Around the World: GDPR turns 5 years old and what to expect from AI regulation

On today’s episode, host Bill Fisher is joined by analysts Paul Briggs, Evelyn Mitchell, and Carina Perkins to discuss the global state of data protection five years on from the introduction of the General Data Protection Regulation (GDPR), and what lies ahead as regulators get to grips with the rapidly evolving AI space.


Episode Transcript:

Bill Fisher:

Hello, everyone. Welcome to Behind the Numbers Around the World, an eMarketer podcast Made Possible by InMobi. It's Monday, May the 22nd, and I'm your host for today, Bill Fisher. It's my absolute pleasure to welcome you all to Around the World with GDPR turning five years old and what to expect from AI regulation.

Welcome folks to a Behind the Numbers show that takes you around the world looking at what various countries are doing in the worlds of commerce, media, and advertising. Each month I give you a global news recap. Then I speak with a few of our regional experts to get their take on the main theme for today's show. We're celebrating today five years of GDPR or the General Data Protection Regulation.

This is the EU's legal framework for keeping everyone's personal data safe by requiring companies to have robust processes in place for handling and storing personal information. Today, we will be asking what has changed five years on from the implementation of this framework.

Paul Briggs:

Soon after GDPR became a topic on organizations' minds five years ago, privacy reform in Canada has been shot to the top of the legislative agenda.

Bill Fisher:

What issues have regulators faced in enforcing the GDPR?

Evelyn Mitchell:

The pace of innovation is such that the slowness in legislation is really, I think, going to be a big problem down the road.

Bill Fisher:

And what lies in store for data regulation as generative AI comes to the fore?

Carina Perkins:

I think we are going to see the sort of initial regulation of generative AI is going to be under data protection until we're waiting for that specific legislation to be introduced.

Bill Fisher:

Right. I'm going to kick things off today with our three and three segment. I have three minutes to cover three interesting and related news stories we've seen in Around the World Towers this month. The timer is set. Let's go. For our first story, we're in Europe, Ireland in fact, for the big one, GDPR's fifth anniversary and issues around enforcement. The Irish Council for Civil Liberties, the ICCL, recently released its report titled 5 years: GDPR's crisis point, outlining the European Economic Area's inability to properly regulate Big Tech.

Its words. "In Ireland, in particular, where some of the world's largest companies have their European headquarters, Google, Meta, Microsoft, and so on, regulatory enforcement has been especially difficult. In terms of cross-border infringements, for example, the ICCL found that 75% of the Irish Data Protection Commission's EU level decisions were overruled." Here's European Data Protection supervisor Wojciech Wiewiórowski outlining the problem.

Wojciech Wiewiórowski:

There is actually no system of harmonization of the judicial review over that. One of the things that we will have to look at from the perspective of this first year is how the judicial approach to the GDPR may differ from country to country. Of course, somebody can...

Bill Fisher:

To butcher a cultural turn of phrase that's popular at this time of year, may the enforcement be with you. Our second story is about OpenAI and regulatory scrutiny in Germany. Speaking to AFP late last month, Marit Hansen, commissioner for the northern state of Schleswig-Holstein, indicated that regional data protection authorities had reached out to OpenAI and demanded responses as to ChatGPT's data protection risks.

They want to ascertain whether the AI platform is compliant with GDPR, specifically in informing its users that they have rights to access, correct, or even delete their data. The collection of information by these generative AI platforms certainly has many ramifications. As Jon Henshaw, senior director of search engine optimization at Vimeo, outlined when speaking with The Economist.

Jon Henshaw:

The fact that it's taking everybody else's information to me is an extreme form of copyright infringement. I see that as being ripe for lawsuits.

Bill Fisher:

This is hot on the heels, of course, of Italy blocking ChatGPT in late March. It appears that AI may not be okay when it comes to GDPR. And for our final story, we're going one step further and asking if corporate use of ChatGPT may expose businesses to GDPR breaches. On the first of the month, Samsung brought into force an employee ban on platforms such as ChatGPT after workers accidentally leaked sensitive information to the platform. Cybernews has more.

Cybernews:

Samsung's secrets are impossible to retrieve now. They became a part of ChatGPT, or at least that's what OpenAI, the company behind the chatbot, said. Various institutions were quick to raise alarm because this behavior might be incompatible with some national and international laws, such as the General Data Protection Regulation used by the European Union.

