Redefining CyberSecurity

Unpacking Data Privacy and AI Ethics at RSA Conference 2024 | An RSA Conference 2024 Conversation With Anu Talus | On Location Coverage with Sean Martin and Marco Ciappelli

Episode Summary

Join us as we share another insightful conversation from the On Location Podcast Coverage of RSA Conference 2024 hosted by Sean Martin and Marco Ciappelli.

Episode Notes

Guest: Anu Talus, Head of the Office of the Information Commissioner (TSV), and Chair of the European Data Protection Board (EDPB) [@EU_EDPB]

On LinkedIn | https://www.linkedin.com/in/anu-talus-657a892/

At RSAC | https://www.rsaconference.com/experts/Anu%20Talus

____________________________

Hosts: 

Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/sean-martin

Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli

____________________________

Episode Notes

The latest episode of the On Location podcast, hosted by Sean Martin and Marco Ciappelli, provided a deep dive into the crucial topics of data privacy and AI ethics, featuring an enlightening discussion with Anu Talus, the Finnish Data Protection Ombudsman. The conversation explored the intersection of GDPR, the AI Act, and the ethical considerations surrounding artificial intelligence.

The Role of Anu Talus: Protecting Data Privacy in Europe

Anu Talus, the Finnish Data Protection Ombudsman and chair of the European Data Protection Board, shed light on the dual role she holds in safeguarding data privacy across Europe. With a comprehensive overview of the GDPR and its application in the new reality of AI, Talus emphasized the importance of a harmonized approach to data protection legislation.

Unveiling the Complexity: AI Act and GDPR Interconnection

The discussion with Talus went deep into the intricate interplay between the AI Act and GDPR, highlighting the essential role of the GDPR in regulating the processing of personal data in AI applications. The conversation underscored the need for a consistent and comprehensive enforcement mechanism to ensure the protection of individuals' privacy rights.

Navigating Ethical Dilemmas: Balancing Innovation and Risk

Ethical considerations in AI governance were a focal point of the conversation, with a deliberate exploration of the challenges posed by emerging technologies like deepfakes and misinformation. Talus emphasized the significance of conducting thorough risk assessments to strike a balance between innovation and ethical usage of AI.

Bridging Stakeholders: Collaboration for Effective Legislation

The episode highlighted the importance of stakeholder engagement in the legislative process, emphasizing the need for diverse perspectives to inform effective policymaking. Talus underscored the value of collaborative efforts among researchers, policymakers, and industry innovators in shaping meaningful and enforceable regulations.

Looking Ahead: Insights and Experiences from RSA Conference 2024

As Anu Talus prepared to participate in a panel on AI Governance and Ethics at the RSA Conference, the podcast provided a glimpse into the anticipated discussions around data privacy, AI ethics, and legislative perspectives. The panel promised a robust dialogue with industry experts and privacy advocates, offering attendees a wealth of insights to carry forward.

Join the Conversation: A Call to Action for Data Privacy Advocates

The episode concluded with a call to action for listeners to engage with the evolving landscape of data privacy and AI ethics. Encouraging attendance at the RSA Conference panel, Sean Martin and Marco Ciappelli emphasized the importance of continued dialogue and collaboration in shaping a secure and ethically-driven AI ecosystem.

____________________________

Follow our RSA Conference USA 2024 coverage: https://www.itspmagazine.com/rsa-conference-usa-2024-rsac-san-francisco-usa-cybersecurity-event-infosec-conference-coverage

On YouTube: 📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS-B9eaPcHUVmy_lGrbIw9J

____________________________

Resources

AI Governance & Ethics: A Discussion with the Big Players: https://www.rsaconference.com/USA/agenda/session/AI%20Governance%20%20Ethics%20A%20Discussion%20with%20the%20Big%20Players

EDPB: https://www.edpb.europa.eu/edpb_en

Learn more about RSA Conference USA 2024: https://itspm.ag/rsa-cordbw

____________________________

Catch all of our event coverage: https://www.itspmagazine.com/technology-cybersecurity-society-humanity-conference-and-event-coverage

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit: https://www.itspmagazine.com/redefining-cybersecurity-podcast

To see and hear more Redefining Society stories on ITSPmagazine, visit:
https://www.itspmagazine.com/redefining-society-podcast

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

[00:00:00] Sean Martin: Marco.  
 

