5 Ways to Be a Top Dog in Data Privacy

Data Privacy Day, or Data Protection Day in Europe, is recognized annually on January 28 to mark the anniversary of Convention 108, the first binding international treaty to protect personal data. To raise awareness for the day and promote best practices for data privacy, we’ve partnered with Snap to create a Data Privacy Day Snapchat Lens that lets you choose what type of privacy pup best reflects your personality. Check it out by scanning the Snapchat code! 

dpd lens

Once you’ve determined which privacy pup you are, learn more about protecting your privacy with these 5 quick, easy steps.

1. Share your Information with Websites and Apps you Trust

Today, almost everything we do online involves companies collecting personal information about us. When we’re subscribing to marketing emails, making online purchases, filling out surveys, or even applying for jobs online, websites are collecting more information than ever before, and we’ve become accustomed to sharing personal information daily. However, it’s important to be cautious and trust a website or app before sharing any personal information with it.  

There are a few ways to evaluate a website or app before sharing personal information. The first is to check the website’s url and domain name. Confirm that both the name of the website is spelled properly, and the domain name ending in .org, .com, .edu, or .gov, which are typically (but not always) more credible. Next, you can look for clear information about the leaders of the organization and their contact information on the website. If that information isn’t available, or is difficult to find, be cautious because you may not know who will be responsible for your personal information. Lastly, take a few minutes to evaluate a company’s privacy policy. The policy should clearly state the company’s full name, explain how they will be using your information, and may include information about the security measures in place. Many states also require companies to let you submit a data access request, and it’s helpful to check that the company is complying with their state law and displaying that information. 

2. Update your passwords and multi-factor authentication regularly 

Password re-use is one of the top ways that unwanted eyes can get into your accounts: once one service where you used a password is breached, criminals will likely try the same username and password combination on other services just to see if it works. To get a sense of the scale of the risk, you check your info on web service “Have I Been Pwned” (available at haveibeenpwned.com), which allows you to enter your email address and see what data breaches that email has been included in. 

Because of the risks involved in recycling passwords, using unique passwords is an essential step for keeping personal information private. You can also consider utilizing a password manager. Password managers save passwords as you create and log in to your accounts, often alerting you of duplicates and suggesting the creation of a stronger password.  And no, the name of your dog is not a strong password.

For example, if you use an Apple product when signing up for new accounts and services, you can allow your iPhone, Mac, or iPad to generate strong passwords and safely store them in iCloud Keychain for later access. Some of the best third-party password managers can be found here.

When possible, you should also utilize multi-factor authentication along with a password. This extra step ensures that simply inputting a compromised password is not enough to provide access to your account without an extra step, typically the connection of a device like a yubikey or submission of a numeric code sent to a phone number, e-mail address, or authentication application on your phone. While some forms of multi-factor authentication may be more protective and more resilient than others, any choice will significantly increase the security in comparison to a password alone. You can see how easy it is to set up multi-factor authentication on Snapchat using their easy-to-understand articles, available online.

3. Respect other peoples’ privacy

It’s important to be mindful about the information you share and see on social media. Consider the reach of your own posts, and avoid sharing anything you wouldn’t want to be saved or widely shared, whether it’s about you or someone else. Many social media sites like Instagram, Facebook, and Snapchat allow you to share images and chat with a closed group or limited number of friends, and it’s important to honor when someone chooses to keep information non-public when they share it in closed or private settings.  Don’t screenshot or reshare private stories or messages from others. 

4. Review all social media settings 

Many social media sites include options on how to tailor your privacy settings to limit how data is collected or used. Snap provides privacy options that control who can contact you and many other options. Start with the Snapchat Privacy Center to review your settings. You can find those choices here.

Snap also provides options for you to view any data they have collected about you, including account information and your search history. Downloading your data allows you to view what information has been collected and modify your settings accordingly. 

Instagram allows you to manage various privacy settings, including who has access to your posts, who can comment on or like your posts, and manage what happens to posts after you delete them. You can view and change your settings here.

TikTok allows you to decide between public and private accounts, allows you to change your personalized ad settings, and more. You can check your settings here.

X allows you to manage what information you allow other people on the platform to see and lets you choose your ad preferences. Check your settings here.

Facebook provides a range of privacy settings that can be found here.

In addition, you can check the privacy and security settings for other popular applications such as Reddit and Pinterest here. Be sure to also check your privacy settings if you have a profile on a popular dating app such as Bumble, Hinge, or Tinder.

What other social media apps do you use often? Check to see which settings they provide!

5. Use incognito settings to keep personal information about you hidden

Many browsers and apps allow you to turn on a setting that lets you continue to use the service without sharing as much personal information as you normally would. 

On Chrome, you can browse the web more privately using incognito mode. To activate, open Chrome, under “More,” click “New Incognito Window.”

Using Safari, you can choose “private browsing” by opening Safari, clicking “File” and then “New Private Window.” If you have the app, you can choose to always browse privately by clicking “Settings” and then for the option “Safari opens with” pop-up menu, choose “a new private window.” 

Mozilla also has options for using Firefox in “private browsing mode.” Click Firefox’s menu button, and then click “New private window.” You can also choose to always be in private browsing mode by choosing “Use custom settings for history” from the Firefox’s menu and checking the “Always use private browsing mode” setting. 

Browsers like DuckDuckGo and Brave also default to private browsing mode. You can read more about DuckDuckGo’s anonymous browsing settings here, and Brave’s privacy protections here.  

Using Snapchat, you can turn on Ghost Mode. While using it, your location won’t be visitable to anyone, including friends you may have previously shared your location with on Snapchat’s Snap Map. To turn it on, open the Map, tap the ⚙️ button at the top of the map screen, toggle Ghost Mode to on, and select how long you’d like to enable Ghost Mode. 

If you’re interested in learning more about one of the topics discussed here or other issues driving the future of privacy, sign up for our monthly briefing, check out one of our upcoming events, or follow us on X, LinkedIn, or Instagram

FPF brings together some of the top minds in privacy to discuss how we can all benefit from the insights gained from data while respecting the individual right to privacy.

What to Expect in Global Privacy in 2025

Next year, in 2026, we will celebrate a decade after the adoption of the GDPR, a law with an unprecedented regulatory impact around the world, from California to Brazil, across the African continent, to India, to China, and everywhere in between. The field of data protection and privacy has become undeniably global, with GDPR-inspired laws (from a lesser to a bigger degree) adopted or updated in many jurisdictions around the world throughout the past years. This could not have happened in a more transformative decade for technologies relying on data, with AI decidedly getting out of its winter, and “connected-everything,” from cars to eyewear, increasingly shaping our surroundings. 

While jurisdictions around the world were catching up with the GDPR or gearing their own approach to data protection legislation, the EU leaped in the past five years towards comprehensive (and sometimes incomprehensible) regulation of multiple dimensions of the digital economy: AI itself, online platforms through intermediary liability, content moderation and managing systemic risks on very large online platforms and search engines, online advertising in electoral campaigns, digital gatekeepers and competition, data sharing and connected devices, data altruism and even algorithms used in the gig economy. 

Against this backdrop, I asked my colleagues in FPF’s offices around the world, who passionately monitor, understand, and explain legislative, regulatory, and enforcement developments across regions, what we should expect in 2025 in Global Privacy. From data-powered technological shifts and their impact on human autonomy, to enforcement and sectoral implementation of general data protection laws adopted in the past years, to AI regulation, cross-border data transfers, and the clash of online safety and children’s privacy, this is what we think you should keep on your radar:

1. AI becoming ubiquitous will put self-determination and control in the center of global privacy debates

“Expect AI to become ubiquitous in everything we do online,” signals Dr. Rob van Eijk, FPF Managing Director for Europe. This will not only bring excitement for tech enthusiasts but also a host of challenges, heightened by the expected increase in consumers using AI agents. “The first challenge is maintaining personal autonomy in the face of technological development, particularly regarding AI,” weighs in Rivki Dvash, Senior Fellow with ITPI – FPF Israel. 

Rivki foresees two prominent dimensions of this topic: first, at the ethical level, and second, at the regulatory level, particularly concerned “with the limits of the legitimacy of the use of AI while trying to contour the uniqueness of a person over a machine and the desire to preserve personal autonomy in a space of choice.” “What does it mean to be a human in an Agentic AI future?” is a question that Rob says will ignite a lot of thinking in the policy world in 2025. This makes me think of an older paper from Prof. Mireille Hildebrandt, “Privacy as Protection of the Incomputable Self: From Agnostic to Agonistic Machine Learning” (2019), where she described a framework that could “provide the best means to achieve effective protection against overdetermination of individuals by machine inferences.”

I expect the idea of “control” over one’s persona and personal information in the world of Generative and Agentic AI to increasingly permeate and fuel regulatory debates. In its much-expected Opinion on AI systems and data protection law published over the Holidays, the European Data Protection Board (EDPB) identified “the interest in self-determination and retaining control over one’s own personal data” as chief among individuals’ interests that must be taken into account and balanced, both when personal data is gathered for the development of AI models and with regards to personal data processed once the model is deployed. 

Putting self-determination and control at the center of AI governance will not be just academic. For instance, the EDPB asked for an “unconditional opt-out from the outset,” “a discretionary right to object before the processing takes place” for developing and deploying AI systems, “beyond the conditions of Article 21 GDPR,” in order for legitimate interests to be considered as a valid lawful ground legitimizing consentless processing of personal data for AI models. 

