ePrivacy: what does it mean to the advertising sector?
From GDPR to ePrivacy: what does it mean to the advertising sector?
 
State of EU legislation: GDPR & ePrivacy for Superweek
State of EU legislation: GDPR & ePrivacy for SuperweekState of EU legislation: GDPR & ePrivacy for Superweek
State of EU legislation: GDPR & ePrivacy for Superweek
 
The Great GDPR MyData Debate - Aurelie Pols - Keynote
The Great GDPR MyData Debate - Aurelie Pols - KeynoteThe Great GDPR MyData Debate - Aurelie Pols - Keynote
The Great GDPR MyData Debate - Aurelie Pols - Keynote
 
The Data Subject First? Decoding the GDPR at StrataData
The Data Subject First? Decoding the GDPR at StrataDataThe Data Subject First? Decoding the GDPR at StrataData
The Data Subject First? Decoding the GDPR at StrataData
 
Brussels data science - Privacy Engineering for Big Data & Data Science
Brussels data science - Privacy Engineering for Big Data & Data ScienceBrussels data science - Privacy Engineering for Big Data & Data Science
Brussels data science - Privacy Engineering for Big Data & Data Science
 
Sibos INNOTRIBE Digital Ethics
Sibos INNOTRIBE Digital EthicsSibos INNOTRIBE Digital Ethics
Sibos INNOTRIBE Digital Ethics
 
Data Accountability & Consumer Trust
Data Accountability & Consumer TrustData Accountability & Consumer Trust
Data Accountability & Consumer Trust
 
Superweek 2016 Would You Lie to Your Physician?
Superweek 2016 Would You Lie to Your Physician?Superweek 2016 Would You Lie to Your Physician?
Superweek 2016 Would You Lie to Your Physician?
 
Multi-tasking teams within cyber security departments
Multi-tasking teams within cyber security departmentsMulti-tasking teams within cyber security departments
Multi-tasking teams within cyber security departments
 
BIG DATA IN BUSINESS Implement and use Big Data to your organization’s advantage
BIG DATA IN BUSINESS Implement and use Big Data to your organization’s advantageBIG DATA IN BUSINESS Implement and use Big Data to your organization’s advantage
BIG DATA IN BUSINESS Implement and use Big Data to your organization’s advantage
 

Último

Último (18)

Application of Doctrine of Renvoi by foreign courts under conflict of laws
Application of Doctrine of Renvoi by foreign courts under conflict of lawsApplication of Doctrine of Renvoi by foreign courts under conflict of laws
Application of Doctrine of Renvoi by foreign courts under conflict of laws
 
Indian Partnership Act 1932, Rights and Duties of Partners
Indian Partnership Act 1932, Rights and Duties of PartnersIndian Partnership Act 1932, Rights and Duties of Partners
Indian Partnership Act 1932, Rights and Duties of Partners
 
7 Basic Steps of Trust Administration.pdf
7 Basic Steps of Trust Administration.pdf7 Basic Steps of Trust Administration.pdf
7 Basic Steps of Trust Administration.pdf
 
Dandan Liu is the worst real estate agent on earth..pdf
Dandan Liu is the worst real estate agent on earth..pdfDandan Liu is the worst real estate agent on earth..pdf
Dandan Liu is the worst real estate agent on earth..pdf
 
Casa Tradicion v. Casa Azul Spirits (S.D. Tex. 2024)
Casa Tradicion v. Casa Azul Spirits (S.D. Tex. 2024)Casa Tradicion v. Casa Azul Spirits (S.D. Tex. 2024)
Casa Tradicion v. Casa Azul Spirits (S.D. Tex. 2024)
 
indian evidence act.pdf.......very helpful for law student
indian evidence act.pdf.......very helpful for law studentindian evidence act.pdf.......very helpful for law student
indian evidence act.pdf.......very helpful for law student
 
Solidarity and Taxation: the Ubuntu approach in South Africa
Solidarity and Taxation: the Ubuntu approach in South AfricaSolidarity and Taxation: the Ubuntu approach in South Africa
Solidarity and Taxation: the Ubuntu approach in South Africa
 
REVIVING OUR STAR GOD IMAGES FROM MARRYING OUR 4 HOLY LAWS OF STAR GODS
REVIVING OUR STAR GOD IMAGES FROM MARRYING OUR 4 HOLY LAWS OF STAR GODSREVIVING OUR STAR GOD IMAGES FROM MARRYING OUR 4 HOLY LAWS OF STAR GODS
REVIVING OUR STAR GOD IMAGES FROM MARRYING OUR 4 HOLY LAWS OF STAR GODS
 
A Brief Introduction About Katelyn Prost
A Brief Introduction About Katelyn ProstA Brief Introduction About Katelyn Prost
A Brief Introduction About Katelyn Prost
 
Starbucks Corp. v. Sardarbuksh Coffee Co.
Starbucks Corp. v. Sardarbuksh Coffee Co.Starbucks Corp. v. Sardarbuksh Coffee Co.
Starbucks Corp. v. Sardarbuksh Coffee Co.
 
