RECs Report: Towards a Continental Approach to Data Protection in Africa

On July 28, 2022, the African Union (AU) released its long-awaited African Union Data Policy Framework (DPF), which strives to advance the use of data for development and innovation, while safeguarding the interests of African countries. The DPF’s vision is to unlock the potential of data for the benefit of Africans, to “improve people’s lives, safeguard collective interests, protect (digital) rights and drive equitable socio-economic development.” One of the key mechanisms that the DPF seeks to leverage to achieve this vision is the harmonization of member states’ digital data governance systems to create a single digital market for Africa. It identifies a range of focus areas that would greatly benefit from harmonization, including data governance, personal information protection, e-commerce, and cybersecurity.  

In order to promote cohesion and harmonization of data-related regulations across Africa, the DPF recommends leveraging existing regional institutions and associations that are already in existence to create unified policy frameworks for their member states. In particular, the framework emphasizes the role of Africa’s eight Regional Economic Communities (RECs) to harmonize data policies and serve as a strong pillar for digital development by drafting model laws, supporting capacity building, and engaging in continental policy formulation.
This report provides an overview of these regional and continental initiatives, seeking to better clarify the state of data protection harmonization in Africa and to educate practitioners about future harmonization efforts through the RECs. Section 1 begins by providing a brief history of policy harmonization in Africa before introducing the RECs and explaining their connection to digital regulation. Section 2 dives into the four regional data protection frameworks created by some of the RECs and identifies key similarities and differences between the instruments. Finally, Section 3 of the report analyzes regional developments in the context of the Malabo Convention through a comparative and critical analysis and, lastly, provides a roadmap for understanding future harmonization trends. It concludes that while policy harmonization remains a key imperative in the continent, divergences and practical limitations exist in the current legal frameworks of member states.

Brussels Privacy Symposium 2023 Report

The seventh edition of the Brussels Privacy Symposium, jointly co-organized by the Future of Privacy Forum and the Brussels Privacy Hub, took place at the U-Residence of the Vrije Universiteit Brussel campus on November 14, 2023. The Symposium presented a key opportunity for a global, interdisciplinary convening to discuss one of the most important topics facing Europe’s digital society today and in the years to come: “Understanding the EU Data Strategy Architecture: Common Threads – Points of Juncture – Incongruities.” 

With the program of the Symposium, the organizers aimed to transversally explore three key topics that cut through the Data Strategy legislative package of the EU and the General Data Protection Regulation (GDPR), painting an intricate picture of interplay that leaves room for tension, convergence, and the balancing of different interests and policy goals pursued by each new law. Throughout the day, participants debated the possible paradigm shift introduced by the push for access to data in the Data Strategy Package, the network of impact assessments from the GDPR to the Digital Services Act (DSA) and EU AI Act, and debated the future of enforcement of a new set of data laws in Europe. 
Attendees were welcomed by Dr Gianclaudio Malgieri, Associate Professor of Law & Technology at Leiden University and co-Director of the Brussels Privacy Hub, and Jules Polonetsky, CEO at the Future of Privacy Forum. In addition to three expert panels, the Symposium opened with Keynote addresses by Commissioner Didier Reynders, European Commissioner for Justice, and Wojciech Wiewiórowski, the European Data Protection Supervisor. Commissioner Reynders specifically highlighted that the GDPR remains the “cornerstone of the EU digital regulatory framework” when it comes to the processing of personal data, while Supervisor Wiewiórowski cautioned that “we need to ensure the data protection standards that we fought for, throughout many years, will not be adversely impacted by the new rules.” In the afternoon, attendees engaged in a brainstorming exercise in four different breakout sessions, and the Vice-Chair of the European Data Protection Board (EDPB), Irene Loizidou Nikolaidou, gave her closing remarks to end the conference.

The following Report outlines some of the most important outcomes from the day’s conversations, highlighting the ways and places in which the EU Data Strategy Package overlaps, interacts, supports, or creates tension with key provisions of the GDPR. The Report is divided into six sections: the above general introduction; the ensuing section which provides a summary of the Opening Remarks; the next three sections which provide insights into the panel discussions; and the sixth and final section which provides a brief summary of the EDPB Vice-Chair’s Closing Remarks.

Editor: Alexander Thompson

Colorado’s Approval of Global Privacy Control: Implications for Advertisers and Publishers

The privacy laws of both Colorado and California require organizations to recognize Universal Opt-Out Mechanisms (UOOMs), a tool through which a person can invoke their opt out rights broadly across all the websites they visit. While California has required responding to certain UOOMs since July 2021, the Colorado Attorney General has only recently approved their first tool – the Global Privacy Control – as valid within the scope of the state law. This sets the stage for organizations within the law’s jurisdiction to take appropriate action necessary to ensure that they are recognizing and responding to any person’s use of the GPC. Below we provide information for what organizations need to know about UOOMs going forward, including particular implementation challenges that must be addressed to avoid enforcement actions for falling afoul of the law.

Background

Governor Polis signed the Colorado Privacy Act (CPA) in July 2021, making Colorado the third state to pass a comprehensive privacy law. Among other things, the act requires the Colorado Attorney General to conduct a special process for approving Universal Opt Out Mechanisms (UOOMs) for people to use as a means of invoking their opt out rights. Under Colorado law, covered entities will be required to honor these UOOMs beginning July 1, 2024. 

The Colorado AG’s office closed applications for UOOM tools on November 6, 2023. After a public comment period, the Colorado AG announced that only one tool – the Global Privacy Control (GPC) – would be acknowledged on the exclusive public list of acceptable UOOMs in Colorado.

The recognition of the GPC as a valid UOOM in Colorado leaves adtech vendors, advertisers, and publishers in a broadly similar place in both California and Colorado once enforcement begins this summer: Publishers will have to respond to valid GPC requests in both states; advertisers and vendors will have to adjust business practices accordingly. Although implementations of GPC must still satisfy the requirements of the CPA, Colorado’s decision aligns their enforcement of opt-out rights with those in California, creating momentum toward a national standard.

What should Advertisers, Publishers, and Other Organizations Know About the GPC and UOOMs in U.S. law

1. Implementations of GPC must still satisfy the requirements of CPA

Under the CPA, UOOMs in Colorado must satisfy three categories of rules. By selecting a single UOOM tool, the Colorado AG’s office has indicated that this is the only tool “recognized in so far as the UOOM or any authorized implementations meet the requirements of [the Colorado Privacy Act].” 