Rob adds that in 2025, we will see users “becoming increasingly reliant on AI companions for decision-making, from small choices like what to watch on streaming services to larger life decisions.” He highlights what will be one of the key privacy and data protection implications of all this: “AI companions will get unprecedented access to sensitive personal data, from financial transactions to private conversations and daily routines.” Protecting sensitive data in this context, especially with inferences broadly recognized as being covered by such enhanced safeguards under data protection law regimes, will be a key challenge that will keep privacy experts busy this year.

But the ideas of “control,” “self-determination,” and “autonomy” in relation to one’s own personal data are particularly fragile when it comes to non-users or bystanders whose data is collected through another person’s use of a service or device. This is one of the big issues that Lee Matheson, FPF Deputy Director for Global Privacy, sees as defining an enforcement push from Data Protection Authorities (DPAs) from Canada to Europe this year, particularly as it relates to Augmented Reality and connected devices: “It’s a cross-cutting technology that implicates lawful bases for collection/processing, AI and automated decision-making (particularly facial recognition), secondary uses, and data transfers (as unlike smartphones, activity is less likely to be kept on-device). I think a particular focus could be on how to vindicate the rights of non-user data subjects whose information is captured by these kinds of devices.”

2. Three different speeds for AI legislation: Moderation in APAC, Implementation in Europe, Acceleration in Latin America

AI governance and data protection are closely linked, as shown above, which makes AI legislation a particularly poignant topic to follow. “Whether through hard or soft law approaches, preventing significant fragmentation of AI rules globally will be high on the agenda,” observes Bianca-Ioana Marcu, FPF Deputy Director for Global Privacy. Bianca has been closely following initiatives of international organizations and networks in the AI governance space throughout the last year, like the efforts of the UN, the OECD, or the G7 in this space, and she believes that in 2025, “international fora and the principles and guidelines agreed upon within such groups will act as the driving force behind AI standard-setting.” Bianca adds that we might see efforts towards “harmonizing regional data protection rules in the interests of supporting the governance and availability of AI training data.” I can see this happening, for instance, across economic regions in Africa, or even at the ASEAN level.

As for legislative efforts around the world targeting AI, the team identifies three different speeds. In the Asia-Pacific (APAC) region, Josh Lee Kok Thong, FPF Managing Director for APAC, foresees a “possible cooling down” of the race to adopt AI laws and other regulatory efforts. “There will be signs of slight regulatory fatigue in AI governance and regulatory initiatives in APAC. This is especially so among the more mature jurisdictions, such as Japan, Singapore, China, and Australia. Rather than developing new headline regulatory or governance initiatives, efforts are likely to focus on the development of tools for evaluation and content provenance,” he says. Josh notes that jurisdictions across APAC will be closely watching how the implementation of the EU AI Act unfolds, as well as the US regulatory stance towards AI under President Trump’s administration before deciding what steps to take.

In contrast, Latin America will likely move full speed ahead toward AI legislation. Maria Badillo, Policy Counsel for Global Privacy, explains that “this year will mark significant progress on initiatives to govern and regulate AI across multiple countries in Latin America. Brazil has taken a leading role and is getting closer to adopting a comprehensive law in 2025 after the Senate’s recent approval of the AI bill. Other countries like Chile, Colombia, and Argentina have introduced similar frameworks.” Maria says that this will happen mainly under the influence of the EU AI Act, but also from Brazil’s AI bill. 

When it comes to AI legislation, the EU is catching its breath this year, focusing on the implementation of the EU AI Act, which was adopted last year and whose application starts rolling out in a month. Necessary Codes of Conduct – like the one dedicated to general purpose AI, implementing acts, and specific standards are expected to flow within the next 18 months or so. But this year, we will certainly see the first signs of whether this new law will successfully achieve its goals. A good indicator will be observing in practice the intricate web of authorities tasked by the EU AI Act with oversight, implementation, and enforcement of the law. “The lack of a one-stop-shop mechanism and the presence of several authorities in the same jurisdiction will be a first test of the efficiency of the AI Act and the authorities’ ability to coordinate,” highlights Vincenzo Tiani, Senior Policy Counsel in FPF’s Brussels office. 

Meanwhile, it is expected that DPAs will gain a more prominent role in enforcing the law on matters at the intersection of the GDPR with the various new EU acts regulating the digital space, including the EU AI Act. “DPAs will be increasingly called to step up and drive enforcement actions on a broad number of issues also falling under other EU regulatory acts, but which involve the processing of personal data and the GDPR,” says Andreea Serban, FPF Policy Analyst in Brussels. This will be particularly evident regarding AI systems, after a first infringement decision in a series of complaints surrounding ChatGPT was issued by the Italian DPA, the Garante, at the end of 2024. 

The space in AI governance that the GDPR occupies will visibly expand this year, including into issues where copyright is considered central. Vincenzo explains that “the licenses provided by newspapers to providers of LLMs, at least so far, do not cover the protection of personal data contained therein.” The Italian DPA has already raised the flag on this issue.

Countervailing some of the biggest risks of Generative AI beyond the processing of personal data will keep regulators across Europe busy, be they DPAs, the European Commission’s AI Office, or other national EU AI Act implementers. Dr. Desara Dushi, Policy Counsel in our Brussels office, anticipates “a sharp focus on controlling the use of synthetic data that fuels harmful content, with the rise of advanced emotional chatbots and the proliferation of deepfakes.” This could happen through “more robust and specific guidelines targeting generative AI’s risks.”

3. International Data Transfers will come back on top of the Global Privacy agenda

As I anticipated last year in my 2024 predictions, international data transfers started intertwining with the broader geopolitical goals of countries caught in the AI race. This trend will become even more visible in 2025, when we expect that issues related to international data transfers will come back to the top of the Global Privacy agenda, fueled this time not only by the geopolitics of AI development, but also by the broader dynamic between a new European Commission in Brussels and a new administration in Washington DC. 

“I think transatlantic data transfers issues will be brought back to center stage in the dynamics of EU’s implementation of digital regulations like the DSA and the DMA on one side, and the priorities of the new administration in the US on the other side,” foresees Lee Matheson, who is based in our Washington DC office and who closely follows international data transfers. But, this time around, the pressure on the continuity of data flows between the US and the EU might first come from the US side. 

Lee thinks we should follow closely what happens with Executive Order (E.O.) 14117 “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern,” an instrument adopted last year which bans transfers of bulk sensitive data of Americans outside of the U.S. in specific circumstances and only towards designated countries of concern (currently China, Iran, Russia, Venezuela, Cuba and North Korea). The Executive Order could be left as is, amended, repealed, or replaced by the new administration in Washington. But an interesting point Lee raises is that “E.O. 14117 and its associated DOJ Rules, in particular, provide a framework that could be extended to additional jurisdictions.” 

On the other hand, the General Court of the CJEU started early this year with a decision that recognized plaintiffs can obtain compensation for non-material damage if their personal data have been transferred unlawfully, in a case involving transfers made by the European Commission to the U.S. before the Data Privacy Framework became effective. This clarification made by the Court could increase the appetite for challenging the lawfulness of international data transfers. In part due to pressure on more traditional data transfer mechanisms, Lee thinks “the world will see alternative systems for international data transfers, such as the Global Cross Border Privacy Rules system, become substantially more prominent.” 

Indeed, transatlantic data flows will only be one of many cross-border data flow stories to follow. “We may well see continuing fragmentation of the cross-border data transfer landscape globally and in APAC into clusters of likeminded jurisdictions, ranging from those like Singapore and Japan that are working to promote trusted data flows (especially through initiatives like the Global CBPRs) to those like Indonesia, India, and Vietnam that have recently renewed their interest in adopting data localization measures,” adds Dominic Paulger, FPF Deputy Director for APAC, from our Singapore office. He also thinks that geopolitical and regulatory trends in the US and the EU will affect dynamics in APAC. “While there will be tension between data localization requirements in some jurisdictions, navigating the right balance will be crucial in shaping both regulatory strategies and business practices across the region in 2025,” concludes Sakshi Shivhare, Policy Associate for FPF APAC. 

4. Convergence of youth privacy and online safety will take the spotlight around the world

Convergence of children’s and teen’s privacy and online safety issues into new legislative action, regulatory initiatives, or public policy measures is being emphatically highlighted as a top issue to watch in 2025 by my colleagues across APAC, India, EU, and, to some extent, Latin America. 

Dominic explains that jurisdictions in APAC are increasingly incorporating online safety provisions into data protection laws, with some focusing on age verification or age-appropriate design requirements. This highlights tensions between real concerns about young people’s online safety and the substantial privacy risks that are posed by age assurance technologies and related mandates. Experts have raised the need for more cross-cutting conversations to identify and address privacy and security risks created by regulatory efforts. He expects the focus on youth safety to continue throughout 2025, “especially following Australia’s recent ban on social media use for under-16s.” This approach has been criticized by some youth safety and privacy experts while being lauded by others. Several jurisdictions, including Singapore, are considering emulating this model, and many more will be watching to see how it plays out. 

“The dialogue around online youth safety will likely intensify in the EU as well, with a notable focus on children’s overall well-being and how that intersects with youth privacy rights,” foresees Desara, who comes to FPF’s Brussels office with extensive research and policy work in this space. “The narrative may broaden to encompass a more holistic approach to child protection, leading toward ‘child rights by design’ requirements,” she adds. 

The Child Sexual Abuse Regulation (CSAR) proposal in the EU will continue to be the subject of fierce debate in 2025. The CSAR debate has been characterized by proponents noting the measure’s noble goals and critics characterizing the proposal as technically unworkable and certain to undermine core privacy and security measures. Desara concludes: “With early insights emerging from the UK’s Online Safety Act, the ongoing intersection of privacy and youth safety promises to be a defining issue in the year ahead.”   

