On October 24, the Austria, Berlin, Frankfurt, Hamburg, Leipzig, Luxembourg, Munich, Rhine-Ruhr, Stuttgart and Switzerland IAPP (formerly known as the International Association of Privacy Professionals) KnowledgeNet chapters joined together for a daylong conference exploring the state of privacy, artificial intelligence (AI), information governance and the application of regulation for European organizations and multinationals doing business in Europe and abroad.
In the panel titled “Global Privacy and AI Challenges: U.S. and EU Perspectives,” two Americans, a German and a Canadian living abroad led an hour of lively discussion, with some jokes that may have landed – at least those dealing with German Works Council oversight.
The panel mirrored the entirety of the KnowledgeNet conference and explored four key themes:
- The European/American perspective and potential divide – what are both sides of the Atlantic doing about AI and privacy in their respective regions, and how can both work more effectively across borders?
- What happens where law meets compliance? What do organizations do with limited resources and the impossibility of perfection?
- What big transformations are confronting global organizations, what is driving these transformations and which regions are hotbeds of activities?
- What are some war stories from the frontlines of privacy, information governance, security and AI?
The audience provided lively participation, asking questions regarding the uneven application of privacy law in various U.S. states and whether there is realistic hope on the horizon for a one-size-fits-all solution. Absent global or even regional reassurances from the panel, the questions turned to the specifics: What standards could multinational organizations embrace that might help in the near term, especially when advanced and newer technologies are introduced into organizations through the back door without approvals by procurement, privacy impact assessments or new contracting terms?
The panel referenced guidance from U.S. regulators and lawmakers who had themselves pointed to specific standards as indicators of compliance, at least facially. The first example examined was then-California Attorney General Kamala Harris's 2016 California Data Breach Report, which cited the Center for Internet Security's Top 20 Critical Security Controls (CSC) (now known as the Center for Internet Security (CIS) Controls) as a baseline indicator of whether an organization was meeting basic security standards. The discussion then turned to the National Association of Insurance Commissioners' Model Bulletin on AI adoption, which specifically references the National Institute of Standards and Technology (NIST) Artificial Intelligence Risk Management Framework (AI RMF) as a model to be folded into an insurer's existing enterprise risk management (ERM) program. The recitation ended with the upcoming Colorado AI Act, which prospectively references both the NIST AI RMF and the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 42001:2023 standard as examples of a reasonable risk management policy for AI use, as well as considerations for ERM requirements.
Outside general standards and high-level regulatory advice, of particular interest to European counsel for multinational organizations with locations and presence in the U.S. was how plaintiffs' counsel in the U.S. approach private rights of action, especially regarding the “zombie technologies” that linger on websites, such as legacy tracking pixels, video plug-ins and chatbots – even when those technologies come from “white label” providers.
BakerHostetler has covered these issues before in blog posts and other treatments, but the panel was another opportunity to remind organizations to perform some end-of-year hygiene on websites and other outward-facing “presences,” including applications: inventory the pixels, plug-ins and chatbots actually loaded on each page, and confirm that each one has a documented purpose, approved vendor terms and appropriate notice and consent. Not only have California plaintiffs' counsel been busy examining the “outer layer of the onion,” i.e., the parts of an organization visible from the outside, but multinational organizations have also been confronting new actions filed in other states by attorneys general (California and Texas) and by plaintiffs' attorneys (including in Florida). Ultimately, the panel combined views on federated approaches to applicable law in the U.S., the application of U.S. and international standards (e.g., the CIS Controls, the NIST AI RMF, ISO/IEC 42001:2023), and real-world experience with regulators and plaintiffs' counsel – or what actually happens when theory meets practice.