Reproductive Rights Have Been Privacy Rights For 50 Years
About fifty years ago, the U.S. Supreme Court decided a case that would provide the basis for federal privacy protections for reproductive health decisions. The importance of protecting reproductive information and choice, particularly where abortion was concerned, was the basis for Roe v. Wade (1973) and Planned Parenthood v. Casey (1992), which provided women and pregnant individuals a basis for believing that their reproductive status and choices were confidential between them and their chosen healthcare provider. That decision was the law of the land for the decades that followed.
Two years ago, on June 24, 2022, the Supreme Court issued its decision in Dobbs v. Jackson Women’s Health Organization, overturning Roe and Casey, and removing the constitutional protections around reproductive choice and information, instigating and catalyzing a spate of laws criminalizing the act of seeking or providing abortion. In addition to reducing medical access and kindling distrust in reproductive health technologies, the decision propelled economic disruption and sparring between legal jurisdictions from cities to states to federal.
The effects have also spilled beyond the traditional healthcare and medical spaces. Suppliers of consumer-facing health and health-adjacent applications and services, from “period tracker” apps to activity loggers, have been forced to grapple with the question of how to continue to render their core services while ensuring that individuals’ data is protected against access that could lead to prosecution or persecution. Perceptions of privacy risks around data have become a significant weight on the balancing scale between protecting reproductive privacy and developing technologies and data that progress reproductive care and health.
In the wake of Dobbs, reproductive data and inferences drawn regarding reproductive status, as well as related information, have become a significant area of inquiry by lawmakers and regulators. State and federal lawmakers and regulators have coalesced around privacy as the basis for reproductive rights, generating proposals that weigh heavily on the side of restricting sensitive data to achieve protection. These include:
Laws and rules restricting the transfer of data between adversarial jurisdictions including ‘Shield Laws’ created by abortion-protective states to reduce data sharing for prosecution of abortion seekers and providers. In response to Executive Order 14076 on “Securing Access to Reproductive and Other Healthcare Services,” the Department of Health and Human Services (HHS) recently issued a rule prohibiting the use of reproductive information for investigative or prosecutorial purposes where “reproductive care may be assumed to be lawful in the context it was given” and emphasizing confidentiality as integral to patient-provider trust.
Explicit and emphatic protections for reproductive and gender-affirming care in broader privacy laws such as Washington state’s ‘My Health, My Data’ Act (MHMDA), described as a comprehensive privacy law. The portions and variations of the MHMDA ‘framework’ has made cameos in other state laws, including two recent proposals that ultimately failed to become law – the arguably more expansive New York S 158E that failed to receive the requisite votes and Vermont H 121, which was vetoed by the governor. Vermont’s governor cited the PRA as a key reason for the veto. The MHMDA PRA has also garnered far more attention than Nevada’s ‘use-based’ framework of sensitive data – argued by privacy scholars as a more effective approach.
Explicit reference to reproductive examples, such as location data related to abortion clinics in Federal Trade Commission (FTC) enforcement actions throughout 2023 and 2024. In 2023 the FTC pursued cases including those related to “unauthorized disclosures ”of “sexual and reproductive health” information in GoodRx and Easy Healthcare/Premom, as well as in reference to location data related to “reproductive health clinics” in Kochava. Unauthorized disclosures were a paradigmatic change in the FTC’s 2024 Health Breach Notification Rule (HBNR) rulemaking stemming from its inaugural application in GoodRx. In 2024, the FTC’s action against InMarket noted the company’s collection of location information, including where consumers “receive medical treatment”, and the X-Mode documents discussed the sensitivity of location of “women’s reproductive health clinics”.
The basis for privacy as the protective modality for reproductive care set in 1973 placed the responsibility of sound and equitable data practices squarely in the hands of privacy professionals today. In the two years since Dobbs, the issue of reproductive care has drastically shifted privacy policies in increasingly polarized directions across jurisdictions, disrupting data flows, including those that support reproductive and gender health. These disruptions have complicated and inhibited the slow correction of representation in data for improved health outcomes. It is imperative that new privacy laws and policies simultaneously protect and facilitate reproductive and gender health access and improvement.
The World’s First Binding Treaty on Artificial Intelligence, Human Rights, Democracy, and the Rule of Law: Regulation of AI in Broad Strokes
FPF has published a Two–Page Fact Sheet overview of the Framework Convention on AI.
While efforts to regulate the development and deployment of Artificial Intelligence (AI) systems have, for the most part, unfolded at national or regional level, there has been increased focus on the steps taken by the international community to negotiate and design cross-border regulatory frameworks. It is in this way that the data protection community, technology lawyers, and AI experts now have the crucial task of increasingly looking beyond regional borders for a holistic view of legislative frameworks aiming to regulate AI.
The Framework Convention on AI is one such significant initiative, which is spearheaded by the CoE, an International Organization founded in 1949 with the goal of promoting and advocating for human rights, democracy, and the rule of law. Recognizing that AI systems are developed and deployed across borders, an ad-hoc intergovernmental Committee on Artificial Intelligence (CAI) was established under the auspices of the CoE in January 2022, and tasked with launching a binding legal framework on the development, design, and application of AI systems.
There are several key reasons as to why the treaty is a significant and influential development in the field of global AI law and governance, not only in the context of the CoE and its Member States, but around the world.
Firstly, the Framework Convention was drafted by the CAI, composed of Ministers representing not only the CoE’s 46 Member States, but also of Ministers or high-level representatives from the Governments of the United States, Canada, Mexico, Japan, Israel, Ecuador, Peru, Uruguay, and Argentina. In addition to representatives of prominent human rights groups, the meetings of the CAI and the drafting of the Framework Convention included representatives of the European Commission, the European Data Protection Supervisor, and of the private sector. Inter-governmental and multi-stakeholder participation in the drafting of a cross-border, binding instrument is often a critical factor in determining its impact. Crucially, the Framework Convention will also be open for ratification to countries that are not members of the CoE.
Secondly, the importance of the Framework Convention lies in its scope and content. In addition to general obligations to respect and uphold human rights, it aims to establish a risk-based approach to regulating AI and a number of common principles related to activities within the entire lifecycle of AI systems. Its general principles include, among others, respect for human dignity; transparency and oversight; accountability and responsibility; non-discrimination; and privacy and personal data protection. States Parties to the Framework Convention will have to adopt appropriate legislative and administrative measures which give effect to the provisions of this instrument in their domestic laws. In this way, the Framework Convention has the potential to affect ongoing national and regional efforts to design and adopt binding AI laws, and may be uniquely positioned to advance interoperability.
With this brief overview in mind, this blog post contextualizes the work and mandate of the CAI in the context of the CoE and international law. It follows on to provide an outline of the Framework Convention, its scope, applicability, and key principles, including its risk-based approach. It then highlights its position towards fostering international cooperation in the field of cross-border AI governance through the establishment of a ‘Conference of the Parties.’ The post also draws some initial points of comparison with the EU AI Act and the CoE’s Convention for the Protection of Individuals with Regards to the Processing of Personal Data, otherwise known as Convention 108.
Human Rights Are At The Center of the Council of Europe’s Work, Including the Mandate of the Committee on Artificial Intelligence (CAI)
The CoE comprises 46 Member States, 27 of which are Member States of the European Union, and includes Turkey, Ukraine and the United Kingdom. In addition to its Member States, a number of countries hold the status of “Observer States”, meaning that they can cooperate with the CoE, be a part of its Committees (including the CAI), and become Parties to its Conventions. Observer States include Canada, the United States, Japan, Mexico, and the Holy See. Through the Observer State mechanism, CoE initiatives have an increasingly broader reach well beyond the confines of European borders.
As an International Organization, the CoE has played a key role in the development of binding human rights treaties, including the European Convention on Human Rights (ECHR), and Convention 108. Leveraging its experience in advancing both human rights and a high level of personal data protection, among other issues, the CoE has been well-placed to bring members of the international community together to begin to define the parameters of an AI law that is cross-border in nature.