5. We have a new law, now what? Implementation and groundwork for enforcement will be central in APAC, LatAm, Africa, and EU

Several jurisdictions across all regions will focus on starting the implementation of recently adopted data protection laws. Perhaps this is most visible in the APAC region, which “is seeing a significant maturation of data protection frameworks,” as Sakshi Shivhare notes. Examples include “the promulgation of India’s DPDPA Rules, the phased implementation of Malaysia’s PDPA amendments, the much-awaited finalization of implementing regulations for Indonesia’s PDP Law, and the implementation of Australia’s first tranche of Privacy Act amendments,” explains Josh Lee. 

This year, significant attention will be paid to India’s DPDPA Implementing Rules. “With the draft rules now released, attention will shift to public consultations and how the government addresses feedback,” notes Bilal Mohamed, FPF Policy Analyst based in New Delhi. He points out that some of the key concerns discussed so far relate to “the possible reintroduction of data localization norms, (Rules 12(4) and 14) and the practical concerns with the implementation of Verifiable Parental Consent,” also adding to two of the trends we identified above related to international data transfers and children’s privacy and online safety. “Together, these shifts suggest that 2025 will be pivotal for creating a more cohesive, though not necessarily uniform, privacy landscape across APAC,” concludes Sakshi.

Jurisdictions across Africa will face similar challenges this year. Mercy King’ori, FPF Policy Manager for Africa, based in Nairobi, thinks we should expect “more sectoral regulations as controllers and processors continue to seek clarity on the practical implementation of legal provisions in most data protection laws across the continent. This is the continuation of a trend from 2024 where DPAs have been identifying gaps in the implementation of the laws and proposing regulations and guidelines in data-intensive sectors such as education, marketing, and finance.”

She adds that, in parallel, DPAs are dealing with an increasing number of complaints: “The rise of complaints has been due to heightened awareness of data subject rights and DPAs eager to push for compliance with national data protection regimes. The move towards enforcing compliance has even seen DPAs initiate assessments on their own volition, such as South Africa’s Information Regulator leading to enforcement notices and penalties.”

Secondary or implementing regulations are also expected to drive the agenda in Latin America, with a priority on “protecting children’s data, data subject rights, and processing of personal data in the context of AI,” points out Maria Badillo. She specifically notes that “active DPAs in the region, such as those from Brazil and Argentina, have identified AI regulation, exercise of data subject rights, and processing of children’s data among the priority areas for developing secondary regulations and guidance in 2025.” 

Even the EU will have implementation fever this year – which is to be expected after intense lawmaking of everything digital and data during the first von der Leyen Commission. “In 2025, we should see a policy shift, prioritizing the application and implementation of existing frameworks, like the EU AI Act, the DSA, the DMA, and so forth, rather than proposals of new legislation,” points out Andreea Serban, who also notes recent messaging in Brussels signaling a decreased focus on regulation, especially in the aftermath of the Draghi report

This is indeed how the Brussels agenda reads, but it shouldn’t be a surprise if new legislation, like the Digital Fairness Act, will make its way as an official proposal as soon as this year. And with other files like the CSAR still on the legislative train, or the constant “hide and seek” with the ePrivacy Regulation, the Brussels legislation machine might slow down, but it will not halt. 


6. Bigger public policy debates will end up shaping global privacy: from “Innovation v. Regulation,” to checks and balances over government access to data

The “Innovation v. Regulation” dichotomy has been omnipresent in the European public debate since the publication of the Draghi report last year, even as some are positing this is a false choice (see Anu Bradford or Max von Thun). 

“With a new European Commission taking the reins in Brussels, and with political tides changing across the EU, the innovation versus regulation debate will continue to polarize the digital policy community. Repercussions will be felt in discussions regarding not only the application and enforcement of the DSA and the DMA but also for data protection law as we await new GDPR enforcement rules,” explains Bianca-Ioana Marcu. However, she suggests that this debate might be louder than having effects in practice, as Brussels will move ahead with its regulatory agenda of the new Commission. It is clear, though, that Brussels may experience a “shift towards promoting EU competitiveness,” as Andreea framed it, and that this will impact, even if incrementally, all the “digital agenda” files. 

While most of the attention in India might be focused on the DPDPA Implementing Rules, promoting the country’s competitiveness is a bigger goal for many, which could result in regulatory changes supporting it. Bilal signals that there are interesting data-sharing initiatives coming up at a sectoral level. “For instance, MeitY plans to launch an IndiaAI datasets platform to provide high-quality datasets (non-personal data) for AI developers and researchers. Similar initiatives are underway in sectors such as healthcare, e-commerce, and agriculture,” he says. These initiatives are quite similar to the EU Data Spaces, which are also expected to advance. “It will be fascinating to see how these initiatives align with the DPDPA, and how this shapes the definition of ‘non-personal data’ in India,” adds Bilal.

One last bigger public policy debate that may impact concrete data protection this year remains the checks and balances over government access to personal data. For instance, Rivki, based in our Tel Aviv office, highlights that this year she expects the privacy community to confront the long-term privacy consequences of the exceptional measures taken by the government during the war, such as storage of fingerprints in databases or authorization of intrusion into security cameras without consent. The privacy community will likely be focused to “ensure that any measures implemented during this period do not persist or become the new standard for privacy,” she says. 

Government access to data shapes up to also be top of mind in policy debates in India, with Bilal noting that “on a broader scale, constitutional challenges related to government exemptions under the DPDPA may surface in the Supreme Court once the implementing rules are officially notified.” 

7. A dark horse prediction and further reading

Before ending the round-up of issues to follow in 2025 in Global Privacy, I will make my dark horse prediction: The reopening of the GDPR might appear more convincingly on the regulatory agenda this year, once the procedural reform is done. What seemed almost sacrilegious a couple of years ago will now look more likely, especially in the light of DPAs becoming active in enforcing the GDPR on AI systems, and eventual hiccups of non-DPA enforcers applying the digital strategy package at the intersection with GDPR provisions.

Finally, for a good understanding of what the year might bring to US policymaking, check out this analysis by Jules Polonetsky, FPF CEO, for TechPolicy Press, “2025 May be the Year of AI Legislation: Will we see Consensus Rules or a Patchwork?,” as well as FPF Senior Director for U.S. Legislation Keir Lamont’s blog, “Five Big Questions (and Zero Predictions) for the US State Privacy Landscape in 2025.” 

For media inquiries reach out to [email protected].

Twelve Privacy Investments for Your Company for a Stronger 2025

FPF has put together a list of Twelve Privacy Investments for Your Company for a Stronger 2025 that reflects on new perspectives on the work that privacy teams do at their organizations. We hope there is something here that’s useful where you work, and we’d love to hear other ideas and feedback.

Privacy Investments for Your Company for a Stronger 2025

CEO Jules Polonetsky: 2025 May be the Year of AI Legislation: Will We See Consensus Rules or a Patchwork?

In 2024, lawmakers across the United States introduced more than 700 AI-related bills, and 2025 is off to an even quicker start, with more than 40 proposals on dockets in the first days of the new year. In Washington D.C., a post-election reshuffle presents unique opportunities to address AI issues on a national level, with one party controlling the White House and both houses of Congress. But, while Congress has shown strong interest in AI generally, the 119th Congress seems more likely to prioritize other tech issues, such as online speech and child safety, over regulating the consumer protection aspects of AI.

Read the full op-ed by Jules Polonetsky published January 10, 2025 on Tech Policy Press.

FPF’s Year in Review 2024

With contributions from Judy Wang, Communications Intern

2024 was a landmark year for the Future of Privacy Forum, as we continued to grow our privacy leadership through research and analysis, domestic and global meetings, expert testimony, and more – all while commemorating our 15th anniversary

Expanding our AI Footprint 

While 2023 was the year of AI, 2024 was the year of navigating how AI was used in practice and its influence across policy and emerging technologies. FPF further expanded its AI with the launch of FPF’s Center for Artificial Intelligence.

The FPF Center for AI supports FPF’s role as the leading pragmatic and trusted voice for those who seek impartial, practical analysis of the latest challenges for AI-related regulation, compliance, and responsible use.

Earlier this month, the Center officially launched its first report, “AI Governance Behind The Scenes: Emerging Practicers For AI Impact Assessments,” which examines the key considerations, emerging practices, and challenges that arise in the evaluations companies use to identify and address potential risks associated with AI models and systems.

Check out some other highlights of FPF’s AI work this year: 

Bringing Our Expertise Across the Globe

2024 continued to be pivotal for our global experts, as they followed privacy developments across the Asia Pacific, Europe, Latin America, and Africa. We also participated in key events in Brussels, South Korea, France, Tokyo, and Tel Aviv

Europe 

FPF  brought together European data protection experts through high-level convenings, blogs, and reports. We developed key takeaways from the Commission’s second Report on the GDPR, with an overview and analysis of the findings from various stakeholders, including DPAs, and a new key resources page covering all aspects of the EU AI Act. At CPDP.ai, a multi-stakeholder comparative panel, we explored what we can learn from regional and international approaches to AI regulation and how these may facilitate a more global, interoperable approach to AI laws. Finally, we held our 8th Annual Brussels Symposium in collaboration with the Brussels Privacy Hub of Vrije Universiteit Brussel (VUB), where lively in-person discussions took place covering this year’s topic, “Integrating the AI Act in the EU Data Governance Ecosystem: Bridging Regulatory Regimes.”

