FPF’s Year in Review 2024
With contributions from Judy Wang, Communications Intern
2024 was a landmark year for the Future of Privacy Forum, as we continued to grow our privacy leadership through research and analysis, domestic and global meetings, expert testimony, and more – all while commemorating our 15th anniversary.
Expanding our AI Footprint
While 2023 was the year of AI, 2024 was the year of navigating how AI was used in practice and its influence across policy and emerging technologies. FPF further expanded its AI with the launch of FPF’s Center for Artificial Intelligence.
The FPF Center for AI supports FPF’s role as the leading pragmatic and trusted voice for those who seek impartial, practical analysis of the latest challenges for AI-related regulation, compliance, and responsible use.
Earlier this month, the Center officially launched its first report, “AI Governance Behind The Scenes: Emerging Practicers For AI Impact Assessments,” which examines the key considerations, emerging practices, and challenges that arise in the evaluations companies use to identify and address potential risks associated with AI models and systems.
Check out some other highlights of FPF’s AI work this year:
- Detailed the complex policy, legal, and technical challenges posed by California’s AB 1008.
- Produced a new report on confidential computing and how it differs from other PETs, as well as an in-depth analysis of its sectoral applications and policy considerations.
- Presented the Government of Singapore with the inaugural Global Responsible AI Leadership Award for the country’s pragmatic work in establishing frameworks for AI regulation and governance. The award also granted privacy experts Jim Halpert and Patrice Ettinger its Career Achievement Award and Excellence in Career Award.
- Updated our Generative AI internal compliance document with new content addressing organizations’ ongoing responsibilities, specific concerns (e.g., high-risk uses), and lessons taken from recent regulatory enforcement related to these technologies.
- With the enactment of the Digital Personal Data Protection Act (DPDPA), provided five ways the DPDPA could shape the development of AI in India.
- Examined the current state of governance frameworks for generative AI systems in five countries in the Asia-Pacific (APAC) region: Australia, China, Japan, Singapore, and South Korea.
- Highlighted the African Union AI Continental Strategy and how it centers AI governance as a foundational aspect for the successful development and deployment of AI in the continent.
- Released a new webpage of listed FPF resources related to the EU AI Act and two new infographics; the Governance Architecture and Implementation Framework and a Comprehensive Implementation & Compliance Timeline.
- Published a Two–Page Fact Sheet overview of The Council of Europe’s (CoE) Framework Convention on Artificial Intelligence and Human Rights, Democracy, and the Rule of Law (Framework Convention on AI).
- Highlighted key takeaways from Brazil’s Autoridade Nacional de Proteçao de Dados Pessoais (ANPD) decisions regarding legal questions and assessment criteria for processing personal data for AI training.
- Unveiled a new report on emerging trends in U.S. state AI regulation.
- Summarized key elements of the Colorado AI Act and identified significant observations about the law.
Bringing Our Expertise Across the Globe
2024 continued to be pivotal for our global experts, as they followed privacy developments across the Asia Pacific, Europe, Latin America, and Africa. We also participated in key events in Brussels, South Korea, France, Tokyo, and Tel Aviv.
Europe
FPF brought together European data protection experts through high-level convenings, blogs, and reports. We developed key takeaways from the Commission’s second Report on the GDPR, with an overview and analysis of the findings from various stakeholders, including DPAs, and a new key resources page covering all aspects of the EU AI Act. At CPDP.ai, a multi-stakeholder comparative panel, we explored what we can learn from regional and international approaches to AI regulation and how these may facilitate a more global, interoperable approach to AI laws. Finally, we held our 8th Annual Brussels Symposium in collaboration with the Brussels Privacy Hub of Vrije Universiteit Brussel (VUB), where lively in-person discussions took place covering this year’s topic, “Integrating the AI Act in the EU Data Governance Ecosystem: Bridging Regulatory Regimes.”
The Asia-Pacific
FPF’s APAC office entered its fourth year of continued growth and became a main component of our global research. We provided a comprehensive analysis of strategy documents and key regulatory actions of the DPAs in 10 jurisdictions, published or developed in 2023 and 2024, setting out regulatory priorities for the following years. This includes Australia, China, Hong Kong, the Special Administrative Region of China (SAR), Japan, Malaysia, New Zealand, the Philippines, Singapore, South Korea, and Thailand.
In July, FPF participated in Personal Data Protection Week 2024 (PDP Week), an event organized and hosted by the Personal Data Protection Commission of Singapore, examining emerging technologies, including generative AI, India’s landmark data protection legislation, and PETs. Our second annual Japan Privacy Symposium in conjunction with the 62nd Asia-Pacific Privacy Authorities (APPA) Forum, was a big success. In cooperation with the Personal Information Protection Commission of Japan (PPC), the Japan DPO Association, and S&K Brussels, this year’s Symposium featured a keynote speech from Commissioner OHSHIMA Shuhei, which focused on emerging data protection and privacy trends in Japan.