Since its inception in January 2022, the CAI’s work falls under the human rights pillar of the CoE, as part of the Programme on the Effective Implementation of the ECHR, and the sub-Programme on the freedom of expression and information, media and data protection. It is therefore grounded in existing human rights obligations, including the rights to privacy and personal data protection. In order to grasp the possible impacts of such a treaty, it is crucial to understand how it will function under international law, while drawing a comparison between the Framework Convention on AI and Convention 108.
1.1. International Law in Action to Protect People in the Age of Computing: From Convention 108 to the Framework Convention
Traditionally, international law governs relations between States. It defines States’ legal responsibilities in their conduct with each other, within the States’ boundaries, and in their treatment of individuals. One of the ways in which international law governs the conduct and relations between States is through the drafting and ratification of international conventions or treaties. Treaties are legally binding instruments that govern the rights, duties, and obligations of participating States. Through treaties, international law encompasses many areas including human rights, world trade, economic development, and the processing of personal data.
It is on the basis of this treaty mechanism under international law that the CoE Convention 108 opened for signature on 28 January 1981 as the first legally binding, international instrument in the data protection field. Under Convention 108, States Parties to the treaty are required to take the necessary steps in their domestic legislation to apply its principles to ensure respect in their territory for the fundamental rights of all individuals with regard to the processing of their personal data.
In 2018, the CoE finalized the modernization of Convention 108 through the Amending Protocol CETS No. 223. While the principle-based Convention 108 was designed to be technology-neutral, its modernization was deemed necessary for two key reasons: 1) to address challenges resulting from the use of new information and communication technologies, and 2) to strengthen the Convention’s effective implementation.
Through the process of modernization, Convention 108 is now better recognized as Convention 108+, and as of January 2024 has 55 State Parties. Modernized Convention 108+ is also better aligned with the EU General Data Protection Regulation (GDPR), particularly with the expansion of its Article 9 on rights of the data subject, which now includes the individual right “not to be subject to a decision significantly affecting him or her based solely on automated processing of personal data” (automated decision-making).
As the only international, binding treaty on personal data protection, Convention 108 is an important reference point for the Framework Convention on AI. Already in its Preamble, the Framework Convention makes reference to the privacy rights of individuals and the protection of personal data, as applicable through Convention 108. Furthermore, both Conventions are similarly grounded in human rights and recognize the close interplay between new technologies, personal data processing, and the possible impacts of these on people’s rights.
Notably, and unlike Convention 108, the Framework Convention on AI takes the form of a so-called “framework convention”, a type of legally binding treaty which establishesbroader commitments for its parties. In essence, a framework convention serves as an umbrella document which lays down principles and objectives, while leaving room for stricter and more prescriptive standards and their implementation to domestic legislation.
Framework conventions are effective in creating a coherent treaty regime, while elevating the political will for action and leaving room for consensus on the finer details for a later stage. In this way, and considering that the Framework Convention on AI will also be open for ratification to non-Member States of the CoE, the instrument may become more attractive to a greater number of countries.
The Framework Convention on AI Proposes a Risk-Based Approach and General Principles Focusing on Equality and Human Dignity
2.1. A Harmonized Definition of an AI System
One of the first challenges of international cooperation and rule-making is the need to agree on common definitions. This has been particularly relevant in the context of AI governance and policy, as national, regional and international bodies have consistently negotiated to agree on a common definition for AI. The Framework Convention on AI addresses this in its Article 2, adopting the OECD’s definition of an AI system as a “machine-based system that for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that may influence physical or virtual environments. Different artificial intelligence systems vary in their levels of autonomy and adaptiveness after deployment.”
Promoted by one of the leading International Organizations in the global AI governance conversation, the OECD’s definition of an AI system has also been relevant in regional contexts. For example, the EU’s Artificial Intelligence Act (EU AI Act), which was given the final green light on 21 May 2024, adopts a very similar definition of an AI system. Similarly, Brazil’s draft AI Bill also adopts the OECD’s definition, showing the country’s intention to align its legislation with the mounting international consensus on a common definition for AI. It is also worth noting that the United States President Biden’s Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence, and the recently enacted Colorado AI Act also adopt an AI definition that is similar in scope to the OECD definition.
The alignment on definitions is not insignificant, as it is by first agreeing on the subject matter of rule-making that a body of specific, intentional rules and principles can emerge. Furthermore, an initial alignment on definitions can help to already establish common ground for facilitating interoperability between different AI governance frameworks internationally.
2.2. The Framework Convention Only Applies to Public Authorities and Private Actors acting on their behalf
Before outlining the principles and obligations elaborated by the Framework Convention, it is important to establish the treaty’s scope and applicability. Its Article 3 states that the Convention covers “the activities within the lifecycle of artificial intelligence systems that have the potential to interfere with human rights, democracy and the rule of law.”
Notably, the draft of the Framework Convention on AI from 18 December 2023, which formed the basis for negotiations until its final adoption date in May 2024, made several and consistent references to the lifecycle of an AI system as including the design, development, use and decommissioning stages. However, the finalized Framework Convention on AI makes reference to these stages only once, in its Preamble. With the treaty’s signature and implementation later this year, it still remains to be seen how the lifecycle of an AI system will be interpreted by States Parties in practice, and how this will impact the scope of applicability of the Convention in different countries’ domestic laws.
Regarding scope, Article 3(1)(a) elaborates that each Party to the Framework Convention on AI will have to apply its principles and obligations within the lifecycle of AI systems undertaken by public authorities,or private actors acting on their behalf. Private actors will only fall under the scope of the Convention if they meet two requirements: 1) the country in which they are established or in which they develop or deploy their AI products and services is a State Party to the Convention, and 2) they are designing, developing or deploying artificial intelligence systems on behalf of that State Parties’ public authorities.
Therefore, the Framework Convention does not by itself, once ratified by States Parties, provide obligations for all private actors with a role in the lifecycle of AI systems, unless States Parties decide to extend its scope in national law.
In addition to defining what falls within the scope of the Framework Convention, it similarly defines matters which do not fall under its purview. Article 3(2) provides that a Party to the Convention shall not be required to apply its obligations to activities within the lifecycle of AI systems related to the protection of its national security interests. States Parties are, however, nevertheless under an obligation to comply with applicable international laws and human rights obligations, including for purposes of national security.
The Framework Convention will similarly not apply to research and development activities regarding AI systems not yet made available for use, unless their testing has the potential to interfere with human rights, democracy and the rule of law (Article 3(3)). Finally, the Framework Convention will not apply to matters relating to national defence (Article 3(4)).
2.3. General Obligations and Common Principles Include Accountability, Individual Autonomy, Safe Innovation
Instead of opting for more prescriptive requirements, the Framework Convention on AI opts for establishing a broader, umbrella approach for international AI law, while making specific and continued reference to existing obligations, such as those found in international human rights law.
Articles 4 and 5 of the Framework Convention on AI address the requirements to ensure that activities within the lifecycle of AI systems are consistent with obligations to protect human rights, that they are not used to undermine democratic processes, and that they respect the rule of law. This includes seeking to protect individuals’ fair access and participation in public debate, and their ability to freely form opinions.
In addition, in Articles 7 to 13, seven common principles are elaborated which would apply in relation to activities within the lifecycle of AI systems:
Respect for human dignity and individual autonomy (Article 7);
Maintain measures to ensure that adequate transparency and oversight requirements tailored to specific contexts and risks are in place (Article 8);
Adopt or maintain measures to ensure accountability and responsibility for adverse impacts on human rights, democracy and the rule of law (Article 9);
Ensure that activities within the lifecycle of AI systems respect equality, including gender equality, and the prohibition of discrimination as provided under applicable international or domestic legislation; Article 10 on equality and discrimination also goes beyond by including a positive obligation to maintain measures aimed at overcoming inequalities to achieve fair, just and equitable outcomes in relation to the lifecycle of AI systems (Article 10);
Adopt or maintain measures to ensure that the privacy of individuals and their personal data are protected, including through international laws, standards and frameworks, and that effective guarantees and safeguards are put in place (Article 11);
Take measures to promote the reliability of AI systems and trust in their outputs, which could include requirements related to adequate quality and security (Article 12);
Establish controlled environments for developing, experimenting and testing AI systems under the supervision of competent authorities (Article 13).
