⌛AI, privacy & why Meta is stuck in 2004

AI policy & regulation | Edition #115

*Personal request: dear readers, I'm moving this newsletter from LinkedIn to my website, where I have more autonomy and can build a closer relationship with the readers. Please re-subscribe here. Once you receive the welcome message in your inbox, you can safely unsubscribe from this LinkedIn publication. Thank you!

👋 Hi, Luiza Jarovsky here. Welcome to the 115th edition of this newsletter on AI policy & regulation, read by 30,000+ subscribers in 140+ countries. I hope you enjoy reading it as much as I enjoy writing it.

⏰ The EU AI Act enters into force next week. Get ready for governance challenges in AI: save your spot in the EU AI Act and Emerging Challenges in AI, Tech & Privacy Bootcamps starting in September (our summer AI training programs sold out). Join 850+ professionals who have attended our training programs, which are live, remote, and led by me. 👉 Learn more

⌛ AI, privacy & why Meta is stuck in 2004

Meta's life has not been easy in the last few weeks, with enforcement actions from the EU, Brazil, Nigeria, and more.

Recently, Meta spokesperson Kate McLaughlin said to The Verge:

“We will release a multimodal Llama model over the coming months, but not in the EU due to the unpredictable nature of the European regulatory environment.”

Unpredictable?

As the former Vice President of the EU Commission quoted in my post about the topic, “EU regulation is years in the making… and industry representatives pretend to be surprised by the outcome.”

Looking at the bigger picture, especially from a business angle, what is going on is that Meta is used to Zuckerberg's "move fast and break things" mode, and it loves it; it owes its success to it.

Meta, or Facebook as it used to be called, can be read through a network effect lens. As James Currier, NfX's general partner, wrote:

“Facebook represents a completely new type of media company. All media companies that came before — newspaper, radio, and television companies — were one-to-many, two-sided marketplaces with much weaker network effects. They were also less capable of building more network effects and other forms of defensibility on top of their existing products.”

A network effect can be described as “when another user makes the service more valuable for every other user. Once your company gets ahead, users won’t find as much value in your competitors’ smaller networks.”

Network effects don't happen by chance; they are a carefully planned and executed strategy for growing, conquering, moving fast, and breaking things.

I'm not naive: most companies today, especially startups, are trying to build all sorts of network effects that will give them strategic advantages, but as Currier's article suggests, Facebook did that magnificently, starting with its impressive growth when it was created in 2004.

However, it's not 2004 anymore, and the legal background has drastically changed.

In recent years, the EU has been heavily regulating tech: the General Data Protection (GDPR) was among the first legal shocks for Meta, and the data practices at the core of its business model started being seen by many as unlawful.

If you remember, on May 25, 2018—the day the GDPR came into force—Max Schrems, through his nonprofit noyb, filed complaints over “forced consent” against Google and three Meta services: Instagram, WhatsApp, and Facebook. Five years later, Meta's € 390 million fine arrived.

The GDPR fines against Meta did not stop coming, and more EU laws were enacted in recent years: the Digital Markets Act (DMA), the Digital Services Act (DSA), the EU AI Act, and more. All of them already affect or are expected to directly affect Meta. All tech companies within these laws’ scope will be forced to comply.

Of course, Meta and other big tech companies don't like strong regulatory frameworks. They prefer their own network effects and their ‘move fast and break things’ games, which they have much more control over and can master so well.

As any emperor who loses power, they are upset and trying to use both economic and political pressure to change that and, at the same time, influence public opinion against tech regulation.

So don't be tricked by Meta. The EU regulatory environment is not unpredictable. It's just that it's not 2004 anymore, and it's time to move on.

📲 Share

🇳🇬 Nigeria's Competition Authority vs. Meta

➡️ Meta was fined $220 million by Nigeria's Competition Authority due to some of its data practices, including consent and data transfers. Here's what you need to know. According to the Authority's final order:

"Meta Parties shall immediately reinstate the rights of Nigerian users to self-determine and control the use, processing, sharing or transfer of their data, as well as their right to informed choice, and fair dealings by providing Nigerian Users an opportunity to restrict and withdraw their consent without losing functionality or deleting the application."

