Global technology regulation – a story of the impossible?

RAID (Regulation of AI, Internet & Data)’s Editorial & Conference Director, Ben Avison, reports from Computers, Privacy & Data Protection (CPDP) 2022 in Brussels

At CPDP 2022, a selection of regulators, legislators and multinational technology companies met with strong voices from outside these major institutions to grapple with concerns that are as universal in their impact as they are difficult to resolve.

One such voice came from Alexander Hanff, advisor to European Commission and the European Parliament, who got to the heart of the privacy debate. "If we constantly monitor everybody, what does that mean for our children and grandchildren – will they have free choice, will they be free people? It’s important that we raise that awareness of privacy within organisations – if we don't, the future for our grandchildren is already lost."

The AI Act

In his address to the conference, European Commissioner for Justice Didier Reynders highlighted the importance of trust to the adoption of AI. "I'm confident trust in AI technology will boost its uptake in Europe. The future AI Act will set the standard for a more robust, ethical and fair technology."

The technology industry has been focusing hard for many years on how to resolve issues around privacy and safety. For example, Google's AI principles that were set out in 2013 are very aligned with the AI Act, according to the company’s EU Government Affairs and Public Policy Manager, Sylwia Giepmans-Stepien.

And Google Cloud Security’s Vice President Engineering, Wieland Holfelder reminded us: "There is no privacy without security. To keep user data private, we need to make sure we keep it secure."

Cornelia Kutterer, Senior Director, European Government Affairs at Microsoft said: "The AI Act is not only about safety; it aims to protect fundamental rights more broadly. What's missing is how we ensure the technical requirements actually do this."

Frederico Oliveira da Silva of the European Consumer Organisation (BEUC) said: "The AI act doesn't go as far it should. We applaud the instrument, but it needs to go further.

"The AI act relies heavily on the New Legislative Framework (NLF), a regulatory approach the EC has used over the years to regulate product safety. Applying this approach has limitations."

"AI is a double-edged sword," said Eva Maydell MEP. "Online platforms provide new spaces for people to gather at an unprecedented pace where misinformation can spread. All you need is one or two people, a message and an AI system that has the potential to multiply this message in seconds. We also know that AI can timely and efficiently take down such content."

Nicola Aitken, Content Policy Manager at Meta explained how effective content moderation requires a mix of human teams and community review in addition to AI.

Also under discussion was how the advertising-led model of the internet might need to evolve. "The future of the web is not a place without advertising; its a place where advertising takes place without the level of tracking that happens now," said Udbhav Tiwari, Policy Advisor at Mozilla.

Data flows

Technology companies also demonstrated a strong sense of propriety in the use of data. Apple, for example, aims to minimise data, collecting no more than it needs to. "That leads us to do things like processing data locally on the user’s device, so Apple never owns the data," said Erik Neuenschwander, User Privacy Manager at Apple. "We can also process data in centres separate to the operating systems. Those principles drive us to create designs that have great features and great privacy."

While handling the transit of data between companies and customers is a manageable task, the flow of data between jurisdictions poses greater challenges – and it is crucial for the global economy.

"In the EU we have a strong rule that the rights of people travel with their data. It’s not easy when you look at the massive flows of data," said Věra Jourová, Vice President of the European Commission for Values and Transparency. "When people suggest a new protectionism, I have to reject it."

Europe’s greatest data trading relationship is with the US. "The US is a special category taking into account the massive volume of data that flows there," Jourová said.

But the transatlantic relationship contains unresolved legislative challenges. European Data Protection Supervisor Wojciech Wiewiórowski said: "No legal solutions have been provided so far. any new deal will have to provide sufficient guarantees to widespread protection. Free and stable international data flows should ensure a very high level of data protection."

One pragmatic but ambitious solution, proposed by Graham Greenleaf of the University of New South Wales, would be for the EU to manage the US relationship individually, and to assign the world with some degree of commonality so it could be approached as a single 'bloc'.

The regulation of global data flows might be a story of the impossible, according to Ana Brian Nougrères, United Nations Special Rapporteur on the Right to Privacy, for two reasons: "Data doesn't have a standard value. And privacy and cultural aspects can be different in different corners of the world."

Meanwhile, there is a strong will for companies to provide solutions. "We are starting to see a lot of fragmentation in the globally open flow of data," said Julie Brill, Corporate Vice President and Deputy General Counsel for Global Privacy and Regulatory Affairs at Microsoft.

"I don't think the only answer is data residency; there are a lot of solutions. There are a lot of interests at play, but there are a lot of companies around the world that want hyperscale superfast provision of services so they can succeed in the businesses they provide globally."

CPDP took place on 23-25 May. The next RAID (Regulation of AI, Internet and Data) conference is set for October 13th. To find out how to get involved, contact [email protected] and register here: https://www.raid.tech/register