The agreed upon principles attempt to strike a balance between stipulating broad, yet effective principles on the one hand, and determining the requirements which should be left to Member States’ discretion within their own jurisdictions and domestic legislation on the other.
Notably, the draft of the Framework Convention from 18 December 2023 included a general principle related to adopting and maintaining measures to preserve health, with the option of adopting a clause to include the protection of the environment in the scope of the principle. Similarly, in the same draft text from 18 December 2023, the previous iteration of above-mentioned Article 12 also included options to specify more prescriptive requirements regarding accuracy, performance, data quality, data integrity, data security, governance, cybersecurity and robustness. Both of these articles were amended over time during negotiations, and did not make it into the final text of the Convention.
A separate Article 21 specifically states that nothing in the Framework Convention shall be construed as limiting, derogating from or otherwise affecting human rights and obligations that may already be guaranteed under other relevant laws. Article 22 goes further to state that the Convention also does not limit the possibility of a State Party to grant wider protection in their domestic law. This is an important addition to the text, particularly at a time in which many countries and regions are drafting and adopting AI legislation.
2.4. The Risk-Based Approach is Different Than That of the EU AI Act, and it Mitigates Adverse Impacts of AI Systems
In its Article 1 on the object and purpose of the treaty, the Framework Convention on AI elaborates that measures implemented in the lifecycle of AI systems shall be “graduated and differentiated as may be necessary in view of the severity and probability of the occurrence of adverse impacts on human rights, democracy and the rule of law” (emphasis added). In this way, the Framework Convention on AI captures the risk-based approach that has become a familiar component of regulatory discussions and frameworks for AI thus far.
Article 16(1) further outlines what the risk-based approach will entail in practice. It provides that each State Party shall adopt or maintain measures for the identification, assessment, prevention and mitigation of risks posed by AI systems by considering actual and potential harms to human rights, democracy, and the rule of law. Article 16(2) proposes a set of broad requirements for assessing and mitigating risks, including to:
Take due account of the context and intended use of an AI system (Article 16(2)(a));
Take due account of the severity and probability of potential impacts (Article 16(2)(b));
Consider, where appropriate, the perspective of all relevant stakeholders, in particular persons whose rights may be impacted (Article 16(2)(c));
Apply the risk-management requirements iteratively and throughout the lifecycle of AI systems (Article 16(2)(d));
Include monitoring for risks and adverse impacts (Article 16(2)(e));
Include documentation of risks, actual and potential impacts, and on the risk management approach (Article 16(2)(f));
Require testing of artificial intelligence systems before making them available for first use and when they are significantly modified (Article 16(2)(g)).
The risk-based approach principles adopted by the Framework Convention on AI have similarities with obligations we see in the EU AI Act, particularly in relation to requirements for risk monitoring, documentation and testing. However, the Framework Convention does not take a layered approach to risk (from limited risk to high risk) and as such it does not prescribe contexts or use-cases in which AI systems may be prohibited or banned. Rather, in its Article 16(4), the Framework Convention on AI leaves this discretion to each State Party to assess the need for a moratorium, ban or other appropriate measures in respect to certain uses of AI that may be incompatible with human rights.
A Newly Created Body Will Promote International Cooperation on AI Governance
International cooperation and coordination in the field of AI governance has been called upon by many regional and international organizations and fora. Cross-border cooperation is consistently identified as a priority in the work of the OECD, forming one of the core tenets of the OECD AI Principles. Similarly, the United Nations’ High-Level Body on Artificial Intelligence is tasked with advancing an international, multi-stakeholder governance of AI, and calls for interoperability of AI frameworks and continued cooperation. The United Nations Human Rights Office of the High Commissioner recently released its Taxonomy of Human Rights Risks Connected to Generative AI, in the interests of stimulating international dialogue and agreement. At the intergovernmental level, the Group of 7 (G7) approved an international set of guiding principles on AI and a voluntary Code of Conduct for AI developers as part of the Hiroshima AI Process.
The Framework Convention on AI aims to establish its own proposal for furthering international cooperation, on the basis of a two-pronged approach: the first, encompassed in its Article 23, calls for the formation of a “Conference of the Parties”, to be composed of representatives of the Parties to the treaty; and the second, encompassed in its Article 25, through which Parties are to exchange relevant information among themselves, and to assist States that are not Parties to the Convention to act consistently with its requirements with a view to becoming Parties to it. The Preamble similarly recognizes the value of fostering cooperation and of extending such cooperation to other States that share the same values.
In this way, the Framework Convention on AI would encourage both continued cooperation and dialogue at the State Party level, as well as codify the requirement to take an inclusive stance towards countries which are not (yet) Parties to the treaty. This inclusive approach also extends to involving relevant non-State actors in the exchange of information on aspects of AI systems that may have an impact on human rights, democracy, and the rule of law, suggesting ongoing cooperation and exchange with public and private actors.
For an insight into how such continued cooperation may work in practice under the auspices of the Conference of the Parties, we can draw a useful example from the Consultative Committee established under Convention 108. The Consultative Committee is composed of representatives of Parties to the Convention, and observers such as non-Member States, representatives of International Organizations and non-governmental organizations. The Consultative Committee meets three times a year, and is responsible for the interpretation of Convention 108 and for improving its implementation, ensuring that it remains fit-for-purpose and adapting to an ever-growing set of challenges posed by new data processing systems.
Closing Reflections: Future Areas of Interplay?
As the world’s first treaty on artificial intelligence, the CoE’s Framework Convention on AI can help codify the key principles that any national or regional frameworks should include. With a strong foundation in human rights law, including respect for equality and non-discrimination, human dignity and individual autonomy, privacy and personal data protection, the concept behind the Framework Convention on AI is to act as a foundational, umbrella treaty beyond which more prescriptive rules can be adopted at country level.
In this way, complementarity can be achieved between, for example, the Framework Convention on AI and the EU AI Act, and the Framework Convention on AI and Convention 108. In both cases, the EU AI Act and Convention 108 are both instruments which go beyond principles and into prescriptive requirements for the regulation of AI systems and the processing of personal data, respectively. From 5 September 2024, when the Framework Convention will formally open for signature and ratification by States, the breadth of adoption of the treaty beyond CoE Member States should be closely monitored, as well as how the mechanisms for international cooperation on AI regulation progress in practice.
FPF has published a Two–Page Fact Sheetoutlining the scope, key terms, general obligations and common principles, risk-based approach requirements, and guidance on international cooperation.
FPF at CPDP.ai 2024: From Data Protection to Governance of Artificial Intelligence – A Global Perspective
Drawing inspiration from the latest developments in assessing the impacts and regulation of Artificial Intelligence (AI) technologies, the Brussels-based annual Computers, Privacy and Data Protection (CPDP) conference amended its acronym. The 17th edition became CPDP.ai for Computers, Privacy, Data Protection and Artificial Intelligence conference, taking place on 22-24 May.
To govern or to be governed, that is the question– this year, the main theme focused on the key questions of AI governance globally, and a vibrant programme explored current digital regulatory frameworks while navigating the complexity of the interplay with topics of privacy and data protection.
The Future of Privacy Forum (FPF) was present once again, organizing a panel on Global Approaches to AI Regulation: Towards an International Law on AI? FPF staff members also contributed to the conference as speakers in several other panels, having the opportunity to engage on key topics with a great variety of stakeholders from academia, industry, civil society, and regulatory authorities.
The CPDP.ai organizers recorded all the sessions which are available here.
