For many of us following along with the EU AI Act negotiations, the road to a final agreement took many twists and turns, some unexpected. For Laura Caroli, this long, complicated road has been a lived experience.

As the lead technical negotiator and policy advisor to AI Act co-rapporteur Brando Benefei, Caroli was immersed in high stakes negotiations for the world’s first major AI legislation.

IAPP Editorial Director Jedidiah Bracy spoke with Caroli in a candid conversation about her experience and policy philosophy, including the approach EU policy makers took in crafting the AI Act, the obstacles negotiators faced, and how it fundamentally differs from the EU General Data Protection Regulation.

She addresses criticisms of the act, highlights the AI-specific rights for individuals, discusses the approach to future proofing a law that regulates such a rapidly developing technology, and looks ahead to what a successful AI law will look like in practice.

In tandem with privacy, cybersecurity law is rapidly evolving to meet the needs of an increasingly digitized and complex economy. To help practitioners keep up with this ever-changing space, the IAPP published the first edition of Cybersecurity Law Fundamentals in 2021. But there have been a lot of developments since then.

Cybersecurity Law Fundamentals author Jim Dempsey, lecturer at UC Berkeley Law School and senior policy advisor at Stanford Cyber Policy Center, brought on a co-author, John Carlin, partner at Paul Weiss and former Assistant Attorney General, to help with the new edition.

IAPP Editorial Director Jedidiah Bracy recently spoke with both Dempsey and Carlin about the latest trends in cybersecurity, including best practices in dealing with ransomware, the significance of the new SEC disclosure rule, cybersecurity provisions in state privacy laws, trends in FTC enforcement, the recent Biden Executive Order on preventing access to bulk sensitive personal data to countries of concern, and much more.

We even hear about the time Carlin briefed the U.S. president on the Sony Pictures hack.

For those following the regulation of artificial intelligence, there is no doubt passage of the AI Act in the EU is likely top of mind. But proposed policies, laws and regulatory developments are taking shape in many corners of the world, including in Australia, Brazil, Canada, China, India, Singapore and the U.S. Not to be left behind, the U.K. held a highly touted AI Safety Summit late last year, producing the Bletchley Declaration, and the government has been quite active in what the IAPP Research and Insights team describes as a “context-based, proportionate approach to regulation.” In the upper chamber of the U.K. Parliament, Lord Holmes, a member of the influential House of Lords Select Committee on Science and Technology, introduced a private members’ bill late in 2023 that proposes the regulation of AI. The bill also just received a second reading in the House of Lords 22 March. Lord Holmes spoke of AI’s power at a recent IAPP conference in London. While there, I had the opportunity to catch up with him to learn more about his Artificial Intelligence (Regulation) Bill and what he sees as the right approach to guiding the powers of this burgeoning technology.

Hard to believe we’re at the twilight of 2023. For those following data protection and privacy developments, each year seems to bring with it a torrent of news and developments. This past year was no different. The EU General Data Protection Regulation turned five, and the Snowden revelations turned 10. From a finalized EU-US Data Privacy Framework, to major enforcement actions on Big Tech companies, to a panoply of new data protection laws in India and at least 7 US states, to the dramatic rise of AI governance, 2023 was as robust as ever.

To help flesh out some of the big takeaways from 2023, IAPP Editorial Director Jedidiah Bracy caught up with IAPP Research & Insights Director Joe Jones, who joined the IAPP at the outset of the year. 

After a gruelling trilogue process that featured two marathon negotiating sessions, the European Union finally came to a political agreement 8 December on what will be the world’s first comprehensive regulation of artificial intelligence. The EU AI Act will be a risk-based, horizontal regulation with far-reaching provisions for companies and organizations using, designing or deploying AI systems.

Though the so-called trilogue process is a fairly opaque one, where the European Parliament, European Commision and Council of the EU negotiate behind closed doors, journalist Luca Bertuzzi has acted as a window into the process through his persistent reporting for Euractiv.

