Every year the world’s privacy regulators, together with interested non-profits, gather for an annual week-long conference. Those of us in the private sector are permitted to attend for the first half of the week before the assembly moves into closed session. This year’s event was in Jersey, next year’s is in South Korea – it is genuinely global.
These open sessions are often illuminating, less for the specific content and more for the insight they bring into the concerns of regulators and the direction of travel. Combine this with the chance, at a large but surprisingly intimate event, to get up close and personal with regulators from across the globe and one comes away with some pretty clear themes.
AI, naturally, took top billing. What we learned, though, was that no-one really knows what to do about it yet, and indeed that many still do not know what it really is or how it works. Regulatory discussion is still mostly high-level and high-minded; my own personal take was that the EU AI Act is already generating some buyer’s remorse as we recognise how difficult it will be to operate in practice and the risk that it both produces a chilling effect on EU AI competitiveness and also fails actually to manage the risks arising from the use of new technologies to process personal data. At the same time, there is real alarm about the risks and the danger of genies being released from bottles without the means to return them. We continue to be in ‘watch this space’ mode, but I suspect 2025 will see more concrete action, especially as the EU AI Act, for all its faults, heads towards implementation and enforcement.
International transfers were also in focus, but with a much more commercial mindset than before. I think everyone was glad to have moved on from the ‘Schrems era’ when transfers to the US were at the same time unlawful, ubiquitous and unavoidable. Attention is now on widening the reach of adequacy, with Brazil and Kenya both likely to receive positive news soon. In general, and in combination with the AI zeitgeist, I would say that EU regulators were keen to avoid data protection being the enemy of commerce as the region faces continued economic headwinds.
Emerging markets also took a turn on the stage. Last year the Caribbean was a focus – sadly none of their regulators, apart from the Bermuda Information Commissioner (the outgoing host), made it to Jersey. This time the spotlight shone on Africa and Latin America, with this being the year that even the DRC, with all of its other headaches, passed a data protection law. Actions such as this make it clear that there is real momentum behind the emerging global consensus on the need for effective regulation. It is important, I think, to note that these regimes are neither also-rans nor watered down – and that in many cases they protect many more data subjects than those in EU countries. In the five years since 2019, we have moved from 10% of the world’s population being covered by privacy laws to 79%, with most of the remainder having laws somewhere in the legislative process.
Another common thread was the issue of regulatory complexity – sparked in part by the AI issue, and in part by Mario Draghi’s report on EU competitiveness, which points out the number of laws (over 100) and regulators (more than 270) that touch on some aspect of personal data processing within the EU. This is a common theme in our own work, both in reconciling core data protection law between multiple jurisdictions and also navigating potential conflicts between privacy, financial regulation, freedom of information, government access to data and a myriad of other rules. While there is surface appetite for simplification, we know that issues of national pride and personal fiefdom often prevent the realisation of this particular dream, so it seems unlikely that the landscape will do anything other than become yet more complicated over time.
There was some discussion around cultural sensitivities and variances. While a good deal of this was couched in terms of ‘indigenous privacy’ and the specific privacy concerns and challenges for indigenous communities, it acknowledged a wider issue: the regulatory principles which are propagating globally, as countries draw on the GDPR as a source text, originated in Europe and drew from European ideas about citizenship, rights and the relationship of the individual to the state and to their fellows. Our future world of borderless data needs to understand that not all cultures share all of these views, and that neither the European position nor the GDPR itself is an inherent gold standard.
Next year’s GPA will therefore be fascinating – South Korea is a thoroughly developed and supremely technologically sophisticated economy, with EU adequacy and a leading role in Asia-Pacific cross-regional privacy, but it is also culturally very different from the European model and poised to provide real insight into what it means for privacy as the world’s economic centre of gravity continues to move East.