
GDPR: What's next?

1. GDPR: What's next?

Welcome! GDPR is one of the most prominent regulations related to data and new technologies that applies to the EU single market. But there are more in the making!

2. The digital single market

While GDPR covers data protection and new technologies like AI to some extent, it doesn't cover the entire spectrum of the digital landscape we operate in. The European Commission has taken many steps to strengthen its digital sovereignty, set standards with a clear focus on data, technology, and infrastructure, and create a single digital market with its 27 member states. Some initiatives include the reform of the ePrivacy regulation for electronic communications. The Digital Services Act, or DSA, is aimed at ensuring individuals' online safety and increasing online platform accountability. The Digital Markets Act, or DMA, attempts to push online platforms to be fair to users who depend on their services (like small business owners who sell through large online retail platforms). And the most pertinent example to our course is the AI Act, a GDPR-like regulation focused on AI technologies and systems.

3. The AI Act

We have seen that AI systems pose several risks to individuals' rights and safety and to societal values. While GDPR addresses some elements of AI technologies, it doesn't cover all of them. So the European Commission introduced the AI Act, which can be seen as an extension of GDPR for AI systems. The AI Act is expected to be consolidated in the European Parliament by 2023. It will regulate AI systems based on the risks they pose. It defines AI systems more precisely and links them to risks, so that companies can make informed risk-benefit choices on the type of AI that they wish to use. For instance, from the earlier example: whether or not to use a machine learning black box model for a mortgage decision system. There are many similarities with the GDPR, such as the scope, the risk-based approach, the accountability principle, accountability obligations, and administrative fines.

4. The global GDPR influence

While GDPR is a European law, it has influenced data protection regulations worldwide. Thanks to its adequacy decision requirements, many countries have amended their data protection laws to be in line with GDPR to have access to the EU single market. Many data privacy regulations after GDPR are primarily inspired by and often very similar to GDPR. Examples include the California Consumer Privacy Act, CCPA, Virginia Consumer Data Protection Act, VCDPA, and Brazil's version of GDPR, known as LGPD. Now that we have seen GDPR both as a standalone instrument and in conjunction with evolving regulations and its global influence, we need to remember the main objective of such regulations.

5. Future ready

It is to balance the risks of new technologies in a changing society to protect individual rights. Many of these regulations follow a risk-based approach, weighing the risks and benefits to establish rules for enabling responsible innovation. That is, to enable economic growth while protecting the rule of law, democratic values, and societal moral obligations. There is no perfect law, since technology is dynamic and constantly evolving. To keep up with new trends and govern them for responsible innovation, companies and organizations should take a proactive systems approach, using by-design thinking and always staying up to date with state-of-the-art measures.

6. Let's practice!

Awesome! We are nearly there. Let's practice your new knowledge.