IAPP Editorial Director Jedidiah Bracy caught up with Bertuzzi to discuss the negotiations and what comes next in the process.

Martin Abrams knows a little something about information privacy and consumer policy. Over the course of the last 40-plus years, Abrams has had his hands in a number of initiatives, including as co-founder and president of the Center for Information Policy Leadership and founder of the Information Accountability Foundation. He took part in the development of the APEC Cross Border Privacy Rules and the OECD’s Working Party on Information Security and Privacy. Abram's work on transparency and accountability has been influential on policy makers around the world.

At the latest Global Privacy Assembly in Bermuda, Abrams announced he was retiring from his full-time position at IAF and taking more time to be with his family. IAPP Editorial Director Jedidiah Bracy caught up with Abrams to take a look back at his career, the changes he’s seen in information policy and where he thinks data policy and regulation are heading.

The EU AI Act negotiations recently hit a major roadblock after EU Council Member States France and Germany unexpectedly pushed back on the European Parliament's draft position on regulating foundation models. The obstacle was so sudden, it appeared the negotiations were in a stalemate. Though the issue has not yet been fully resolved, the Spanish presidency of the EU Council is reportedly working with Member States to find a position that is workable for the European Parliament. 

This comes as the IAPP hosts its sold out Data Protection Congress 2023 in Brussels, Belgium. To be sure, the foundation model issue is not the only sticking point remaining in the trilogue negotiations. There are others. 

To get the inside scoop, I had the chance to catch up with EU AI Act co-rapportuer Dragoș Tudorache and Kai Zenner, head of staff for German MEP Axel Voss about the negotiations, the obstacles and whether there will be an agreement before next year's parliamentary elections. 

As automated systems rapidly develop and embed themselves into modern life, policy makers around the world are taking note and, in some cases, stepping in. Earlier this year, the Biden-Harris administration took an early step by releasing a Blue Print for an AI Bill of Rights. Comprising five main principles, as well as what should be expected of automated systems, while offering a slate of real-world examples of the potential harms and benefits of artificial intelligence, the Blueprint is a must-read for AI governance and privacy professionals working in the space.

Suresh Venkatasubramanian is a Professor of Computer Science and Data Science at Brown University. He also co-authored the Blueprint while serving as Assistant Director for Science and Justice in the White House Office of Technology and Policy.

IAPP Editorial Director Jedidiah Bracy recently caught up with Suresh to learn more about his work on the Blueprint, how it fits into the broader spectrum of existing AI guidelines and frameworks, and what professionals should know about this rights-based document.

We often focus on consumer policy when discussing privacy laws and obligations, but companies must protect their employee data, as well. Navigating complex employee privacy and labor laws in the U.S., for example, can be challenging, and new state laws, like the California Privacy Rights Act, apply more pressure on privacy pros charged with ensuring employee data is protected and handled appropriately.

Littler Mendelson Privacy and Data Security Practice Group Co-Chair Zoe Argento knows the workplace privacy field well and advises clients on a wide range of issues. IAPP Editorial Director Jedidiah Bracy recently caught up with Argento to discuss some of the pressing trends in the workplace privacy space, including CPRA obligations, workplace surveillance and artificial intelligence issues, international data transfers and data security best practices.  

The prospect of day-to-day life with artificial intelligence is no longer a future endeavor. AI systems comprise countless applications across public and private organizations, and through open-sourced systems, such as ChatGPT, AI is now consumer-facing and usable.

The U.S. National Institute of Standards and Technology was directed by the National Artificial Intelligence Initiative Act of 2020 to create a voluntary resource for organizations designing, developing, deploying or using AI systems to help manage risk and to promote trustworthy and responsible development of AI systems.

As a result, NIST released the AI Risk Management Framework 1.0 along with supplementary documents to help organizations. To learn more about the newly released framework and how organizations should approach it, IAPP Editorial Director Jedidiah Bracy caught up with NIST Research Scientist and Principle Investigator for AI Bias Reva Schwartz.