The first and second of these rules relate to Notice and Choice under Rule 5.03 and Default Settings under Rule 5.04. The notice and choice requirements ask UOOM vendors to ensure that the signal represents an “affirmative, freely given, and unambiguous choice to opt out” of targeted advertising and data sales. The requirements for default settings seek to ensure the choice remains a genuine opt-OUT with respect to the device. The default browser installed on the device cannot simply negate the selection in a user interface to transform the user-facing mechanism into what would appear to be an opt-IN for the user. For browsers or browser extensions that do not come pre-installed on the device and that are marketed as tools for exercising a user’s opt out rights, the consumer’s decision to install and use these tools is considered an affirmative, freely given, and unambiguous choice.

The final requirement for UOOMs in the CPA is to follow Technical Specifications under Rule 5.06. The technical specification requirements make the tool “universal” in the sense that it can automatically transmit the opt-out to multiple publishers while remaining in compliance with other requirements, like the notice and choice requirements and the default settings requirements, and without unfairly disadvantaging controllers.

It is noteworthy that the AG’s office distinguishes between “the UOOM” – the GPC in this case – and “any authorized implementations” of the UOOM. Several organizations, including FPF, expressed broad support of the GPC while correctly observing that the GPC is a protocol-level technical specification and is implementable in valid and invalid ways in user-facing tools. Actual implementations of the GPC vary significantly in their interface and functionality. However, it is not clear what is required for an implementation to be “authorized”. One may read the language to require some additional recognition by the Colorado AG’s office (which has not produced a list of authorized implementations) or instead to include those implementations recognized by the creators of the GPC, which lists several implementations that support the GPC on their website. It is even possible that “authorized implementations” may even refer to other authorized, yet-to-be-approved UOOMs and have nothing to do with the GPC.

Based on this analysis, it is technically possible for publishers to receive an invalid GPC signal originating from a tool that fails to implement other requirements of the CPA. However, discerning the validity of GPC signals as they are received may require publishers to implement otherwise invasive means, like browser fingerprinting.

2. GPC will be a multi-state enforcement priority for 2024

Despite the limitations of approving a technical specification, the decision in Colorado to recognize only the Global Privacy Control marks an alignment with California that the GPC should be a clear priority for organizations looking to avoid an enforcement action in 2024. Controllers in Colorado and businesses in California should earnestly implement appropriate means to receive these signals and respond in their advertising technology stack. Industry preparation should include some mechanism for differentiating data that has been opted-out of sale or sharing from data that has not.

The Colorado AG also indicated that the current public list (which, again, consists solely of the GPC) will be “prioritized for enforcement,” meaning publishers will likely be required to respond to GPC opt-out requests as soon as the enforcement date of July 1, 2024 rolls around. Any relevant on-going or concluded investigations in California since the AG settlement with Sephora have not resulted in publicly announced enforcement actions. However, it has remained an area of active interest, including recent discussions by the California Privacy Protection Agency (CPPA) regarding the possibility of requiring browser vendors to implement a feature allowing users to express their opt-out preferences to publishers.¹

3. Novel mechanisms may still be reconsidered in upcoming years

In naming the GPC as the current exclusive UOOM recognized in Colorado, Colorado AG also indicated that this did “not exclude additional UOOMs from meeting the requirements” in the future. This could mean the other shortlisted opt out mechanisms (i.e., the OptOut Code or the Opt-Out Machine) or some tool that has not yet been developed may be able to be approved in the future. However, the process for submitting applications is uncertain. The website is no longer accepting submissions, and although it may be opened to new submissions in the future, no plans for doing so are currently public.

The Colorado AG also indicated that when it does accept new applications, it will also seek public comments on them in a similar process. The three applications listed in the shortlist each took different approaches to standardizing expression of user opt out preferences. The OptOut Code proposal focused on prepending a code to human-readable device names, the Opt-Out Machine proposed an automated email-based opt out mechanisms, and the Global Privacy Control (GPC) proposed using their HTTP-based protocol-level specification in Colorado, having already been recognized as a UOOM in California.

Challenges Ahead for Enforcement

Enforcement of the Colorado Privacy Act’s requirements for opt-outs will begin later this year. Although the Colorado AG selected the GPC, they did not reveal their rationale or respond substantively to the concerns raised during the comment process. As a result, specific enforcement techniques and investigative approaches are hard to predict. At least four enforcement challenges exist for Colorado: (1) responding to the GPC alone may not be enough to ensure compliance with the CPA, (2) confirmation of signals by controllers is not required making verification of the receipt of valid signals difficult, (3) invalid GPC signals are difficult to detect definitively, and (4) the current move toward enforcement is happening at a time of transition in the industry at large.

First, responding to the GPC alone is not enough for compliance with the CPA. Although the GPC specification includes optional requirements allowing publishers to confirm to users that they have received the GPC signal, this confirmation is not technically tied to any advertising that appears on the publisher site. In other words, it is possible for a publisher site to continue serving targeted ads while confirming to users that their GPC opt-out signal has been received, either intentionally or accidentally. The Colorado AG will need some mechanism for discerning whether any advertising displayed was targeted or not. For people who have invoked the GPC, publishers are likely to replace targeted advertising with contextual advertising, and these ads may be served by similar ad servers, making discernment challenging. (The opt-out also applies to the sale of personal data, but that would not be immediately obvious to an enforcement agency in a single web browsing session regardless of the GPC configuration.) 

Second, optional confirmation requirements in the GPC specification are not strictly required by the CPA. Although confirmation may be useful for users, advertisers, and publishers seeking to test their configuration of their GPC tool of choice, their utility as part of regulatory enforcement remains unclear, and without them it is unclear how Colorado enforcement agencies will determine whether a signal has been received and responded to. It is worth noting here that California’s recently proposed revisions to the California Consumer Privacy Act (CCPA) would require businesses to display the status of the consumer’s choice.²

Third, invalid implementations of the GPC can transform the opt-out into a user-facing opt-in. Developers of privacy-oriented browsers and browser extensions have evinced a desire to make the user’s experience of setting up both the browser and the GPC as fast and easy as possible, but the legal environment is inherently complex. The installation and configuration process for these tools will be critical to ensuring that GPC signals are valid in each jurisdiction where they are intended to apply. The GPC signal does not embed information on which browser, extension or tool sent the signal. This can make it difficult for organizations seeking to determine a mechanism’s validity and investigators seeking to respond to GPC signals sent using an invalid mechanism or configuration.  Investigators will also have to determine if the person covered by the signal is a Colorado resident.

