Q2 Privacy Update: AI Takes Center Stage, plus Six New US State Laws
The past three months witnessed several notable changes impacting privacy obligations for businesses. Coming into the second quarter of 2023, the privacy space was poised for action. In the US, state lawmakers worked to push through comprehensive privacy legislation on an unprecedented scale, we saw a major focus on children’s data and health data as areas of concern, and AI regulation took center stage as we examined the intersection of data privacy and AI growth. Internationally, the EU continued to set the standard for AI regulation through its AI Act, trans-Atlantic data flows advanced, and countries around the globe evolved their privacy regimes.
United States
At the start of the year, the US had six state privacy laws that took lawmakers years to achieve. By the end of the second quarter, that list grew to twelve. In various stages of completion, and with effective dates spanning years, the significant growth of state-led efforts sends a clear signal of what happens in the absence of federal action. States will fill the voids.
Helping to deepen the patchwork of privacy laws erupting across the US, the new laws continue to prove that the devil is in the details. Though similar to what has come before, these laws showcased a range of approaches and varying degrees of consumer protection concerning the definition of sale, how universal opt-outs are handled, and caveats to data subject rights. State laws are increasingly viewed as a continuum of protection, ranging from business-friendly to consumer-friendly, with a lot of room in between.
See more on these comprehensive state privacy laws here, but to recap: Iowa kicked off the wave on March 29. Next came Indiana, Tennessee, Montana, Texas, Oregon, and on the last day of the quarter, Delaware joined the list. In these laws, we see some new twists, like an affirmative defense in Tennessee, redefined scope in Texas, and additional protections for children in Montana. Acknowledging as well that Florida passed a privacy law with a scope so narrowly focused, it’s hard to consider it a comprehensive privacy law.
States also pushed forward niche privacy laws aimed at protecting health and children’s data and began to discuss approaches to regulating artificial intelligence. Five states passed legislation to add greater protections for children’s privacy, particularly as it relates to social media platforms. Legal challenges from tech trade groups highlight the ongoing debate and potential conflicts between privacy laws and First Amendment rights, as evidenced by a federal lawsuit filed by NetChoice, a tech trade group whose members include social media platforms Meta, Twitter, and TikTok, challenging the new state law in Arkansas which requires age verification and parental consent for users under eighteen.
Despite momentous action at the state level, talks of federal privacy all but evaporated this quarter, with attention migrating toward addressing challenges associated with Artificial Intelligence. The intersection of privacy and AI emerged as a key area of focus, with organizations striving to strike a balance between leveraging AI technologies for innovation while safeguarding privacy. Ultimately, this raises questions about where lawmakers’ attention will settle and whether a future solution will address the existing regulatory vacuum for privacy and AI.
International
The EU continues to lead in the race to legislate around AI as the European Parliament voted in favor of the AI Act, sending it towards the trialogue phase of the EU’s legislative procedure, which involves negotiations between the European Commission, the European Parliament, and the European Council to reconcile and agree upon final text before it is submitted for approval and formal adoption.
The UK continues to move forward with its privacy revamp. After the Data Protection and Digital Information (No 2) bill was introduced to Parliament, the UK Information Commissioner’s Office released a favorable opinion with Commissioner John Edwards stating, “The DPDI bill has moved to a position where I can fully support it.” The UK made efforts to promote cross-border data flows as well, first by applying to be an associate in the Global Cross-Border Privacy Rules Forum (the first to apply since the Forum’s inception in 2022), and then announcing that a data bridge with the US is well underway. The two partners announced in a joint statement an agreement in principle to establish the “UK Extension to the Data Privacy Framework” following nearly two years of discussions.
Enforcement in Q2 was headlined by Ireland’s Data Protection Commission (DPC), fining Meta a record-breaking €1.2 billion, as well as an order to suspend future transfers of personal data to the US within five months of the DPCs decision. While the decision took nearly three years to come to fruition, the action highlighted the need for a trans-Atlantic transfer mechanism. Meta responded by saying the violation is less about its practices and more about the “fundamental conflict of law between the US government’s rules on access to data and European privacy rights, which policymakers are expected to resolve this summer.”
Looking to Q3
Overall, the second quarter of 2023 witnessed a flurry of privacy-related activities, highlighting the growing importance of privacy protections in the wake of major technological advances. As privacy laws evolve and AI regulation gains prominence, striking the right balance between innovation, privacy, and ethical considerations remains a critical challenge for individuals, organizations, and policymakers. Here’s a list of what we’re watching as we move to the end of Q3:
- Now that the trans-Atlantic data flow is approved, we are watching for the next legal challenge to emerge from Max Schrems’ group, noyb.
- As AI captures more attention from regulators worldwide, how will US federal and state governments react? Will the US tackle privacy and AI in one regulation?
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.