Justice Advocates Legal Defence Firm
Justice Advocates Legal Defence FirmJustice Advocates Legal Defence Firm
Justice Advocates Legal Defence Firm
 
PRECEDENT AS A SOURCE OF LAW (SAIF JAVED).pptx
PRECEDENT AS A SOURCE OF LAW (SAIF JAVED).pptxPRECEDENT AS A SOURCE OF LAW (SAIF JAVED).pptx
PRECEDENT AS A SOURCE OF LAW (SAIF JAVED).pptx
 
DNA Testing in Civil and Criminal Matters.pptx
DNA Testing in Civil and Criminal Matters.pptxDNA Testing in Civil and Criminal Matters.pptx
DNA Testing in Civil and Criminal Matters.pptx
 
dandan liu need to rot when she dies..pdf
dandan liu need to rot when she dies..pdfdandan liu need to rot when she dies..pdf
dandan liu need to rot when she dies..pdf
 
Everything You Should Know About Child Custody and Parenting While Living in ...
Everything You Should Know About Child Custody and Parenting While Living in ...Everything You Should Know About Child Custody and Parenting While Living in ...
Everything You Should Know About Child Custody and Parenting While Living in ...
 
Embed-1-4.pdf Decision of the High Court
Embed-1-4.pdf Decision of the High CourtEmbed-1-4.pdf Decision of the High Court
Embed-1-4.pdf Decision of the High Court
 
Supreme Court Regulation No. 3 of 2023 on Procedure for Appointment of Arbitr...
Supreme Court Regulation No. 3 of 2023 on Procedure for Appointment of Arbitr...Supreme Court Regulation No. 3 of 2023 on Procedure for Appointment of Arbitr...
Supreme Court Regulation No. 3 of 2023 on Procedure for Appointment of Arbitr...
 
Rights of Consumers under Consumer Protection Act, 1986.
Rights of Consumers under Consumer Protection Act, 1986.Rights of Consumers under Consumer Protection Act, 1986.
Rights of Consumers under Consumer Protection Act, 1986.
 

