IAPP Global Privacy Summit: Calls for a Federal Privacy Law Gain Momentum


The International Association of Privacy Professionals (IAPP) Global Privacy Summit 2022 wrapped up on April 13. Held as an in-person event this time after being canceled in 2020 and held virtually in 2021, the summit featured Apple CEO Tim Cook, Microsoft president and vice-chair Brad Smith, FTC chair Lina Khan, and European commissioner for justice Didier Reynders among others, as the keynote speakers.

With a mission to define, promote and improve the privacy profession globally, the nonprofit’s annual summit is a way for professionals to get the latest developments, practices, and policies around privacy and data protection.

This year, the IAPP Global Privacy Summit held over 85 sessions where over 200 speakers shared their views on one of the most contested issues in information security today. Here are the key highlights from the four-day summit.

Highlights from IAPP Global Privacy Summit 2022

Tim Cook and Apple’s resolve against sideloading

Cook termed upholding user privacy as “one of the most essential battles of our time.” And for that, his and Apple’s position hasn’t changed regarding sideloading. They are dead set against it.

“Policymakers are taking steps, in the name of competition, that would force Apple to let apps onto the iPhone that circumvent the App Store through a process called sideloading,” Cook said. He is referring to the newly passed Digital Markets Act in the European Union, which would mandate Apple to allow the installation of apps from third-party app stores on Apple devices.

Currently, Apple holds firm control over the setup of apps sourced from third parties. If such regulations come into effect, Cook says, “data-hungry companies would be able to avoid our privacy rules, and once again track our users against their will. It would also potentially give bad actors a way around the comprehensive security protections we put in place, putting them in direct contact with our users.”

“And we have already seen how that creates vulnerabilities in other companies’ devices.” Well, yes. Android indeed tends to be more infected than iOS. But there are other factors besides sideloading that influence the security of devices. These include Android’s open-source nature, fragmentation, and simply a higher number of devices.

But Apple is all for GDPR-esque privacy regulations in the U.S. at the federal level. “We also call for a strong and comprehensive law in the United States.” But that’s about it on the subject.

Cook also mentioned Apple’s encryption rules and its role in imparting more robust privacy controls to users. Apple introduced App Tracking Transparency for iOS 14.5 onwards last April. It certainly has been a hit. As of February 2022, users’ opt-in rate for cookie tracking by third parties has not exceeded 18% globally, and 25% in the U.S. Google is doing this for Android through Privacy Sandbox for Android.

FTC blasts limitless monetization of user data for targeted advertising

Lina Khan was appointed as the FTC chair in June 2021. Her keynote speech at IAPP Global Privacy Summit 2022 was the first significant address relating to privacy.

Khan used this opportunity to explore the role of modern technology in enabling surveillance and the need for an interdisciplinary approach to privacy.

Khan said the present-day tech biz incentivizes “endless tracking and vacuuming up of users’ data.”

“Across domains, companies can analyze stunningly detailed user profiles to target [ads] with striking precision. The general lack of legal limits on what types of information can be monetized has yielded a booming economy built around the buying and selling of this data,” she said.

“Digital technology allows data collection on a hyper-granular level. And the more we rely on digital tools to carry out tasks, the vaster the scope of data collection, keystroke use and browser history to location and health records.”

FTC commissioner Noah Phillips concurred with Khan’s concerns over targeted or surveillance advertising practices but stated that companies could undertake deceptive practices irrespective of market dominance.

“The theory is that privacy harms, privacy violations are a symptom of monopoly, that it is the big guys and market power that enables the bad things we see on privacy,” Phillips said. “It’s not that competition will never yield privacy, surely it sometimes does. But on average, over time we see big guys creating privacy problems, but we also see little guys. To take our focus off the little guys would be putting a lot of privacy harms aside.”

While both agree that limits to data collection are necessary, the duo are at odds when it comes to using the word ‘surveillance’ while referring to targeted ads and with whom the accountability lies.

The FTC has been in a partisan 2-2 stalemate, hindering federal agencies’ ability to enforce rules. That said, Phillips argued that rule-making is not for the FTC and is the prerogative and expertise of Congress.

However, both Khan and Phillips agreed on the need for higher staffing at the FTC. The founding director of the Center on Privacy and Technology at Georgetown Law, Alvaro Bedoya, is expected to be appointed to the FTC soon.

Microsoft at IAPP Global Privacy Summit

Microsoft president and vice-chair Brad Smith supported Cook in his keynote address over the need for privacy legislation. Smith even criticized Congress over inaction on the matter and called the legislature “frozen in time.”

He called for a separate new commission to oversee all things digital, citing the U.K.’s Digital Regulation Cooperation Forum, which came into being in July 2020.

“Every day, governments are creating complex regulatory requirements for technology. We, like many companies and institutions, follow this not just in one place but every place and what we see is an explosion of technology laws and regulations and proposals that are literally sweeping the planet.”