The Asia-Pacific 

FPF’s APAC office entered its fourth year of continued growth and became a main component of our global research. We provided a comprehensive analysis of strategy documents and key regulatory actions of the DPAs in 10 jurisdictions, published or developed in 2023 and 2024, setting out regulatory priorities for the following years. This includes Australia, China, Hong Kong, the Special Administrative Region of China (SAR), Japan, Malaysia, New Zealand, the Philippines, Singapore, South Korea, and Thailand. 

In July, FPF participated in Personal Data Protection Week 2024 (PDP Week), an event organized and hosted by the Personal Data Protection Commission of Singapore, examining emerging technologies, including generative AI, India’s landmark data protection legislation, and PETs. Our second annual Japan Privacy Symposium in conjunction with the 62nd Asia-Pacific Privacy Authorities (APPA) Forum, was a big success. In cooperation with the Personal Information Protection Commission of Japan (PPC), the Japan DPO Association, and S&K Brussels LPC, this year’s Symposium featured a keynote speech from Commissioner OHSHIMA Shuhei, which focused on emerging data protection and privacy trends in Japan.

Data Privacy in Latin America

The fourth edition of the Computers, Privacy, and Data Protection Conference Latin America (CPDP LatAm) was held in Rio de Janeiro, Brazil, where FPF organized a panel on the adoption and deployment of privacy-enhancing technologies in the region. The LATAM team also published an Issue Brief analyzing the regulatory strategies and priorities of data protection authorities (DPAs) in Latin America. 

We dissected “neurorights,” a set of proposed rights that specifically protect mental freedom and privacy, which have captured the interest of many governments, scholars, and advocates, which is very apparent in Latin America. FPF looked into several countries that are actively seeking to enshrine these rights in law, including Chile, Mexico, and Brazil.

The African Continent

We gave an overview of harmonization efforts in regional and continental data protection policies in Africa and the role of Africa’s 8 Regional Economic Communities (RECs) and submitted comments to the Nigeria Data Protection Commission (NDPC) on the proposed General Application and Implementation Directive (GAID).

Federal and State U.S. Legislation

FPF played a critical role in informing both federal and state government entities on protecting data privacy interests.

We provided recommendations and filed comments with the following:

2024 saw an expansion of comprehensive privacy laws across U.S. states, including Rhode Island, Vermont, Minnesota, New Hampshire, and New Jersey. Colorado’s adoption of the Global Privacy Control (GPC) as an Universal Opt Out Mechanism (UOOM) was a critical development for vendors, publishers, advertisers, and users, and the state is also the first to enact state AI legislation. Maryland passed the  Maryland Online Data Privacy Act (MODPA) as well as the Maryland Age-Appropriate Design Code Act” (Maryland AADC)

Following Connecticut’s lead last year, Virginia and Colorado both amended their state privacy laws to add specific online protections for kids’ data. FPF also examined genetic privacy laws from Montana, Tennessee, Texas, and Virginia and to show how they compare to FPF’s widely adopted Best Practices for Consumer Genetic Testing Services

This year also marked the 14th annual Privacy Paper for Privacymakers Award on research for policymakers in the U.S. Congress, U.S. federal agencies, and international data protection authorities. The event was kicked off at Capitol Hill, featuring an opening keynote by U.S. Senator Peter Welch (D-VT). FPF honored winners of internationally focused papers in a virtual conversation the following week. 

Youth & Education

In 2024, federal and state policymakers continued to work on legislation that protects children online, including the Kids Online Safety and Privacy Act (KOSPA) and the California Age-Appropriate Design Code Act (AADC). FPF’s work includes a breakdown of bills related to children’s online safety and a checklist designed for K-12 schools to help vet generative AI tools.

FPF published a blog in August that contextualized the Kids Online Safety and Privacy Act (KOSPA), which includes two bills that gained significant traction in the Senate in recent years: the Kids Online Safety Act (KOSA) and Children and Teens Online Privacy Protection Act (“COPPA 2.0”). 

In July, we explored how the California Age-Appropriate Design Code Act (AADC) catalyzed conversations in America around protecting kids and teens online. We also analyzed the implications of the CA AADC and the evolving landscape of children’s online privacy. 

As children spend more time online, lawmakers have continued introducing legislation to enhance the privacy and safety of kids’ and teens’ online experiences beyond the Children’s Online Privacy Protection Act (COPPA) framework. FPF analyzed the status quo of knowledge standards under COPPA and provided key observations on the current knowledge standards in various state privacy laws.

We also released a checklist and accompanying policy brief designed specifically for K-12 schools to help them vet generative AI tools for compliance with student privacy laws, outlining key considerations when incorporating generative AI into a school or district’s edtech vetting checklist. 

With young people adopting immersive technologies like extended reality (XR) and virtual world applications, companies have expanded their presence in digital spaces, launching brand experiences, advertisements, and digital products. FPF analyzed recent regulatory and self-regulatory actions related to youth privacy in immersive spaces while also pulling out key lessons for organizations building spaces in virtual worlds. 

Diving Deeper into Privacy Enhancing Technologies (PETs) Research and Large Language Models (LLMs)

2024 also marked further exploration into Privacy Enhancing Technologies (PETs) with FPF’s establishment of the PETs Research Coordination Network (RCN) and the creation of the PETs Repository. Additionally, we further explored large language models (LLMs) and whether or not they contained personal information. 

In February, the National Science Foundation (NSF) and the Department of Energy (DOE) awarded FPF grants to support its establishment of a Research Coordination Network (RCN) for Privacy-Preserving Data and Analytics. FPF’s work will support developing and deploying Privacy Enhancing Technologies (PETs) for socially beneficial data sharing and analytics. 

In July, FPF also launched the Privacy-Enhancing Technologies (PETs) Research Coordination Network (RCN), bringing together a group of cross-sector and multidisciplinary experts dedicated to exploring PETs’ potential in AI and emerging technologies and stewarding their adoption and scalability. Building on these initiatives and other efforts, FPF launched the PETs Repository, a webpage that consolidates available resources and developments around the development and deployment of PETs. 

FPF further delved into LLMs to explore if they contain personal data. If they do, what requirements must companies follow for processing personal data for training AI models? Recent analysis focused on Brazil’s Autoridade Nacional de Proteçao de Dados Pessoais (ANPD) and issuing a preliminary decision on the legal basis for processing personal data in LLMs. We also wrote a blog on California’s recently passed Assembly Bill 1008 applying CCPA privacy rights to LLMs and whether personal data exists in an AI model. An online discussion in a LinkedIn Live featuring FPF experts also delved into LLMs and personal data.

Facilitating Privacy Thought Leadership Home and Abroad   

To celebrate the milestone of 15 years, FPF convened leading data protection regulators and FPF members at our 15th Anniversary Spring Social. The event also marked the transition of FPF Board Chairman Christoper Wolf, recognizing his founding role at FPF and many years of leadership.  We welcomed our new Board Chair, Alan Raul. 

High-level engagement from the year included:

The above is only a partial  list of FPF initiatives from the year but highlights some of our major achievements. We thank all those who contributed, participated, advised and supported. Continue to follow FPF’s work by subscribing to our monthly briefing and following us on LinkedIn, Twitter/X, and Instagram. On behalf of the FPF team, we wish you a very Happy New Year and look forward to what’s to come in 2025!

OAIC’s Dual AI Guidelines Set New Standards for Privacy Protection in Australia

On 21 October 2024, the Office of the Australian Privacy Commissioner (OAIC) released two sets of guidelines (collectively, “Guidelines”), one for developing and training generative AI systems and the other one for deploying commercially available “AI products”. This marks a shift in OAIC’s regulatory approach from enforcement-focused oversight to proactive guidance. 

The Guidelines establish rigorous requirements under the Privacy Act and its 13 Australian Privacy Principles (APPs), particularly emphasizing accuracy, transparency, and heightened scrutiny of data collection and secondary use. Notably, the Guidelines detail conditions that must be met for lawfully collecting personal information publicly available online for purposes of training generative AI, including through a detailed definition of what “fair” collection means. 

This regulatory development aligns with Australia’s broader approach to AI governance, which prioritizes technology-neutral existing laws and voluntary frameworks while reserving mandatory regulations for high-risk applications. However, it may signal increased regulatory scrutiny of AI systems processing personal information going forward. 

This blog post summarizes the key aspects of these Guidelines, their relationship to Australia’s existing privacy law, and their implications for organizations developing or deploying AI systems in Australia.

  1. Background: AI Regulation in Australia and the Role of OAIC

Australia, like many jurisdictions globally, is currently in the process of developing its approach to AI regulation. Following a public consultation on “Safe and Responsible AI in Australia” in 2023, the Australian Government issued an “Interim Response” outlining an approach that seeks to regulate AI primarily through existing, technology-neutral laws and regulations, prioritizing voluntary frameworks and soft law mechanisms, and potentially reserving future mandatory regulations for high-risk areas. This stands in contrast to the European Union’s AI Act, which introduces a comprehensive regulatory framework covering a broader range of AI systems.  

While the Australian Government has been giving shape to the country’s overall approach to AI regulation, several Australian regulators, as part of the Digital Platform  Regulators (DP-REG) Forum, have been closely following developments in AI technology, co-authoring working papers on large language models (2023) and more recently, multimodal foundation models (2024). 

The OAIC issued its first ever guidance on complying with the Privacy Act in the context of AI in a DP-REG working paper on multimodal foundation models released in September 2024.  It followed up the next month with two sets of more detailed guidelines that provide practical advice for organizations on complying with the Privacy Act and the APPs in two important contexts:

Both Guidelines are complementary, acknowledging and referring to each other, while addressing distinct phases in the AI lifecycle and different stakeholders within the broader AI ecosystem. However, they are not intended to be comprehensive. Instead, they aim to highlight the key privacy considerations that may arise under the Privacy Act when developing or deploying generative AI systems.