Data Privacy in Latin America
The fourth edition of the Computers, Privacy, and Data Protection Conference Latin America (CPDP LatAm) was held in Rio de Janeiro, Brazil, where FPF organized a panel on the adoption and deployment of privacy-enhancing technologies in the region. The LATAM team also published an Issue Brief analyzing the regulatory strategies and priorities of data protection authorities (DPAs) in Latin America.
We dissected “neurorights,” a set of proposed rights that specifically protect mental freedom and privacy, which have captured the interest of many governments, scholars, and advocates, which is very apparent in Latin America. FPF looked into several countries that are actively seeking to enshrine these rights in law, including Chile, Mexico, and Brazil.
The African Continent
We gave an overview of harmonization efforts in regional and continental data protection policies in Africa and the role of Africa’s 8 Regional Economic Communities (RECs) and submitted comments to the Nigeria Data Protection Commission (NDPC) on the proposed General Application and Implementation Directive (GAID).
Federal and State U.S. Legislation
FPF played a critical role in informing both federal and state government entities on protecting data privacy interests.
We provided recommendations and filed comments with the following:
- U.S. Department of Transportation in response to their request for information on opportunities and challenges of AI transportation and again in response to the National Highway Traffic Safety Administration (NHTSA) and the DOT Advanced Notice of Proposed Rulemaking regarding advanced impaired driving prevention technology.
- Federal Trade Commission (FTC) in response to its request for comment on the Children’s Online Privacy Protection Act (COPPA) proposed rule, again in response to the FTC’s Supplemental Notice of Proposed Rulemaking as well as in response to its request for comment on the Children’s Online Privacy Protection Act (COPPA) proposed rule.
- Office of Management and Budget (OMB) regarding the agency’s Request for Information on how privacy impact assessments (PIAs) may mitigate privacy risks exacerbated by AI and other advances in technology and again to Request for Information (RFI) regarding responsible procurement of AI in government.
- Department of Justice (DOJ) regarding the Advance Notice of Proposed Rulemaking on Access to Americans’ Bulk Sensitive Personal Data and Government-Related Data by Countries of Concern (ANPRM).
- Bureau of Industry and Security (BIS) and the United States Department of Commerce’s (DOC) Advanced Notice of Proposed Rulemaking (ANPRM) in response to securing the information and communications technology and services supply chain of connected vehicles.
- California Civil Rights Council in response to their proposed modifications to the state Fair Employment and Housing Act (FEHA) regarding automated-decision systems (ADS) and again regarding their Proposed Modifications to the Employment Regulations Regarding Automated-Decision Systems.
- Federal Communications Commission (FCC) in response to the FCC’s Notice of Proposed Rulemaking (NPRM) on the use of artificial intelligence (AI) to generate content for political advertisements and again in response to the Notice of Inquiry (NOI) on technologies that can alert consumers that they may be interacting with an AI-generated call based on real-time phone call content analysis.
- New York State Senate to inform forthcoming rulemaking for the implementation of a pair of bills aimed at creating heightened protections for children and teens online.
- D.C. Council Committee on Health gave feedback on the role of consent in the Consumer Health Information Privacy Protection Act of 2024 (“CHIPPA”).
2024 saw an expansion of comprehensive privacy laws across U.S. states, including Rhode Island, Vermont, Minnesota, New Hampshire, and New Jersey. Colorado’s adoption of the Global Privacy Control (GPC) as an Universal Opt Out Mechanism (UOOM) was a critical development for vendors, publishers, advertisers, and users, and the state is also the first to enact state AI legislation. Maryland passed the Maryland Online Data Privacy Act (MODPA) as well as the Maryland Age-Appropriate Design Code Act” (Maryland AADC).
Following Connecticut’s lead last year, Virginia and Colorado both amended their state privacy laws to add specific online protections for kids’ data. FPF also examined genetic privacy laws from Montana, Tennessee, Texas, and Virginia and to show how they compare to FPF’s widely adopted Best Practices for Consumer Genetic Testing Services.
This year also marked the 14th annual Privacy Paper for Privacymakers Award on research for policymakers in the U.S. Congress, U.S. federal agencies, and international data protection authorities. The event was kicked off at Capitol Hill, featuring an opening keynote by U.S. Senator Peter Welch (D-VT). FPF honored winners of internationally focused papers in a virtual conversation the following week.