Source: Brad Smith at IAPP Global Privacy Summit

“The United States increasingly stands alone. The fact of the matter in my view is there is a critical element we are failing to think about. The failure of the U.S. to legislate doesn’t stop global regulation. It doesn’t even slow it down. It just makes our country less influential in the world,” he said.

Smith said technology is no longer a tool, but a weapon wielded in “so many ways and shapes and forms, directly and indirectly.”

“We have to address the problem that technology has created.” He underscored how multiple sectors are regulated by respective agencies, such as Automobiles by National Highway Safety Administration, Airplanes by the Federal Aviation Administration, Pharma by the Food and Drug Administration, Telephones by the FTC, Nuclear Power by The Nuclear Regulatory Commission and so on.

Smith said that the difference between these sectors and digital tech and data is that organizations in the latter have had to adapt to new laws and regulations way more quickly than those involved in the former.

“Would we be better served to place in the hands of people, pursuant to the rule of law, the ability to learn and master the facts for an industry and craft carefully very thoughtful rules?” Smith added. “Is that a better future than asking a Congress or a legislature or a Parliament to go on a piecemeal basis and change each and every law separately, and with less coordination?”

Smith also called for greater international or cross-border cooperation on digital technology. He highlighted that the Privacy Shield, which regulated transatlantic data transfers between the U.S. and the E.U., took four months to materialize, while the latest framework has taken 18 months. We should add that the new framework was agreed upon without any details being made public.

“We need people who can think creatively. We need people who can think across boundaries. We need privacy regulators, professionals and practitioners who recognize that privacy itself is much less siloed than it used to be,” Smith said.

“Some of the leading privacy issues of our time involve the intersection of privacy and, say, the protection of children. With digital safety it’s privacy and cybersecurity. And then there is the intersection of protection of privacy and public health. We need to think across the traditional intellectual boundaries that have in some ways, have perhaps too nearly subscribed to our thinking in the past.”

New framework for transatlantic data transfers

The invalidation of the Privacy Shield framework was caused primarily by concerns about the lack of a federal privacy law in the U.S. Meta even stirred up controversy when it said it might have to leave the E.U.

But late in March, both parties agreed “in principle” on a new framework for transatlantic data transfers. Ever since, U.S.-based companies such as Meta, which were impacted by Privacy Shield being thrown out the window, and privacy advocates and individuals in the E.U. have had their eyes and ears on when the new framework, whose name isn’t even public yet, will be enforced.

European commissioner of justice Didier Reynders clarified, “It is difficult to give a precise timeline at this stage, but we expect that this process could be finalized by the end of this year. While we still have a lot of work ahead of us, I do believe this agreement in principle confirms once more how much the European Union and the U.S. can achieve by building on their shared values.”

Reynders and Bruno Gencarelli, the European Commission’s head of international data flows and protection, revealed that the E.U. may determine privacy adequacy. This includes provisioning “for safeguards limiting access to data by American intelligence authorities to what is necessary and proportionate to protect national security.”

Reynders added, “We had very detailed discussions to explore different solutions that could be developed within the U.S. legal system.”

Apparently, these solutions or, in other words, provisions are being guaranteed through what the U.S. Department of Commerce deputy assistant secretary for services Christopher Hoff called “unprecedented commitments” and “substantial strengthening of privacy and civil liberties safeguards” as part of a redress system being enacted by the executive branch of the U.S. government.

Hoff said, “All those things will become a lot more clear in time, but there’s been a lot of thought and paper back and forth. I’ve been impressed with how forward-leaning, well-intentioned and privacy-focused those around the table have been.”

Colorado’s privacy law

Microsoft’s Brad Smith wasn’t the only one to criticize Capitol Hill. Colorado attorney general Philip Weiser noted that states had taken it upon themselves to bring in privacy laws as Congress has failed to address concerns.

“If you’re looking for public policy innovations, I wouldn’t recommend it’s generally worth looking in Washington. I would look to the states,” said Weiser. “State leadership on data, privacy and data security is what economists would call a second-best world. The best world would be a world where Congress could pass a law with clear standards and authority for state agencies to enforce that law like we have in Dodd-Frank.”

“I would sign up for that tomorrow, but (Washington) is not working as it should and as we need it to.”

Weiser outlined his plans for rulemaking under the Colorado Privacy Act, which includes collecting feedback from individuals about provisions such as opt-out, consent, dark patterns, data protection assessments, profiling, interpretive guidance, offline collection and multi-jurisdiction issues.

He explained the aim to differentiate between violators and those who engage in willful noncompliance. The Colorado Privacy Act, Weiser said, doesn’t make exceptions and includes nonprofit organizations as subject to the law, something other states haven’t done.

The Colorado Privacy Act is slated for enforcement starting in 2023.