Bill Fisher:

It's important that businesses implement well-structured compliance measures if they're going to start relying on this tech. A recent investigation by Cyberhaven revealed that sensitive data makes up 11% of what employees copy and paste into ChatGPT. Copy/paste in haste and you could end up red-faced. That's my three and three this month. Now, before I introduce the next three, that's my three guests on the show today, I'm going to give you this month's culture shock. This is where I take you to various countries around the world and give you some cultural facts or introduce you to some culturally specific norms.

Today, given we're going to spend some time talking about generative AI and the large language models that underlie them, I thought we could concentrate on language today. According to data from Ethnologue, English is the most spoken language in the world. There are nearly 1.5 billion speakers, and Mandarin Chinese comes in second with just over a billion. But which country do you think is the most multilingual, that is, has the most languages spoken within its borders? You might be surprised to hear that that honor goes to Papua New Guinea, where they speak, wait for it, 840 different languages if you can believe that.

This is essentially due to the terrain in the country. It's got lots of valleys and mountains, and it meant that over the course of its history, multitudes of separate groups grew up in relative isolation and thus developed their own unique dialects and tongues that are unintelligible to each other and thus qualify them as separate languages. The official language of Papua New Guinea is a language called Tok Pisin. And though ChatGPT claims to be fluent in the language, I'm not sure I trust it completely. I asked it to translate a few phrases for me and there were some significant discrepancies with other translation apps.

Anyway, we're conducting today's episode in English, you'll be pleased to hear. My first English speaker on the show is our principal analyst for Canada, Paul Briggs. Hey, Paul.

Paul Briggs:

Hey, Bill. It's great to be here talking privacy.

Bill Fisher:

Great to have you. Next, we have our senior analyst covering digital advertising and media, and I'm very excited that this is her first appearance on Around the World. It's Evelyn Mitchell. Great to have you, Evelyn.

Evelyn Mitchell:

Great to be here. Really excited to chat with you all.

Bill Fisher:

And finally, we have our senior retail analyst covering the UK and she's very English, it's Carina Perkins. Hello, Carina.

Carina Perkins:

Hi, Bill. Thanks for having me back on.

Bill Fisher:

Anyone fluent in Tok Pisin?

Evelyn Mitchell:

Can't say I am. No.

Bill Fisher:

Any languages? Do we have any multilinguals amongst us?

Carina Perkins:

I've got some basic French.

Evelyn Mitchell:

Yeah, me too.

Paul Briggs:

Being from Canada, I wish I could say I was fully bilingual. I speak a little French, but not much. It's something that I can't boast.

Bill Fisher:

I struggle with English sometimes, but I'm definitely not multilingual. Right. We're going to start with a big birthday. GDPR turns five before the end of the week. Evelyn, today you're our data privacy expert. How would you describe the impact it's had on data regulation, not just in Europe, but around the world?

Evelyn Mitchell:

Well, how much time do we have, Bill? Just kidding. GDPR really kicked off a new era of privacy austerity globally. It has disrupted the fundamentals of digital advertising pretty fully. The GDPR inspired the California Consumer Privacy Act or CCPA, which took effect in 2020 as the first US privacy law. California is a huge market too for many advertisers, so that was a really big deal when it happened. Now we have a cascade of other states jumping on the bandwagon.

GDPR's key principles, including its definition of personal data, the idea of purpose limitation, implementation of security measures, all those can also be found in legislation from Canada, Brazil, India. There are, of course, nuances from country to country, but GDPR really started it all. Its impact can't really be overstated.

Bill Fisher:

You mentioned state to state and you talked about Canada as well. Paul, tell us about what's gone on in Canada since GDPR came into being?

Paul Briggs:

Sure, yeah. Soon after GDPR became a topic on organizations' minds five years ago, privacy reform in Canada has been shot to the top of the legislative agenda. Sad to say that that privacy reform has not been enacted as of this year, 2023. We have seen in Quebec, the province of Quebec, has enacted something called Bill 64, which is privacy regulation and consumer privacy protection for residents in the province and also for organizations that operate in that province.

In that isolated region of Canada, there is GDPR-like privacy reform. The rest of the country, it's up in the air to see when the federal regulation will come into effect. Best guess, earliest, probably sometime in 2024, but it could last into 2025. It's a catching up exercise for regulators in Canada, but the GDPR model is certainly one that regulators in Canada are trying to emulate.

Bill Fisher:

But it's taking time, right?

Paul Briggs:

It does, yeah. The slow gears of government machinery are at work for sure.

Evelyn Mitchell:

I think most countries around the world are catching up to the EU in this respect and many other respects when it comes to regulating the digital advertising industry as well.

