By Sophie Chase-Borthwick, Calligo’s Global Data & Governance Lead

From the increasing importance of ethical AI principles, to the EU’s all-encompassing data strategy – including the first law on AI by a major regulator, anywhere – and US President Joe Biden’s new transatlantic data agreement, much has been bubbling away in the world since my previous revision of The Data Privacy Periodic Table. 

Here I delve into the whys and wherefores of any changes I’ve made since then – in the form of Update 8.


Fundamental Principles of Data Protection – some newcomers…

Acting FAST on ethical AI


The Alan Turing Institute developed the ‘FAST Track Principles’ to support a responsible environment for data innovation, in particular when understanding Artificial Intelligence ethics and safety. To reflect the importance of ‘ethical AI’ (as demonstrated by the ICO’s collaboration with the Institute) I have added Accountability and Sustainability for the first time.

While Sustainability is the only element that’s really unique to AI, Fairness and Transparency (moved, but not new) have always been and always will be fundamental to data privacy. I had considered Accountability to be almost too obvious and intrinsic a component of privacy to have its own place. But, as a nod to my opinion that the FAST Track Principles should become industry standards, here it is. After all, FST certainly doesn’t have the same ring to it.

While I can’t go into huge detail here about each one, I urge anyone who hasn’t read up on FAST to do so now – and embed the principles into every aspect of AI project delivery. 

“As inert and program-based machinery, AI systems are not morally accountable agents. This has created an ethical breach in the sphere of the applied science of AI that the growing number of frameworks for AI ethics are currently trying to fill. Targeted principles such as fairness, accountability, sustainability, and transparency are meant to ‘fill the gap’ between the new ‘smart agency’ of machines and their fundamental lack of moral responsibility.”

The Alan Turing Institute: Understanding Artificial Intelligence Ethics and Safety


Moved, but not downgraded

34 & 35

Lawfulness and Necessity have made way for FAST. Far from downgraded, they’ve merely moved a little within the same elemental area. But Relevancy has been removed altogether. In my opinion, this is more than covered by Necessity and there’s no need to double up on similar principles.

Retention becomes the industry norm…


We welcome Retention to the table; this echoes the fact that it has become more of an industry standard term.

Highly unstable, yet fascinating Future Developments…

And now for the fast-moving, highly unstable elements: the future developments that are shaping the world’s data privacy parameters and legislation.

US legislation limbo…


To the United States and various US Bills – starting with President Joe Biden’s new transatlantic data agreement in principle with the European Union. 

We’ve been here twice before – with similar proposals previously thrown out. Although it doesn’t seem to be going anywhere fast, this is hugely important, due to the rocky recent history of EU-US data flows – following the invalidation of the Safe Harbor and the subsequent Privacy Shield framework.

Above all, greater certainty is needed for the vast number of companies that regularly exchange data between Europe and the US.

Then there’s the ADPPA – the American Data Privacy and Protection Act – a bill designed to regulate how organizations collect, process, manage, and even securely store personal information or “covered data.” The US does not yet have a comprehensive privacy law that creates such safeguards. The ADPPA has bipartisan support, but also faces opposition from privacy advocates and business groups.

After an initial flurry of excitement, how and when these laws will pass is up in the air. In the meantime, individual states are focusing on their own data laws. 

“We have agreed to unprecedented protections for data privacy and security for our citizens. This new arrangement will enhance the Privacy Shield framework, promote growth and innovation in Europe and in the United States and help companies, both small and large, compete in the digital economy.” 

Joe Biden, US President, March 25, 2022


Retroactively enforceable California Privacy Rights Act

Staying with US Bills, but moving specifically to California state now, and the CPRA comes into law after January 2023, technically speaking. But – and there’s a big but – companies need to be compliant retroactively. The second the law goes live, businesses can be fined for any non-compliance issues dating back to January 2022. Forewarned is definitely forearmed in this case.

Across the Atlantic…


To Europe and the EU Data Strategy. Its tagline is: ‘Making the EU a role model for a society empowered by data’. But this is so much more than the EU’s General Data Protection Regulation. It’s about the entire data landscape; a large regulatory umbrella under which the future of Europe’s data protection sits. Having said that, policymakers are far from finished in creating this broader regulation. 

The new laws that will be incorporated into this holistic strategy will include, among others: The Data Act – aiming to create rights and responsibilities on how valuable forms of data are shared; The Data Governance Act – to create a “common European data space” and “single market for data” – boosting innovation while respecting the values of privacy; and the AI Act – the first law on AI by a major regulator, anywhere.

Importantly, none of these acts should be viewed in isolation. It’s a positive development that the EU is treating data as an asset (like physical infrastructure). Sewing all the various initiatives together in this way – data protection, governance, AI and also fair markets – is a savvy, cohesive approach, in my opinion. 

However, it’s hard to know how effective this strategy will be when it comes to improving data development, given the EU currently lags behind on AI / ML. It remains to be seen if this will level the playing field, or create yet more red tape.

“People, businesses and organisations should be empowered to make better decisions based on insights from non-personal data, which should be available to all.”

European Commission 


State of flux


In post-Brexit UK, the new UK-GDPR is nearly identical to the EU-GDPR. However, it is UK legislation independent of the EU. The UK has already performed a consultation process to see what data protection in the UK should look like in the future – and therefore new developments need to be monitored closely as they unfold.


First it was Apple’s move to block third-party cookies that conduct cross-site tracking on Safari, then Google announced they will do the same in 2023. But, with these changes making things difficult for advertisers and small publishers, what will adtech look like in the future?

Ever-changing laws…


The latest draft of the Personal Data Protection Bill was passed over to the parliament in November 2021. The bill, now referred to as the Data Protection Bill or DPB because it contains several provisions on non-personal data, has been pulled from consideration for parliament to draft entirely fresh language.


The Personal Data Protection Law (PDPL) is the first of its kind to be passed in Saudi Arabia. The protection rules were first published in September 2021 and they are due to come into effect in March 2023.

The Data Privacy Periodic Table is entirely unique to Calligo and is an ongoing project, contributed to by the entire industry. We encourage anyone who’s interested to get involved. I consider all comments when creating the next update. If you have any thoughts you’d like to share or want to discuss anything featured in more detail, you can contact me here.