  1. The Guidelines Recognize Both AI’s Benefits and Significant Privacy Risks

Both Guidelines acknowledge AI’s potential to benefit the Australian economy through improved efficiency and enhanced services. However, they also emphasise that AI technologies’ data-driven nature creates substantial privacy risks that must be managed carefully. Key risks highlighted include:

To address these risks, both Guidelines emphasize that it is important for organizations to adopt a “Privacy by Design” approach when developing or deploying AI, and conducting Privacy Impact Assessments to identify and mitigate potential privacy impacts throughout the AI product lifecycle.

  1. The Guidelines Establish Rigorous Accuracy Requirements 

Organizations are required under APP 10 to take reasonable steps to ensure personal information is accurate, up-to-date, and complete when collected, and also relevant when used or disclosed. 

Both Guidelines emphasize that the accuracy obligation in APP 10 is vital to avoid the risks that may arise when AI systems handle inaccurate personal information, which range from incorrect or unfair decisions, to reputational or even psychological harm.

For AI systems, identifying “reasonable steps” under APP 10 requires organizations to consider: 

The Guidelines emphasize that generative AI models in particular present distinct challenges under APP 10 because they are trained on massive internet-sourced datasets that may contain inaccuracies, biases, and outdated information which can be perpetuated in their outputs. The probabilistic nature of these models also makes them prone to generating plausible but factually incorrect information, and their accuracy can deteriorate over time as they encounter new data or their training data becomes outdated.

To address these challenges, the Guidelines recommend that organizations should implement comprehensive measures, including thorough testing with diverse datasets, robust data quality management, human oversight of AI outputs, and regular monitoring and auditing. The key theme is that organizations must take proactive steps to ensure accuracy throughout the AI system’s lifecycle, with the stringency of measures proportional to the system’s intended use and potential risks.

  1. The Guidelines Make Transparency a Core Obligation Throughout the AI System Lifecycle

The OAIC’s guidelines also establish transparency as a fundamental obligation throughout the lifecycle of an AI system. Notably, however, the guidelines see transparency as an obligation that operates on multiple levels. 

The transparency obligation is rooted in APP 1, which requires organizations to manage personal information openly and transparently (including by publishing a privacy policy), and APP 5, which requires organizations to notify individuals about how their personal information is collected, used, and disclosed.

The Guidelines emphasize that in an AI context, privacy policies must provide clear explanations of how AI systems process personal information and make decisions. When AI systems collect or generate personal information, organizations must give timely and specific notifications that provide individuals genuine insight into how their information is processed and empower them to understand AI-related decisions that affect them.

To support this transparency framework, organizations must invest in comprehensive staff training to ensure employees understand both the technical aspects and privacy implications of their AI systems, enabling them to serve as knowledgeable intermediaries between complex AI technologies and affected individuals. This human oversight is to be complemented by regular audits and monitoring, which help organizations maintain visibility into their AI systems’ performance, address privacy issues proactively, and generate the information needed to maintain meaningful transparency with individuals.

  1. The Guidelines Place Heightened Scrutiny on Data Collection and Secondary Use 

The Guidelines underscore the need for heightened scrutiny on data collection practices under APP 3 and the secondary use of personal information under APP 6 in the AI context. The Guidelines also emphasize that organizations may face distinct challenges across different collection methods. 

With regard to challenges in data collection methods, the AI Developer Guidelines highlight that the collection of training datasets that may contain personal information through web scraping – defined as “the automated extraction of data from the web” – raises several concerns under APP 3

Notably, the Guidelines caution that developers should not automatically assume that information posted publicly can be used to train AI models. Rather, developers must ensure that they comply with APP 3 by demonstrating that: 

  1. Individuals’ reasonable expectations
  1. The sensitivity of the information; 
  1. The intended purpose of the collection, including the intended operation of the AI model; 
  1. The risk of harm to individuals;
  1. Whether the individuals concerned intentionally made the information public; and
  1. The steps the developer will take to prevent privacy impacts, including deletion, de-identification, and mechanisms to increase individuals’ control over how their information is processed; and 

The Guidelines therefore do not prohibit the collection of training data through web scraping, but they lay out detailed requirements that must be fulfilled to lawfully do so. Notably, the Guidelines define what “fair” collection of personal data through web scraping requires, bringing forward several dimensions to consider, from individuals’ perception of the collection and attitude when making the information public, to intrinsic characteristics of the information collected, to extrinsic assessments of risks of harm, to technical and organizational measures that are privacy-enhancing. The Guidelines acknowledge that organizations may face significant challenges in meeting many of these requirements. 

Further, the Guidelines note that many of the above considerations under APP 3 also apply to third-party datasets. The Guidelines therefore recommend that organizations seeking to rely on such datasets conduct thorough due diligence regarding data provenance and the original circumstances in which the information was collected. 

By contrast, when organizations seek to use their existing datasets to train AI models, the main consideration under the Guidelines is complying with APP 6, which governs secondary use of personal information. This principle requires organizations to either obtain informed consent or carefully evaluate whether AI training aligns with individuals’ reasonable expectations based on the original collection purpose. 

Throughout all methods, organizations must adhere to the principle of data minimization, limiting collection of personal information to what is strictly necessary, and must also consider techniques like de-identification or the use of synthetic data to further reduce risks to individuals.

  1. The AI Product Guidelines Require Organizations to Pay Attention to Privacy Throughout  the Deployment Lifecycle 

The AI Product Guidelines advocates for a “privacy by design” approach that integrates privacy considerations throughout the AI product lifecycle. 

They specifically call on organizations to conduct thorough due diligence before adopting AI products. Recommended steps include assessing the appropriateness of these products for their intended use, evaluating the quality of training data, understanding security risks, and analyzing data flows to identify parties that can access inputted information.

In the deployment and use phase, organizations must exercise strict caution when inputting personal information into AI systems, particularly systems that are provided to the public for free, such as AI chatbots. They emphasize the need to comply with APP 6 for any secondary use of personal information, minimizing data input, and maintaining transparency with individuals about how their information will be used. 

While the AI Product Guidelines primarily focus on APPs 1, 3, 5, 6, and 10, they also emphasize that several other APPs may play crucial roles, depending on how the AI product is being used. These APPs include: 

  1. Looking Ahead: The Guidelines Signal Increased Privacy Scrutiny for AI

The OAIC’s guidelines represent a significant step in regulating AI use in Australia that not only aligns with broader Australian government initiatives, such as the Voluntary AI Safety Standard, but also reflects a broader global trend of data protection authorities issuing rules and guidance on AI governance through existing privacy laws. 

The OAIC’s guidelines establish a foundation for privacy-protective AI development and deployment, but organizations must remain vigilant as both the technology and regulatory requirements continue to develop. The release of the Guidelines may hint at increased regulatory scrutiny of AI systems that process personal information, meaning that organizations that develop or deploy such systems will need to carefully consider their obligations under the Privacy Act and implement appropriate safeguards. 

Insights from the Second Japan Privacy Symposium: Global Data Protection Authorities Discuss Their 2025 Priorities, from AI, to Cross-Regulatory Collaboration

The Future of Privacy Forum (FPF) hosted the Second Japan Privacy Symposium (Symposium) in Tokyo on November 15, 2024. The Symposium brought together leading data protection authorities (DPAs) from around the world to discuss pressing issues in privacy and data governance. The Symposium featured in-depth discussions on international collaboration, artificial intelligence (AI) governance, and the evolving landscape of data protection laws.

event recap blog template (1)

The Symposium kickstarted the Personal Information Protection Commission of Japan’s (PPC) Japan Privacy Week, and was an official side-event of the 62nd Asia-Pacific Privacy Authorities (APPA) Forum (APPA 62). FPF is grateful for the collaboration and support from the PPC, the Japan DPO Association, and S&K Brussels LPC.

In this blog post, we share some of the key takeaways from the Symposium. 

Japan Privacy Symposium features global privacy regulators in Tokyo

The Symposium welcomed an esteemed line-up of speakers. Commissioner Shuhei Oshima from the PPC delivered the opening keynote. In his keynote, Commissioner Oshima shared about the PPC’s regulatory priorities for 2025. These included cross-border data transfers and the Data Free Flow with Trust initiative, as well as further collaboration with the G7 DPAs and bilaterally with various international regulators. 

Following the keynote, Gabriela Zanfir-Fortuna, Vice-President for Global Privacy at FPF moderated a panel on the regulatory strategies of APAC and global DPAs in 2024 and beyond. Gabriela was joined by Philippe Dufresne, Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada, Ashkan Soltani, Executive Director of the California Privacy Protection Agency (CPPA), Dr. Nazri Kama, Commissioner, Personal Data Protection Commissioner’s Office of Malaysia (PDPD), Thienchai Na Nakorn, Chairman, Personal Data Protection Committee of Thailand (PDPC), and Josh Lee Kok Thong, Managing Director for Asia-Pacific at FPF. 

Regulators in APAC have some common priorities, such as cybersecurity and cross-border data transfers

The panel kicked off with highlights from a recent report published by FPF’s APAC office, “Regulatory Strategies of Data Protection Authorities in the Asia-Pacific Region: 2024, and Beyond”, presented by Josh. In line with similar FPF work focusing on the EU, Latin America and Africa, the report provides a comprehensive analysis of strategy documents and key regulatory actions of DPAs in 10 major jurisdictions in Asia-Pacific, as well as an overview of key trends in the region.