Finally, enforcement of the CPA comes at a time when the industry is transitioning away from the third-party cookie and toward new advertising APIs, presenting an additional challenge for discernment of targeting information. Publishers will need to be able to connect receipt of the GPC signal to their new infrastructure for advertising APIs during this transition. Similarly, Colorado’s enforcement will need to be able to verify compliance with the CPA, including responses to valid GPC signals, during this industry transition. Many other states are considering comprehensive privacy laws, some with subtly different opt out rights. Colorado has indicated that they prefer a harmonious, multi-state approach where possible, but this possibility remains an open question as states consider new approaches to privacy.

Conclusion

Colorado’s adoption of the GPC as the only valid universal opt out mechanism, for now at least, represents a critical step for vendors, advertisers, publishers, and users.  Broad alignment with California marks this as important outside of Colorado as well, particularly with other states adopting or considering comprehensive privacy laws. Although some challenges and open questions remain, covered entities should earnestly work towards compliance to be able to honor these UOOMs beginning July 1, 2024.

¹ Note that this requirement may complicate the default setting requirements discussed earlier given Colorado’s differentiation between a browser that comes pre-installed on a device and one that does not.

² See page 40, in § 7025 on Opt-out Preference Signals.

FPF Health & Wellness: Mapping the 2024 Health Privacy Landscape, A 2023 Retrospective

In 2024, health and wellness-focused companies are increasingly integrating AI to streamline their services–with the expansion of AI-enabled digital health, the universe of potential health inferences will also expand, triggering new concerns about patient and consumer privacy. At this intersection of reproductive health privacy and AI concerns, state legislators and federal regulators appear poised to take more action on health data privacy, with specific attention to reproductive health privacy and genetic data privacy. As we look ahead to further developments, it is prudent to look back and understand exactly where the regulatory landscape stands and how we got here…

In 2023, health data privacy developments were nearly all related to the continuing development of privacy law responses to the Supreme Court’s Dobbs decision and subsequent moves by states to bar access to certain reproductive health care services and to criminally prosecute individuals seeking access to that care. As reproductive health care remains in jeopardy in several states, we expect that reproductive health data privacy will continue to drive broader action on health data privacy. In this 2023 retrospective, FPF has identified the top themes of health legislation and regulation while looking ahead to 2024. 

FPF Joins the NIST Artificial Intelligence Safety Consortium

The Future of Privacy Forum (FPF) is collaborating with the National Institute of Standards and Technology (NIST) in the U.S. Artificial Intelligence Safety Institute Consortium to develop science-based and empirically backed guidelines and standards for AI measurement and policy, laying the foundation for AI safety across the world.

This initiative will help prepare the U.S. to address the capabilities of the next generation of AI models or systems, from frontier models to new applications and approaches, with appropriate risk management strategies.

“As an organization that has been at the forefront of responsible data practices for more than a decade, FPF is honored to be included in the list of influential and diverse stakeholders involved in the U.S. AI Safety Institute Consortium assembled by the National Institute of Standards and Technology. We look forward to contributing to the development of safe and trustworthy AI that is a force for societal good.” 

Jules Polonetsky, CEO, FPF

The consortium includes more than 200 member companies and organizations that are on the frontlines of creating and using the most advanced AI systems and hardware, the nation’s largest companies and most innovative startups, civil society and academic teams that are building the foundational understanding of how AI can and will transform our society, and representatives of professions with deep engagement in AI’s use today.

The consortium will be housed under the U.S. AI Safety Institute (USAISI) and will contribute to priority actions outlined in President Biden’s landmark Executive Order, including developing guidelines for red-teaming, capability evaluations, risk management, safety and security, and watermarking synthetic content. Additional information on this Consortium can be found here.

The Garden State Joins the Comprehensive Privacy Grove

On January 16, 2024, Governor Murphy signed S332 into law, making New Jersey the thirteenth U.S. State to adopt a comprehensive privacy law to govern the collection, use, and transfer of personal data. S332 endured a long and circuitous route to enactment, having been introduced in January 2022 and amended six times before being passed by both chambers during the waning hours of New Jersey’s legislative session. The law will take effect on January 15, 2025. S332 bears a strong resemblance to other laws following the Washington Privacy Act (WPA) framework, particularly those passed in Delaware, Oregon, and Colorado. Nevertheless, S332 diverges from existing privacy frameworks in several significant ways. In this blog we highlight eight unique, ambiguous, or otherwise notable provisions that set S332 apart in the U.S. privacy landscape.

1. Private Right of Action Confusion

One ongoing controversy regarding S332 is whether the law could provide the basis for a private right of action. S332 specifies that the New Jersey Attorney General has “sole and exclusive authority” to enforce a violation of S332 and that nothing in the law shall be construed as providing the basis for a private right of action for violations of S332. A late amendment removed language stating that S332 should not be construed as providing the basis for a private right of action “under any other law.” Industry members raised concerns that the removal of this language opens up the possibility of private lawsuits by tying alleged violations of the law to causes of action under other laws. In his signing statement, Governor Murphy attempted to assuage industry fears by noting that “nothing in this bill expressly establishes such a private right of action” and “this bill does not create a private right of action under this law or under any other law.” Some industry members remain unconvinced, however, and continue to advocate for clarifying amendments.

2. Data Protection Assessments Prior to Processing

New Jersey joins the majority of state privacy laws in requiring that controllers conduct a data protection assessment (DPA) for any data processing activity that “presents a heightened risk of harm to a consumer.” New Jersey is notable, however, for explicitly requiring that the DPA occur before initiating any such high risk processing activities. Prior to New Jersey, only the Colorado Privacy Act’s implementing regulations required that DPAs occur prior to initiating processing. Following the NetChoice v. Bonta litigation, which saw California’s Age-Appropriate Design Code Act preliminarily enjoined, this requirement could raise First Amendment concerns if it is interpreted as a prior restraint on speech.

