The Privacy Advisor Podcast

AI governance is a rapidly evolving field that faces a wide array of risks, challenges and opportunities. For organizations looking to leverage AI systems such as large language models and generative AI, assessing risk prior to deployment is a must. One technique that's been borrowed from the security space is red teaming. The practice is growing, and regulators are taking notice. Brenda Leong, a partner of Luminos Law, helps global businesses manage their AI and data risks. I recently caught up with her to discuss what organizations should be thinking about when diving into red teaming to assess risk prior to deployment.

As the U.S. enters the final stretch of the 2024 election cycle, we face a tight race at the presidential and congressional levels. With a razor-thin margin separating Vice President Kamala Harris and former president Donald Trump, we decided to take a look at the possible policy positions of each campaign with regard to privacy and artificial intelligence governance. Of course, reading tea leaves is no easy feat, but while attending IAPP Privacy. Security. Risk. 2024 in Los Angeles, California, IAPP Editorial Director Jedidiah Bracy sat down with Managing Director, D.C., Cobun Zweifel-Keegan, CIPP/US, CIPM, to gain his insight on each camp's policy positions, from the administrative state to international data transfers and beyond. Here's what he had to say.

The year 2024 proved to be another robust one for emerging U.S. state privacy law. Seven states joined the ranks, bringing the total up to 19. Unlike previous years, however, 2024 underwent a paradigm shift away from the standard framework influenced by the draft Washington State Privacy Act. For the Future of Privacy Forum's Keir Lamont, CIPP/US, and Husch Blackwell's David Stauss, CIPP/E, CIPP/US, CIPT, FIP, PLS, 2024 marked the end of what Lamont calls the "Pax Washingtonia" era for state privacy law. While attending the IAPP Privacy. Security. Risk. conference in Los Angeles, California, IAPP Editorial Director Jedidiah Bracy caught up with Lamont and Stauss to discuss this busy year in state privacy law, as well as what to expect with rulemaking and enforcement at the state level.

Reva Schwartz, a research scientist and principal investigator at NIST, leads the groundbreaking ARIA program aimed at assessing AI's risks and impacts. She discusses the initiative's goal to develop real-world testing methods for AI systems, ensuring their trustworthiness. The conversation dives into the importance of collaboration in model testing and participant recruitment, and how evaluating AI through realistic scenarios will help mitigate biases. Schwartz highlights the establishment of the AI Resource Center as a vital hub for risk management and fostering a trustworthy AI community.

Darren Abernethy discusses the rise in privacy litigation trends, focusing on tracking technologies like session replays, chatbots, and pixels. He explains the implications of wiretapping statutes, California's interpretation of SIPA, and the Video Privacy Protection Act. The podcast explores recent lawsuits, emphasizing the importance of data minimization and compliance with evolving privacy laws.

Lead technical negotiator, Laura Caroli, discusses the EU AI Act negotiations, highlighting unique approach, challenges, criticisms, AI-specific rights, and future implications. She compares the AI Act to the GDPR, addresses enforcement structures, and stresses the importance of flexibility and stakeholder dialogue in creating a future-proof framework for AI regulation.

In tandem with privacy, cybersecurity law is rapidly evolving to meet the needs of an increasingly digitized and complex economy. To help practitioners keep up with this ever-changing space, the IAPP published the first edition of Cybersecurity Law Fundamentals in 2021. But there have been a lot of developments since then. Cybersecurity Law Fundamentals author Jim Dempsey, lecturer at UC Berkeley Law School and senior policy advisor at Stanford Cyber Policy Center, brought on a co-author, John Carlin, partner at Paul Weiss and former Assistant Attorney General, to help with the new edition. IAPP Editorial Director Jedidiah Bracy recently spoke with both Dempsey and Carlin about the latest trends in cybersecurity, including best practices in dealing with ransomware, the significance of the new SEC disclosure rule, cybersecurity provisions in state privacy laws, trends in FTC enforcement, the recent Biden Executive Order on preventing access to bulk sensitive personal data to countries of concern, and much more. We even hear about the time Carlin briefed the U.S. president on the Sony Pictures hack.

For those following the regulation of artificial intelligence, there is no doubt passage of the AI Act in the EU is likely top of mind. But proposed policies, laws and regulatory developments are taking shape in many corners of the world, including in Australia, Brazil, Canada, China, India, Singapore and the U.S. Not to be left behind, the U.K. held a highly touted AI Safety Summit late last year, producing the Bletchley Declaration, and the government has been quite active in what the IAPP Research and Insights team describes as a "context-based, proportionate approach to regulation." In the upper chamber of the U.K. Parliament, Lord Holmes, a member of the influential House of Lords Select Committee on Science and Technology, introduced a private members' bill late in 2023 that proposes the regulation of AI. The bill also just received a second reading in the House of Lords 22 March. Lord Holmes spoke of AI's power at a recent IAPP conference in London. While there, I had the opportunity to catch up with him to learn more about his Artificial Intelligence (Regulation) Bill and what he sees as the right approach to guiding the powers of this burgeoning technology.

Joe Jones, Privacy and data protection expert, joins the show to discuss the major developments in data protection and privacy in 2023. They explore enforcement actions on Big Tech, the finalization of EU regulations, the role of privacy professionals in AI governance, and the implementation of privacy laws in various countries.

Guest Luca Bertuzzi, Expert in European Union AI Act and its political deal, discusses the EU AI Act negotiations and what comes next. Topics include the difference between general purpose AI systems and foundational models, negotiations on national security provisions, prohibited practices and exemptions, high risk applications and fundamental rights assessment, penalties and fines, next steps, and potential roadblocks.