Key Takeaways from the IAPP Global Privacy Summit 2022
The following article was originally published on the NCBA Privacy & Data Security Section Blog on May 11, 2022, and has been republished here with the consent of the North Carolina Bar Association.
After two-plus years of mostly attending CLEs, webinars, and other knowledge-building events via Zoom, Teams or some other virtual platform, it was great to get together with like-minded privacy professionals in Washington, D.C., April 10-13 for the 2022 IAPP Global Privacy Summit. I’ll be honest, I did not know what to expect from an actual in-person conference and networking event, but the IAPP and its speakers and sponsors did not disappoint.
From headliners like Apple CEO Tim Cook and FTC Chair Lisa Khan to a plethora of informative breakout sessions, GPS was a great way to brush up on a variety of current topics. Throw in getting to spend some quality time catching up with folks I have not seen in several years (or in some cases had only met virtually over the last two), and it was a good time all around. One pro tip on navigating the large crowds at GPS is and always has been to find a few folks you know to pal up with for sessions and networking events.
While there was something for everyone at GPS 2022, the points that have stuck with me in the few short weeks since attending are the following:
The push and pull between states and the federal government on what the U.S. privacy regime will look like is real.
Colorado Attorney General Phil Weiser did not shy away from criticizing the federal government’s approach and history of inactivity with respect to moving comprehensive privacy legislation. He was clear that he thought privacy leadership and enforcement in the U.S. would come from the states and, in particular, the state’s Attorneys General. He touted the collaborative approach that state leaders in Colorado took in working across the aisle in a bipartisan fashion (unlike Congress) to introduce and pass the Colorado Privacy Act. This critical view of the federal government’s approach was contrasted by a panel of Congressional staffers who suggested that significant bipartisan progress was being made on a comprehensive federal privacy law that could be passed as early as the end of 2022.
The group addressed the constant sticking points of whether a federal law should preempt the newly enacted state laws and whether there should a private right of action. In a sign that things might not be as close as the early enthusiasm indicated, no one had a clear answer on those issues, but there was consensus that a middle ground was closer than it has been in the past. Also on the federal front, FTC Chair Lisa Khan, in her first major address on privacy issues since being appointed last year, noted that the FTC’s work would be aided by a federal privacy law and seemed optimistic that it was a real possibility.
Big tech has differing views on privacy and Internet regulation.
Both Apple CEO Tim Cook and Microsoft President Brad Smith took to the main stage for keynote addresses in front of packed rooms. Both men acknowledged the fundamental importance of privacy and acknowledged the inevitably of federal privacy regulation, but differed greatly when it came to their outlooks on recent efforts. Cook did stress that Apple believes the U.S. needs a strong comprehensive privacy law similar to the GDPR, but then turned to his “deep concerns” with the direction of legislation aimed at regulating how the company manages app downloads and other activities seen as anti-competitive. He used the forum presented by GPS 2022 to stress that such regulations would, in his view, undermine the privacy and security measures that are part of Apple’s core.
In short, Cook’s view seemed to be that Apple knows best when it comes to privacy. Smith, by contrast, discussed Microsoft’s success in working with lawmakers to influence the direction of privacy and Internet protection legislation in the U.S. He even floated the idea of a completely new regulator focused on Internet and digital affairs. In his view, such a body would be better equipped to work with industry to craft rules that provided adequate protection without crippling innovation. It certainly seemed as if Microsoft’s view is that regulation is a coming reality, so it’s better to work from within than to rail against the inevitable.
Everybody seems to agree that figuring out data transfers from the European Union to the U.S. is a top priority.
In a panel on the topic of transatlantic data transfers, staffers from both the European Commission and the U.S. Department of Commerce who have been directly involved in drafting the recently released transatlantic Data Transfers Framework spoke about the progress made and the distance left to go. These sentiments were echoed by European Commissioner of Justice Didier Reynders in a keynote address in which he referred to the negotiations as being “intense” at times. All sides were clear that the ball is currently in the U.S. government’s court with a goal of the end of 2023 for a final deal. U.S. Department of Commerce Deputy Assistant Secretary for Services Christopher Hoff cautioned that the process of converting the framework into actual U.S. law would be arduous. One positive take away from the staff panel was the observation that it was going to be more difficult to apply the framework to U.S. government operations than it would be for most private businesses who had previously self-certified to Privacy Shield.
If you’d like to learn more about GPS 2022, including, in some instances, access to full presentations, visit the IAPP’s conference website here: https://iapp.org/conference/global-privacy-summit/. I hope to see some of you there next year!