There are three top common priorities for APAC’s major DPAs:

  1. First, cybersecurity and data breach responses, with 90% of the DPAs included in the Report prioritising this. However, jurisdictions are at various stages of implementing measures in these areas, while enforcement approaches also differ significantly.
  1. Second, cross-border data transfers, which are a priority for 80% of APAC DPAs. Jurisdictions are similarly taking a diversity of approaches, from taking a leading role in international initiatives, such as the Global Cross-Border Privacy Rules (CBPR) System (for instance, Japan and Singapore), to promoting the use of standardized contractual clauses (for instance, China, Japan and Singapore).
  1. Third, AI governance, with 70% of regulators prioritising this. Some have developed comprehensive policy frameworks and regulations for AI, while others have focused on issuing guidelines or addressing AI within existing regulatory structures.

Cross-regulatory and cross-border collaboration is a shared priority for regulators in APAC and beyond

During the panel discussion, one top regulatory priority surfaced was on cross-border collaboration. Commissioner Dufresne emphasized the importance of international cooperation in addressing privacy challenges. “At the OPC, we will continue to be focused on topics such as international collaboration,” he noted. Commissioner Dufresne discussed the OPC’s efforts to collaborate with domestic and international partners, including other regulators in fields such as competition, copyright, broadcasting, telecommunications, cybersecurity, and national security. “Data protection is key to so many of those things,” Commissioner Dufresne said. “It touches other regulators, so working very closely is something we’ve been discussing, including at the G7.”

Expanding regional and international collaboration was similarly a key priority for Malaysia. Commissioner Nazri noted that Malaysia’s PDPD had visited fellow regulators in the UK, EU, Japan, South Korea and Singapore. The PDPD had also just joined the APPA Forum, as well as the APEC Cross-Border Privacy Enforcement Arrangement (CPEA). Going forward, Commissioner Nazri noted that the PDPD would be “moving towards” applying for the Global Cross-Border Privacy Rules (CBPR) certification system. The PDPD is also taking steps towards meeting the EU’s adequacy requirements, with Commissioner Nazri expressing hope that Malaysia would attain EU adequacy “in the next two years.”

Similarly, Chairman Thienchai from Thailand’s PDPC noted that it had sent delegations to attend Global CBPR workshops, and that the PDPC could also be applying to be a member of the Global CBPR system soon. 

Regulators are balancing between AI innovation and risk, while managing an ever-growing pool of AI-related issues

AI remains a top concern for regulators worldwide. Commissioner Dufresne stated that ensuring the protection of privacy in the context of emerging and changing technology is a key priority for the OPC. “Certainly, generative AI and other emerging technologies like quantum computing and neurorights are changing the landscape,” he said. “We need to use innovation to protect data.”

He emphasized the importance of leveraging technology to protect privacy, noting that AI can be used as a tool against threats like deepfakes. The OPC is also looking to work with cross-regulatory partners to address issues such as synthetic media. “We’re looking to work with cross-regulatory partners in identifying specific areas and seeing what are the common areas or perhaps different areas of privacy and competition with a specific topic like synthetic media,” he explained.

California’s CPPA has also been at the forefront of rule-making and enforcement actions pertaining to AI and automated decision-making challenges. In this regard, Director Soltani observed that “there is no AI without PI (personal information).” The CPPA has thus had to develop deep expertise in AI while acting as California’s privacy regulator. Besides focusing on rule-making, the CPPA has been conducting enforcement sweeps in various sectors, starting with the connected vehicle sector. 

The task of applying data protection laws to AI and issuing relevant industry guidance is also one that Thailand’s PDPC is working on. Chairman Thienchai noted that the PDPC had “established a working group study” on how AI is impacting the protection mechanism under Thailand’s Personal Data Protection Act, with results expected in the first quarter of 2025. Thailand’s PDPC is also working to issue guidelines on the intersection of AI and the PDPA. The guidelines could state, for instance, that in using personal data to train AI systems, developers have to do so on an anonymised basis. 

Regulators continue to work on implementing updates to data protection laws to deal with new and emerging challenges

A third theme that emerged from the panel discussion was how regulators were planning to continue working on updates to their data protection laws – and implementing them – in 2025.

For California’s CPPA, Director Soltani highlighted that his agency was deeply engaged in rule-making, especially in these areas: (a) cybersecurity, where companies in California will be required to perform and submit cybersecurity assessments to the CPPA; (b) data protection impact assessments or risk assessments, where companies will be required to perform such assessments including where they deploy AI tools; and (c) automated decision-making technologies and AI. Director Soltani also highlighted the ongoing work of implementing aspects of the California Consumer Privacy Act (CCPA). For instance, with the CPPA’s Data Broker Registry, the CPPA is working on setting up a one-stop shop by January 2026, where Californians will “have the ability to go to one place and request that all of their data be deleted from all of these companies.”

For Malaysia, Commissioner Nazri provided an update on recent amendments to Malaysia’s Personal Data Protection Act (PDPA) that were passed in late-2024. “The amendment was presented to our national parliament in July this year and was officially approved on July 31,” he noted. Commissioner Nazri noted several key changes to the PDPA, including:

Commissioner Nazri also noted that the PDPD would be issuing 19 new documents in tranches throughout 2025. Specifically, these were nine pieces of subsidiary legislation, two circulars (or Commissioner’s Orders), seven guidelines, and one standard. Commissioner Nazri further shared that work was ongoing to re-formulate the PDPD into an independent Commissioner’s Office. 

For Thailand, while Thailand had passed its PDPA in 2021, Chairman Thienchai noted that Thailand’s PDPA contained a review requirement to update the law if necessary. Chairman Thienchai thus noted that the PDPC would be working in 2025 to introduce a proposal to amend the PDPA “to catch up with the global community.” Further, Chairman Thienchai acknowledged challenges with data breaches, especially in the public sector, and emphasized the need for coordination among agencies. “We have to coordinate with other agencies to improve the enforcement mechanism in the PDPA,” he said.

Finally, the PDPC is prioritizing cross-border data transfers. “We issued some subordinate laws related to cross-border transfers and we adopted ASEAN Model Contractual Clauses (MCCs) and also EU Standard Contractual Clauses (SCCs) in our subordinate laws,” Chairman Thienchai explained, concluding with an update that his office is “promoting ASEAN MCCs with the Thai Chamber of Commerce.”

Conclusion

The second edition of the Japan Privacy Symposium showcased the shared challenges and priorities among global data protection authorities. From AI governance to cross-regulatory collaboration and legal reforms, the Symposium highlighted the need for continued dialogue, cooperation, and information-sharing. 

Following the Symposium, FPF was also honored and privileged to have been invited to participate in speaking opportunities during the closed and public sessions of APPA 62. In particular, Gabriela moderated a session on AI governance and regulation, while Josh spoke on a panel on balancing innovation and data protection.

FPF remains committed to facilitating these important conversations and advancing the discourse on privacy and emerging technologies globally.

Five Big Questions (and Zero Predictions) for the U.S. State Privacy Landscape in 2025

In the enduring absence of a comprehensive national framework governing the collection, use, and transfer of personal data, state-level activity on privacy legislation has been on a consistent upward trend since the enactment of the California Consumer Privacy Act in 2018. With all 50 U.S. states scheduled to be in session in 2025, stakeholders are anticipating yet another year of expansion and divergence across the state privacy landscape. It is still too early to predict which states will adopt or amend their privacy laws so instead this article explores the five big questions set to shape American privacy law in the coming year.

  1. Will a new consensus emerge on data minimization (and would it change anything)? 

State privacy laws have traditionally incorporated the principle of data minimization by prohibiting data processing beyond what is reasonably necessary to accomplish the purposes that are disclosed to a user. Consumer advocates have long objected to this approach, arguing that it incentivizes companies to bury broad disclosures in dense privacy notices, resulting in little, if any, heightened protection. This year, in a potentially paradigm-shifting move, the Maryland Online Data Privacy Act became the first state comprehensive law to attempt to depart from the typical data minimization standard by placing new limits on the collection and use of data tied to the activities necessary to provide a specific product or service requested by a consumer. My colleague Jordan Francis has called the classic approach “procedural data minimization” and the Maryland approach “substantive data minimization.” 

While Maryland is the only comprehensive state privacy law to adopt a substantive data minimization approach, proposals in Vermont and Maine that came close to enactment this year contained similar language. Heightened data minimization provisions are also elements of recent sectoral laws including the Washington State My Health My Data Act, the New York Child Data Protection Act, and the Virginia Child Data Privacy Amendment. Taken together, these frameworks portend a new trend toward substantive data minimization standards; however, their statutory requirements vary in subtle but consequential ways. Distinctions include whether new minimization standards (1) apply to the collection or the processing of data, (2) limit data processing to what is “reasonably” necessary, “strictly” necessary, or just plain “necessary” to provide a requested product or service, and (3) are subordinate to other bases for using personal data, such as a list of “permissible purposes” (e.g. protecting data security) or if consistent with consumer consent. 

The emergence of substantive data minimization requirements in state privacy laws represents an attempt to depart from the much maligned “notice and consent” approach to consumer privacy law. However, the ultimate impact of these emerging standards is not yet clear, and is expected to be largely shaped by future trends in interpretation, implementation, and enforcement. Consider the following, yet unanswered, questions about these “necessity” data minimization standards:

  1. Will data brokers face renewed scrutiny?

Perhaps the biggest surprise of the 2024 cycle has been the lack of legislative activity directly focused on the information collection and sharing practices of data brokers. The third party collection and sale of sensitive data, including health and location information, has been the subject of several high profile media investigations and is increasingly cited as a potential threat to national security. However, this year no new states passed data broker specific privacy laws and very few such bills were even introduced.

