🔎 5) Privacy Regulatory Movements to Follow: India, Argentina, Australia, Canada, South Korea

Big regulatory movements in privacy and data protection will continue in 2023, and the jurisdictions to follow are India (again!), Australia, Argentina, Canada, and South Korea. If you're interested why, ask me for details.

For pointers on what to be looking for in US lawmaking, see my colleague Keir Lamont’s analysis in https://fpf.org/blog/five-big-questions-and-zero-predictions-for-the-u-s-state-privacy-landscape-in-2023/

This wraps up my first Masto thread.🤓

END

Second, #India will hold the Presidency of the #G20 and very recently the country marked a shift away from data localization with the withdrawal of the 2019 Personal Data Protection Bill and the introduction of the Digital Personal Data Protection bill last fall. 🇮🇳

This recent piece published by the Atlantic Council explains how “India’s #datalocalization pivot can revamp global digital diplomacy”: https://www.atlanticcouncil.org/blogs/southasiasource/indias-data-localization-pivot/

12/

🌏 This year will be crucial for moving the conversation forward on how to enable cross-border data flows at intergovernmental level, for several reasons.

First of all, Japan is back in a leadership position, this time holding the Presidency of the G7 and it has made its intentions very clear to continue pushing for DFFT by promoting regulatory cooperation.

In this respect, the DPAs of the G7 countries are working on “convergence to foster future interoperability” of transfer tools.

11/

↔️ 4) Big Intergovernmental Push for #Crossborder Data Flows: G7 and G20

Cross-border #data flows entered the world of high-level intergovernmental organizations decidedly in 2019, when Japan proposed the concept of Data Free Flow with Trust as a guiding principle for rule-making in this field, under the leadership of Shinzo Abe, the late prime minister of Japan. DFFT was endorsed in June 2019 by the members of the G20 nations, with only India expressing opposition towards it back then.

10/

 3) Seeing the results of ever-more-intertwining Competition and Data Protection Law

Scholars and some regulators have been writing for years now about how some parameters of competition law should include assessments of how lawfully or unlawfully companies collect, share and overall process personal data in a given market, when assessing anticompetitive behavior. The intertwinement of the two fields is now widely accepted & incorporated in new antitrust legal obligations.

9/

🤓 See some manifestations of this already last year, with a decision from the Hungarian DPA against a bank using an emotion recognition AI system for its customer services; https://www.lexology.com/library/detail.aspx?g=a9c66d5f-4faf-4500-a1bd-458bf9ebcec7

✍️ Of note, the CNIL published in September 2022 guidance on the GDPR and AI systems: https://www.cnil.fr/en/artificial-intelligence-cnil-publishes-set-resources-professionals

✍️ The Spanish DPA published extensive guidelines on AI and the GDPR already since 2020; https://www.aepd.es/sites/default/files/2020-02/adecuacion-rgpd-ia.pdf

8/

Meanwhile, attention should be paid to Data Protection Authorities. 🕵️

They are increasingly realizing that there are many AI systems running with the help of personal data processing, which brings such AI systems under their realm of enforcement.

This, paired with the enforcement appetite explored at point 1. above, will likely lead to some interesting decisions applying data protection law to the processing of personal data underpinning AI systems.

7/

🤖 2) The race to AI Regulation, and the AI awakening of DPAs

The question is not if (yes!) or when (this year?), but who will be the first jurisdiction with a general legal framework for AI. The EU, Brazil and Canada are the frontrunners in the race to adopting a general law that applies to AI systems.

6/