This week in data/cyber/tech: meet the Chief AI Officer; the GDPR says no; and is all non-compliance enforceable?

Viewpoints
April 19, 2024
5 minutes

There's rarely a quiet week in data protection — and this one was no exception. Below are three developments from the past seven days that caught my eye.

Story #1: The rise and rise of the Chief AI Officer

Has your organisation put somebody — or somebodies — in charge of artificial intelligence? Maybe that person is, or will be, you.

The Financial Times ran an interesting story this week on the rise of the so-called Chief AI Officer. The article focuses on AI Officers at blue chip companies, and perhaps understandably so.

But an increasing number of my clients and contacts are tasked with leading — or being heavily involved in — their organisations' AI strategies. These folks work at companies of all shapes and sizes, many of which don't have an "official" AI boss.

Indeed, my view is that we should all aim to become AI-savvy, irrespective of our role or title. To update Marc Andreessen's quote about computers and the internet, AI will put jobs in two categories: people who tell AI what to do, and people who are told by AI what to do.

Whether or not you're an AI Officer, you'll want to be firmly in the former category.

*****

So what to do if you’ve been asked to take the lead for all — or even some part — of your organisation’s AI activities?

First of all: congratulations. Assuming that your employer doesn’t (and isn’t intending to) use AI for nefarious means, you'll have a front-row seat for the development of the most exciting mass-scale technology since the smartphone. You may even be driving that development. You will also be highly employable for the foreseeable future.

The elephant in the room is that some people may be given the AI portfolio because no one else wants the role. It’s seen as too hard, or too much work, or too risky. We saw this play out in the GDPR context, where individuals — from IT, legal and compliance — were asked to become their company's data protection officer, often in addition to their day job.

Notwithstanding that I'm generally optimistic about these things, I would see this as an opportunity. Will it be hard? Yes. And hard work? Also yes. But will you be more knowledgeable, and therefore more valuable, within your organisation and beyond? Absolutely — and you don't need me (or AI) to tell you that.

Story #2: The regulator must investigate — but must it enforce?

It stands to reason that a big part of a data protection regulator’s job is to enforce the law. But what does that mean in practice?

Is every infringement actionable? Or is it sufficient for the regulator to determine that some non-compliance does not require a sanction? Last week, an advocate general (AG) of the European Court of Justice issued an Opinion that considered exactly these questions.

The topic may seem like navel gazing. But if your organisation is subject to the GDPR, the AG’s conclusions have practical — and reassuring — implications for you. So do read on.

*****

In a nutshell, the AG found that EU data protection authorities must:

  • Act whenever they identify GDPR non-compliance in the course of their investigations; and
  • Determine the appropriate corrective measure to remedy the infringement(s) they find.

Crucially, however, data protection authorities may choose not to enforce those infringements — i.e., the question of whether they must act should be distinguished from how to act. So, where (for example) the non-compliance is of a low level, or it has already been resolved, corrective measures may not be needed.

That has to be right — and the AG recognises that requiring enforcement of all cases of non-compliance wouldn’t be workable or, ultimately, productive. Most regulators are already overstretched and underfunded. Analysis in 2022 found that the UK ICO took an average of five hours to review and close each of the 31,000 of the 36,000 complaints it received the previous year.

*****

A good rule of thumb is that an organisation which claims to be “fully” or “one hundred per cent” GDPR compliant likely is not. Total compliance may be possible, but it’s the exception to the rule. Indeed, the regulators themselves don’t always get it right.

With that in mind, one can take comfort from the AG’s Opinion. Clearly, you strive for compliance, but it should be reassuring to know that, for legal and practical reasons alike, the chances are good that lower-level breaches — particularly where you’ve taken steps to address the issue — may not be penalised.

Story #3: The GDPR says “no”

Most of us have a funny/ridiculous “sorry, the GDPR won’t let me do that” story. Not being able to put name tags on your kids' school clothes. The newsagent requiring your consent before they deliver the Sunday papers. That sort of thing.

Sometimes, though, the ramifications are more serious. This week I read about Irish local authorities not being able to view road collision data maintained by the country's Road Safety Authority due to "a GDPR issue". And it got me thinking.

*****

Fundamentally, I see data protection laws as an enabler, rather than a blocker. Does that mean you can do whatever you want with personal data? Of course not. If, after doing the analysis, it becomes clear that your proposed processing activity isn’t lawful, that’s fine. And here, “lawful” is a broad concept that comprises black letter law as well as ethical considerations and, quite simply, whether it’s the right thing to do.

But my starting point with (for example) the GDPR isn't "no". To be clear, I'm not advocating an exercise in interpretive — and unsupportable — legal gymnastics in order to get the answer you wanted from the start. It's a process. But the starting point can, indeed I think it should, be: let's see if we can make this work.

*****

Some years ago, while on a run in Portugal, I listened to a podcast in which Kirk Nahra of WilmerHale said that he saw his job as helping clients to achieve their business aims.* Obviously, Kirk said it more eloquently than I just have, and I’d encourage people to listen to the podcast. The episode link is here, and the wider series, The Data Protection Breakfast Club, which is run by Andy Dale and Pedro Pavon, always delivers.

Maybe Kirk's approach is/was painfully obvious to everyone else, but as a junior lawyer it was a real lightbulb moment for me. It’s a lesson I go back to time and again.

Is there a big takeaway here? Perhaps not. It's just that advising on data protection law, much like life, seems to be easier — not to mention more fun — if you approach it positively.

* Yes, I do listen to privacy podcasts in my spare time.