The scarcity of state level attention is even more noticeable when considering national efforts. New restrictions and enforcement concerning the brokering of personal information was one of the few privacy topics on which federal policymakers were particularly active this year. For example, the Biden Administration’s Executive Order 13873, the Protecting Americans Data from Foreign Adversaries Act, and the Federal Trade Commission’s litigation against Kochava and settlements with Gravy Analytics and Mobilewalla

However, privacy legislation constraining the activities of data brokers could be set for a comeback in 2025 and lawmakers have a number of options they could pursue. In November, a coalition of data brokers decisively lost a bid to strike down New Jersey’s Daniel’s Law, which empowers certain government employees to request the removal of personal information from public websites. Furthermore, data broker registry laws are now in effect – and increasingly being enforced – in California, Texas, Oregon, and Vermont. California is also attracting attention for its efforts to build a “one stop shop” accessible deletion mechanism intended to allow individuals to request the deletion of their personal information across the entire data broker ecosystem.

On the other hand, it is possible that lawmakers will instead choose to address concerns about the data broker industry through more comprehensive regulatory approaches. There are inherent challenges to singling out a particular industry or practice for regulation that often raise complicated line drawing issues. A possible template for such a broader approach may be the aforementioned Maryland Online Data Privacy Act, which contains a unique standalone restriction on the sale of sensitive personal data.

  1. Which laws will be subject to legal challenges?

Several recent state privacy laws have been met with constitutional challenges, often concerning their intersection with First Amendment protected activity and impact to interstate commerce. To date, the most common litigation (and industry success in seeking injunctions) has involved laws requiring social media companies to conduct age verification and limit to features/access to certain child users. At the same time, lawmakers have continued to iterate on these proposals in search of a framework that can reliably withstand constitutional scrutiny – industry has notably only secured a partial injunction of the Texas SCOPE Act. 

Looking ahead to 2025, legislative experimentation and industry litigation concerning children’s online safety and privacy laws are likely to continue apace. However, the tenor of these challenges may evolve following the Supreme Court’s decision in NetChoice v. Moody. While that case involved state laws regulating the content moderation practices of social media companies, several Justices expressed disapproval of how the case was brought as a “facial challenge” prior to enforcement, which may shift litigation strategies to focus on “as applied challenges”.  

Stakeholders should also pay close attention to privacy laws in California and Maryland. In California, industry groups have already raised concerns that recent California Privacy Protection Agency rulemaking activity – on both data brokers and automated decisionmaking technology opt-outs – exceeds the bounds of the Agency’s statutory authority and is in violation of the California Administrative Procedure Act. Separately, while the Maryland Age Appropriate Design Code was drafted to remove any direct requirements to moderate content, the law’s risk assessment requirements may still contain “proxies for content” that Ninth Circuit found to likely violate the First Amendment in California’s version of the law.

  1. How will lawmakers approach artificial intelligence? 

Opportunities, risks, and hype surrounding advancements in artificial intelligence (AI) technologies have impacted every domain in tech policy, and data privacy is no exception. In fact, privacy rules may emerge as one of the more successful levers for governing AI. For example, existing technology-neutral privacy laws will already apply to AI systems to the extent that they collect, process and output personal information. In particular, transparency, security, risk assessment, and consumer choice requirements under existing laws are poised to have significant influence on the development and use of new AI tools.

It is also important to recognize that AI is not a single technology, but can encompass a range of systems, some of which have been with us for decades (such as facial recognition technology) and some of which are still emerging (such as general purpose ‘foundation’ models). Lawmakers therefore have an array of approaches from which they could address AI safety, transparency, and fairness. For example, they could comprehensively regulate a broad range of technologies and harms, which is the approach taken by the draft Texas Responsible AI Governance Act. They may also seek to regulate a particular AI technology or use case such as “‘deep fakes” in political advertisements. Finally, lawmakers could also bake new AI-specific requirements into comprehensive privacy laws, as Minnesota did this year by creating a new right to contest the result of significant profiling decisions.

President-elect Donald Trump’s promise to repeal the Biden Administration’s AI Executive Order and incoming FTC Chair Ferguson’s leaked agenda to “terminate all initiatives involving so called… AI ‘bias’” could also inspire state lawmakers to focus on the use of AI systems in a manner that results in unlawful discrimination. This was the focus of the Colorado AI Act, which was enacted this year and that may serve as a template for similar state level efforts. However, efforts to establish a harmonized state-level approach to regulating discriminatory outcomes in high-risk systems may be complicated: Colorado’s pathsetting law is likely to be further shaped by amendments and rulemaking prior to taking effect.

  1. How will the new administration and congress impact the state privacy landscape?

Next year, President-elect Trump will enjoy narrow but meaningful majorities in both chambers of congress. The Republican Party has historically supported the enactment of broadly preemptive privacy legislation, raising the possibility – however faint – that some or all of the emerging state privacy ‘patchwork’ could be superseded by new federal legislation. Business groups may see a window of opportunity to advocate for a broadly preemptive national privacy framework modeled on existing state laws like the Texas Data Privacy and Security Act. However, at present there is little to suggest that preemptive comprehensive privacy will be a top priority for Republican lawmakers during the next congress, though bipartisan movement on child-specific online safety legislation appears more likely.

The November election results will influence not only the legislative agenda in Washington D.C., but also legislative activity in the states. Democratic governors and attorneys general are already discussing legislative and legal strategies to attempt to minimize or block various priorities of the Trump agenda. Concerns about the incoming administration’s approach to issues like immigration, law enforcement, and health care may be a motivating factor for commercial privacy legislation in Democrat-controlled states. For example, in a potential sign of things to come, Democratic Senators in Michigan rapidly sought to establish new protections for “reproductive health data” during the State’s ‘lame duck’ session immediately following the November election. 

Outside of a few notable examples, recent state privacy laws have typically been enacted on an overwhelmingly bipartisan basis. However, this pattern could shift next year should commercial privacy become increasingly intertwined with other, more polarized issues. Therefore, while 2025 is likely to be as active as ever for legislative activity, this dynamic could ultimately reduce the amount of bills that are enacted compared to prior years. 

Do you have the answers to these questions or are you brave enough to make your own predictions? Email the author of this post at [email protected] 

In a Landmark Judgment, The Inter-American Court of Human Rights Recognized an Autonomous Right to Informational Self-Determination

The following is a guest post to the FPF blog by Jonathan Mendoza Iserte, Secretary of Personal Data Protection at Mexico’s Instituto Nacional de Transparencia y Acceso a la Información y Protección de Datos Personales (INAI), and Nelson Remolina Angarita, Professor at the Faculty of Law, Universidad de los Andes, (Colombia). The guest blog reflects the opinion of the authors only. Guest blog posts do not necessarily reflect the views of FPF.

The right to “informational self-determination” has recently emerged as an autonomous fundamental right within the Inter-American legal sphere, following a landmark ruling by the Inter-American Court of Human Rights (IACHR) in the case Members of the José Alvear Restrepo Lawyers’ Collective vs. Colombia, issued on October 18th, 2023. Its protection is essential for the exercise of other fundamental rights, such as the right to privacy, reputation, the right to defense, and the right to security within the Inter-American system of fundamental rights. The case was brought to the attention of the IACHR on July 8, 2020, by the Inter-American Commission on Human Rights and it highlights the obligation of States to protect the right to informational self-determination against practices of surveillance, harassment, and the collection of personal information by state agencies. The Court examined the allegations related to the intelligence activities carried out by the Colombian State against members of the José Alvear Restrepo Lawyers’ Collective (CAJAR), an organization dedicated to the defense of human rights in Colombia, which resulted in threats, intimidation, and a climate of insecurity that forced several of its members into exile.

The facts of the case concern events that began in the 1990s. It has been alleged that during intelligence operations, information was collected about members of CAJAR and that this information was misused, including being handed over to illegal armed groups. It was noted that the victims “did not have access to an effective remedy to address their claims related to accessing the intelligence database” of the State.

Although the ruling covers a wide range of human rights issues, in this piece we will focus solely on matters related to data protection or informational self-determination. The purpose of this analysis is to analyze the most relevant aspects of the case regarding the right to personal data protection, exploring its development and recognition as an autonomous human right that must be respected and upheld within the Inter-American human rights system. Specifically, it will address how the Inter-American Court has integrated this right into the framework of state obligations, and how its violation affects not only the privacy of individuals but also their ability to exercise other fundamental rights.

1. Importance of the CAJAR Ruling regarding personal data processing in the Inter-American human rights system 

 With the CAJAR landmark ruling, the IACHR expressly recognized informational self-determination as an autonomous human right for the first time, which must be respected and upheld within the Inter-American human rights system. Indeed, in its judgment Series C No. 506 of October 18, 2023, the IACHR concluded:

586. In the view of the Inter-American Court, the aforementioned elements give shape to an autonomous human right: the right to informational self-determination, recognized in various legal systems in the region, and which finds its basis in the protective content of the American Convention, particularly in the rights enshrined in Articles 11 and 13, and, in terms of its judicial protection, in the right guaranteed by Article 25.”1(…)

588. Ultimately, it is an autonomous right that, in turn, serves as a guarantee for other rights, such as those concerning privacy, the protection of honor, the safeguarding of reputation, and, in general, human dignity. It is worth noting that this right extends, with the applicable limitations (see paras. 601 to 608 below), to any personal data held by any public body, and it similarly applies to records or databases managed by private entities, issues that are not addressed in detail due to the scope of this international case.” (Emphasis added)

This is a ruling of great significance within the Inter-American human rights system because it imposes obligations on States and opens the door for it to be upheld by international courts of justice.

