An Overview of Data Privacy in 2024: Roles, Responsibilities and Risk from the GDPR to the AI Act

Will Rice
First published March 28th, 2024
Last updated June 25th, 2024
Explore various privacy laws from GDPR to the AI Act, focusing on roles, responsibilities, and risks in data governance, privacy, and AI.

The landscape of data governance has undergone significant transformations, driven by the relentless pace of technological advancements and the increasing complexity of regulatory requirements.

Beginning with the rudimentary tools of early web analytics, organisations have gradually transitioned to sophisticated analytics platforms capable of processing vast amounts of data in real-time.

These platforms have revolutionised various aspects of business operations. Now they provide insights into consumer behaviour, market trends, and operational efficiencies that were previously unimaginable.

With this comes a need to put stringent regulatory requirements in place to keep consumer data secure. In this webinar write-up, we’ll be exploring an overview of data privacy in 2024 – the roles, responsibilities, and risk from the GDPR to the AI act.

This is a webinar write-up of Aurélie Pols’ talk at Privacy4Marketers. You can get her slides here. You can purchase the recordings (8 in total) or get them for free by signing up to a paid Cookiebot plan using our referral link. Just make sure to send a screenshot of the billing confirmation to william@measuremindsgroup.com.

 

How do data analytics and advertising blend together?

A pivotal moment in the evolution of data governance occurred with Google’s 2008 acquisition of DoubleClick, a move that effectively integrated data analytics with the advertising industry.

DoubleClick is a company that was founded in 1995 and became one of the pioneers in online advertising technology.

It started as an ad-serving platform but expanded its services to include various tools and solutions for digital marketers and publishers.

The core offering of DoubleClick was its DART ad-serving technology, which allowed advertisers to manage, track, and optimise their online advertising campaigns across multiple websites and platforms.

This technology enabled advertisers to deliver targeted ads to specific audiences based on various criteria such as demographics, interests, and browsing behaviour.

One of the key innovations introduced by DoubleClick was the ability to serve ads in real-time based on user data and behaviour, which significantly improved the efficiency and effectiveness of online advertising campaigns.

dashboard of DoubleClick

Google’s acquisition of DoubleClick

The acquisition allowed Google to integrate DoubleClick’s technology and services into its advertising ecosystem. This provided advertisers and publishers with more comprehensive and sophisticated tools for managing and monetising online advertising inventory.

Today, DoubleClick is part of Google’s suite of advertising products and is known as Google Marketing Platform. It offers a wide range of solutions for advertisers and publishers. This includes ad serving, campaign management, audience targeting, and analytics, helping businesses reach their target audiences more effectively and efficiently across the web.

This convergence gave rise to programmatic advertising and real-time bidding, enabling advertisers to target specific audiences with unprecedented scale, precision and efficiency.

However, it also raised concerns about consumer privacy and data protection, as the collection and utilisation of personal information became increasingly pervasive in online advertising practices.

This necessitated the development of robust data governance frameworks to ensure compliance with regulatory mandates and protect individuals’ rights to privacy.

 

How have regulatory frameworks progressed?

The enactment of regulatory frameworks such as the General Data Protection Regulation (GDPR) marked a significant milestone in the evolution of data governance. It followed the 1995 Data Protection Directive (DPD).

Introduced by the European Union in 2016, the GDPR set forth comprehensive guidelines for the collection, processing, and storage of personal data, with a particular emphasis on transparency, consent, and individual rights.

The GDPR not only established a new standard for data protection within the EU but served as a catalyst for similar initiatives worldwide too. It prompted countries and regions to reevaluate their data protection laws and adopt stricter regulations to safeguard user privacy in the digital age.

 

The emergence of the AI Act

In response to the growing influence of artificial intelligence (AI) and algorithmic decision-making systems, the European Union proposed the Artificial Intelligence Act, a comprehensive regulatory framework aimed at addressing the safety implications of AI technology.

The AI Act establishes guidelines for the development, deployment, and use of AI systems, with a focus on ensuring transparency, accountability, and human oversight.

By defining specific requirements for high-risk AI applications and promoting the responsible use of AI technology, the AI Act aims to mitigate potential risks while fostering trust and confidence in AI-driven solutions.

On the 2nd of February 2024, the Council of EU Ministers unanimously approved the AI Act. This was a huge win for the regulation of AI technology.

 

Bridging regulatory divergence

One of the key challenges facing organisations in the realm of data governance is the divergence between regulatory approaches in different jurisdictions.