On May 23, FPF’s Policy Manager for Global Privacy, Bianca-Ioana Marcu moderated the FPF-organized panel on Global Approaches to AI Regulation: Towards an International Law on AI? Joining the conversation were Audrey Plonk, Head of Digital Economy Policy Division at the OECD, Emma Redmond, Associate General Counsel at OpenAI, Bruno Bioni, Director and Founder at Data Privacy Brasil, and Gregory Smolynec, Deputy Commissioner Policy and Promotion at the Office of the Privacy Commissioner of Canada (OPC).
This multi-stakeholder, comparative panel explored what we can learn from regional and international approaches to AI regulation, and how these may facilitate a more global, interoperable approach to AI laws. Panelists shared key perspectives:
Bruno Bioni noted that Brazil’s approach to AI regulation is nuanced and context-specific, considering existing asymmetric cultural and power dynamics in Brazil. As such, it incorporates a stronger rights-based approach than, for example, the EU AI Act, by including specific concepts of vulnerability and clauses on the protection of vulnerable groups.
Commissioner Smolynec highlighted Canada’s approach to AI regulation, through a strategic plan that outlines the priorities of the OPC, including protecting privacy with maximum impact using existing laws, as well as how to address and advocate for privacy in a time of rapid technological changes, fostering a culture of privacy and privacy-by-design, and promoting innovation while at the same time leveraging it to protect fundamental rights.
Emma Redmond noted that regulatory alignment and the concept of global harmonization are crucial and that while each piece of regulation has its place and purpose, areas of commonality have to be found.
Audrey Plonk added that in order to talk about coherent approaches to AI regulation across countries and regions, we have to start with agreeing on definitions and terminology, such as the OECD’s definition of an AI system which can now be found in different regional AI laws.
Photo description: Panel titled Global Approaches to AI Regulation: Towards an International Law on AI? (May 23, CPDP.ai)
On May 22, Andreea Șerban, FPF’s Global Privacy and AI Analyst, contributed to a panel titled Fundamental Rights Protection and Artificial Intelligence, organized by Encrypt, a project dedicated to creating a GDPR-friendly, privacy-preserving framework for big data processing. Speakers included Marco Bassini, Assistant Professor at Tilburg Law School, Simona Demková, Assistant professor at Universiteit Leiden, Michèle Finck, Professor of Law and Artificial Intelligence at the University of Tübingen, Andreea Șerban from Future of Privacy Forum, and Giovanni de Gregorio, PLMJ Chair in Law and Technology at Católica Global School of Law who moderated the panel.
The discussions focused on the procedural safeguards for AI-driven decision-making as the key approach to safeguarding fundamental rights protection, the role of the Fundamental Rights Impact Assessments under the EU AI Act, and lessons learned from the GDPR experience that could be leveraged for the implementation of the AI Act further exploring the interplay between the GDPR and the AI Act from a global perspective.
Photo description: Panel titled Fundamental Rights Protection and Artificial Intelligence (May 22, CPDP.ai)
On May 23, Christina Michelakaki, Policy Counsel for Global Privacy at FPF was part of the panel organized by the Centre for IT & IP Law (CiTiP) at KU Leuven, titled Transforming GDPR into a Risk-Based Harm Tool Alongside Specific AI Regulation. Meeting Separate but Complementary Needs, together with Felix Bieker, Legal Researcher at Unabhängiges Landeszentrum für Datenschutz, Nadya Purtova, Professor of Law, Innovation, and Technology at Utrecht University, and moderated by Michiel Fierens, Doctoral researcher at Centre for IT & IP Law, KU Leuven.
The panel explored the challenges in providing legal interoperability and synergies between specific concepts from the GDPR and the EU AI Act. In the ever-developing AI governance regulatory landscape, with a particular focus on the EU AI Act, privacy and data protection norms remain the tools of choice to regulate personal data processing. In this regard, Christina Michelakaki highlighted that the EU AI Act sets a foundational standard, yet it is up to the entities developing and deploying AI technology to keep track of the national initiatives that further develop these provisions, such as Italy’s new draft AI law, as new internal frameworks could create country-specific obligations to be met by these entities.
Photo description: Panel titled Transforming GDPR into a Risk-Based Harm Tool Alongside Specific AI Regulation. Meeting Separate but Complementary Needs? (May 23, CPDP.ai)
On May 24, Rob van Eijk, FPF’s Managing Director for Europe, was part of the panel Where are we heading? Looking into the EU Strategy for Data through the Lens of AI and Data Protection, organized by Meta, together with Luca Bolognini, President of the Italian Institute for Privacy and Data Valorisation, Peter Craddock, Partner at Keller and Heckman, Patricia Vidal, Partner at Uría Menéndez and moderated by Cecilia Alvarez, EMEA Privacy Policy Director at Meta.
The panel discussed AI in the context of a data-oriented regulatory framework, focusing on how the EU could foster AI-driven innovation and competitiveness while ensuring equitable access and benefits. Rob van Eijk presented one of the latest FPF resources, a detailed EU AI Act timeline, and provided an overview of the current EU data-related legislation, the role of the EU AI Act in this framework, and its expected enforcement. The panel recording can be found here.
Photo description: Panel titled Where are we heading? Looking into the EU Strategy for Data through the Lens of AI and Data Protection (May 24, CPDP.ai)
Photo description: Presentation of the FPF EU AI Act Timeline (May 24, CPDP.ai)
Lastly, on May 20, FPF’s Bianca-Ioana Marcu moderated a panel session in the CPDP.ai pre-event on the Global Impact of the EU’s Regulations on Platform, AI and Data Governance: The Case of Brazil, organized by the Law, Science, Technology & Society (LSTS) Research Group at the Vrije Universiteit Brussel and the Fundação Getulio Vargas (FGV) Law School. The event coincided with the launch of FPF’s Issue Brief on the Regulatory Strategies and Priorities of Data Protection Authorities in Latin America: 2024 and Beyond.
Photo description: Panel moderated by FPF’s Bianca-Ioana Marcu, with Alessandro Mantelero (Polytechnic University of Turin; Laura Schertel Mednes (University of Brasilia); Frederico Oliviera da Silva (BEUC); and Marco Almada (European University Institute).
Overall, the CPDP.ai 2024 conference brought together all major key stakeholders in the privacy and digital field for yet another successful gathering of minds, having delivered engaging and challenging discussions on the future of the regulatory landscape in this field and how to best address the innovative and disruptive challenges posed by technological developments, with a special highlight for AI and its interplay with data protection.
Editor: Bianca-Ioana Marcu
Future of Privacy Forum Recognizes Leading Careers in Privacy and Efforts in AI Regulation with Inaugural Global Award
June 11, 2024 – Last week, the Future of Privacy Forum (FPF) – a global non-profit focused on data protection headquartered in Washington, D.C. – presented the Government of Singapore with the inaugural Global Responsible AI Leadership Award for the country’s prominent, pragmatic, and respected work in establishing frameworks for AI regulation and governance and fostering international cooperation in this field. FPF also granted privacy experts Jim Halpert and Patrice Ettinger its Career Achievement Award and Excellence in Career Award, respectively. The awards recognize leading U.S. cybersecurity and privacy professionals for their exemplary leadership in the field of data protection. In her roles as Chief Privacy Officer at Pfizer and Avon, Patrice blazed a trail for senior privacy executives as she built global data governance programs at her company and led efforts to support best practices across the pharma sector. Halpert served the United States as a White House cyber security legal advisor and for decades as trusted counsel to leading companies. Each mentored, trained, and supported numerous staff and colleagues who went on to also become leaders in data protection.
“FPF is honored to recognize Jim Halpert, Patrice Ettinger, and the Government of Singapore for their continued efforts and commitments to ensuring data protection and cybersecurity not just in the United States, but globally,” said Jules Polonetsky, FPF’s CEO. “This year, we’ve seen the ever-increasing importance of data privacy and rapid advancements of AI capabilities. Leaders such as our awardees help provide protections, frameworks, and solutions that help advance society and protect citizens.”