3. Thresholds for Applicability

S332 is notable for not including a revenue threshold in its applicability provisions. The law applies to controllers that control or process the personal data of either (a) at least 100,000 New Jersey residents annually, or (b) at least 25,000 New Jersey residents annually and the controller derives revenue from the sale of personal data. Prong (b) differs from the majority of existing privacy frameworks, which tend to require that the controller derive at least a certain percentage of revenue from personal data sales (e.g., 25%) to be covered. This is another similarity between S332 and the Colorado Privacy Act, which sets the same thresholds. 

The carve outs in S332 are similar to those in the Delaware Personal Data Privacy Act. S332 includes data-level exemptions for protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA) and “personal data collected, processed, sold, or disclosed by a consumer reporting agency” insofar as those processing activities are compliant with the Fair Credit Reporting Act (FCRA). With respect to the financial industry, S332 joins the majority of states by providing entity-level and data-level exemptions for financial institutions and their affiliates subject to Title V of the Gramm-Leach-Bliley Act (GLBA). Notably, however, S332 does not contain exemptions for nonprofits, higher education institutions, or personal data regulated by the Family Educational Rights and Privacy Act (FERPA).

4. Rulemaking

New Jersey becomes just the third state, after California and Colorado, to provide for rulemaking in its comprehensive privacy law. The Act charges the Director of the Division of Consumer Affairs in the Department of Law and Public Safety with promulgating rules and regulations necessary to effectuate the purposes of S332. This provision includes no details on the timeframe or substance of rulemaking, other than that the New Jersey Administrative Procedure Act applies. As the rulemaking process unfolds, this could be a valuable opportunity for stakeholders to seek clarity on some of S332’s ambiguous provisions.

5. Ambiguity on Authorized Agents and UOOMs

New Jersey joins Colorado, Connecticut, Delaware, Montana, Oregon, and Texas in allowing an individual to designate an authorized agent to exercise the individual’s right to opt out of processing for certain purposes. S332’s authorized agent provision has two ambiguities. First, subsection 8(a) specifies that an individual can designate an authorized agent to “act on the consumer’s behalf to opt out of the processing and sale of the consumer’s personal data.” (Emphasis added.) As written, this provision would create a broad opt-out right with respect to all processing, distinct from the explicitly established opt-out rights in the bill. It is more likely that this provision is intended to be limited to opting-out of processing for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects. The second ambiguity is the qualifier that an individual can use an authorized agent designated using technology to opt-out of profiling only “when such technology exists.” It is not clear who or what determines the availability of such technology.

S332 also joins California, Colorado, Connecticut, Montana, Oregon, and Delaware in requiring that controllers allow individuals to opt-out of the processing of personal data for targeted advertising or the sale of personal data on a default basis through a universal opt-out mechanism (UOOM). Designed to reduce the burden on individuals’ attempting to exercise opt-out rights, UOOMs encompass a range of tools providing individuals with the ability to configure their devices to automatically exercise opt out rights through a preference signal when interacting with a controller through a desktop or mobile application. S332’s statutory requirements for a UOOM, however, are ambiguous and inconsistent with those in existing privacy frameworks. Specifically, one requirement is that a UOOM cannot “make use of a default setting that opts-in a consumer to the processing or sale of personal data.” (Emphasis added.) This is clearly inconsistent with the purpose of a universal opt-out mechanism, which is to opt individuals out of such processing.

6. Adolescent Privacy

S332 continues and builds upon a trend of increased privacy protections for adolescents (while legislating around the existing, largely preemptive COPPA regime for individuals 12 and under). For individuals whom the controller actually knows are 13-16 years old or willfully disregards their age, the controller must obtain consent from the teens before processing their personal data for the purposes of targeted advertising, sale, or profiling in furtherance of decisions that produce legal or similarly significant effects. Several states have iterated on adolescent privacy protection in recent years by requiring consent for these processing purposes. Delaware raised the bar when it required such consent for individuals aged 13 through 17, but it did not extend the opt-in consent requirement to profiling. Oregon was the first state to include profiling in the opt-in consent requirement, but its age range was slightly narrow at 13 through 15. New Jersey is unique and arguably goes the furthest by extending the opt-in consent requirement to cover individuals aged 13 through 16 and extending this requirement to profiling in furtherance of decisions that produce legal or similarly significant effects.

7. Expansive Definitions of Sensitive Data and Biometric Data

S332’s definitions of sensitive data and biometric data (which require opt-in consent to process) continue and build upon trends seen in stronger iterations of the WPA framework. S332’s definition of sensitive data includes additional categories seen in a minority of existing privacy frameworks, such as “status as transgender or non-binary” and “sex life.” 

S332’s definition of sensitive data also goes beyond the other WPA-style laws in two ways. First, the coverage of health data is slightly expanded to include mental or physical health treatment (in addition to condition or diagnosis). Second, sensitive data also includes “financial information,” which it specifies “shall include a consumer’s account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account.” This category is new to the non-California laws.

The definition of biometric data is also broader than in most of the WPA-style laws, which consistently define biometric data as “data generated by automatic measurements of an individual’s biological characteristics.” S332, in contrast, defines biometric data as “data generated by automatic or technological processing, measurements, or analysis of an individual’s biological, physical, or behavioral characteristics,” and it explicitly includes facial mapping, facial geometry, and facial templates in its list of examples. This language is similar to the definitions of biometric data and biometric identifiers in the Colorado Privacy Act Rules.

8. Expanded Right to Delete

Finally, S332 provides an expanded right to delete with respect to third party data, first observed in Delaware. When a controller has lawfully obtained an individual’s personal data from a third party and the individual submits a deletion request, the controller must either (a) retain a record of the deletion request and the “minimum data necessary” to ensure that the individual’s personal data remains deleted and not use that retained information for any other purpose, or (b) delete such data. This is different from the majority of states, which instead allow a controller that obtains personal data from third party sources to respond to a deletion request by retaining such data but opting the individual out of processing activities that are not subject to a statutory exemption (such as fraud prevention or cybersecurity monitoring).

FPF Announces International Technology Policy Expert as New Head of Artificial Intelligence

FPF has appointed international technology policy expert Anne J. Flanagan as Vice President for Artificial Intelligence (AI). In this new role, Anne will lead the privacy organization’s portfolio of projects exploring the data flows driving algorithmic and AI products and services, their opportunities and risks, and the ethical and responsible development of this technology.