[00:00:01] Marco Ciappelli: Sean.  
 

[00:00:02] Sean Martin: I've seen your itinerary.  
 

[00:00:04] Marco Ciappelli: You've seen it. I've seen  
 

[00:00:05] Sean Martin: it. It's online.  
 

[00:00:07] Marco Ciappelli: Privacy. I can't do anything anymore.  
 

[00:00:09] Sean Martin: It's all, it's all right there. I know what time you're leaving, airports, rental car.  
 

[00:00:16] Marco Ciappelli: There must have been my, uh, AI assistant that, uh, didn't protect my data, but it got a beautiful job in booking everything exactly the way I want it to. 
 

[00:00:26] Sean Martin: Right. And, uh, I think 
 

[00:00:29] Marco Ciappelli: You have to balance, Sean.  
 

[00:00:30] Sean Martin: I was confused though. You're, you're going to Helsinki.  
 

[00:00:34] Marco Ciappelli: I wish, actually, I'm going to Europe after, uh, but not to Helsinki, unfortunately.
 

[00:00:41] Sean Martin: We don't get to go there, but our guest gets to come to California for RSA conference. Anu Talus, thank you for being part of the conversation today. 
 

[00:00:51] Anu Talus: Thank you for the invitation. It's my pleasure.  
 

[00:00:54] Sean Martin: And for, uh, for bearing with us as Marco and I be silly. Uh, but this is an important conversation and I want to, uh, congratulate you on and being part of RSA conferences as part of our coverage on the chats on the road to RSA conference. And you have a session there, a panel where you're looking at data privacy, of course.
 

And, uh, we're excited to learn a little bit more about that topic from you and, and what folks can expect to hear and, and your, your overall view of RSA. Data privacy, we're going to connect it to, you guessed it, AI as well, I think, right? So, uh, we'll dig in a little bit to that. Uh, before we get into that though, a few words about who Anu is and, uh, yeah, maybe, maybe a brief view of how you arrived at the  
 

[00:01:40] Anu Talus: Well, uh, if I, if I start by, um, introducing myself, um, I am the Finnish, um, well, data protection ombudsman or information commissioner, uh, if you prefer, uh, if you prefer that. And I'm the chair of the EDPB. So the European data protection board. So it is a dual role. And, um, starting with the EDPB, uh, what we do, what, what the EDPB is, uh, the European Data Protection Board, it is an, um, uh, EU body, which brings together, uh, all the national data protection authorities.
 

So all to, all to EU and EEA, um, uh, EU and EEA information commissioners, uh, to make, to make together, uh, decisions and, uh, to define a harmonized approach, how to, how to apply it to data protection legislation, uh, in EU. Um, and it has a competence, for example, to make binding decisions. So it's an EU body, uh, which brings together national data protection authorities with the competencies to make binding decisions.
 

We have several, uh, different tasks. We, for example, uh, provide guidelines, uh, guidance, and this is something we've been doing a lot during the past, uh, let's say five, five, six years. Because, um, I don't know, um, well, perhaps, uh, you've heard of the GDPR, uh, so the GDPR became applicable, uh, about, uh, five years, six years ago. 
 

So this, this is why we have been focusing a lot on providing guidance, uh, uh, in the past, past six, uh, five years and ensuring, uh, ensuring, um, the consistent application, uh, throughout, uh, the European Union. We also have a role as a dispute resolution mechanism, as a dispute resolution body. So in cases where the National Data Protection Authorities, the National Information Commissioners are not able to agree on a subject matter among, among ourselves, it will be then brought to, to the European Data Protection Board, to the EDPB for a decision and those decisions are binding.
 