The awards were presented during FPF’s 15th Anniversary Advisory Board Meeting in Washington, D.C., on June 6. The award ceremony was held a day after FPF’s inaugural DC Privacy Forum, which brought together thought leaders, industry experts, and policymakers to explore the pivotal intersection of data privacy and AI, and its complex challenges and opportunities, as well as launched FPF’s Center for Artificial Intelligence.
FPF’s 2024 Achievement Award Winners include:
The Republic of Singapore, Global Responsible AI Leadership Award Winner
(Received by Singapore’s Ambassador to the United States, His Excellency Lui Tuck Yew)
The Government of the Republic of Singapore has made significant progress in the development and governance of artificial intelligence technologies over the last few years. Singapore was also ranked third in the 2023 Global AI Index, which benchmarks nations on their level of investment, innovation, and implementation of AI.
In 2019, Singapore published its first National AI Strategy, outlining plans to drive AI innovation and adoption across the economy. This was refreshed in December 2023. In 2019 and 2020, the Personal Data Protection Commission of Singapore also launched two editions of the Model AI Governance Framework, which won a UN WSIS Prize in 2019. Most recently, Singapore launched the Model AI Governance Framework for Generative AI in June 2024 – one of the first in the world to do so. Singapore was also ranked third in the 2023 Global AI Index, which benchmarks nations on their level of investment, innovation, and implementation of AI. The Government has also aimed to nurture an AI governance testing community by encouraging open-source engagement and collaboration on AI testing and assurance through its AI Verify Foundation. Singapore’s active contributions to multilateral platforms such as the United Nations and the OECD on global AI governance is a testament to its leading influence in this space.
Jim Halpert, Career Achievement Award Winner
Jim Halpert serves as General Counsel for the Office of the National Cyber Director at The White House. He is a renowned cybersecurity and privacy lawyer who, prior to his current appointment, worked at DLA Piper, where he was co-chair of the firm’s global Privacy & Cybersecurity practice, as well as partner of the IP & technology practice. Halpert has helped draft many state security and breach notice laws, the National Association of Corporate Directors Cyber Risk Handbook, DLA Piper’s Data Protection Laws of the World Handbook, and two major U.S. federal privacy laws.
Patrice Ettinger, Excellence in Career Award Winner
Patrice Ettinger served as the Vice President and Chief Privacy Officer at Pfizer for over a decade, where she led a global team on strategy, legal counseling, cybersecurity, compliance, and policy on privacy and data protection. While at Pfizer, she was a member of the companies’ AI Council, Bioethics Advisory Council, and Digital Policy Group, and co-chaired the Pfizer Women’s Resource Group in the New York headquarters. She also serves on the AI Governance Advisory Board at the International Association of Privacy Professionals (IAPP), where she is also an IAPP Westin Emeritus Fellow. Ettinger is also a senior fellow at FPF.
###
About Future of Privacy Forum (FPF)
The Future of Privacy Forum (FPF) is a global non-profit organization that brings together academics, civil society, government officials and industry to evaluate the societal, policy and legal implications of data use, identify the risks and develop appropriate protections.
FPF believes technology and data can benefit society and improve lives if the right laws, policies and rules are in place. FPF has offices in Washington D.C., Brussels, Singapore and Tel Aviv. Follow FPF on X and LinkedIn.
Newly Updated Guidance: FPF Releases Updates to the Generative AI Internal Policy Considerations Resource to Provide New Key Lessons For Practitioners
Today, the Future of Privacy Forum (FPF) Center for Artificial Intelligence is releasing a newly updated version of our Generative AI internal compliance document – Generative AI for Organizational Use: Internal Policy Considerations, with new content addressing organizations’ ongoing responsibilities, specific concerns (e.g., high-risk uses), and lessons taken from recent regulatory enforcement related to these technologies. Last year, FPF published a generative AI compliance checklist, which drew from a series of consultations with practitioners and experts from over 30 cross-sector companies and organizations, to provide organizations with a powerful tool to help revise their internal policies and procedures to ensure that employees are using generative AI in a way that mitigates data, security, and privacy risks, respects intellectual property rights, and preserves consumer trust.
Generative AI uses have proliferated since the technology’s emergence, transforming how we interact, work, and make decisions. From drafting emails and computer code to performing customer service functions, these technologies have made significant progress. However, as generative AI continues to advance and find new applications, it is essential to consider how the internal policies governing them should evolve in response to novel challenges and developments in the compliance landscape.
Key takeaways from the Considerations document include:
Privacy, data protection, and AI impact assessments are ongoing responsibilities that entail cross-team collaboration from across the organization;
Employees using generative AI systems should be aware of public policy considerations—such as those related to addressing bias and toxicity—that override system outputs in order to mitigate or prevent the social and ethical harms that may arise from the deployment of generative AI systems;
In addition to privacy counsel, organizations should engage with experts representing a variety of legal specialties to issue spot and identify appropriate mitigations;
Organizations that develop and use generative AI tools should follow the latest enforcement trends, such as algorithmic disgorgement, and use them to encourage internal compliance with legal requirements; and
It is important for organizations to evaluate whether certain applications of generative AI systems either qualify as high-risk uses, or are prohibited under relevant laws, such as the EU AI Act, as these determinations can affect organization’s compliance obligations and the contents of internal policies.
As generative AI becomes mainstream through tools such as chatbots, image generation apps, and copilot tools that help with writing and creating computer code, it introduces new and transformational use cases for AI in everyday life. However, there are also risks and ethical considerations to manage throughout the lifecycle of these systems. A better understanding of these risks and considerations is essential as practitioners devise policies to manage the benefits and risks of generative AI tools. The re-release of Generative AI for Organizational Use: Internal Policy Considerations strives to do this. Download the updated version of the Considerations document.
Future of Privacy Forum Launches the FPF Center for Artificial Intelligence
The FPF Center for Artificial Intelligence will serve as a catalyst for AI policy and compliance leadership globally, advancing responsible data and AI practices for public and private stakeholders
Today, the Future of Privacy Forum (FPF) launched the FPF Center for Artificial Intelligence, established to better serve policymakers, companies, non-profit organizations, civil society, and academics as they navigate the challenges of AI policy and governance. The Center will expand FPF’s long-standing AI work, introduce large-scale novel research projects, and serve as a source for trusted, nuanced, nonpartisan, and practical expertise.
FPF’s Center work will be international as AI continues to deploy globally and rapidly. Cities, states, countries, and international bodies are already grappling with implementing laws and policies to manage the risks.“Data, privacy, and AI are intrinsically interconnected issues that we have been working on at FPF for more than 15 years, and we remain dedicated to collaborating across the public and private sectors to promote their ethical, responsible, and human-centered use,” saidJules Polonetsky, FPF’s Chief Executive Officer. “But we have reached a tipping point in the development of the technology that will affect future generations for decades to come. At FPF, the word Forum is a core part of our identity. We are a trusted convener positioned to build bridges between stakeholders globally, and we will continue to do so under the new Center for AI, which will sit within FPF.”
The Center will help the organization’s 220+ members navigate AI through the development of best practices, research, legislative tracking, thought leadership, and public-facing resources. It will be a trusted evidence-based source of information for policymakers, and it will collaborate with academia and civil society to amplify relevant research and resources.
“Although AI is not new, we have reached an unprecedented moment in the development of the technology that marks a true inflection point. The complexity, speed and scale of data processing that we are seeing in AI systems can be used to improve people’s lives and spur a potential leapfrogging of societal development, but with that increased capability comes associated risks to individuals and to institutions,” saidAnne J. Flanagan, Vice President for Artificial Intelligence at FPF. “The FPF Center for AI will act as a collaborative force for shared knowledge between stakeholders to support the responsible development of AI, including its fair, safe, and equitable use.”
The Center will officially launch at FPF’s inaugural summit DC Privacy Forum: AI Forward. The in-person and public-facing summit will feature high-profile representatives from the public and private sectors in the world of privacy, data and AI.
FPF’s new Center for Artificial Intelligence will be supported by a Leadership Council of leading experts from around the globe. The Council will consist of members from industry, academia, civil society, and current and former policymakers.
