| Time |
Session |
Panelists |
| |
Monday, 12 June 2023 |
|
| 18:00 — 20:00 |
Welcome Reception (guests invited) |
|
| |
Tuesday, 13 June 2023 |
|
| 7:30 — 8:30 |
Sign-in |
|
| 8:30 — 8:45 |
Welcome and overview |
D'Ambra, Matus, Moncure, Weinlein |
| 8:45 — 10:00 |
EU-U.S. data transfers and the EU-U.S. Data Privacy Framework: What's next? |
Alvarez, Brady, Gerlach*, Koning, Promislow |
| |
In the wake of the July 2020 landmark decision of the European Court of Justice (ECJ), Schrems II, that struck down the EU-U.S. Privacy Shield, parties on both sides of the Atlantic began work in earnest on a new framework for data transfers between the EU and U.S. that could withstand ECJ scrutiny. In March 2022, an “agreement in principle” was reached on such a framework – the EU-U.S. Data Privacy Framework (“Framework”). Subsequent efforts to turn that “agreement in principle” into a legal framework, including the October 2022 White House Executive Order on Enhancing Safeguards For United States Signals Intelligence Activities, resulted in the European Commission releasing a draft adequacy decision for the Framework in December 2022. The panel will lead a dialogue on the structure and contents of the Framework; the efficacy of the Commission’s draft adequacy decision; the likelihood of avoiding a potential Schrems III; what the ideal mechanism for EU-U.S. data transfers would look like; and the broader context of international efforts to achieve free data flows with trust. |
|
| 10:00 — 10:15 |
Morning Break |
|
| 10:15 — 11:15 |
Global approaches to regulating AI: Convergence or divergence? |
Promislow*, State, Tommasone, Wilkinson, Wimmer |
| |
In early 2021, the European Commission proposed the first-ever legal framework for AI, the “Proposal for a Regulation laying down harmonised rules on artificial intelligence” (or the “Artificial Intelligence Act”). The regulation’s main focus is on specific risks surrounding AI and the categorization of such risks. Around the same time, the U.S. Federal Trade Commission (FTC) released Business Guidance noting the FTC’s perception that AI could inadvertently introduce bias or other unfair outcomes and warned of the potential applicability of Section 5 of the FTC Act, the Fair Credit Reporting Act, and the Equal Credit Opportunity Act. The Artificial Intelligence Act and the FTC’s Business Guidance appear to suggest a more restrictive approach to AI on the part of regulators in the EU and the U.S. The government of the United Kingdom, however, may be headed in a different direction – with innovation as a priority. In June 2022, the Secretary of State for Digital, Culture, Media and Sport (DCMS) presented to the UK Parliament a policy paper entitled, “Establishing a pro-innovation approach to regulating AI.” The panel will lead a dialogue on the strengths and weaknesses of these varying jurisdictional approaches in the infancy of AI regulation. The panel will also consider whether AI is the new battleground for international commercial supremacy, and if so, how that can be expected to impact the evolution of regulation of AI across the globe. |
|
| 11:15 — 12:15 |
What does the future hold for online advertising under the GDPR, in California and elsewhere? |
Alvarez, Feehan, Gerlach, Jorgensen, Matus*, Talavera de la Esperanza |
| |
In February 2022, the Litigation Chamber of the Belgian Data Protection Authority (APD) found that the Internet Advertising Bureau Europe’s (IAB Europe) Transparency and Consent Framework (TCF) violated several GDPR provisions and, accordingly, imposed a €250,000 fine. Under the TCF, consent management platforms (CMPs) capture the preferences of online users in TC Strings (digital strings containing user preferences). The APD held that IAB Europe – as well as CMPs, publishers and participating ad tech vendors – lacked a valid legal basis for the processing of personal data through the TCF. In January 2023, APD approved IAB Europe’s action plan to bring processing of personal data under the TCF into compliance with the GDPR. The implementation of the action plan, however, will entail operating changes for TCF participants that may ultimately be found inadequate by the ECJ. Meanwhile, in California, the CCPA was amended specifically to capture the practice of “sharing” personal information in online advertising, as opposed to merely its “sale,” leading to new contractual requirements. The CCPA also now includes new provisions specifically to "target" targeted advertising. Finally, in November 2022, the UK Competition and Markets Authority (CMA) announced a new effort to look into Business to Consumer (B2C) online sales practices. The panel will compare and contrast the aforementioned developments in the EU, California, and the UK, and assess the trends lines for online internet advertising vis-à-vis data protection regulations globally. |
