Just back from a 🇺🇸 roadshow to spread the word about the emerging #AI regulation in 🇪🇺&🇬🇧, and the learning points from speaking to technology & privacy professionals are significant. Mini-🧵 1️⃣Overall, there is an understanding that this is happening and is happening fast, but for a sizeable majority, it is truly eye opening to hear about the breadth & depth of the forthcoming #AI regulatory regime and fully appreciating the precise impact is going to take time.

Cookie consent is an issue that keeps on giving.🧵
Since 2011, the level of regulatory scrutiny on this #ePrivacy requirement has resembled the stock market: an ever oscillating line which as time goes by is only going upwards (peaking at record levels in the past two years). Off the top of my head, key milestones in this recent progression include:
1️⃣@ICOnews 2019 report on RTB which shocked the advertising industry.
2️⃣@EUCourtPress Planet49 decision focusing on valid consent.
3️⃣@CNIL relentless & big ticket enforcement.
4️⃣Belgian DPA’s TCF decision.

After today, the UK is likely to witness Europe’s greatest collective exercise of the Art. 22 #GDPR right not to be subject to fully automated decision-making that significantly affects individuals. A semi-forgotten right is ready to show what it can do for young people’s future. As this is generating some interest, let me elaborate a bit on the legal position as I see it. The right not to be subject to a decision based solely on automated processing is not a new creation of the #GDPR. A very similar formulation has existed in English law since 1998.

Things we are (re-)learning about data & #privacy thanks to #coronavirus:
1️⃣Personal data is hugely valuable and a key element of solving complex problems.

2️⃣Anonymised information generated by our use of technology is also hugely valuable for strategic decision-making. 3️⃣Data is exponentially (no pun intended) more helpful when used at a global scale.

4️⃣Data protection law (if properly drafted) is sufficiently flexible to achieve its aim AND still be compatible with common sense & fighting #Covid_19

Steadily approaching #GDPR anniversary and I see two big & fundamental issues everyone is really struggling with:
1️⃣Lawful grounds for processing
2️⃣DPIAs
One is as old as #EUdataP law itself but the #GDPR has injected new impetus. The other is yet to be learnt properly. Thread⬇️ There are three grounds for processing that get 99% of the attention:
1️⃣Consent seems easy & solid, but it is the most difficult.
2️⃣Contractual necessity is yet to be explored & debated properly.
3️⃣Legitimate interest is seen as the holy grail but remains largely misunderstood.

When people agonise about being ‘ready’ for #GDPR, think about this: How can anyone be ready when we are all still debating which lawful grounds for processing (consent/contractual necessity/legitimate interests) apply to some of the most common uses of data? 1/4 Aside from obvious cases, determining the lawful ground for processing is a critical aspect of #EUdataP which is extremely difficult to get right, because it rests on the correct legal interpretation of complex concepts like ‘consent’, ‘necessity’ & ‘rights and freedoms’ 2/4