Carina Perkins:

I think what's really interesting in the UK is we have a bit of a different scenario where we were part of the EU when the GDPR was first implemented. When Brexit happened, the government merged its existing Data Protection Act with the EU GDPR and created the UK GDPR, which is essentially fairly identical to the EU GDPR. There's a few small differences. And that meant that the UK was able to gain adequacy status with the EU, which means personal data can still flow freely between the EU and the UK.

But now the UK government is proposing a new data protection and digital information bill which would update the UK GDPR, and critics of it say that it's actually watering down some of the data protection that has been offered to consumers under the UK GDPR. The government says that it's taking a more risk-based approach and that it's going to fix some of the issues that companies have had implementing the regulations. But it's quite interesting that whereas the rest of the world is trying to catch up with the EU, the UK is now diverging away from those rules.

Bill Fisher:

How long will it take to go through all the relevant legislative courts? Again, it's time, right?

Carina Perkins:

It's time. It was first proposed in July 2022, but then it was shelved because of the change of leadership in the Conservative Party. I think it had its second reading in the House of Commons recently.

Evelyn Mitchell:

That sounds a lot like what's happening with the American Data Privacy and Protection Act here in the US. We also, like Canada, still lack a federal privacy legislation here, although there's a growing chorus of voices requesting that rather than have a patchwork of state level privacy laws that businesses have to either develop a really intense, really fractured strategy to adhere to the nuances in different states and there's also the complication of identifying where someone resides and where they actually are, it's a really messy system, moving beyond that to have just one federal level law that businesses need to adhere to.

That's generally where things are headed, but the ADPPA, or ADPPA as some folks call it, it showed a lot of promise. There was momentum behind it last year, and then we had to change Congresses, so it got punted back to the beginning of the legislative process, which it's slow, very slow, despite how much people want it.

Paul Briggs:

I totally agree with Evelyn there in terms of the organizations operating in a country want a federal law that is all encompassing. What I've seen though in Canada is that a lot of the companies that operate across Canada also operate in Quebec, so they are subject to the law in Quebec that's already enacted. By becoming compliant with that local law or that regional law, that puts them in a better position when a federal law comes into place.

That's sort of like companies that were becoming GDPR compliant even though they didn't necessarily do a lot of business in the EU. Getting up to that standard, the privacy regime, the enforcements, the principles are similar across jurisdictions to a large degree. Complying with what's available in Quebec for Canadian companies is going to put them in good stead for a federal law that's coming down the pipe.

Carina Perkins:

I think a lot of companies in the UK, even if the UK law was watered down, they would still comply with EU GDPR, because if they're operating across that border, they really have to comply with the strictest rules. But I think there is fear that by watering down the legislation, the government insists it's not watering down, I hasten to add, but that's been a critique that's been aimed at it. But the adequacy status is under threat and it's only valid for four years. There's no automatic renewal. It will be renewed in 2025, I think, and that could put at risk that data flow between the UK and the EU.

Evelyn Mitchell:

Ooh, data flows. There's another privacy topic.

Bill Fisher:

Let's talk about data flows because it's difficult enough. As I mentioned in the first story there, in Ireland, it was making rulings that were then overruled from within the EU. These problems get magnified, I guess, when data has to flow further across the Atlantic. What are some of the challenges involved in that?

Evelyn Mitchell:

I think most of the rhetoric in this conversation converges on national security. GDPR was the legal basis for the Schrems II decision that invalidated the data transfer mechanisms under the Privacy Shield Framework between the EU and the US. Basically just when the data of European citizens is stored in the US, it can be accessed, or at least under Privacy Shield, it could be accessed by the US government for surveillance purposes, which is in violation of the GDPR. But transatlantic data flows are critical for many businesses. Meta is a big one that comes to mind.

In October of last year, President Biden signed an executive order to start implementing US commitments under the new EU-US Data Privacy Framework. It's not the most inspired title, kind of boring, but we might have a Schrems III on our hands is my read of what's coming next. We can see similar conversations around privacy consumer data and national security in debates around banning TikTok in pockets of the world.

Carina Perkins:

Definitely. We've seen that in the UK where the Information Commissioner's Office has just fined TikTok for processing data of children under 13 who are using the platform without the consent of their parents. I think we're already seeing examples of regulators going after social media platforms based on privacy concerns.