So, um, This is the other role. And then also we, for example, uh, provide, uh, advice for the European commission. So when the European commission is, for example, uh, is working on a legislative, legislative, um, proposal, this is when we, uh, Uh, I would provide them, uh, advice and examples of that would be, um, digital Euro and then for example, to AI act, but this is also one of the, one of the tasks, uh, of the board. 
 

[00:04:39] Marco Ciappelli: So you made a pretty, uh, nice overview and it. Every time you touch on something, I'm thinking with AI, this got more complicated. And, uh, and so a few, few questions that I'm sure we're going to ask you, and I'm going to start with how is affecting the GDPR, this very fast evolution of artificial intelligence? 
 

[00:05:04] Anu Talus: Well, you probably know about the AI Act, which was quite recently, yes, uh, agreed, uh, agreed on. Um, well, starting with the GDPR, um, it is, uh, drafted in a technologically, uh, neutral way. And what, how the GDPR works with the, with the new digital, uh, legislation, it sets the grounds. It sets the ground for all the new legislation, which have been, uh, which have been, um, developed now in the past years. 
 

The AI Act is not the only one. There are also other, other, um, other EU level legislation which has been, uh, agreed on in the past, past years. So, um, but of course the AI Act, it's a very, uh, it's a very exhaustive piece of legislation and it has a lot of, uh, overlaps, uh, with the, with the GDPR, which is the, which is the law which regulates. 
 

It regulates the processing of personal data and the data privacy. So, um, , the GDPR, uh, sets also the grounds for the AI Act. And, uh, even when the AI Act, uh, is, uh, is applied, um, The GDPR must be applied at the same time when it is about processing of personal data. So quite often when we are talking about AI and AI applications it also includes a processing of personal data. 
 

There might be models which are completely entirely based on processing of personal data or at least the application would have, would contain some processing of personal data. So, uh, when, um, when, uh, when the AI Act is, uh, uh, is applied, uh, it must also, it must also go hand in hand with the GDPR. Uh, what is very, uh, interesting here at this very moment, because it has, uh, quite recently been agreed on, is that who will be the ones who will enforce the AI Act and this is of course for us from the regulator's perspective, a very important, uh, uh, very important topic because, um, what, what we want as an EDPB is that there will not be a fragmented, uh, enforcement.
 

And now it is for all the member states to, to decide. Who will be the competent authority in each member state to enforce the AI Act? And by so far, um, many of the data protection authorities who now, um, supervises the, the application of the GDPR have actually already, uh, enforced, uh, AI. So when there is, uh, processing of personal data at stake.
 

And when you are, uh, enforcing the GDPR or the law enforcement directive or international implementation laws, uh, of that, you are also enforcing, uh, AI related, uh, matters. So there is a lot of, uh, experience already gained, uh, by the, by international, uh, supervisory authorities. Uh, when it comes to, when it comes to AI.
 

And, uh, it would be very important to get this, uh, this experience in use, uh, when it will be decided who is, uh, who are the competent, uh, authorities, uh, to enforce the AI Act.  
 

[00:08:52] Sean Martin: Uh, so many questions, because I, one part of me thinks having the GDPR there as a layer Might help with the, uh, AI act, certainly with the protection of personal information as part of looking at the role of AI in, in, in business and society, but then just the world of AI is so broad. 
 

I'm thinking things like, uh, create, collecting publicly available information and creating. Potentially private like information. So deep fakes and misinformation and those types of things can make it really complex. He, I don't know if you can share how, how broad the AI act and GDPR go in terms of things, things of those nature, the scenarios like that, where, yeah, I guess misinformation or wrong information or deepfake type. 
 

[00:09:54] Anu Talus: Well, um, yes, there are, uh, a lot of, uh, possible scenarios. I do, uh, agree, um, on that. Um, some of these scenarios would, uh, involve already some aspects of processing of, uh, personal, um, data. Uh, Of course, the AI Act then will bring another layer on top of it. I cannot really go into details yet. We have quite a general approach to this. This stage and we are also very much focusing on, on the enforcement and, uh, to, to, uh, you know, to this question to avoid the fragmented, uh, enforcement. This is, uh, this is what we have, what we are focusing very much at this stage. 
 