Youth & Education
In 2024, federal and state policymakers continued to work on legislation that protects children online, including the Kids Online Safety and Privacy Act (KOSPA) and the California Age-Appropriate Design Code Act (AADC). FPF’s work includes a breakdown of bills related to children’s online safety and a checklist designed for K-12 schools to help vet generative AI tools.
FPF published a blog in August that contextualized the Kids Online Safety and Privacy Act (KOSPA), which includes two bills that gained significant traction in the Senate in recent years: the Kids Online Safety Act (KOSA) and Children and Teens Online Privacy Protection Act (“COPPA 2.0”).
In July, we explored how the California Age-Appropriate Design Code Act (AADC) catalyzed conversations in America around protecting kids and teens online. We also analyzed the implications of the CA AADC and the evolving landscape of children’s online privacy.
As children spend more time online, lawmakers have continued introducing legislation to enhance the privacy and safety of kids’ and teens’ online experiences beyond the Children’s Online Privacy Protection Act (COPPA) framework. FPF analyzed the status quo of knowledge standards under COPPA and provided key observations on the current knowledge standards in various state privacy laws.
We also released a checklist and accompanying policy brief designed specifically for K-12 schools to help them vet generative AI tools for compliance with student privacy laws, outlining key considerations when incorporating generative AI into a school or district’s edtech vetting checklist.
With young people adopting immersive technologies like extended reality (XR) and virtual world applications, companies have expanded their presence in digital spaces, launching brand experiences, advertisements, and digital products. FPF analyzed recent regulatory and self-regulatory actions related to youth privacy in immersive spaces while also pulling out key lessons for organizations building spaces in virtual worlds.
Diving Deeper into Privacy Enhancing Technologies (PETs) Research and Large Language Models (LLMs)
2024 also marked further exploration into Privacy Enhancing Technologies (PETs) with FPF’s establishment of the PETs Research Coordination Network (RCN) and the creation of the PETs Repository. Additionally, we further explored large language models (LLMs) and whether or not they contained personal information.
In February, the National Science Foundation (NSF) and the Department of Energy (DOE) awarded FPF grants to support its establishment of a Research Coordination Network (RCN) for Privacy-Preserving Data and Analytics. FPF’s work will support developing and deploying Privacy Enhancing Technologies (PETs) for socially beneficial data sharing and analytics.
In July, FPF also launched the Privacy-Enhancing Technologies (PETs) Research Coordination Network (RCN), bringing together a group of cross-sector and multidisciplinary experts dedicated to exploring PETs’ potential in AI and emerging technologies and stewarding their adoption and scalability. Building on these initiatives and other efforts, FPF launched the PETs Repository, a webpage that consolidates available resources and developments around the development and deployment of PETs.
FPF further delved into LLMs to explore if they contain personal data. If they do, what requirements must companies follow for processing personal data for training AI models? Recent analysis focused on Brazil’s Autoridade Nacional de Proteçao de Dados Pessoais (ANPD) and issuing a preliminary decision on the legal basis for processing personal data in LLMs. We also wrote a blog on California’s recently passed Assembly Bill 1008 applying CCPA privacy rights to LLMs and whether personal data exists in an AI model. An online discussion in a LinkedIn Live featuring FPF experts also delved into LLMs and personal data.
Facilitating Privacy Thought Leadership Home and Abroad
To celebrate the milestone of 15 years, FPF convened leading data protection regulators and FPF members at our 15th Anniversary Spring Social. The event also marked the transition of FPF Board Chairman Christoper Wolf, recognizing his founding role at FPF and many years of leadership. We welcomed our new Board Chair, Alan Raul.
High-level engagement from the year included:
- Our first DC Privacy Forum: AI Forward, accompanied by the launch of FPF’s new Center for Artificial Intelligence.
- In May, FPF received a sub-award on the National Science Foundation (NSF) SafeInsights project, a five-year, $90 million research and development (R&D) infrastructure grant for inclusive education research.
- FPF also grew its presence in Australia by co-hosting an online discussion on Privacy, Security, and Online Safety for Young People in Australia with the Australian Strategic Policy Institute (ASPI).
- The Research Coordination Network (RCN) for Privacy-Preserving Data Sharing and Analytics was launched with a virtual kick-off and White House Roundtable events. The Virtual Kick-off event featured over 40 global experts who helped shape the RCN’s work for the next three years. Hosted by the White House Office of Science and Technology Policy, we began a collaborative effort to advance PETs and their use in developing more ethical, fair, and representative AI.
The above is only a partial list of FPF initiatives from the year but highlights some of our major achievements. We thank all those who contributed, participated, advised and supported. Continue to follow FPF’s work by subscribing to our monthly briefing and following us on LinkedIn, Twitter/X, and Instagram. On behalf of the FPF team, we wish you a very Happy New Year and look forward to what’s to come in 2025!