While the European Union has adopted a rights-based approach to privacy protection, emphasising the fundamental rights of individuals to control their personal data, the United States has traditionally favoured a more market-driven model with a greater emphasis on self-regulation and industry standards.

This regulatory dissonance not only complicates compliance efforts for multinational corporations but also highlights the need for greater collaboration and harmonisation of standards at the international level to ensure consistent and effective data protection measures across borders.

 

How can organisations navigate data governance?

In navigating the increasingly complex maze of data governance, organisations must adopt a proactive approach to compliance and risk management.

This entails not only understanding and adhering to existing regulatory requirements but also anticipating and preparing for future regulatory developments and emerging threats.

From implementing robust data protection measures and conducting privacy impact assessments to fostering a culture of ethical data stewardship and transparency, organisations must demonstrate a commitment to upholding the highest standards of data governance and privacy protection. This will earn the trust and confidence of consumers, regulators, and stakeholders alike.

 

Be aware of compliance challenges

In the pursuit of compliance, stakeholders encounter a myriad of challenges and ethical considerations that permeate the digital landscape.

The metaphor of the “three monkeys” — hear no evil, see no evil, speak no evil — poignantly illustrates the varied responses to compliance obligations within this realm.

It highlights how some entities may turn a blind eye, avoid acknowledging compliance issues, or refrain from actively addressing them.

Notably, certain influential entities wield disproportionate power within the ecosystem. They shape regulatory discourse and compliance standards to better suit their interests, sometimes at the expense of broader ethical considerations and regulatory obligations.

Statues representing the metaphor of the three monkeys — hear no evil, see no evil, speak no evil

 

Understanding privacy risks and regulatory dynamics

The dynamics of regulatory enforcement underscore a complex interplay between legislative proposals, investigations, and judicial rulings.

From the initial crafting of regulatory proposals to the imposition of fines and penalties, the trajectory of compliance is influenced by multifaceted processes and stakeholder engagements.

For instance, supervisory authorities exercise enhanced powers under provisions such as Article 58 of the GDPR, signalling a shift towards more rigorous enforcement mechanisms and heightened accountability standards for organisations handling personal data.

If you’re unfamiliar with Article 58 of the GDPR, here’s a quick overview of what it entails:

1. General Powers: Supervisory authorities have various powers to ensure compliance with the GDPR. This includes the power to access personal data, obtain information from data controllers and processors, and conduct investigations.

2. Investigative Powers: Supervisory authorities may carry out investigations, either on their own initiative or in response to complaints or concerns raised by individuals or organisations. These investigations may involve accessing premises, reviewing documentation, and interviewing relevant personnel.

3. Corrective Powers: If a supervisory authority determines that a data controller or processor is not in compliance with the GDPR, it may issue warnings, reprimands, or orders requiring the organisation to rectify the non-compliance within a specified timeframe.

4. Administrative Fines: Supervisory authorities have the power to impose administrative fines for violations of the GDPR. These can be significant and may vary depending on the nature and severity of the infringement. These fines are intended to be effective, proportionate, and dissuasive.

5. Other Remedies: In addition to administrative fines, supervisory authorities may also impose other corrective measures, such as temporary or permanent bans on data processing, suspension of data transfers to third countries, or orders to delete or rectify personal data.

 

Global perspectives on privacy legislation: USA vs Europe

A comparative analysis reveals stark contrasts between European and American approaches to privacy legislation.

While Europe champions fundamental rights and individual privacy through regulations like the GDPR, the United States leans towards a more business-centric model, where data often acts as a catalyst for economic growth and innovation.

Let’s take a look at some of the main differences between American and European approaches to privacy legislation:

 

Legal frameworks

– Europe: The European Union has implemented the General Data Protection Regulation (GDPR), which is a comprehensive regulation governing data protection and privacy for all individuals within the EU and the European Economic Area (EEA).

The GDPR emphasises the protection of personal data and grants individuals significant control over their data. That being said, data controllers remain accountable for the protection of their users’ personal data, so they need to take the proper steps to do so.

– United States: The United States lacks a comprehensive federal privacy law similar to the GDPR. Instead, it has a patchwork of sector-specific laws (e.g., HIPAA for healthcare, COPPA for children’s online privacy) and state-level regulations (e.g., California Consumer Privacy Act, or CCPA). The U.S. approach is generally more fragmented and lacks a unified standard.

 

Focus on individual rights

– Europe: The GDPR places a strong emphasis on individual rights, such as the right to access personal data, the right to erasure (“right to be forgotten”), the right to data portability, and the right to be informed about data processing activities.