|
| 12:15 — 13:15 |
Lunch |
|
| 13:15 — 14:30 |
Data protection authority (DPA) roundtable |
Cervera Navas, Hurley, Moncure*, Wimmer |
| |
Global DPAs will lead a dialogue on their respective challenges and priorities in both their enforcement and advisory roles under global data protection regimes. The dialogue will also address technological developments and data transfer mechanisms (e.g., SCCs; EU-U.S. Data Privacy Framework). |
|
| 14:30 — 14:45 |
Afternoon Break |
|
| 14:45 — 16:00 |
Insights from former DPAs |
Fabiano, Matus*, Schaar, Shonka |
| |
Examining issues of cross-border data transfers and data protection can look very different for a regulator than a business or other organization. How does being a DPA shape one’s view of the issues? This panel brings together former DPAs from across the globe who have experience on both sides of the regulatory divide to dialogue on what they see as the most important trends in the data protection field, how working in a regulatory capacity has changed how they speak with organizations about data protection, and what they see as the critical foci for DPAs. |
|
| 16:00 — 17:00 |
Operating under China's Personal Information Protection Law (PIPL) |
D'Ambra*, Duan, State, Wilan, Yu |
| |
China’s PIPL went into effect on November 1, 2021, and in June 2022, China issued administrative rules fleshing out the restrictions on cross-border data transfers in addition to the requisite steps required to obtain regulatory approval of such transfers. These steps include (1) clearing a security assessment approved by the Cyberspace Administration of China (CAC) and (2) either obtaining a personal information protection certification from a professional institution designated by the CAC or entering into a standard format data transfer agreement with the foreign recipient of the data. Unfortunately, the exact metes and bounds of this complex process remains largely unclear, leaving multinational companies in a difficult position when conducting investigations or cross-border discovery of data in China. Our panel will share first-hand experience with navigating the challenges of the PIPL and other Chinese data protection laws and will provide practical tips on addressing these challenges. |
|
| 17:00 — 19:00 |
Reception (guests invited) |
|
| |
|
|
| |
Wednesday, 14 June 2023 |
|
| 8:00 — 9:00 |
Sign-in |
|
| 9:00 — 10:15 |
Cross-border data transfers regulatory action and case law update |
Baylson, Brady, Drum, Scorza, Withers* |
| |
Each year, the International Programme features a detailed discussion of recent regulatory actions and court decisions on privacy, data security, and cross-border data transfer issues. This year’s panel of privacy and data security legal scholars will lead a dialogue on the most instructive actions and cases from the past year. |
|
| 10:15 — 10:30 |
Morning Break |
|
| 10:30 — 11:45 |
Data security and breach regulation and litigation, including responding to regulators across jurisdictions in an ever-expanding breach notification environment |
Bryant, D'Ambra, Shonka, Wilan*, Wilkinson |
| |
New or revised privacy laws and regulations globally now usually include data breach notification requirements. When faced with a potential data breach, companies must determine how to respond to divergent notification requirements across jurisdictions. Companies also face an ever-increasing risk of litigation from regulators, individuals, or organizations. This panel will explore best practices associated with data breach response as related to notification requirements and preparing for potential litigation. Panelists will also lead a dialogue on the nuances of cross-border data transfers in the context of data breach litigation. |
|
| 11:45 — 13:00 |
Data protection and security audit 101: Practical realities for audit preparation and response |
Bryant, Jorgensen, Koning, Moncure* |
| |
Data protection and security audit provisions are increasingly a part of new data protection laws and regulations, turning what was once a best practice into a mandatory legal requirement. This panel will examine how companies should prepare for and respond to such audits. Who should be involved in the audit? What exactly should be audited? Depending on the jurisdiction and situation, can privilege protections be applied to the audit? Panelists will lead a dialogue on these questions and other key points related to data protection and security audits. |
|
| 13:00 — 14:00 |
Lunch (provided) |
|