Anne joins FPF with almost 20 years of experience in international strategic technology governance and development. She has a proven track record of bringing together stakeholders worldwide, including businesses, governments, academics, and civil society organizations, to co-design policy frameworks that address our time’s most intractable technology policy issues.

“Anne is a true leader of efforts to establish policies and standards for emerging technologies,” said Jules Polonetsky, CEO of FPF. “The vast amounts of data that enable AI and the myriad uses are creating some of the most exciting opportunities for progress, but also some of the gravest risks the world has faced. We’re eager for Anne to build on FPF’s extensive current portfolio of AI projects and open up new initiatives.”

As Deputy Head of Division for Telecommunications Policy & Regulation at the Department of Communications, Climate Action, and Environment in Ireland, Anne was responsible for developing Ireland’s technical policy positions and diplomatic strategy regarding EU legislation on telecommunications, digital infrastructure, and data. She represented Ireland in the EU Digital Single Market Strategic Group at the European Commission and the Working Party on Telecommunications and Information Society at the Council of the European Union. Anne also played a crucial role in the EU’s early approach to AI governance, contributing to the foundational work on the EU’s Digital Single Market. 

Since moving to the U.S. in 2019, Anne has held several senior positions in technology policy, including at the World Economic Forum’s Centre for the Fourth Industrial Revolution and, most recently, Reality Labs Policy at Meta Platforms Inc. In all of these senior roles, her research and expertise has helped technology business leaders shape responsible and sustainable technology development.

 “I have seen global leaders, from governments to CEOs, struggle with developing AI in an ethical and responsible manner,” said Flanagan. “This is complicated by the unprecedented speed in AI innovation and an intersection with other emerging technologies and policy issues. As we think about managing AI, human centricity needs to be at the forefront of any approach, and therefore, the importance of data stewardship becomes vital. I’m excited for this opportunity at such a distinguished organization as the Future of Privacy Forum, where these concerns are already front and center. I look forward to working towards building sustainable and trustworthy policy solutions with diverse stakeholders globally.” 

Since 2015, FPF has worked with corporate, civil society, and policy stakeholders to develop best practices for managing risks posed by AI and has worked to assess whether data protection practices such as fairness, accountability, and transparency are sufficient to answer the ethical questions they raise. More recently, FPF explored the challenges and responsible applications regarding AI in the workplace with its 2023 Best Practices for AI and Workplace Assessment Technologies and updated its 2020 report, The Spectrum of Artificial Intelligence and accompanying Spectrum of Artificial Intelligence Infographic. Additional FPF AI projects include Automated Decision-making Under the GDPR,  Generative AI for Organizational Use: Internal Policy Checklist, Unfairness By Algorithm: Distilling the Harms of Automated Decision-Making and more. 

Anne holds a Masters in Economics and Political Science from Trinity College Dublin, a Masters in International Relations from Dublin City University, and a Masters of Business Administration from Trinity College Dublin. A former appointee to the UK Government’s International Data Transfers Expert Council, Anne is also a Member of the Board of Advisors of the Innovation Value Institute (IVI) at Maynooth University and a recognized Woman Leader in Data and AI at WLDA.tech.

7 Essential Tips to Protect Your Privacy in 2024

Today, almost everything we do online involves companies collecting personal information about us. Personal data is collected and used for various reasons – like when you use social media, shop online, redeem digital coupons at the store, or browse the internet. 

Sometimes, information is collected about you by one company and then shared or sold to another. While data collection can benefit both you and businesses – like connecting with friends, getting directions, or sales promotions – it can also be used in invasive ways unless you take control.

You can protect your personal data and information in many ways and control how it is shared and used. On this Data Privacy Day or Data Protection Day in Europe, recognized annually on January 28 to mark the anniversary of Convention 108, the first binding international treaty to protect personal data, the Future of Privacy Forum (FPF) and other organizations are raising awareness and promoting best practices for data privacy. 

FPF is partnering with Snap Inc. to provide a privacy-themed Snapchat filter to spread awareness of the importance of data privacy to your networks. Share the pictures you took using our interactive lens on social media using the hashtag #FPFDataPrivacyDay2024.

Here are 7 quick, easy steps you can take to better protect your privacy online and when using your mobile device.

1. Check Your Privacy Settings on Social Media

Many social media sites include options on how to tailor your privacy settings to limit how data is collected or used. Snap provides privacy options that control who can contact you and many other options. Start with the Snap Privacy Center to review your settings. You can find those choices here.

Snap also provides options for you to view any data they have collected about you, including account information and your search history. Downloading your data allows you to view what information has been collected and modify your settings accordingly. 

Instagram allows you to manage various privacy settings, including who has access to your posts, who can comment on or like your posts, and manage what happens to posts after you delete them. You can view and change your settings here.

TikTok allows you to decide between public and private accounts, allows you to change your personalized ad settings, and more. You can check your settings here.

Twitter/X allows you to manage what information you allow other people on the platform to see and lets you choose your ad preferences. Check your settings here.

Facebook provides a range of privacy settings that can be found here.

In addition, you can check the privacy and security settings for other popular applications such as BeReal and Pinterest here. Be sure to also check your privacy settings if you have a profile on a popular dating app such as Bumble, Hinge, or Tinder.

What other social media apps do you use often? Check to see which settings they provide!

2. Limit Sharing of Location Data

Most social media apps and websites will ask for access to your location data. Do they need it for some obvious reason, like helping you with directions, showing your nearby friends, or perhaps a store location you’re looking for? If not, feel free to opt-out of location data. Be aware that location data is often used to personalize ads and recommendations based on locations you have recently visited. Allowing access to location services may also permit sharing of location information with third parties.

To check the location permissions allowed for apps on an iPhone or Android, follow the below steps.

iPhone

• Navigate to “Settings,” then “Privacy & Security,” and then “Location Services.”
• Search for each app downloaded on your phone
• Open each and make sure “Never” is selected or only “While Using.”

Android

• Navigate to “Settings,” then “Location,” and then “App Location Permissions.”
• Select the app you would like to prevent from accessing your location.
• Make sure “Not Allowed” is selected or “Allowed only while in use.”

3. Keep Your Devices & Apps Up to Date

Keeping software current and up to date is the only way to ensure your device is protected against the latest software vulnerabilities. Installing the latest security software, web browsers, and operating systems is the best way to protect against various online threats. By enabling automatic updates on your devices, you can be sure that your apps and operating systems are always up to date. 

