Reflecting on Europe's Leading Privacy Conference
I spent last week in Brussels, attending Europe's leading privacy conference and meeting with folks about data privacy. Here are some thoughts.
I spent last week in Brussels, attending the 2023 Computers, Privacy, and Data Protection (CPDP) conference — the leading privacy conference in Europe — as well as meeting with folks about data privacy issues. My attendance was under my hat at Duke University’s Sanford School of Public Policy, where I run its data broker research program and lecture on technology policy (among other things). Here are some quick thoughts on the conference and my privacy conversations in Brussels. Brought to you by Global Cyber Strategies, a Washington, DC-based research and advisory firm.
The One-Liner
European privacy discourse continues to shape global debates — including around contractual relationships with data “processors,” limited purposes for collection, and the legal discussion of “de-identification” — while excitement is growing about the idea of “Data Free Flow with Trust” promoted by the G7 countries.
Europe’s 2023 CPDP Conference
I attended numerous, excellent sessions, including about:
Whether AI is really “for the people” and the extent to which European policy, law, and practice continues to harm migrants through surveillance, automated public decision-making, and other technology applications;
Cooperation between the EU and Association of Southeast Asian Nations (ASEAN) on data privacy and contractual mechanisms to transfer data;
Emerging technical best-practices for protecting children’s online privacy in the digital age;
The importance of strong encryption in the face of government proposals to eliminate end-to-end encryption or effectively undermine it through requirements for companies to scan messages and content; and
How surveillance technologies and measures introduced or expanded during the Covid-19 pandemic’s global peak remain in place today, among many others.
In quick succession, from the conference and several conversations and meetings I had around the conference, a few other thoughts stand out.
There is substantial interest in the G7’s “Data Free Flow with Trust” discussions. The Japanese government introduced this idea at the 2019 G20 in Osaka, Japan, after which the Indian government refused to sign onto the declaration; it was very unclear whether Global South countries would agree with the US, Europe, and other involved partners. Now, the 2023 G7 leaders’ communique has included a substantial focus on the “Data Free Flow with Trust” concept, loosely defined as promoting cross-border data flows on the internet with some guardrails in place.
It was clear from my conversations in Brussels that many privacy experts are excited about where this discussion will lead — especially if it can reduce conflicts between emerging data privacy and governance regimes around the world. Every country’s privacy conversation is at least slightly different. Further, not every country is equally interested in — or engaged in — a widespread public conversation about balancing issues like open data flows and national security risks. The hope for many was that “Data Free Flow with Trust” could encourage those conversations while promoting baseline privacy practices in the process. Of course, the support was not unequivocal. Open questions ranged from whether the countries promoting “Data Free Flow with Trust” would engage stakeholders, including civil society and industry, in conversations about implementation and whether the US (in particular, the US Congress) would actually pass a comprehensive privacy law anytime soon.
I was also excited by the discussions about data reuse and third-party data use. Given my Duke team’s research and work on data brokers (including my recent testimony to the US Congress), I was also pleased that not every element of the conversation related to data brokerage per se. Data brokers did indeed come up as a considerable privacy and surveillance problem. But there were also conversations more broadly about the problems with companies gathering data for one stated purpose and then using it for another. In a discussion focused on the Asia-Pacific, one individual made the point that individuals’ (and regulators’) lack of visibility into third-party data use presents a fundamental privacy and governance problem.
These are just some quick thoughts on an exciting several days in Brussels. For those debating it for next year, the CPDP conference is certainly well worth attending.
Subscribe for more public insights, and reach out on Global Cyber Strategies’ website for a range of custom-tailored research and advisory services.
—
© 2023 Global Cyber Strategies LLC.