Paul Briggs:

Same in Canada. TikTok is under investigation right now by the Office of the Privacy Commissioner for alleged privacy violations. It's part of a story with China-Canada relations that is quite fraught at the moment and TikTok's response is that it's part of that diplomatic drama, but the fact that these privacy allegations or violation allegations across jurisdictions, I think, is something that can't be ignored.

Bill Fisher:

Lots of challenges already. I want to move the conversation along now to look at challenges yet to come. Generative AI generally is likely to throw up more and more issues again. A couple of the stories in the three and three segment there talked about AI and some of the ways it's falling foul of GDPR. What do we think will happen to GDPR and other regulations around the world to try to cope with this very fast moving space?

Paul Briggs:

I can start, Bill, in terms of what the Canadian story is. AI regulation falls within this privacy reform. There's three real steps in this privacy reform that's happening in Canada called the Digital Charter Implementation Act. That's the full name of it. One is a consumer privacy bill. That's the first step. Number two is putting an enforcement regime in place to hold companies to account for violations. And the third critical aspect is AI regulation. I think that is pretty vague right now in terms of how they're describing it.

I think regulators are trying to get their heads around how to regulate AI, what are the risks for harm, what are the potential concerns for consumer privacy. That is still to be determined. I think when this bill was introduced about a year ago, a lot of what's happened with ChatGPT and generative AI had not really hit the mainstream. That in the last six months is just definitely changing the scope of the regulatory requirement for that Canadian privacy reform.

Evelyn Mitchell:

Over here in the US, Morning Consult surveyed adults in February and found that nearly three quarters of US adults are concerned about personal data privacy when it comes to AI. Legislators are definitely on the case. But as we've mentioned several times so far, it's slow. What I think is interesting about AI is that the pace of innovation is such that the slowness in legislation is really, I think, going to be a big problem down the road because AI is moving very quickly.

Democracy with bicameral legislatures and everything, they're not known for speed and proactiveness. In the case of AI, even if everyone were to be proactive, once that law gets enshrined, it will likely have to be updated much sooner than the typical law would need to be to keep up with how things evolve. It's early days now, and it seems like it will always be early days just because of how fast AI is evolving.

Carina Perkins:

I think what's interesting we've seen is that the UK is also considering new proposals for regulating artificial intelligence. Like we said, those regulations are going to take quite a long time to put into place and might be out of date as soon as they are put into place. But what's really interesting is that we're seeing data regulators take an interest in AI and looking at how regulation under regulations that already exist, if that makes sense. Italy, for instance, has insisted that OpenAI introduce data protection measures before it can operate there.

The European Data Protection Board has announced a task force to address potential regulation of artificial intelligence chatbots. The UK is taking a bit more of a relaxed approach, but the ICO has just published guidance reminding developers and users of LLMs and generative AI of their duties under data protection laws. I think we are going to see the initial regulation of generative AI is going to be under data protection until we're waiting for that specific legislation to be introduced.

Bill Fisher:

Interesting stuff.

Evelyn Mitchell:

In the US, the FTC has also been releasing blog posts and being very explicit that AI is... That they've got a watchful eye on businesses that are involved with AI. Interesting stuff.

Bill Fisher:

It is indeed.

Paul Briggs:

It's funny, I can't help but think that it's a race. On one starting line, you've got AI, which is essentially a robot. And on the other starting line, you've got government regulatory process. It's sort of like a turtle and the hare. The challenge is for that process of regulation to speed up. I know that is a heavy ask, but I just can't help but think that the race is a little bit uneven at the moment.

Bill Fisher:

Interesting stuff. Right. Fantastic conversation, but now it's time for our recap stats quiz. This is where we recap today's theme with a few related stats questions for my guests. There's no prize. It's all about bragging rights. There are only three questions, so it's nice and quick and it's multiple choice. Our first question, cumulative GDPR fines reached nearly 3 billion euros as of this month, but which month of which year saw the greatest number of individual fines levied? This is according to the cms.law GDPR enforcement tracker.

December 2020, December 2021, or December 2022. Which of those months do you think had the greatest number of individual GDPR fines levied? I'm going to start alphabetical by surname. Briggs, you're up first. December 2020, December 2021 or December 2022.

Paul Briggs:

Yeah, I'm trying to figure out if there was any fathered or grandfathered in dates or stage dates that might impact this. I'm going to go with '21 of December. December '21.

Bill Fisher:

Okay. Mitchell, you're next.

Evelyn Mitchell:

Yeah, I think I'm also going to say December 2021.

Bill Fisher:

Perkins?

Carina Perkins:

I'm going to go a bit different. I'm going to say December 2022 just to count for those backlogs.