Users can check the status of their operating systems in the settings app. 

For iPhone users, navigate to “Software Update,” and for Android devices, look for the “Security” page in settings.

4. Use a Password Manager

Utilizing a strong and secure password for each web-based account helps ensure your personal data and information are protected from unauthorized use. Remembering passwords for every account can be difficult, and using a password manager can help. Password managers save passwords as you create and log in to your accounts, often alerting you of duplicates and suggesting the creation of a stronger password. 

For example, if you use an Apple product when signing up for new accounts and services, you can allow your iPhone, Mac, or iPad to generate strong passwords and safely store them in iCloud Keychain for later access. Some of the best third-party password managers can be found here.

5. Enable Two-Factor Authentication

Two-factor authentication adds an additional layer of protection to your accounts. The first authentication is the standard username and password combination used for years. The second factor is a text message or email with a code sent to a personal device. This added step makes it harder for malicious actors to access your accounts. Two-factor authentication only adds a few seconds to your day but can save you from the headache and harm that comes from compromised accounts. To be even safer, use an authenticator app as your second factor. 

Remember to adjust your settings regularly, staying on top of any privacy changes and updates made on the web applications you use daily. Protect your data by being intentional about what you post online and encouraging others to look at the information they may share. By adjusting your settings and making changes to your web accounts and devices, you can better maintain the security and privacy of your personal data.

6. Use End-to-End Encryption for Secure Messaging

Using applications with secure end-to-end encryption, such as Signal and ProtonMail, ensures that only you and the intended recipient can read your messages. Other applications such as WhatsApp and Telegram are also end-to-end encrypted, though be sure to update your settings in Telegram as messages are not encrypted by default.

As many of us share sensitive information with our families and friends, it’s critical to be mindful of how our personal information is shared and who has access to it. 

What better time to reassess our data practices and think about this important topic than during Data Privacy Day?

7. Turning off Personalized Ads

Take control of how companies use your personal information to advertise to you by going into the settings of your applications. See below for how-to guides with quick, step-by-step instructions to turn off ad personalization for popular apps you may be using: 

• Google & Android
• Apple (including App Store, Apple News, and more)
• Snapchat
• TikTok
• Pinterest
• Twitter/X

If you’re interested in learning more about one of the topics discussed here or other issues driving the future of privacy, sign up for our monthly briefing, check out one of our upcoming events, or follow us on Twitter, LinkedIn, or Instagram. 

FPF brings together some of the top minds in privacy to discuss how we can all benefit from the insights gained from data while respecting the individual right to privacy.

Identifying Privacy Risks and Implementing Best Practices for Body-Related Data in Immersive Technologies

As organizations develop more immersive technologies, and rely on the collection, use, and transferring of body-related data, they need to ensure their data practices not only maintain legal compliance, but also more fulsomely protect people’s privacy. To guide organizations as they develop their body-related data practices, the Future of Privacy Forum created the Risk Framework for Body-Related Data in Immersive Technologies. This framework serves as a straightforward, practical guide for organizations to analyze the unique risks associated with body-related data, particularly in immersive environments, and to institute data practices that earn the public’s trust. Developed in consultation with privacy experts and grounded in the experiences of organizations working in the immersive technology space, the framework is also useful for organizations that handle body-related data in other contexts. This post will build on our previous blog post where we discussed the importance of understanding an organization’s data practices and evaluating legal obligations. In this post we will focus on identifying the risks data practices raise and implementing best practices to mitigate these risks.

I. Identifying and assessing risk to individuals, communities, and society

Beyond legal compliance, leading organizations also should seek to ensure their products, services, and other uses of body-related data are fair, ethical, and responsible. Body-related data, and particularly the aggregation of this data, can give those with access to it significant insight into an individual’s personal life and thoughts. These insights include not just an individual’s unique ID, but potentially their emotions, characteristics, behaviors, desires, and more. As such, it is important for safeguards to prevent harmful uses of body-related data. Proactively identifying the risks their data handling raises will help organizations determine which best practices are most appropriate. 

As demonstrated in the chart below, privacy harms may stem from particular types of data being used or handled in particular ways, or transferred to particular parties. Organizations should consider the factors related to data type and data handling that impact the risks associated with their data practices.

When assessing the risks their data practices raise, organizations should ask themselves questions including:

• What are the harms that each risk may create, and how severe might they be?
• Who is likely to be the most significantly harmed by the realization of any given risk?
• What organizational goal or objective is a given data practice serving?
• Are there any public policy or legal considerations impacting an organization’s analysis of their data practices?
• Might technology change in the near future in a way that makes certain data practices more or less likely to result in harm, or more or less harmful?
• Are there any alternatives to a given data practice that are more privacy-friendly, while still allowing the organization to achieve its objectives?
• Does a given data practice raise risks that are too significant or implicate sufficiently serious harms such that it should be abandoned altogether?

II. Implementing relevant best practices

There are a number of legal, technical, and policy safeguards that can help organizations maintain statutory and regulatory compliance, minimize privacy risks, and ensure that immersive technologies are used fairly, ethically, and responsibly. These best practices should be implemented in a way that is intentional—adopted as appropriate given an organization’s data practices and associated risks; comprehensive—touching all parts of the data lifecycle and addressing all relevant risks; and collaborative—developed in consultation with multidisciplinary teams within an organization including stakeholders from legal, product, engineering, privacy, and trust and safety.

The chart below summarizes some of the major best practices organizations can apply to body-related data, as well as specific recommendations for each.

It is critical to note that no single best practice stands alone, and instead the contemplation of best practices should be considered comprehensively and implemented together as part of a coherent strategy. In addition, any strategy and practices must be evaluated on an ongoing basis as technology, data practices, and regulations change.

As organizations grapple with the privacy risks that body-related data raises, risk-based approaches to evaluating data practices can help organizations ensure they are not just compliant but also that they value privacy. FPF’s Risk Framework for Body-Related Data in Immersive Technologies serves as a starting point for organizations that collect, use, or transfer body-related data to develop best practices that prioritize user privacy. As technologies become more immersive, the unique considerations raised in this framework will be relevant for a growing number of organizations and the virtual experiences they create. Organizations can use this framework as a guide as they examine, develop, and refine their data practices.