Additionally, the right to object to automated decision-making is the stepping stone towards more transparency for data processing operations that do not fall under high risk in the AI Act.

– United States: While there are privacy laws in the U.S., they often focus more on specific industries or aspects of privacy rather than on comprehensive protection of individual rights. The U.S. tends to prioritise business interests and innovation alongside privacy concerns.

 

Opt-in vs. opt-out

– Europe: The GDPR generally follows an “opt-in” approach, requiring users to give consent, and more broadly requiring a lawful basis for collecting, processing and sharing any personal data. One of the bases set out in Article 6 must apply, together with a clearly defined purpose, for processing to be considered lawful.

Companies must also provide clear and transparent information about data processing activities.

– United States: In many cases, the U.S. has adopted a “notice and choice” or “opt-out” approach: individuals are automatically included unless they take action to exclude themselves. This can result in less stringent consent requirements and may lead to more permissive data collection practices.

map of Europe & US indicating where users need to opt-in & opt-out to cookies.

 

Enforcement and penalties

– Europe: The GDPR provides for substantial penalties for non-compliance. These include fines of up to 4% of annual global turnover or €20 million, whichever is higher. European data protection authorities have the authority to investigate violations and impose fines.

– United States: Enforcement mechanisms vary across different laws and jurisdictions. While regulatory agencies such as the Federal Trade Commission (FTC) have the authority to enforce privacy regulations, penalties may not be as severe or as consistently applied as under the GDPR. However, class actions, a commonly accepted business practice, are increasingly being tested, which increases the risk around the processing of personal information.

 

Cultural and historical factors

– Europe: European countries often have stronger cultural norms regarding privacy. This stems from historical experiences with authoritarian regimes and invasions of privacy. This cultural emphasis on privacy has influenced the development of stringent data protection laws in Europe.

– United States: While privacy is valued in the U.S., the cultural context and legal traditions are different. There is a historical emphasis on individual freedoms and entrepreneurship. This sometimes translates into a more business-friendly regulatory environment with less stringent privacy protections.

This regulatory divergence highlights the complexities of harmonising privacy principles across jurisdictions and reconciling disparate interpretations of data governance standards, which presents a significant challenge for multinational organisations operating in global markets.

 

Roles and responsibilities in privacy governance

Effective privacy governance hinges upon the clear delineation of roles and responsibilities within organisations. Data Protection Officers (DPOs) play a pivotal role in overseeing compliance efforts, providing guidance, and ensuring adherence to regulatory standards.

The distinction between the roles of DPOs and legal counsel underscores the importance of prioritising the interests of data subjects and upholding ethical data practices throughout all stages of data processing and management.

 

Navigating legal frameworks and contractual obligations

As organisations navigate the intricate legal landscape of privacy governance, contractual obligations assume paramount significance.

Thorough diligence in evaluating privacy-enhancing tools, conducting privacy impact assessments, and documenting compliance measures underscores the proactive approach needed to mitigate risks and uphold regulatory standards.

Clarity in defining contractual obligations and delineating roles between data controllers and processors fosters transparency and accountability within the data ecosystem, thus facilitating more effective collaboration and risk management practices.

Conclusion

In traversing the massive landscape of privacy governance, organisations are called upon to embrace ethical data stewardship as a foundational principle.

By prioritising transparency, accountability, and collaboration, stakeholders can effectively navigate the complexities of regulatory compliance. This is important for upholding the principles of trust, integrity, and consumer privacy in an era defined by rapid technological innovation and evolving regulatory frameworks.

We provide GDPR & cookie compliance services to help ensure that your analytics are robust whilst respecting users’ privacy and protecting your business from fines.

As organisations embark on this transformative journey, the imperative lies in charting a course towards a more sustainable and equitable future for data governance and privacy compliance, where the rights and dignity of individuals are respected and protected in all facets of data processing and management.

About Aurélie Pols

Aurélie pioneered digital analytics in Europe as one of the first Google Analytics consultancies in Europe. She co-founded OX2 in Belgium in 2003, which was successfully sold to UK-based Digitas LBi (Publicis) in 2008 with an EBIT of 20%.

Aurélie now works as an independent consultant, defining data flows and supporting companies in their risk exercises to determine potential data liabilities.

She has been acting as DPO for major US-based platforms since the ink was dry on the GDPR and serves customers globally to support their global digital data strategies. She recently obtained a certificate in Privacy Engineering from Carnegie Mellon University and is often called back to Brussels.
