
Reflections from the IAPP Data Protection Congress

Last week, I - along with my colleagues from our data protection, privacy, and cyber team - attended the IAPP Data Protection Congress in Brussels where we joined some very insightful sessions including, in particular, on the expectations for US digital policy under the new administration, balancing the Data Act with GDPR, and privacy in clinical trials. There were also more than a few sessions on the intersection of privacy and AI governance. 

Some key takeaways from the event include:

  • There has been much speculation around the new administration and how this might affect the executive order (EO) signed by President Biden which paved the way for the EU-US Data Privacy Framework (DPF). For now, it seems that it will be 'business as usual' and there is no reason to believe there will be an immediate attempt to overhaul the DPF. There is of course a possibility that the Trump administration may view the EO as a concession to the EU that is overly restrictive on the US security authorities and that there may be attempts to row back from this position, but this does not appear to be a priority. Interestingly, the EDPB has recently published its first review of the DPF which noted that it had been successfully implemented but identified areas for improvement. It will be interesting to see whether the DPF withstands the next review. 
     
  • Another new EU digital regulation is being proposed. This one will protect consumers from deceptive design practices, social media addiction, and online tracking - watch the space for the EU Digital Fairness Act. They certainly like to keep us on our toes.
     
  • There was some lively discussion about the interpretation across the EU of how to meet the requirements of GDPR in the context of the Clinical Trials Regulation (CTR). Clearly, there is a lack of a harmonised approach to interpretation which will present practical challenges. A code of conduct for harmonising practices around the EU is expected early next year. Bristows will also hold a roundtable on this issue in the New Year - please get in touch with us for details if you are interested in attending.
     
  • Legitimate Interests (LI) is usually going to be the most appropriate lawful basis for processing personal data to train AI models. However, many countries outside the EU do not recognise this lawful basis and rely on consent models. There is also a perception that LI is not a strong lawful basis. There is going to be a need to destigmatise LI and to educate companies on how to effectively rely on it!
     
  • Article 20 GDPR has been something of a failure - the EU Data Act should make data portability easier for users of connected products and avoid some of the administrative steps required under Article 20 (e.g. checking the other side has a lawful basis).
     
  • It is now clearer than ever that 'Data Lawyer' no longer just covers data protection and privacy. The close relationships and interconnectivity with other regulations on cyber, AI, and online safety mean that we are all going to need to keep evolving like Pokémon!