This Year’s Must-Read Privacy Papers to be Honored at Washington, D.C. Event

The Future of Privacy Forum’s 14th Annual Privacy Papers for Policymakers Award Recognizes Influential Privacy Research

Today, the Future of Privacy Forum (FPF) — a global non-profit focused on data protection headquartered in Washington, D.C. — announced the winners of its 14th annual Privacy Papers for Policymakers (PPPM) Awards.

The PPPM Awards recognize leading U.S. and international privacy scholarship that is relevant to policymakers in the U.S. Congress, federal agencies, and international data protection authorities. Nine winning papers, two honorable mentions, two student submissions, and a student honorable mention were selected by a diverse group of leading academics, advocates, and industry privacy professionals from FPF’s Advisory Board.

Award winners will have the unique opportunity to showcase their papers. Authors of U.S. focused papers will present their work at the Privacy Papers for Policymakers ceremony on February 27, 2024, in Washington, D.C. Winning papers with an international focus will be presented at a virtual event on March 1, 2024.

“Academic scholarship is an essential resource for legislators and regulators around the world who are grappling with the increasingly complex uses of personal data. Thoughtful policymakers will benefit from the deep analysis and independent thinking provided by these essential publications.” – FPF CEO Jules Polonetsky

FPF’s 2023 Privacy Papers for Policymakers Award winners are:

• Towards a Latin American Model of Adequacy for the International Transfer of Personal Data by Luca Belli, Fundação Getulio Vargas Law School; Ana Brian Nougrères, Naciones Unidas en el Derecho a la Privacidad; Jonathan Mendoza Iserte, INAI, Mexico; Pablo Palazzi, Centro de tecnología y Sociedad de la Universidad de San Andrés; & Nelson Remolina Angarita, GECTI de la Universidad de los Andes
  • This article analyzes the regulatory regime for international transfers of personal data based on the legislation of several Latin American countries (namely Argentina, Brazil, Colombia, Mexico and Uruguay), its general regime and the different exceptions considered in the existing regulations. Finally, after explaining the divergences, different alternatives and ideas are proposed to create a specific regime to be used within Latin America for international transfers of personal data and recognition of adequacy. On the other hand, an analysis is carried out on the phenomenon of international data collection and solutions are proposed so that the rights of data owners are guaranteed when their information is collected from other countries without the collector being domiciled in the country of the data subject.

• Less Discriminatory Algorithms by Emily Black, Barnard College–Columbia University; John Logan Koepke, Upturn; Pauline Kim, Washington University in St. Louis – School of Law; Solon Barocas, Microsoft Research and Cornell University; and Mingwei Hsu, Upturn
  • Entities that use algorithmic systems in traditional civil rights domains like housing, employment, and credit should have a duty to search for and implement less discriminatory algorithms (LDAs). Why? Work in computer science has established that, contrary to conventional wisdom, for a given prediction problem, there are almost always multiple possible models with equivalent performance—a phenomenon termed model multiplicity. Model multiplicity has profound ramifications for the legal response to discriminatory algorithms. As a result, the law should place a duty of reasonable search for LDAs on entities that develop and deploy predictive models in covered civil rights domains. The law should recognize this duty in at least two specific ways. First, under the disparate impact doctrine, a defendant’s burden of justifying a model with discriminatory effects should be recognized to include showing that it did a reasonable search for LDAs before implementing the model. Second, new regulatory frameworks for the governance of algorithms should include a requirement that entities search for and implement LDAs as part of the model-building process.

• Future-Proofing Transparency: Re-Thinking Public Record Governance for the Age of Big Data by Beatriz Botero Arcila, Institut d’Etudes Politiques de Paris (Sciences Po) and Harvard University, Berkman Klein Center for Internet & Society
  • Public records, public deeds, and even open data portals often include personal information that can now be easily accessed online. With Big Data and powerful machine learning algorithms, personal information in public records can easily be used to infer sensitive data about people or aggregated to create a comprehensive personal profile of almost anyone. This information is public and open, however, for many good reasons. Can the interest in record publicity coexist with the growing ease of deanonymizing and revealing sensitive information about individuals? This Article addresses this question from a comparative perspective, focusing on US and EU access to information law. The Article shows that the publicity of records was, in the past and notwithstanding its presumptive public nature, protected because most people would not trouble themselves to go to public offices to review them, and it was practically impossible to aggregate them to draw extensive profiles about people. Drawing from this insight and contemporary debates on data governance, this Article challenges the binary classification of data as either published or not and proposes a risk-based framework that re-inserts that natural friction to public record governance by leveraging techno-legal methods in how information is published and accessed.

• Experiments with Facial Recognition Technologies in Public Spaces: In Search of an EU Governance Framework by Catherine Jasserand, University of Groningen
  • According to a survey conducted in 2020 by EDRi, at least 15 European countries have already used or experimented with facial recognition technologies (FRTs) in public spaces without much public debate. Yet, these highly intrusive technologies capture the distinctive facial characteristics of individuals to identify them. The systems operate at a distance without people’s cooperation or awareness. Evidence from France and the United Kingdom shows that public authorities (mainly the police) have trialed and used the technologies in public spaces. Drawing insights from these experiments, the chapter assesses whether the applicable data protection frameworks are sufficient to regulate public authorities’ experimentation with FRTs in public spaces. After identifying the regulatory gaps of the existing frameworks, the chapter provides some arguments and tools for a reflection on an experimental approach to test these technologies (such as Data Protection Impact Assessments, experimental legislation, and regulatory sandboxes based on the future AI Act).

• Do No Harm Guide: Applying Equity Awareness in Data Privacy Methods by Claire McKay Bowen, Urban Institute; and Joshua Snoke, RAND Corporation
  • Researchers and organizations can increase privacy in datasets through methods such as aggregating, suppressing, or substituting random values. But these means of protecting individuals’ information do not always equally affect the groups of people represented in the data. A published dataset might ensure the privacy of people who make up the majority of the dataset but fail to ensure the privacy of those in smaller groups. Or, after undergoing alterations, the data may be more useful for learning about some groups more than others. How entities protect data can have varying effects on marginalized and underrepresented groups of people. To understand the current state of ideas, we completed a literature review of equity-focused work in statistical data privacy (SDP) and conducted interviews with nine experts on privacy-preserving methods and data sharing. These experts include researchers and practitioners from academia, government, and industry sectors with diverse technical backgrounds. We offer an illustrative example to highlight potential disparities that can result from applying SDP methods. We develop an equitable data privacy workflow that privacy practitioners and decisionmakers can utilize to explicitly make equity part of the standard data privacy process.