See the full list of founding FPF Center for AI Leadership Council members here.
I am excited about the launch of the Future of Privacy Forum’s new Center for Artificial Intelligence and honored to be part of its leadership council. This announcement builds on many years of partnership and collaboration between Workday and FPF to develop privacy best practices and advance responsible AI, which has already generated meaningful outcomes, including last year’s launch of best practices to foster trust in this technology in the workplace. I look forward to working alongside fellow members of the Council to support the Center’s mission to build trust in AI and am hopeful that together we can map a path forward to fully harness the power of this technology to unlock human potential.
Barbara Cosgrove, Vice President, Chief Privacy Officer, Workday
I’m honored to be a founding member of the Leadership Council of the Future of Privacy Forum’s new Center for Artificial Intelligence. AI’s impact transcends borders, and I’m excited to collaborate with a diverse group of experts around the world to inform companies, civil society, policymakers, and academics as they navigate the challenges and opportunities of AI governance, policy, and existing data protection regulations.
Dr. Gianclaudio Malgieri, Associate Professor of Law & Technology at eLaw, University of Leiden
“As we enter this era of AI, we must require the right balance between allowing innovation to flourish and keeping enterprises accountable for the technologies they create and put on the market. IBM believes it will be crucial that organizations such as the Future of Privacy Forum help advance responsible data and AI policies, and we are proud to join others in industry and academia as part of the Leadership Council.”
Christina Montgomery, Chief Privacy & Trust Officer, AI Ethics Board Chair, IBM
The Future of Privacy Forum (FPF) is a global non-profit organization that brings together academics, civil society, government officials, and industry to evaluate the societal, policy, and legal implications of data use, identify the risks, and develop appropriate protections.
FPF believes technology and data can benefit society and improve lives if the right laws, policies, and rules are in place. FPF has offices in Washington D.C., Brussels, Singapore, and Tel Aviv. Learn more at fpf.org.
FPF Statement on the House Energy and Commerce Subcommittee on Innovation, Data and Commerce’s May 23 unanimous House subcommittee vote on the American Privacy Rights Act
Today, the House Energy and Commerce Subcommittee on Innovation, Data and Commerce unanimously passed the revised draft of the American Privacy Rights Act.
Peak Privacy: Vermont’s Summit on Data Privacy
On June 13, 2024, Governor Phil Scott vetoed H. 121. This marked the first governor veto of a comprehensive privacy bill passed by the state legislature.
Immediately prior to the close of the state legislative session on May 10, 2024, the Vermont legislature passed H. 121, “An act relating to enhancing consumer privacy and the age-appropriate design code.” If enacted by Governor Scott, Vermont could become the state with the farthest-reaching comprehensive privacy law. While the Vermont Data Privacy Act (VDPA) is modeled after the popular Connecticut privacy framework, it goes further in many places, drawing inspiration from a variety of sources. Vermont adds data minimization provisions inspired by Maryland’s new privacy law, new digital civil rights protections pulled from the American Data Privacy and Protection Act, a trimmed-down Age-Appropriate Design Code (AADC) focused on design features, and an entirely novel private right of action.
Applicability
At over 100 pages, determining whether and how an organization will be covered by the H. 121 is a more complicated question than under most state privacy laws. The VDPA contains unique scoping provisions and tiered effective dates tied to an organization’s size and the types of data it processes, and the AADC scope is entirely distinct from the rest of the VDPA.
Tiered effective dates
The Vermont Data Privacy Act establishes a tiered timeline for applicability. For larger organizations that process data of 25,000+ Vermont consumers or process data for 12,500 consumers and get more than 25% of their revenue from selling personal data, the law will go into force on July 1, 2025. Come July 1, 2027, the law will apply to organizations that either process data of 6,250+ consumers, or process data of 3,125 consumers and get more than 20% of their revenue from selling personal data. Despite Vermont’s small population, proportionally speaking these are the lowest coverage applicability thresholds across all comprehensive state privacy laws.
No revenue and data processing thresholds for health data and kids data
The VDPA contains heightened protections for minors’ data and provisions concerning consumer health data that are not tied to the above revenue and data processing thresholds. As a result, small businesses could potentially have obligations under these provisions. Vermont joins an emerging trend originating in Connecticut of making certain protections for the most sensitive categories of personal information generally applicable, rather than being subject to a small business exception.
Separate applicability for Age-Appropriate Design Code
The standalone AADC section also contains a unique applicability threshold. Rather than apply to controllers, the AADC section applies to “covered businesses” that collect consumers’ personal data, determine the purposes and means of processing that data, and, alone or in combination, buy, receive for commercial purposes, sell, or share the personal data of at least 50% of their consumers. Given that this section specifies businesses and the revenue threshold is 50%, it will likely apply to a smaller subset of organizations than those covered under the VDPA. The ultimate scope of this provision is likely to be substantially shaped by how the term “receive for commercial purposes” is interpreted.
Notable protections for Vermonters
Much ink has been spilled over the “state privacy patchwork,” but the Vermont law itself is a bit of a patchwork, given that it draws inspiration from multiple sources, such as Connecticut, Maryland, and the American Data Privacy and Protection Act. Many rights given to individuals may be familiar, such as accessing, correcting, and deleting personal information. However, Vermont’s patchwork bill creates notable differences, including data minimization, prohibitions on selling sensitive data, and prohibitions on discriminatory processing.
Data minimization
The VDPA places default limits on the collection of personal data to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the individual. This limit matches Maryland – however, Vermont lacks Maryland’s requirement that the processing of sensitive data must be strictly necessary, making Vermont somewhat less restrictive. Vermont further limits any processing for a purpose not disclosed in a privacy notice unless an individual’s consent is obtained or the purpose is reasonably necessary to and compatible with a disclosed purpose.
Prohibitions on selling sensitive data
Similar to Maryland, the VDPA prohibits the sale of sensitive data. Under the VDPA, sensitive data includes, among other things, consumer health data, biometric or genetic data, and personal data collected from a known minor. While the privacy protections for minors’ data and consumer health data largely follow Connecticut’s, Vermont goes further by not allowing the sale of sensitive data even with consent. Vermont may go further than even Maryland because it defines “sale” more broadly than any state privacy law to date, including the exchange of personal information not just for monetary value or other valuable consideration, but for a commercial purpose.
Prohibitions on discriminatory processing
Vermont prohibits processing an individual’s personal data in violation of State or federal laws that prohibit unlawful discrimination or in a manner that discriminates against individuals or otherwise restricts the enjoyment of goods and services based on protected classes. There are limited exceptions for self-testing and diversity applicant pools. These civil rights protections, derived from the American Data Privacy and Protection Act (ADPPA) and the American Privacy Rights Act discussion draft, go further than existing state privacy laws because the prohibition is not strictly tried to discrimination that is already unlawful. One minor difference from ADPPA is that Vermont prohibits discrimination against individuals, rather than “in a manner that discriminates,” though this distinction may not have a practical impact.
Broad Right to Opt out of Targeted Advertising
Like the Connecticut framework, the VDPA allows for the option to opt out of targeted advertising. However, the VDPA broadens the definition of targeted advertising to include first-party data shared between distinctly branded websites, including websites operated by the same controller. This expanded definition goes much further than any existing state privacy law.
A limited private right of action
To date, the only comprehensive state privacy law with any private right of action is California, which narrowly provides that certain data breaches can be the basis for a cause of action. Otherwise, comprehensive privacy laws are solely enforced by government regulators such as State Attorneys General. Vermont would break this mold by allowing individuals to bring suit against “large data holders” and data brokers in instances where there were alleged violations involving sensitive data or confidentiality of consumer health data. Vermont defines large data holders as organizations that process the data of more than 100,000 Vermont residents. This is noteworthy because as of the 2020 census, the Vermont population is 643,000. By limiting the private right of action to specific types of entities and particular kinds of privacy violations, the private right of action reflects a compromise between lawmakers in the House who wanted a broad private right of action and lawmakers in the Senate who struck it entirely in an earlier draft.