Bill Fisher:

December was a very busy month though. Each of those months were in the top three. December 2020 and 2021 each had 57 fines handed out, but December 2022 saw 67. Carina, a point for you. Well done. Right. Next up, I mentioned in one of the news stories that Ireland was the European home to many large global businesses, and Luxembourg too is home to Amazon's European operations.

Those two countries have handed out the largest fines in terms of monthly value. Ireland first, then Luxembourg. But which country do you think has handed out the most GDPR fines in just numerical terms? We have Spain, Italy, or Germany. We'll start with Evelyn this time.

Evelyn Mitchell:

Germany.

Bill Fisher:

Okay. Carina?

Carina Perkins:

I'm going to go with Italy.

Bill Fisher:

And Paul?

Paul Briggs:

Well, just to change things up, I'll go with Spain.

Bill Fisher:

Okay. These were the top three. I'd have thought Germany, because it's very privacy centric, right? But that comes in third. 148 fines handed out. Then Italy, 265. Spain handed out 646 fines, if you can believe it. But interestingly, those fines totaled only 600 million euros, so that equates to around 90,000 euros per fine. If you compare that with Ireland, the average there was 55 million euros per fine. Lots of small fines in Spain, but well done to Paul. You get that point. For the final question, we've alluded to this a little bit.

I took a delve into the history of the GDPR. And though it came into effect on May 25th, 2018, it had been in the works for much longer than that. According to the European Data Protection Supervisor, when did the European Parliament vote to adopt GDPR? Was it March 2014, June 2015, or May 2016? '14, '15, or '16 essentially. We'll start with Carina this time.

Carina Perkins:

I'm going to go March 2014.

Bill Fisher:

Okay. Paul?

Paul Briggs:

If you would've provided years as far back as 2010, I probably would've went there. I'll go with 14 as well.

Bill Fisher:

Okay. And Evelyn?

Evelyn Mitchell:

I'm going to go 2015 just to be different.

Bill Fisher:

You don't have to be different on this show, but it sometimes helps. But on this case, it hasn't helped because it was indeed March 2014. Well done, Paul and Carina. March 2014, it was passed by a vote of 621 to 10 with 22 abstentions. Then in June 2015, this is when the council reached a general approach for GDPR. In May 2016, that was when GDPR actually went into force, even though companies weren't required to comply. It then took another two years for it to be a requirement. Okay, let me count up the scores. We have a tie.

I always like it when we have a tie because I always have a tiebreaker in the locker, and it's Paul and Carina in the race for this one. This is a free form answer where the closest number wins. This is based on that enforcement tracker data. In September 2018, so this is just four months in to GDPR enforcement, there was just one single fine handed out that month in September 2018. How much do you think that fine amounted to in euros? Have a little think and whoever wants to jump in first and be brave, have your guess.

Paul Briggs:

I'll go first. I think I'm going to go on the lower end just because it's an easier transition into the regulation. Maybe 5 million euros.

Bill Fisher:

Okay.

Carina Perkins:

I'm going to go with 25 million.

Bill Fisher:

Okay. We do have a winner, but you are quite a long way out. In September 2018, and there's no insight into who this fine was handed out to or where, but that single fine amounted to 300 euros. It was incredibly small. In actual fact, it took three years until July 2021 for the total cumulative fines to pass one billion. It did take a long time. Anyway, we have a winner and it is Mr. Briggs. Paul, congratulations.

Paul Briggs:

Awesome.

Carina Perkins:

Well done, Paul.

Evelyn Mitchell:

Congratulations.

Bill Fisher:

It's a shame it wasn't you, Evelyn. You could have had... Unfortunate. Anyway, that's what I like about this show. We always end with a winner because it is time to call an end to today's show. Paul, thank you for speaking with us today.

Paul Briggs:

Thanks, Bill.

Bill Fisher:

Evelyn, great to have you on the show.

Evelyn Mitchell:

This is super fun. Maybe next time I'll win.

Bill Fisher:

I'm sure you will. Carina, thank you for lending your expertise.

Carina Perkins:

Thanks, Bill. Looking forward to next time.

Bill Fisher:

Thanks to all of you for listening in today to Around the World, an eMarketer podcast made possible by InMobi. Tune in tomorrow for our Behind the Numbers Daily Show hosted by Marcus. If you want to ask us any questions, you can, of course, email us at podcast@emarketer.com. I hope to see all of you next month for another edition of Behind the Numbers Around the World, which will be in English, I assure you. Bye for now.