• AI Audits: Who, When, How…Or Even If? by Evan Selinger, Rochester Institute of Technology – Department of Philosophy; Brenda Leong, Luminos.Law; and Albert Fox Cahn, Surveillance Technology Oversight Project, Harvard University – Carr Center for Human Rights Policy, Yale Law School
  • Artificial intelligence (AI) tools are increasingly being integrated into decision-making processes in high-risk settings, including employment, credit, health care, housing, and law enforcement. Given the harms that poorly designed systems can lead to, including matters of life and death, there is a growing sense that crafting policies for using AI responsibly must necessarily include, at a minimum, assurances about the technical accuracy and reliability of the model design. Because AI auditing is still in its early stages, many questions remain about how to best conduct them. While many people are optimistic that valid and effective best practice standards and procedures will emerge, some civil rights advocates are skeptical of both the concept and the practical use of AI audits. This chapter aims to explain why AI audits often are regarded as essential tools within an overall responsible governance system and how they are evolving toward accepted standards and best practices. We will focus most of our analysis on these explanations, including recommendations for conducting high-quality AI audits. Nevertheless, we will also articulate the core ideas of the skeptical civil rights position. This intellectually and politically sound view should be taken seriously by the AI community. To be well-informed about AI audits is to comprehend their positive prospects and be prepared to address their most serious challenges.

• Data Is What Data Does: Regulating Based on Harm and Risk Instead of Sensitive Data by Daniel J. Solove, George Washington University Law School
  • Heightened protection for sensitive data is trendy in privacy laws. Although heightened protection for sensitive data appropriately recognizes that not all situations involving personal data should be protected uniformly, the sensitive data approach is a dead end. The sensitive data categories are arbitrary and lack any coherent theory for identifying them. The borderlines of many categories are so blurry that they are useless. Moreover, it is easy to use nonsensitive data as a proxy for certain types of sensitive data. This Article argues that the problems with sensitive data make it unworkable and counterproductive as well as expose a deeper flaw at the root of many privacy laws. These laws make a fundamental conceptual mistake—they embrace the idea that the nature of personal data is a sufficiently useful focal point. But nothing meaningful for regulation can be determined solely by looking at the data itself. Data is what data does. To be effective, privacy law must focus on harm and risk rather than on the nature of personal data. Privacy protections should be proportionate to the harm and risk involved with the data collection, use, and transfer.

• The Prediction Society: Algorithms and the Problems of Forecasting the Future by Hideyuki Matsumi, Vrije Universiteit Brussel (VUB); Keio University and Daniel J. Solove, George Washington University Law School
  • Today’s predictions are produced by machine learning algorithms that analyze massive quantities of data, and increasingly, important decisions about people are being made based on these predictions. Algorithmic predictions are a type of inference, but predictions are different from other inferences and raise several unique problems. (1) Algorithmic predictions create a fossilization problem because they reinforce patterns in past data and can further solidify bias and inequality from the past. (2) Algorithmic predictions often raise an unfalsifiability problem. (3) Algorithmic predictions can involve a preemptive intervention problem. (4) Algorithmic predictions can lead to a self-fulfilling prophecy problem. More broadly, the rise of algorithmic predictions raises an overarching concern: Algorithmic predictions not only forecast the future but also have the power to create and control it. Data protection/privacy law do not adequately address these problems. Many laws lack a temporal dimension and do not distinguish between predictions about the future and inferences about the past or present.  We argue that the use of algorithmic predictions is a distinct issue warranting different treatment from other types of inference.

• Beyond Memorization: Violating Privacy Via Inference with Large Language Models by Robin Staab, Mark Vero, Martin Vechev, and Mislav Balunovic, ETH Zurich
  • Current privacy research on large language models (LLMs) primarily focuses on the issue of extracting memorized training data. At the same time, models’ inference capabilities have increased drastically. This raises the key question of whether current LLMs could violate individuals’ privacy by inferring personal attributes from text given at inference time. In this work, we present the first comprehensive study on the capabilities of pretrained LLMs to infer personal attributes from text. As people increasingly interact with LLM-powered chatbots across all aspects of life, we also explore the emerging threat of privacy-invasive chatbots trying to extract personal information through seemingly benign questions. Finally, we show that common mitigations, i.e., text anonymization and model alignment, are currently ineffective at protecting user privacy against LLM inference. Our findings highlight that current LLMs can infer personal data at a previously unattainable scale. In the absence of working defenses, we advocate for a broader discussion around LLM privacy implications beyond memorization, striving for a wider privacy protection.

In addition to the winning papers, FPF selected for Honorable Mentions: The After Party: Cynical Resignation In Adtech’s Pivot to Privacy by Lee McGuigan, University of North Carolina at Chapel Hill; Sarah Myers West, AI Now Institute; Ido Sivan-Sevilla, College of Information Studies, University of Maryland; and Patrick Parham, College of Information Studies, University of Maryland; and Epsilon-Differential Privacy, and a Two-step Test for Quantifying Reidentification Risk by Nathan Reitinger and Amol Deshpande of the University of Maryland.

FPF also selected two papers for the Student Paper Award: The Privacy-Bias Tradeoff: Data Minimization and Racial Disparity Assessments in U.S. Government by Arushi Gupta, Stanford University; Victor Y. Wu, Stanford University; Helen Webley-Brown, Massachusetts Institute of Technology; Jennifer King, Stanford University; and Daniel E. Ho, Stanford Law School; and Estimating Incidental Collection in Foreign Intelligence Surveillance: Large-Scale Multiparty Private Set Intersection with Union and Sum by Anunay Kulshrestha and Jonathan Mayer of Princeton University. A Student Paper Honorable Mention went to Ditching “DNA on Demand”: A Harms-Centered Approach to Safeguarding Privacy Interests Against DNA Collection and Use by Law Enforcement by Emma Kenny-Pessia, J.D. Candidate at Washington University in St. Louis School of Law.

In reviewing the submissions, these winning papers were awarded based on the strength of their research and proposed policy solutions for policymakers and regulators in the U.S. and abroad.

The Privacy Papers for Policymakers event will be held on February 27, 2024, in Washington, D.C., exact location to be announced. The event is free and open to the public.