The Inter-American Human Rights System (IAHRS) is based on the American Convention on Human Rights (ACHR), where States voluntarily commit to respecting and guaranteeing the rights established in the treaty, including the right to informational self-determination. This right encompasses the ability to access and control personal data held in public records. In this context, as noted in the CAJAR ruling, the state’s actions constituted a violation of this right, prompting the Court to issue binding rulings that may require reparations, legislative reforms, or other measures to remedy and prevent future violations.

The IACHR does not have enforcement powers comparable to those of national courts, its rulings are based on the principle of state consent under international law and are reinforced through mechanisms such as diplomatic pressure, reputational accountability, and domestic implementation. States are expected to integrate these rulings into their legal systems, and non-compliance may lead to international scrutiny. 

Adopting mechanisms to guarantee this right in practice (not just on paper or in theory) is  one of the obligations States must fulfill, as emphasized by the IACHR:

599. In any case, the Inter-American Court reiterates that the effectiveness of the right to informational self-determination requires States to provide adequate, swift, free, and effective mechanisms or procedures to process and address requests, either by the same authority managing the data or by another competent institution in matters of personal data protection or oversightdocs (see para. 582). (…) This requirement, derived from the obligation established in Article 2 of the American Convention, which encompasses the issuance of regulations and the development of practices conducive to the observance of human rights, including appropriate administrative procedures, constitutes an essential guarantee for asserting and exercising this right.”2 (Emphasis added)3

In the operative part of the ruling, the IACHR decided, among other things, the following:

13. The State is internationally responsible for the violation of the right to informational self-determination, recognized in Articles 11.2 and 13.1 of the American Convention on Human Rights, in relation to the obligations to respect and guarantee rights, and to adopt domestic legal provisions as established by Articles 1.1 and 2 of the same international instrument.” Specifically, the IACHR declared the violation of the right to informational self-determination because the victims of arbitrary intelligence activities were not guaranteed “access to the data that the intelligence agencies had collected about them. Furthermore, such access was hindered due to the limited progress in purging the archives of the now-defunct DAS” (paragraph 1011).

Given the above, the IACHR ordered a purge of the archives4 of the defunct Administrative Department of Security (DAS) to ensure that victims can access their information and exercise the eventual correction, cancellation, or deletion of data held in the archives (paragraph 1011). Additionally, the IACHR demands that, during the purging of the archives, “authorities must ensure the protection of sensitive data contained in the archives regarding which public access may eventually be granted” (paragraph 1013).

Moreover, the IACHR ordered that:

36. The State shall proceed with the approval of the necessary regulations to implement reasonable, swift, simple, free, and effective mechanisms or procedures that allow individuals to access and control the data held on them in intelligence archives, in accordance with the scope of the right to informational self-determination, as detailed in paragraphs 1059 and 1060 of this Judgment.

This order vindicates an essential aspect of the right to data protection, which not only includes access to the data but also the existence of effective mechanisms to that end. This means that it is not enough to create formal or theoretical tools, but rather useful and timely tools to ensure that rights are realized or guaranteed in practice.

The IACHR’s decision has been compared to the 1983 ruling of the Federal Constitutional Court of Germany on the law regarding the population, profession, and workplace census (Census Law), which highlighted the importance and scope of the right to “informational self-determination” and outlined the factual, legal, and administrative conditions that should govern the collection and processing of personal data through population censuses.

The right to informational self-determination encompasses the trilogy made up of the person, their personal data, and their constitutional rights. It represents an essential right that is gaining increasing relevance in the face of the growing use of information about individuals, and it is realized in the ability of individuals to decide when and within what limits personal matters are made public, as well as in controlling what happens to their personal data. The ruling points out that the current and future conditions of data processing endanger self-determination because technologies make it easier to: 

(1) Archive personal data indefinitely; 

(2) Integrate that information with data from other databases anywhere in the world; 

(3) Review or consult personal data in seconds. 

Added to this is the individual’s inability or difficulty in controlling both the use of their personal data and the quality of the information about them.

As with other rights, informational self-determination is not guaranteed without limits. The ruling clarifies that “the individual does not have unlimited or absolute dominion over their data.” The prevalence of the public interest justifies the imposition of certain restrictions to live in society. For those limitations to be valid and legitimate, they must be based on a legal or constitutional mandate.

2. The right to informational self-determination, as cornerstone of democratic regimes in Latin America

The ruling of the IACHR in the CAJAR case not only represents a milestone in recognizing informational self-determination as an autonomous human right but also presents an urgent challenge for Latin American states regarding the protection of fundamental rights in the digital environment. In a region still facing deep inequalities, conflicts, and institutional fragility, the protection of personal data and privacy is not only essential to safeguarding individual rights, but also to strengthening the democratic regime upon which human rights are based.

A solid democratic regime depends on transparency, accountability, and the unrestricted respect for citizens’ rights, where the right to informational self-determination plays a vital role. Undue state surveillance, mass data collection without control, and information leaks, as evidenced in the CAJAR case, are practices that undermine public trust in institutions and create an environment of insecurity and harassment, especially for those who defend human rights or criticize power. Therefore, protecting personal information becomes a fundamental guarantee for free citizen participation without fear of reprisals.

At the regional level, Latin American countries need to strengthen their legal frameworks to protect personal data and ensure that informational self-determination is respected in practice, not just on paper. In this sense, a key recommendation is that states adopt robust data protection laws aligned with international standards, such as the Council of Europe’s Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data and its additional protocol on supervisory authorities and transborder data flows; the Ibero-American Data Protection Standards of the Ibero-American Data Protection Network, and the updated Principles on Privacy and Personal Data Protection of the Organization of American States (OAS), which can serve as a model. 

These laws must establish clear and effective mechanisms for citizens to access, rectify, and delete their data, and these mechanisms must be agile, free, and accessible to all sectors of the population, particularly the most vulnerable. Additionally, it is essential to have independent data protection authorities equipped with sufficient resources to oversee compliance with regulations and with sanctioning powers.

In addition to strengthening legal frameworks, it is imperative that Latin American countries develop secure technologies and platforms that enable accountable data processing. The use of encryption and other Privacy Enhancing Technologies, regular security audits, and the responsible purging of databases are fundamental steps to ensure that sensitive information is protected from unauthorized access. In the case of the now-defunct DAS in Colombia, the IACHR ruling ordered the purging of intelligence files, highlighting the need for states to implement effective protocols to guarantee the deletion or rectification of obsolete personal data or data collected arbitrarily without specific purposes.

Strengthening the democratic regime in the region means recognizing that the protection of personal data and the right to privacy are not privileges, but fundamental pillars for the defense of all human rights. Respect for informational self-determination not only protects citizens from abuses of power but also fosters trust in democratic institutions, creating a more transparent, secure, and participatory environment.

The construction of a strong democracy in Latin America necessarily involves a robust defense of digital rights, where informational self-determination and data protection are unrestricted guarantees for all citizens. As Yuval Noah Harari points out, “It is not enough for a democratic government to refrain from infringing on human and civil rights. It must take steps to guarantee them.”

  1.  See Inter-American Court of Human Rights Judgment of October 18, 2023. Series C No. 506. The official text of the judgment can be consulted at: https://jurisprudencia.corteidh.or.cr/vid/953775991. ↩︎
  2. See Inter-American Court of Human Rights Judgment of October 18, 2023. Series C No. 506. The official text of the judgment can be consulted at: https://jurisprudencia.corteidh.or.cr/vid/953775991. ↩︎
  3. See Inter-American Court of Human Rights Judgment of October 18, 2023. Series C No. 506. The official text of the judgment can be consulted at: https://jurisprudencia.corteidh.or.cr/vid/953775991. ↩︎
  4. The operative part of the judgment states the following: ’23. The State shall proceed with the purification of intelligence files in order to guarantee the victims’ right to informational self-determination regarding the data concerning them in such files, in the terms of paragraphs 1011 to 1014 of this Judgment.’ ↩︎

Brussels Privacy Symposium Report 2024

This year’s Brussels Privacy Symposium, held on 8 October 2024, convened global stakeholders from across Europe and beyond for in-depth discussions on the EU AI Act in the context of the broader EU digital ecosystem. Co-organized jointly by the Future of Privacy Forum and the Brussels Privacy Hub of the Vrije Universiteit Brussel, the eighth edition of the Symposium was a melting pot of brilliant minds from across academia, regulatory authorities and policymakers, industry, and civil society. 

In addition to three expert panels exploring notions of risk and impact assessments across the EU digital rulebook, prohibitions and obligations for sensitive data processing, and an increasingly complex enforcement landscape, the organizers also welcomed Mark Scott, Senior Resident Fellow at the Atlantic Council’s Digital Forensics Research Lab for the Opening Keynote. With previous roles as chief technology correspondent for Politico, and more than a decade as correspondent for the New York Times, Scott provided a thorough and frank analysis of Europe’s “digital challenge” as the focus shifts from rulemaking to enforcement. 

For this year’s program, Professor Adriana Iamnitchi, Chair of Computational Social Sciences at Maastricht University, presented research findings from a cutting-edge project analyzing search trends and patterns on prominent social media platforms to identify mis/disinformation. And finally, European Data Protection Supervisor Wojciech Wiewiórowski and Professor Gloria González-Fuster of the Vrije Universiteit Brussel sat together for a candid closing dialogue on the future of data protection

In the Report of the Brussels Privacy Symposium 2024, you can read the key takeaways from the highlights mentioned above, along with many more practical and actionable insights on the complex interplay between the different elements of the EU data strategy architecture. 

Read the Report