2023 Year in Review: AI Privacy, Children’s Privacy, EU-U.S. Data Privacy Framework

In 2023, Innovators Network Innovation fellows published some groundbreaking work on a wide range of issues within the privacy world. Even as Congress continued to struggle to advance comprehensive privacy legislation, the fellows worked hard to bring their expertise to bear on some of the central privacy law and policy issues before state, federal, and international venues, from privacy labeling and security hygiene to compliance, artificial intelligence (AI), COVID-specific privacy, and the future of transatlantic data transfers, just to name a few.

Here are a few of the highlights from the fellows’ work in 2023:

AI Has a Privacy Problem?

A Medium piece written by Lourdes Turrecha, chief privacy officer at Cloud Software Group, discusses the growing privacy concerns associated with the widespread adoption of AI in various applications of our lives. While we can acknowledge the great benefits that AI systems provide, Lourdes helps readers understand the threats it can pose to the privacy and security of personal data.

Lourdes asserts that rather than issuing a prohibition on further AI development to address AI’s privacy issues, we should instead encourage the development of innovative technologies like “privacy tech” to tackle these privacy/security challenges. She writes: “The solution is in truly innovative technologies: responsible AI and privacy tech tools designed to solve our privacy, security, data governance, ethics, trust, and safety problems in the AI context.” While she acknowledges the need for a comprehensive federal privacy framework is real, the flexible nature of tech entrepreneurs and innovators can curb some of the serious privacy threats we face today.

Are We Protecting Children?

With Congress declining to enact the Kids Online Safety Act (KOSA, S.1409) and the Children and Teens’ Online Privacy Protection Act (COPPA 2.0, S.1418), many are questioning whether Congress is doing anything to address children’s privacy. It is important to consider that state-level policies like the California Age-Appropriate Design Code (AADC) may exacerbate a privacy regime when it piles on restrictions that require individualized state-by-state compliance concerns. As Eric Goldman outlines in his Amicus Briefchallenging the constitutionality of AADC in the NetChoice V. Bonta case, he writes:

“American business regulation generally encourages ‘permissionless’ innovation. The idea is that society benefits from more, and better, innovation if innovators don’t need the government’s approval. The AADC turns this concept on its head. It requires businesses to prepare ‘impact assessments’ before launching new features that kids are likely to access. Those impact assessments will be freely available to government enforcers at their request, which means the regulators and judges are the real audience for those impact assessments. As a practical matter, given the litigation risks associated with the impact assessments, a business’s lawyers will control those processes–with associated delays, expenses, and prioritization of risk management instead of improving consumer experiences.”

The technology-driven markets AADC would affect are dynamic and competitive conditions evolve quickly. Doubling down on age-specific privacy requirements and restrictions while leaving federal laws untouched for other age groups would cause significant capital that currently fuels innovation (including on privacy features) to go toward compliance instead. The problem is exacerbated when compliance requirements conflict with each other across jurisdictions. Ultimately, businesses would realistically react to regimes involving conflicting age verification; comprehensive privacy regimes ensure that their services/features are not available at all for children. This would limit internet access and only create a more burdensome verification regime for developers.

What Does the EU-U.S. Data Privacy Framework (DPF) Mean for SMEs?

On October 12, 2023, the UK-U.S. Data Bridge officially went into effect. This agreement seeks to govern the streamlined transfer of personal data from UK organizations to certified counterparts in the United States. At the same time, it is intended to ensure that UK individuals receive full UK General Data Protection (GDPR) protections when their data crosses into the United States. The Data Bridge plays a crucial role in global data transfer and has been essential to SMEs. As Paula Bruening, senior counsel at Wuersh & Gering LLP, explains in a podcast, more SMEs are collaborating and partnering because of this framework. The DPF offers a “more streamlined and cost-effective way of coming into compliance.”

Other Highlights from Our Fellows

Sign-on letter from academics to congressional leadership Re: Fourth Amendment Issues Posed by the EARN IT Act (S. 1207, H.R. 2732), Eric Goldman

 “Accommodating Children’s Needs Online: An Impossible Task?” Computers, Privacy, and Data Protection (CPDP) Conference, Eric Goldman

Metrics for Success: Why and How to Evaluate Privacy Choice Usability,” Communications of the ACM, Lorrie Cranor

Is There a Reverse Privacy Paradox? An Exploratory Analysis of Gaps Between Privacy Perspectives and Privacy-Seeking Behaviors,” Privacy Enhancing Technologies Symposium (July 2023), Lorrie Cranor

Data Safety vs. App Privacy: Comparing the Usability of Android and iOS Privacy Labels,” Arxiv, Lorrie Cranor

Key Considerations for Legislating Kids’ Data Privacy,” Law360, Paula Bruening

Elon Musk & Future of Life’s Call to Halt AI Systems Training is the Wrong Move,” Medium, Lourdes Turrecha