In a further act of compromise, Vermont legislators took a creative approach to the timeframe for bringing any lawsuits. The private right of action goes into effect January 1, 2027, which is 18 months after when the largest organizations will have come into compliance with the law. The private right of action will sunset after two years unless the Vermont legislature passes a new law to affirmatively reauthorize it. Separately, the Attorney General is charged with conducting a study and developing recommendations to the legislature on implementing a private right of action, including applicability thresholds to ensure that a private right of action does not harm good-faith actors or small businesses and damages that balance the consumer interest in enforcing rights against any incentives provided to litigants with frivolous claims. The report is due by January 15, 2026, a year before the private right of action takes effect and as the legislature begins its next session.
Heightened protections for minors, including two duties of care
Because Vermont draws from Connecticut’s framework, the VDPA includes heightened protections for children and teens that largely mirror Connecticut. These protections include a duty to avoid a “heightened risk of harm” to minors, restrictions on selling minors’ data, and additional risk assessment requirements for controllers who process minors’ data. One subtle but significant difference is that Vermont adds additional harm to be considered in the duty of care and data protection impact assessments. Covered organizations will need to consider any “unintended disclosure of personal data of a minor.” Interestingly, this is language that was considered in Colorado this legislative session, but was ultimately rejected in favor of “unauthorized disclosure of the personal data of minors as a result of a security breach.” The harm articulated in Vermont is much broader and could cover inadvertent disclosures, not just disclosures due to a security breach.
However, the protections focused on children and teens do not end there. During the 2024 session, Vermont lawmakers pursued parallel efforts to protect children online: H. 121, a comprehensive privacy bill, which passed, and S. 289, an AADC. A slimmed-down version of S. 289 was appended to H.121, resulting in the passage of both. The Vermont Data Privacy Act provisions address minors’ data protection, while the AADC addresses safety and design features of online services for minors. A key example of this delineation is that while the VDPA restricts dark patterns specifically related to exercising data rights, the Vermont AADC bans all dark patterns. The AADC defines dark patterns broadly as any user interface that undermines user autonomy. Without attaching this restriction to data rights or any specifically identified harm, the prohibition can be interpreted quite broadly. Additionally, the AADC further prohibits “low-friction variable rewards” that “encourage excessive and compulsive use by a minor.” A low-friction variable reward is defined as “design features or virtual items that intermittently reward consumers for scrolling, tapping, opening, or continuing to engage” in a service, with examples including endless scroll and autoplay.
Another additional wrinkle of the attached AADC is that Vermont actually creates two duties of care for minors. In the comprehensive privacy section, companies have a duty to avoid heightened risk of harm to minors. The AADC separately requires an affirmative minimum duty of care owed to minors by a business that processes a minor’s data in any capacity.
Lastly, the AADC disclaims that age verification is not required to comply with the obligations of this section. This may be a proactive effort to avoid any litigation regarding the constitutionality of age verification mandates. However, the AADC instead clarifies that the obligations imposed should be done with age estimation techniques. Given how age estimation is defined, this would provide a novel question for a court to consider, should there be any litigation. However, it is worth noting that age estimation often includes additional data collection, so covered organizations will need to take care in reconciling these obligations with the data minimization provisions of the VDPA.
Next steps
H. 121 has not yet been presented to the Governor for consideration. Once received, the Governor will have merely five days to consider the bill. Given the novelty of several provisions of the bill, it may be cause for concern or may be an opportunity for Vermont to raise the bar across the nation. Should the Governor veto, the bill passed both chambers with the votes necessary to support a veto override. Organizations in scope and Vermonters should take note that the bill also calls for the Attorney General to lead a public education, outreach, and assistance program, which would begin to take effect July 1, 2024.
New Report Examines Generative AI Governance Frameworks Across the Asia-Pacific Region
This report examines the current state of governance frameworks for generative AI systems in five countries in the Asia-Pacific (APAC) region: Australia, China, Japan, Singapore, and South Korea.
The key takeaways of the report include:
A comparison of regulatory responses to generative AI across the APAC region, including details about China’s unique approach enacting binding regulations for generative AI.
Five areas of consensus across jurisdictions, which can inform efforts to address regulatory fragmentation.
An overview of the existing laws and regulations in the five jurisdictions that may apply to generative AI, like data protection and privacy regulations.
Analyses of current frameworks for the development and deployment of generative AI systems and LLMs with common use cases.
The report concludes by highlighting key points for policymakers, developers, and deployers:
There is a need to counter the risk of regulatory fragmentation across the region.
Robust internal AI governance structures, such as data management practices, privacy protection processes, security safeguards, and transparency measures, are widely recognized building blocks for the responsible development and use of generative AI.
The report’s unveiling took place at an in-person launch event, co-hosted by FPF and Lee & Ko, one of South Korea’s premier full-service law firms. It featured remarks from senior leaders and government officials, including Kang Do-hyun, the 2nd Vice Minister of Science and ICT; Choi Jang-hyuk, the Vice Chairman of the Personal Information Protection Commission; Christina Montgomery, Vice-President and Chief Privacy and Trust Officer, IBM, and Member of the U.S. National AI Advisory Committee; Ko Hwan-kyung, Lee & Ko Partner, and Josh Lee Kok Thong, FPF APAC’s Managing Director.
“We’re delighted to convene this important discussion on AI governance with Lee & Ko,”Josh Lee Kok Thong, FPF APAC’s Managing Director, said. “The launch of our report, ‘Navigating Governance Frameworks for Generative AI Systems in APAC,’ is the culmination of an extensive research project that started in April last year on the regulatory and governance landscape for generative AI systems and LLMs in the APAC region. The region is at an inflection point in the governance and regulation of generative AI systems, and this report details the approach of five significant jurisdictions and reflects the need to harmonize the regulatory fragmentation across the region.”
For more information about the event, the agenda, and speakers, visit the FPF site.
The North Star State Joins the State Privacy Law Constellation
On May 19, 2024, the Minnesota Legislature passed HF 4757, an omnibus budget bill that includes the Minnesota Consumer Data Privacy Act (MNCDPA). The bill now heads to Governor Walz for signature. Developed by State Representative Steve Elkins over nearly five years and multiple legislative sessions, the MNCDPA is among the strongest iterations of the Washington Privacy Act (WPA) framework. In this blog post, we highlight nine things to know about the MNCDPA that set Minnesota apart in the state privacy law landscape. If enacted by Governor Walz, the law will take effect on July 31, 2025 for most controllers and on July 31, 2029 for postsecondary institutions regulated by the Office of Higher Education.
1. Expansive Rights Include Contesting Profiling Decisions, Identifying Specific Third Party Recipients of Personal Data, and Adolescent Privacy Protections
Like the majority of states, the MNCDPA provides core individual rights of access; correction; deletion; portability; and to opt-out of processing personal data for targeted advertising, sale of personal data, or profiling in furtherance of automated decisions that produce legal or similarly significant effects.
Minnesota is the first state, however, to offer an additional right with respect to profiling: Where an individual’s data is profiled in furtherance of decisions that produce legal or similarly significant effects, the individual has a right to contest the result of the profiling. This includes: a right to be informed of actions that could have been taken by the individual “to secure a different decision” and actions that can be taken in the future; a right to review the personal data used in the profiling; and, if that decision was based on inaccurate personal data, a right to correct that data and have the profiling decision be reevaluated. This right to contest a decision based on profiling appears to be broader than the right to opt-out of profiling, because the opt-out right applies to profiling in furtherance of automated decisions that produce legal or similarly significant effects whereas the right to contest the result of profiling applies to profiling in furtherance of decisions with such effects.
The MNCDPA also follows trends established by other states with respect to expanded individual rights. Like the Oregon Consumer Privacy Act, the MNCDPA includes a right for individuals to obtain a list of specific third parties to whom their personal data has been disclosed or, if that information is not available, a list of specific third parties to whom the controller has disclosed any individual’s personal data.