But, uh, but, um, what would be important is that when there is an overlap, and if there are, uh, different, uh, uh, authorities who are enforcing this, um, it should, well this is basically what I, I be, I, I've been keep saying here. Uh, it should, you should have the same outcome. You should have the same, uh, approach regardless of who is, uh, who is the authority, um, enforcing the, um, the AI Act.

And here I think that regardless of who will eventually then be the competent authority to enforce the AI Act, there will be a lot of cooperation between the data protection authorities. So there will certainly, there will certainly be an important role for the data protection authorities to play also in, uh, in, in those cases.
 

So, uh, yes, uh, I can, uh, I can see that there are many, many different scenarios you could, you could play with when we are talking about the protection of personal data and, uh, and AI.  
 

[00:11:58] Marco Ciappelli: So in the panel that you're going to be part of an RSA conference, which of course will give more information for people that want to come in and participate in the audience, you're actually sitting down with some company, some big players in the, in the AI. 
 

And, um, and I'm interested in, in knowing what stage are we in and when you talk about ethics in, in AI and how the consumers, which is something that, of course, the GDPR is clearly mind, probably more than, uh, in this side of the world in the United States. Um, where are we standing in the perception, and in the way that we want to really protect these people that are starting to use AI?

Maybe they're already using AI and they don't know about it. And how are your conversation with this player is from a legislative perspective.
 

[00:12:58] Anu Talus: Well, if I start first with what new to AI act will bring to what we have now, and then perhaps, I will go in more to the ethics and of, uh, the assessment of, uh, , different systems. 
 

One of the core, um, novelties of, uh, of the ai, uh, act is that some, um, some, um, uh, AI systems, uh, are, uh, not allowed at all because they are not in accordance with, uh, with some core values, uh, some core EU values. And an example of this, uh, would be a, um, a, uh, social scoring. So this type of, uh, limitations, uh, are set in place, uh, to, to protect, 
 

the people, not only citizens, but the people also on a more general level. What is, of course, always very important is to, to, And this also comes from the GDPR to, to have to, to, to conduct a thorough, uh, um, assessment of the impacts. So to have a, have a thorough, uh, assessment of the risks, uh, involved, uh, in the processing. 
 

And this is also something where then the AI Act will have a different layers different. Different ranks of, uh, of risks, depending on the type of processing, uh, processing we have, uh, have at, uh, at stake. So, um, of course, it's always what is important here. It's, it's always. To find the right balance, because at the same time, now we are very much focusing here, uh, how we should, uh, you know, be quite prudent with AI, but at the same time, it can also bring quite a lot to the, you know, to, to what we have at the moment. 
 

It's, it's a very valuable, uh, very valuable, uh, way to improve, uh, many things. For example, let's, uh, Well, in many different fields. So, uh, it's, uh, it's always about balancing and assessing to, to, to, to carry, carry out, to carry through a, very thorough, uh, risk assessment so that you can actually do the balancing. 
 

You need to, you need to see the, and to be very honest with the risks, to be able to balance those risks, with application, uh, uh, we, we have, have at stake. So, um, this is, well, this is one of the reasons why this is very interesting. And I think this is also the, it's the same with the protection of personal data. 
 

It, it's not about, um, It's not about, uh, um, banning something entirely, but it is about finding, uh, finding the ethical way to, to use it and to, to, to have it, um, have it developed. So this is, uh, this is why I quite like this field. There is always something new, you know, you have never, you know, you're never in a ready made world. 
 

So this is, this is, I think one of the perks in, in this, uh, this field.  
 

[00:16:29] Sean Martin: So I want to, I want to dig into the panel in one, one second, but I have one more question because we're talking about risk. We're talking about ethics. We're talking about technology. We're talking about. Rules and laws. And to me, that paints a picture of a lot of different roles of folks. 
 

And I know in, in the States, I feel that we struggle with bringing together researchers and security and privacy and politicians and lawmakers and enforcers. And the list goes on in order to come up with something that that's meaningful and enforceable and. People know why, right? It's not, there's no question of why we're doing this. 
 