"Meta Parties shall immediately ensure that their Privacy Policy complies with the applicable data protection laws in Nigeria with respect to its obligation to ensure data subjects consent freely to any Privacy Policies, by updating the Privacy Policy in an intelligible format, that allows Nigerian Users the opportunity to fully express their legitimate rights with respect to each data point collected, processed, transferred or shared."

"Meta Parties shall pay a penalty of Two Hundred and Twenty Million U.S Dollars only ($220,000,000.00) (at prevailing exchange rate where applicable). This shall be paid no later than 60 days from the date of this order."

➡️ Nigeria joins the EU, Brazil, and others that are pressuring Meta to comply with their data protection, consumer protection & competition laws. Meta has said that the EU regulatory environment is "unpredictable" and that it's “disappointed” with the recent Brazilian decision. What will it say about the Nigerian decision?

➡️ Link to the final order and notice here.

📲 Share

📑 Regulatory Mapping on AI in Latin America

➡️ The non-profit Access Now published the report "Regulatory Mapping on AI in Latin America," and it's a must-read for everyone interested in global AI governance. Quotes:

"The regulatory framework for AI in the region is in its infancy. None of the countries analysed has a specific law in place to regulate the use and development of this technology, although all have introduced regulatory proposals in their respective parliaments or legislative bodies. Most Latin American countries propose regulations inspired by or with important similarities to the proposed EU Artificial Intelligence Act (AI Act). Some countries, such as Argentina or Brazil, have initiatives that propose regulations for AI in relation to certain subjects or contexts, in addition to ones that provide a general regulation of the discipline. Others, such as Chile, Costa Rica, and Colombia, have all proposed the creation of specialised authorities to oversee and supervise the implementation and development of these technologies. In this section, we provide an analysis of the main draft laws that have been presented in the eight countries selected in this report." (page 55)

"The drive towards AI regulation in Latin America is underway. This is evidenced by the existence of multiple draft laws, national strategies, and the prolific production of soft law documents and governance projects. It is foreseeable that in the coming years these efforts will be stepped up, so it will be necessary to sustain the focus on human rights in the development of public policy in AI. To this end, decision-makers in different spheres, both public and private, must adopt a perspective focused on compliance with the international, regional, and local human rights framework. The benefits that AI technologies can offer society are no justification for disregarding this set of fundamental rules or for legitimising harm to individuals." (page 90)

➡️ Read the report here.

📲 Share

🇪🇺 The EDPB's recommendations on the EU AI Act's implementation

➡️ On July 16, the European Data Protection Board (EDPB) published the document "Statement 3/2024 on data protection authorities’ role in the Artificial Intelligence Act framework." Among other measures, it recommends:

"(...) DPAs should be designated by Member States as MSAs [Market Supervisory Authorities] for the high-risk AI systems mentioned in Article 74(8) AI Act. Further, the EDPB recommends that, taking account of the views of the national DPA [Data Protection Authorities], Member States consider appointing DPAs as MSAs for the remaining high-risk AI systems as listed in Annex III, particularly where those high-risk AI systems are in sectors likely to impact natural persons rights and freedoms with regard to the processing of personal data, unless those sectors are covered by a mandatory appointment required by the AI Act (e.g. the financial sector)."

"Considering the above, since the single point of contact under the AI Act should be a MSA as provided for by Article 70(2) AI Act, DPAs (acting as MSAs) should be designated as the single points of contact for the public and counterparts at Member State and Union levels. This would be without prejudice to the representatives of Member State to the European Artificial Intelligence Board, which could be different, as indicated by Article 65(4)(b) AI Act. This would also enable a unified, consistent, and effective approach across the different sectors."

"The considerations made so far concerning the relationship between national DPAs and MSAs under the AI Act similarly apply to the supervisory activity carried out by the AI Office on general-purpose AI models, which could be as well trained on personal data and whose output can affect individuals’ privacy and data protection rights. In this regard, no clear coordination is currently established in the AI Act between the AI Office and the DPAs/EDPB."

➡️ Read the full document here.