The MNCDPA also provides heightened protections for adolescents. Like the majority of state privacy laws, the MNCDPA deems the personal data of a “known child”—where a controller has actual knowledge of, or willfully disregards, that individual is younger than 13—as sensitive data, requiring opt-in consent for processing. Some states, like Oregon and New Jersey, have started adding additional protections for teenagers by changing opt-out rights to opt-ins, and Minnesota follows that trend: For targeted advertising and sale of personal data, the controller must obtain consent if the controller knows that the individual is between the ages of 13 and 16. Notably, those protections only apply where a controller “knows” the individual is between those ages, not if the controller “willfully disregards” the individual’s age. That is a departure from similar adolescent privacy protections in other states and narrows Minnesota’s adolescent privacy protections.
2. When Individuals Exercise Their Rights, Controllers Must Disclose Whether They Collected Certain Information
When an individual exercises any of their rights under the MNCDPA, controllers have an additional requirement to inform individuals “with sufficient particularity” whether the following types of information have been collected but to not disclose the information itself: (1) SSN; (2) driver’s license or government ID number; (3) financial account number; (4) health insurance account or medical identification number; (5) account password, security questions, or answers; or (6) biometric data. This obligation to inform with sufficient particularity that these types of data have been collected applies whenever an individual exercises any of their rights, not just the right to access. Given that a controller must not disclose the listed information, this provision arguably narrows the right to access with respect to these types of data, but is likely to benefit security overall and help prevent identity theft.
3. Heightened Data Security Requirements Include Inventorying Data, Documenting Compliance, and Appointing a Chief Privacy Officer
Like the majority of states, the MNCDPA requires controllers to “establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, and integrity, and accessibility of personal data.” Minnesota goes further than other states, however, by explicitly requiring that such security practices include maintenance of a data inventory. Although this is often considered a best practice in many circumstances and is likely a standard practice amongst companies subject to such reasonable security requirements in other states, no prior state comprehensive privacy law has mandated that controllers create and maintain this kind of inventory. The bill provides no specific definition or guidance as to what this inventory should entail.
The MNCDPA also includes prescriptive requirements for controllers to “document and maintain a description of the policies and procedures the controller has adopted to comply with [the law],” including the name and contact information of the chief privacy officer or individual with primary compliance responsibility as well as a description of the policies and procedures taken to comply with the controller duties, which has many subcomponents. The implicit requirement to have a chief privacy officer or similar individual responsible for compliance is a first amongst state comprehensive privacy laws.
Another novel controller duty which will impact data security is that controllers are prohibited from retaining personal data “that is no longer relevant and reasonably necessary in relation to the purposes for which the data were collected and processed.” This retention principle may have already been an implicit requirement under the bill’s data minimization and purpose limitation rules.
4. Novel Protections for Deidentified and Pseudonymised Data
State comprehensive privacy laws typically require that controllers who disclose de-identified or pseudonymous data “exercise reasonable oversight to monitor compliance with any contractual commitments” to which that data are subject. Consistent with the Colorado Privacy Act, the MNCDPA extends this obligation to use of such data rather than just disclosure. Additionally, the MNCDPA includes two novel protections for deidentified and pseudonymous data, providing that: (1) processors and third parties may not attempt to identify the subjects of such data without the “express authority” of the controller who deidentified or pseudonymized the data; and (2) controllers, processors, and third parties may not attempt to identify the subjects of data that was collected with only pseudonymous identifiers.
5. “Data Privacy and Protection Assessments” Introduce Expansive New DPIA Requirements
As is common under laws drafted in the WPA framework, the MNCDPA requires controllers to conduct and document assessments for certain high-risk processing activities. The MNCDPA uses the term “data privacy and protection assessment” (DPPA) rather than the more familiar terms “data protection assessments” or “data protection impact assessments” used in other states, which reflects the fact that the MNCDPA’s DPPA requirements are similar but not identical to the requirements in other states.
The triggers for conducting a DPPA are similar to those under other states: processing personal data for targeted advertising; selling personal data; processing sensitive data; conducting any processing activity that presents a heightened risk of harm to individuals; or processing personal data for profiling that presents a reasonably foreseeable risk of certain substantial injuries (e.g., unfair treatment, financial injury, etc.). Where the MNCDPA differs from other states is in its more prescriptive content requirements. DPPAs must take into account the type of personal data to be processed, whether the data are sensitive data, and the context of processing. Furthermore, the DPPA must include the description of policies and procedures which the controller is required to create (see section 2 above for a description of this requirement).
6. Minnesota Continues Maryland’s Trend of Heightening Civil Rights and Nondiscrimination Protections
State privacy laws typically prohibit controllers from processing personal data in violation of state or federal laws that prohibit unlawful discrimination. The MNCDPA contains an additional civil rights protection: Controllers may not process individuals’ personal data on the basis of their “actual or perceived race, color, ethnicity, religion, national origin, sex, gender, gender identity, sexual orientation, familial status, lawful source of income, or disability in a manner that unlawfully discriminates against the [individual or class of individuals] with respect to the offering or provision of: housing, employment, credit, or education; or the goods, services, facilities, privileges, advantages, or accommodations of any place of public accommodation.” This is similar to a prohibition in the recently enacted Maryland Online Data Privacy Act (MODPA), which prohibits controllers from processing personal data or publicly available data in a way that either unlawfully discriminates in or unlawfully makes unavailable “the equal enjoyment of goods or services on the basis of race, color, religion, national origin, sex, sexual orientation, gender identity, or disability,” subject to limited exceptions.
7. Specific Geolocation Data is Defined Based on Decimals of Latitude and Longitude Instead of Feet
The majority of state comprehensive privacy laws include precise geolocation data as a category of sensitive data. Although the language varies slightly from state to state, that term is generally defined as information derived from technology that identifies an individual’s specific location (or a device linked or linkable to the individual, in Oregon), accurate within a radius of 1,750 feet or less (1,850 feet in California).
The MNCDPA includes “specific geolocation data” as a category of sensitive data, but it abandoned this foot-based standard in favor of a definition based on decimals of latitude and longitude: Specific geolocation data means “information derived from technology . . . that directly identifies the geographic coordinates of a consumer or a device linked to a consumer with an accuracy of more than three decimal degrees of latitude and longitude or the equivalent in an alternative geographic coordinate system, or a street address derived from the coordinates.” This definition includes typically exceptions for content of communications and data generated by utility metering infrastructure or equipment, but it also includes a novel carve-out for “the contents of databases containing street address information which are accessible to the public as authorized by law.”
8. Limited Applicability to Small Businesses, Like Under the Texas Data Privacy and Security Act
The MNCDPA contains two levels of protections for small businesses. First, the law’s thresholds for applicability are relatively high. A controller is not subject to the law unless they process either (1) the personal data of 100K Minnesotans (excluding payment transactions data) or (2) generate at least 25% of their gross revenue from the sale of personal data and process the personal data of at least 25K Minnesotans. Second, small businesses, as defined by the U.S. Small Business Administration in 13 C.R.F. 121, are largely exempt from the MNCDPA. Notwithstanding this limited entity-level exemption, small businesses are prohibited from selling an individual’s sensitive data without that individual’s prior consent. The Texas Data Privacy and Security Act and the recently enacted Nebraska Data Privacy Act include similar provisions, but neither of those laws include controller thresholds on top of the small business exemption.
9. New Requirements for Privacy Notices and Assessments
The MNCDPA contains novel transparency obligations, requiring that controllers include in their privacy notice “a description of the controller’s retention policies for personal data” as well as the date the notice was last updated. The bill also details how a privacy notice should be made available: Privacy notices “must be posted online through a conspicuous hyperlink using the word ‘privacy’ on the controller’s website home page or on a mobile application’s app store page or download page,” provided via a hyperlink in an app’s settings menu or similarly conspicuous and accessible location, or, if the controller does not operate a website, made available “through a medium regularly used by the controller” to interact with individuals. Controllers are not required to provide a Minnesota-specific notice if their general privacy notice contains all the required information.