Can you describe how that works for you? I mean, that might be a big open question, but maybe just a brief overview of do you have those folks involved so we can understand this is how AI works. This is how technology surrounding AI works. Could you just describe some scenarios of In healthcare, we can achieve this, but only if we understand GDPR and the AI act in these scenarios and bring it together. 
 

[00:17:42] Anu Talus: Well, normally when, uh, when commission, um, makes a proposal for legislation, there's normally a stakeholder hearing, uh, in the beginning. Uh, now I don't know the details of, uh, what has, um, uh, or, uh, all the, about all the hearings which have taken the place, uh, for, um, what is a specific piece of legislation, but this is also something that, um, we can do, for example, into EDPB, uh, when we are, uh, when we are working on guidelines.
 

So we can, we can have a, um, stakeholder hearing to have, to hear a different, uh, different angles, uh, different, uh, different approaches for, uh, for a certain, uh, certain topic. Um, 
 

This is, this is, uh, well, the legislative in, in the legislative process. It is of course even more important to have, uh, have hearings and, uh, the views from, uh, from different, uh, different angles to, to, to find to. Best, best possible balance there.  
 

[00:18:49] Marco Ciappelli: Well, it's definitely important to bring together and this is a conversation in cyber security we have all the time and bringing together the legislators and people that make the rules and people that make it in force and the innovators in the industry that are always trying to, by definition, pushing, On the limits of what they are allowed to do, because they may give an advantage on the market, something interesting for people to, to jump on. 
 

And, we see this all the time. So it's, it's, about balancing a lot of different things. So as we're closing here, um, I know this is the first time that you're actually going to be at RSA conference and, uh, you're going to find a lot of cyber security people there. 
 

And, uh, what are you expecting maybe from this, uh, this conversation that you're going to have as a panelist? And, uh, maybe from the people that you, you meet there, what are you going to bring back to, to Europe?  
 

[00:19:49] Anu Talus: Well, this is actually, I think that what we just talked about, just, just now a minute ago is also very much what I'm looking for from from the conference to have to have a little bit to see and hear a little bit different angle a little bit different perspective and to have to be able to engage in in those conversations.

This is something what I very much, uh, uh, value, and this is actually also something what I like, uh, in my role, uh, in the EDPB chair. I very much like to listening to different members and the different angles, uh, of the members and then trying to find the best possible, um, solution for that. But this is very, very much what I'm looking for, uh, from this, uh, conference to have and hear a different angle to the topics, uh, which we actually have in, in common.
 

[00:20:40] Sean Martin: An exciting time. No question about that. And lots to do, so I'm appreciative for the work you're doing at EDPB and bringing your knowledge to the U.S. and, and bringing your findings from the U.S. back to Europe, so we can be a little more consistent. I think you used that word earlier. Um, and so I'm, I'm excited for that.
 

And your session, it's a panel, it's called AI Governance and Ethics, a discussion with the big players. It's Thursday, May 9th, 8:30 in the morning, local time. Of course, uh, you have, uh, Chief Privacy Officer, Chief Privacy Officer, and, uh, head of, Head of privacy at, uh, and general counsel. Uh, good, a good panel to have a good chat about.

So I'm, I'm encouraging everybody to go and listen. That if people in the U.S. think that this isn't coming to the U.S., uh, think differently. We might be a little behind, uh, Europe in terms of, uh, privacy regulations and things like that. But, uh, we see it, we see it coming. So this is an important conversation to listen to.
 

And I encourage everybody to, to attend the event and that session. And I know I want to thank you for joining us today. Uh, And, uh, for, yeah, for making the time and, and wish you safe journey to, uh, to San Francisco.  
 

[00:22:07] Anu Talus: And look forward to my, uh, my trip there.
 

[00:22:12] Sean Martin: Yes. I look forward to meeting you there as well. 
 

And, uh, thanks Marco for a good chat. Thanks everybody for listening to this episode of On Location with Sean and Marco Chats on the Road to RSA Conference. Uh, still one of many episodes coming. Lots to talk about data protection AI one of them. So thanks everybody for listening and we'll catch you there