
Highlights of the IAPP Europe Data Protection Congress 2023


This blog was originally posted on 22nd November, 2023. Further regulatory developments may have occurred after publication.

AUTHORED BY ANI NOZADZE, REGULATORY & REQUIREMENTS COMPLIANCE SPECIALIST, COMPLIANCE & RISKS

IAPP Europe Data Protection Congress 2023

Organised by the International Association of Privacy Professionals, this year’s Data Protection Congress took place in Brussels on 15-16 November 2023. The Congress brought together more than 3000 data protection professionals and other stakeholders to discuss issues such as navigating varying global data protection regulations, building governance strategies and adapting to new technologies such as artificial intelligence.

Highlights of the various panel discussions and breakout sessions are discussed below.

Privacy by Design Implementation in Product Development

Data-driven products and services create value on the market; however, data protection regulations such as the EU General Data Protection Regulation (GDPR) require privacy by design for consumer goods and services. Privacy by design necessitates the adoption of appropriate measures that ensure effective implementation of the data protection principles, both at the time the means of personal data processing are determined and at the time of the processing itself. Implementing privacy by design can be a challenge for manufacturers trying to stay on track with their product development plans.

Among other tools and processes that can assist, the panelists discussed the ISO 31700-1 standard, which establishes high-level requirements for privacy by design to protect data throughout the lifecycle of a consumer product. Whilst this standard does not contain specific methodologies that companies can adopt for privacy controls, it provides guidance that can help them implement the overall requirements. The discussants also encouraged the audience to view privacy by design as a business enabler rather than merely a regulatory requirement, as having privacy assurances and commitments gives companies a competitive advantage.

Cross-border Transfers of Personal Data

With more countries adopting restrictions on transfers of personal data outside their own jurisdiction, and with regulatory requirements diverging, it is becoming challenging for companies to navigate the legislation and stay compliant.

Some recommendations from professionals practicing in the privacy field to overcome these challenges include the following:

  • Prioritising jurisdictions to meet cross-border transfer requirements;
  • Using standard contractual clauses for data transfers, and in this regard adopting a consistent approach with the assistance of intercompany agreements and vendor agreements;
  • Standardising overall data governance while having customisable tools in place for additional, varying or emerging requirements;
  • Utilising additional safeguards such as anonymisation and pseudonymisation to reduce risks;
  • While conducting transfer impact assessments, assessing the government’s powers of data access with a realistic risk-based approach;
  • Ensuring collaboration between various departments (legal, IT, business development teams, etc.) within the company.

EU Commission’s Plans on International Data Transfers

In his keynote speech at the closing plenary session of the Data Protection Congress, the European Commissioner for Justice, Didier Reynders, spoke about how putting in place a trans-Atlantic framework for data transfers had been a priority after the Court of Justice of the EU (CJEU) invalidated the EU-US Privacy Shield. Now that this has been achieved with the adoption of the EU-US Data Privacy Framework (DPF) in July 2023, the focus will shift to other efforts on cross-border data flows. Before revealing the Commission’s further plans, Reynders said that the DPF addresses the concerns of the CJEU that led to the invalidation of the Privacy Shield and that it is a stable and effective mechanism for data transfers. A few months in, the DPF is coming to life, with approximately 2,500 companies certified under it as well as the recent appointments to the Data Protection Review Court.

Reynders mentioned that the European Commission is working on new adequacy decisions with several partners, one of which is Brazil. He also said the EU Commission’s report evaluating the existing adequacy decisions is to be published imminently. Taking into account the UK’s upcoming reform of its data protection rules, Reynders also said the EU Commission might revisit the UK adequacy decision.

Data Protection as part of ESG

Discussions during the session on privacy as part of Environmental, Social and Governance (ESG) made it evident that data protection can affect all three pillars of ESG. For example, data minimisation and avoiding excessive data processing reduce energy use and support the environment; providing appropriate consent management and data subject rights forms part of the social side of ESG; and privacy by design and defending against data breaches help organisations demonstrate responsible governance. The panelists suggested including and/or linking what a company does in terms of data protection in its ESG report.

Another session discussed the evolving role of Data Protection Officers (DPOs) and the additional tasks that DPOs might need to undertake, including helping companies review risks stemming from new technologies and engaging company boards so that sustainable risk management strategies are adopted and implemented.

Artificial Intelligence Front and Centre

As artificial intelligence (AI) becomes part of our daily lives, the challenges associated with it come to the surface as well. Alongside fraud, misinformation and intellectual property rights, privacy implications are one of the main concerns. A large number of sessions at the Congress addressed these concerns, with topics ranging from generative AI to AI governance.

A keynote address by Juliana Castro Varon of Cita Press highlighted that technology is evolving faster than laws and regulations. In this context, ethics becomes important.

Commissioner Reynders reiterated that even once the highly anticipated EU AI Act is adopted, and as other data-related EU legislation comes into force, the GDPR will remain fully applicable to data protection matters.

A panel session on the UK’s approach to data and AI governance stressed that collaboration between businesses and regulators is highly important, and that companies should not view legal requirements as merely a compliance headache, since strong privacy protection policies will help them build consumer trust and improve their competitiveness on the market.

Advice from industry leaders on AI included putting AI governance policies in place, establishing ethics evaluation councils, providing appropriate transparency and giving employees sufficient training on the acceptable use of AI within the company.