Preparing for the AI Act - 5 years into GDPR enforcement

  • 1. Preparing for the AI Act 5 years into GDPR enforcement 1
  • 2. MEASURESUMMIT 2023 aurelie.pols@protonmail.com © prepared by Aurélie Pols for Aurelie Pols & Associates – Data Governance & Privacy Engineer 2 AURELIE POLS, DATA GOVERNANCE & PRIVACY ENGINEER • DPO for mParticle (Customer Data Platform) – contractor (USA, New York) • Founder – Aurélie Pols & Associates • Group expert member for the Observatory on the Online Platform Economy (E03607) – EU Commission •Guest professor DPO certification courses Maastricht University, faculty of law (NL) & Solvay Business School Brussels (B) • Board Member European Center On Privacy and Security, Maastricht University (NL) • Ethics Advisory Group (EAG) – European Data Protection Supervisor (EDPS) Towards a digital ethics • Former Vice-chair P7002 – Data Privacy Process – IEEE • Speaker/writer/consiglieri: Mobile World Congress, SWSX, Strata (+ Hadoop World), IAPP, Piwik, AT Internet, industry associations, AdTech & MarTech vendors, … 2003: OX2 Co-founder Webanalytics.be 2008: Sold to Digitas LBi (Publicis) Data is the New infrastructure – Privacy is the New Green – Trust is the New Currency Dutch nationality, French mother tongue, works in English, lives in Spain
  • 3. MEASURESUMMIT 2023 aurelie.pols@protonmail.com © prepared by Aurélie Pols for Aurelie Pols & Associates – In a nutshell 3
  • 4. MEASURESUMMIT 2023 aurelie.pols@protonmail.com © prepared by Aurélie Pols for Aurelie Pols & Associates – Harmless GenAI? 4 Source: elpais.com/opinion/2023- 09-25/la-pornografia-sintetica-es- propaganda.html Las niñas de Almendralejo sentirán vergüenza por algo que no han hecho, incluso cuando todo el mundo sabe que no es verdad. “The girls in Almendralejo will feel shame for something they have not done, even when everyone knows it is not true.” Hay que estar atentos porque la degradación y deshumanización de un colectivo suele anunciar episodios de violencia masiva. Es la justificación preventiva de lo que va a pasar a continuación. “We must be vigilant because the degradation and dehumanisation of a collective often heralds episodes of mass violence. It is the pre-emptive justification for what will happen next.”
  • 5. MEASURESUMMIT 2023 aurelie.pols@protonmail.com © prepared by Aurélie Pols for Aurelie Pols & Associates – The basis of European democracy: The Charter 5
  • 6. MEASURESUMMIT 2023 aurelie.pols@protonmail.com © prepared by Aurélie Pols for Aurelie Pols & Associates – Add the TFEU* and you get? A living instrument The law is a living instrument, eternally under construction 6 * TFEU = Treaty of Functioning of the EU
  • 7. MEASURESUMMIT 2023 aurelie.pols@protonmail.com © prepared by Aurélie Pols for Aurelie Pols & Associates – 7
  • 8. MEASURESUMMIT 2023 aurelie.pols@protonmail.com © prepared by Aurélie Pols for Aurelie Pols & Associates – The journey in the EU + int. started with Convention 108 8 Source: https://www.coe.int/en/web/data-protection/convention108/background
  • 9. MEASURESUMMIT 2023 aurelie.pols@protonmail.com © prepared by Aurélie Pols for Aurelie Pols & Associates – While in the US – forwarding thinking also! 9 Source: https://www.fpc.gov/fair-info-practice-principles/
  • 10. MEASURESUMMIT 2023 aurelie.pols@protonmail.com © prepared by Aurélie Pols for Aurelie Pols & Associates – GDPR and ePrivacy address art. 8 and 7 of the Charter 1 0 Source: https://www.europarl.europa .eu/charter/pdf/text_en.pdf The GDPR is the evolution of the 1995 Data Protection Directive ePrivacy dates back to 2002, the Telecoms package and has incorporated consent for “cookies” in 2009. The ePrivacy Regulation remains in trialogue to this date
  • 11. MEASURESUMMIT 2023 aurelie.pols@protonmail.com © prepared by Aurélie Pols for Aurelie Pols & Associates – High level: opt-in vs. opt-out laws Comparing roles in 2 major privacy laws: GDPR is a horizontal law, which took 5 years to mature, is enshrined within EU law (Charter + TFEU), enforced by supervisory authorities CCPA was originally proposed as a ballot proposition by a privacy group known as Californians for Consumer Privacy. 1 1 CCPA/CPRA GDPR Business Data controller Service provider Data processor 3rd party/data broker Joint controller Accountability Fundam ental right Lim ited rights Data to support growth
  • 12. MEASURESUMMIT 2023 aurelie.pols@protonmail.com © prepared by Aurélie Pols for Aurelie Pols & Associates – Building on top (or next to) the GDPR ● In terms of competition ○ The Platform to Business Directive ○ The DMA => gatekeepers ● In terms of consumer protection ○ Directive on Consumer Rights (CRD) ○ The DSA => VLOPs ● The AI Act falls under Trust and Safety 1 2
  • 13. MEASURESUMMIT 2023 aurelie.pols@protonmail.com © prepared by Aurélie Pols for Aurelie Pols & Associates – Governance obligations in the EEA ● GDPR: ○ Broad scope of personal data => beyond PII, what is NOT PD? + accountability ○ Abidance to principles + lawful basis ○ Defined roles + obligations ● ePrivacy (interaction between art. 5(3) and GDPR) ○ Wider material scope (any information) and not just PD ○ BUT narrower situational scope: only triggered for terminal equipment… ○ And then yes, those consent banner, for better or worse? Personal opinion: which remain rather uninteroperable due to lack of purpose classification 1 3
