Eduardo Ustaran Profile picture
Feb 24 8 tweets 5 min read
Just back from a 🇺🇸 roadshow to spread the word about the emerging #AI regulation in 🇪🇺&🇬🇧, and the learning points from speaking to technology & privacy professionals are significant. Mini-🧵
1️⃣Overall, there is an understanding that this is happening and is happening fast, but for a sizeable majority, it is truly eye opening to hear about the breadth & depth of the forthcoming #AI regulatory regime and fully appreciating the precise impact is going to take time.
2️⃣The parallels with the emergence & spread of the #GDPR (despite the very different obligations) is what really makes people realise how ambitious #AI regulation is and how it will be affecting biz across the Atlantic.
3️⃣An effective way to explain how #AI regulation will affect legal compliance activities that 🇺🇸 #privacy professionals clearly understand is to show how the requirements will equate to the efforts devoted to meeting #GDPR accountability obligations, but several times over.
4️⃣The complex reality of #AI development is that the potential use cases are limitless (from the almost mundane to the truly transformational for the world), so assessing the precise impact of the proposed regulations on each scenario is key to determine efforts & resources.
5️⃣For experienced #privacy professionals, the fact that the proposed #AIAct changes the controller/processor paradigm to place the most substantive obligations on developers who may not know how their #AI will be employed by users is a steep hill to climb.
6️⃣A bit like any attempts to avoid the application of #GDPR by arguing that most data is not personal data, instinctive reactions to argue that most #AI is not “high risk” appear largely futile because ultimately it is going to be almost impossible to limit the purposes of #AI.
7️⃣Finally, for me the key lesson is that we have reached the point where we are starting to shape the building blocks of global #AI compliance programmes, and this work is now going to be ongoing pretty much forever. END

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Eduardo Ustaran

Eduardo Ustaran Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @EUstaran

May 17, 2022
Cookie consent is an issue that keeps on giving.🧵
Since 2011, the level of regulatory scrutiny on this #ePrivacy requirement has resembled the stock market: an ever oscillating line which as time goes by is only going upwards (peaking at record levels in the past two years).
Off the top of my head, key milestones in this recent progression include:
1️⃣@ICOnews 2019 report on RTB which shocked the advertising industry.
2️⃣@EUCourtPress Planet49 decision focusing on valid consent.
3️⃣@CNIL relentless & big ticket enforcement.
4️⃣Belgian DPA’s TCF decision.
Add the effective campaigning & activity of @NOYBeu & @johnnyryan and the result is an environment where targeted advertising needs to be compatible with ‘Reject All’ buttons & a cookie-less Internet. Two reactions I’m seeing:
1️⃣Non-consented targeting.
2️⃣Cookie walls.
Read 6 tweets
Aug 13, 2020
After today, the UK is likely to witness Europe’s greatest collective exercise of the Art. 22 #GDPR right not to be subject to fully automated decision-making that significantly affects individuals. A semi-forgotten right is ready to show what it can do for young people’s future.
As this is generating some interest, let me elaborate a bit on the legal position as I see it. The right not to be subject to a decision based solely on automated processing is not a new creation of the #GDPR. A very similar formulation has existed in English law since 1998.
Traditionally, this right has hardly been exercised, partly due to its complexity and partly due to the fact that its most obvious uses (challenging employment or financial decisions) were explicitly excluded by the exemption applicable to contracts.
Read 12 tweets
Mar 30, 2020
Things we are (re-)learning about data & #privacy thanks to #coronavirus:
1️⃣Personal data is hugely valuable and a key element of solving complex problems.

2️⃣Anonymised information generated by our use of technology is also hugely valuable for strategic decision-making.
3️⃣Data is exponentially (no pun intended) more helpful when used at a global scale.

4️⃣Data protection law (if properly drafted) is sufficiently flexible to achieve its aim AND still be compatible with common sense & fighting #Covid_19
5️⃣Even in a global health crisis, privacy professionals have role to play.

6️⃣Elaborating on point5️⃣ above, many #coronavirus related crucial decisions will be much better made with the involvement of professionals who know how to apply #privacy & data protection rules wisely.
Read 4 tweets
May 10, 2019
Steadily approaching #GDPR anniversary and I see two big & fundamental issues everyone is really struggling with:
1️⃣Lawful grounds for processing
2️⃣DPIAs
One is as old as #EUdataP law itself but the #GDPR has injected new impetus. The other is yet to be learnt properly. Thread⬇️
There are three grounds for processing that get 99% of the attention:
1️⃣Consent seems easy & solid, but it is the most difficult.
2️⃣Contractual necessity is yet to be explored & debated properly.
3️⃣Legitimate interest is seen as the holy grail but remains largely misunderstood.
The standards for valid consent will eventually be settled by #CJEU but it is clear that #GDPR raises the bar well above what has become common practice (think cookie banners & ‘take it or leave it’ approaches). So consent is bound to become the residual option, not the default.
Read 6 tweets
May 1, 2018
When people agonise about being ‘ready’ for #GDPR, think about this: How can anyone be ready when we are all still debating which lawful grounds for processing (consent/contractual necessity/legitimate interests) apply to some of the most common uses of data? 1/4
Aside from obvious cases, determining the lawful ground for processing is a critical aspect of #EUdataP which is extremely difficult to get right, because it rests on the correct legal interpretation of complex concepts like ‘consent’, ‘necessity’ & ‘rights and freedoms’ 2/4
But since under #GDPR you have to reveal which lawful ground you rely on, everyone is taking a view which may or may not be right in the end. We simply don’t know with 100% certainty and it will take years of enforcement and court decisions to know for sure. 3/4
Read 4 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

:(