📲 Share

🇮🇹 Italian Competition Authority vs. Google

➡️ The Italian Competition Authority launched an investigation against Google. Here's what you must know:

"The Italian Competition Authority has opened investigation proceedings against Google and its parent group Alphabet with respect to the submission to users of a request for consent to the 'linking' of the services offered. This request would in fact appear to provide no relevant information - or would provide it inadequately and imprecisely - as to the real effect that consent has on Google's use of personal data of users. The same critical issues would arise with respect to the variety and number of Google’s services for which 'combination' and 'cross-use' of personal data may occur, and with respect to the possibility of modulating (and thus limiting) consent to only some services."

➡️ From a legal perspective, this is an interesting investigation combining competition law, data protection issues (consent, personal data), and dark patterns (deceptive design).

➡️ Read the press release here.

📲 Share

🏛️ Court of Justice of the European Union vs. TikTok

➡️ The Court of Justice of the European Union rules against TikTok in the company's action against its "Gatekeeper" designation under the Digital Markets Act. Quotes:

"(...) the Court rejected Bytedance’s argument that the fact that its global market value was mainly attributable to its activities in China showed that its impact on the internal market was not significant, as demonstrated by the fact that its EU turnover was low. According to the Court, the Commission was entitled to consider that Bytedance’s high global market value, together with the large number of TikTok users in the European Union, reflected its financial capacity and its potential to monetise those users."

"(...) since its launch in the European Union in 2018, TikTok had succeeded in increasing its number of users very rapidly and exponentially, reaching, in a short time, half the size of Facebook and of Instagram, and a particularly high engagement rate, with young users in particular, who spent more time on TikTok than on other social networks."

"(...) The Court emphasised, inter alia, that, although in 2018 TikTok was indeed a challenger seeking to contest the position of established operators such as Meta and Alphabet, it had rapidly consolidated its position, and even strengthened that position over the following years, despite the launch of competing services such as Reels and Shorts, to the point of reaching, in a short time, half the size, in terms of number of users within the European Union, of Facebook and of Instagram."

➡️ Read the press release and the decision.

📲 Share

🎙️Insights on AI governance, compliance & regulation

➡️ This Thursday! If you are interested in AI governance, compliance, and regulation, you can't miss my conversation with Barry Scannell on Thursday, July 25. To participate live and receive the recording, register here.

➡️ To watch my previous live sessions, visit my YouTube channel.

🎤 Are you looking for a speaker in AI, tech & privacy?

I would welcome the opportunity to:

➵ Give a talk at your company;

➵ Speak at your event;

➵ Coordinate a private AI Bootcamp for your team (15+ people).

➡️ Learn more here.

🔥 AI Governance is HIRING

Below are 12 AI Governance positions posted in the last few days. Bookmark, share & be an early applicant:

1. Siemens Energy (Portugal): AI Governance Consultant - apply

2. BASF (Spain): Data & AI Governance Facilitation - apply

3. Xero (Australia): Data & AI Governance Specialist - apply

4. Hyatt Hotels (US): Director Data & AI Governance - apply

5. Schaeffler (Germany): Consultant - Data & AI Governance - apply

6. Snowflake (US): Senior PMM - Data & AI Governance - apply

7. Analog Devices (Ireland): Senior Manager, AI Governance - apply

8. TRUSTEQ GmbH (Germany): AI-Governance Senior Consultant - apply

9. Hays (Germany): Data & AI Governance Automation Specialist - apply

10. Forsyth Barnes (US): AI Governance Lead - apply

11. The Future Society (US): Director, U.S. AI Governance - apply

12. Radiant Systems Inc (US): Generative AI Governance Analyst - apply

➡️ For more AI governance and privacy job opportunities, subscribe to our weekly job alert. Good luck!

📲 Share

⏰ The EU AI Act enters into force next week: obtain AI training

Our summer AI training programs sold out! If you want to join the next cohorts in September (live online), make sure to save your spot:

1. Emerging Challenges in AI, Tech & Privacy (4 weeks).

🗓️ Wednesdays, September 3 to 24. 👉 Learn more & register

2. The EU AI Act Bootcamp (4 weeks).

🗓️ Wednesdays, September 4 to 25. 👉 Learn more & register

📩 Subscribe to the AI, Tech & Privacy Academy's Learning Center to receive info on our AI training programs and other learning opportunities. 👉 Learn more

🙏 Thank you for reading!

If you have comments on this week's edition, reply to this email or write to me, and I'll get back to you soon.

Have a great day.

Luiza