  • 14. MEASURESUMMIT 2023 aurelie.pols@protonmail.com © prepared by Aurélie Pols for Aurelie Pols & Associates – A word on the DSA And section 230 on the other side of the pond… 1 4
  • 15. MEASURESUMMIT 2023 aurelie.pols@protonmail.com © prepared by Aurélie Pols for Aurelie Pols & Associates – DSA Transparency database: take downs at scale Summary statistics on the statements of reasons submitted by providers of online platforms to the Commission, https://transparency.dsa.ec.europa.eu/analytics Note: the spike is Google Shopping
  • 16. MEASURESUMMIT 2023 aurelie.pols@protonmail.com © prepared by Aurélie Pols for Aurelie Pols & Associates – On the DMA iOS17 evolutions are welcome as DPO interested in (mobile) SDKs Puzzled? Start here https://developer.apple.com/videos/play/wwdc2023/10060 1 6
  • 17. MEASURESUMMIT 2023 aurelie.pols@protonmail.com © prepared by Aurélie Pols for Aurelie Pols & Associates – Note however that industry initiatives are not always law How Apple defines tracking: “Tracking refers to the act of linking user or device data collected from your app with user or device data collected from other companies’ apps, websites, or offline properties for targeted advertising or advertising measurement purposes. Tracking also refers to sharing user or device data with data brokers.” From https://developer.apple.com/app-store/user-privacy-and-data-use/ 1 7
  • 18. Link between the GDPR and the AI act: art. 22
  • 19. Why am I telling you this? Source: https://www.datenschutz-berlin.de/pressemitteilung/computer-sagt-nein/ AI enforcement is already here
  • 20. Are fines the real risk? It’s the visible part of the iceberg Powers of SAs in art. 58: 1. Warnings &/or reprimands 2. Comply with DSRs 3. Bring processing operations into compliance 4. Communicate data breaches 5. Ban on processing &/or suspension of data flows 6. Withdraw certification
  • 21. What am I responsible for as DPO? Data subject Data controller Data processor Sub-processor It depends? The GDPR defines roles: 1. Data controller 2. Data processor Understand who you are Collaborate to support signals And fundamental rights? B2C (+ B2B) B2B B2B Privacy Notices Lawful basis Data Subject Rights MSA SOW T&C
  • 22. Translate this into AI? Source: https://storage02.forbrukerradet.no/media/2023/06/generative-ai-rapport-2023.pdf
  • 23. Please regulate AI Privacy AI whitewashing Excuse me?
  • 24. Getting our feet back on the ground 1. For an EEA company (+UK for now), all personal data processing falls under the GDPR 2. For prescriptive data, this means data processing obligations => accountability 3. For probabilistic data, this means ADM obligations, i.e. a. Art 22 “the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.” b. Art 13 to 15 “the existence of ADM, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.”
  • 25. Common AI harms? 1. Physical harms 2. Economic harms 3. Reputational harms 4. Psychological harms 5. Autonomy harms 6. Discrimination harms 7. Relationship harms 8. Loss of opportunity 9. Social stigmatization and dignitary harms Source: https://epic.org/wp-content/uploads/2023/05/EPIC-Generative-AI-White-Paper-May2023.pdf
  • 26. Know thy systems As part of GDPR compliance preparation, your company should 1. Know which systems process personal data – as a data controller/processor/joint controller 2. Make sure these systems have been vetted: security + privacy! 3. Abide by the obligations of the GDPR in terms of accountability – grounded in each department: HR, marketing, customer support, … ○ Includes re-use of personal data for potentially other purposes? 4. List personal data used within art. 30 obligations (ROPA) 5. Be transparent with customers about how their data is used + enforce their rights (DSR mechanisms)
  • 27. Which often means drawing data flows Source: https://www.rosenthal.ch/downloads/VISCHER-AI-KB-Approach.pdf
  • 28. Imperfect systems and dynamic challenges The reality however shows that 1. Systems remain imperfect as they rarely include purpose, lawful basis 2. Data/product teams don’t really talk to privacy counsel/DPOs, do they? 3. DPOs don’t really get data science/technology, do they? 4. Deleting data is hard? And how do you prove it? 5. How transparent do you need to be? 6. What is fair? 7. Are we there yet? 8. How about undergoing systematic privacy/data protection impact assessments? (DPIA)
  • 29. With AI, the table got even more crowded! Source: https://crfm.stanford.edu/2023/06/15/eu-ai-act.html
  • 30. Because AI (ironically!) brings back IP challenges Source: https://www.theverge.com/2023/1/17/23558516/ai-art-copyright-stable-diffusion-getty-images-lawsuit
  • 31. And discussions about 💵 / 💶 / 💷 / 💴 Source: https://www.theverge.com/2023/9/25/23884679/getty-ai-generative-image-platform-launch
  • 32. In conclusion what do we see? 1. More reliance on data by society, more regulation, evolving enforcement => risk? depends on culture 2. More granularity of controls between actors, including data subjects => Privacy by Design + education! 3. More transparency around data processing operations, explainability obligations between actors 4. Increased global coordination (AI Act based on OECD guidelines) & also more lobbying
  • 34. Thank you for your attention Email: Aurelie.pols@protonmail.com The recovering dataholic turned Privacy Engineer