"The Data Diva" Talks Privacy Podcast
The Debbie Reynolds "The Data Diva" Talks podcast features thought-provoking discussions with global leaders on data privacy challenges affecting businesses. This podcast delves into emerging technologies, international laws and regulations, data ethics, individual privacy rights, and future trends. With listeners in over 100 countries, we offer valuable insights for anyone interested in navigating the evolving data privacy landscape.
Did you know that "The Data Diva" Talks Privacy podcast has over 250,000 downloads, listeners in 114 countries and 2407 cities, and is ranked globally in the top 2% of podcasts? Here are some of our podcast awards and statistics:
- #1 Data Privacy Podcast Worldwide 2023 (Privacy Plan)
- The 10 Best Data Privacy Podcasts In The Digital Space 2024 (bCast)
- Best Data Privacy Podcasts 2024 (Player FM)
- Best Data Privacy Podcasts Top Shows of 2024 (Goodpods)
- Best Privacy and Data Protection Podcasts of 2024 (Termageddon)
- Top 40 Data Security Podcasts You Must Follow 2024 (Feedspot)
- 12 Best Privacy Podcasts for 2023 (RadarFirst)
- 14 Best Privacy Podcasts To Listen To In This Digital Age 2023 (bCast)
- Top 10 Data Privacy Podcasts 2022 (DataTechvibe)
- 20 Best Data Rights Podcasts of 2021 (Threat Technology Magazine)
- 20 Best European Law Podcasts of 2021 (Welp Magazine)
- 20 Best Data Privacy Rights & Data Protection Podcast of 2021 (Welp Magazine)
- 20 Best Data Breach Podcasts of 2021 (Threat Technology Magazine)
- Top 5 Best Privacy Podcasts 2021 (Podchaser)
Business Audience Demographics
- 34% Data Privacy decision-makers (CXO)
- 24% Cybersecurity decision-makers (CXO)
- 19% Privacy Tech / emerging Tech companies
- 17% Investor Groups (Private Equity, Venture Capital, etc.)
- 6% Media / Press / Regulators / Academics
Reach Statistics
- 256,000+ Downloads
- We have listeners in 114+ countries
- Top 50 in Business and Management 2023 (Apple Podcasts)
- Top 5% in weekly podcast downloads 2023 (The Podcast Host)
- 1,000 to 1,500 - Average Weekly podcast downloads
- 2,500 to 5,500 - Average Weekly LinkedIn podcast post engagement
- 12,450+ Monthly Data Privacy Advantage Newsletter Subscribers
- Top 2% of 3 million+ globally ranked podcasts of 2023 (ListenNotes)
Debbie Reynolds, "The Data Diva," has made a name for herself as a leading voice in the world of Data Privacy and Emerging Technology with a focus on industries such as AdTech, FinTech, EdTech, Biometrics, Internet of Things (IoT), Artificial Intelligence (AI), Smart Manufacturing, Smart Cities, Privacy Tech, Smartphones, and Mobile App development. With over 20 years of experience in Emerging Technologies, Debbie has established herself as a trusted advisor and thought leader, helping organizations navigate the complex landscape of Data Privacy and Data Protection. As the CEO and Chief Data Privacy Officer of Debbie Reynolds Consulting LLC, Debbie brings a unique combination of technical expertise, business acumen, and passionate advocacy to her work.
Visit our website to learn more: https://www.debbiereynoldsconsulting.com/
The Data Diva E198 - Giulia Carna and Debbie Reynolds
Debbie Reynolds “The Data Diva” talks to Giulia Carna, Global Senior Data Privacy Counsel, ACI Worldwide (United Kingdom). We discuss the intricacies of the EU's AI Act, its impact on privacy regulations, and the ongoing challenges in the data protection realm.
Giulia Carna shares her journey from a corporate and commercial lawyer in Milan to becoming a leading privacy law expert. She provides insights into the EU's AI Act, discussing its categorization of AI systems and the importance of a risk-based approach to regulation. The episode also offers a comparison of AI and privacy regulation approaches across the EU, UK, and US, highlighting their distinct strategies and common challenges.
As we delve into the current privacy challenges, Giulia emphasizes the shift from compliance-focused strategies to addressing technological challenges involving AI, big data, and the Internet of Things. She discusses strategies for integrating legal compliance with business goals and explains how organizations can navigate compliance across different organizational levels. She also talks about her hope for data privacy in the future.
Many thanks to the Data Diva Talks Privacy Podcast Privacy Visionary, Smartbox AI, for sponsoring this episode and supporting our podcast. Smartbox.ai, named British AI Company of the Year, provides cutting-edge AI. For more information about Smartbox AI, visit their website at https://www.smartbox.ai. Enjoy the show.
25:31
SUMMARY KEYWORDS
privacy, ai, systems, data, technology, company, debbie, compliance, world, data protection, legislation, risk, act, eu, law, regulation, providers, assessments, podcast, happening
SPEAKERS
Debbie Reynolds, Giulia Carna
Debbie Reynolds 00:00
Personal views and opinions expressed by our podcast guests are their own and are not legal advice or official statements by their organizations.
Hello, my name is Debbie Reynolds. They call me "The Data Diva". This is "The Data Diva" Talks Privacy podcast, where we discuss Data Privacy issues with industry leaders around the world, with information that business needs to know now. I have a very special guest on the show all the way from the United Kingdom, Giulia Carna. She is the Senior Data Protection Counsel at ACI Worldwide. Welcome.
Giulia Carna 00:41
Hi, Debbie, thank you so much for being here.
Debbie Reynolds 00:47
Well, it's a pleasure to have you on the show. I actually saw you speak at PRIVSEC in London a couple of years ago. I was actually hiding in the back of the auditorium because I had a call that day, but I sent you a note and said, hey, I really loved your presentation. You were on a panel about privacy-enhancing tech, and we've kept in touch since then. It took us a while, but we finally got our schedules aligned so that you could be on the podcast. So, thank you so much for being on the show.
Giulia Carna 01:16
Thank you, Debbie, thank you. Actually, it's my first podcast, and I can say that I am really, truly thankful and humble to be here in your presence. So thank you.
Debbie Reynolds 01:31
Well, it's my pleasure to have you on the show. I think in our communications together, you made a comment on a post you and I both saw, and I felt that you very much champion human rights, the rights of people, and really standing up for what you think is right. I think that's such an admirable quality that you have, in addition to being really brilliant in terms of understanding law, regulation, compliance, and where things are going on privacy.
Giulia Carna 02:02
Oh, thank you. I think that is one of the main reasons why I am really passionate about privacy and human rights, and this is why I made my passion as my job, because I think that someone who loves privacy and who works in this space must really have a great conception of human rights and trust.
Debbie Reynolds 02:32
I agree with that. To me, it makes me feel good that I can do something that can really make a difference in people's lives. I agree with you on that, but why don't you give me your background, tell me your journey into privacy and how you came to your career in data protection?
Giulia Carna 02:53
Oh, sure. Debbie, so I am an Italian lawyer, and I started my career in corporate and commercial law. I started working in a law firm in Milan in corporate law, commercial and tax law, and then after seven years, I moved on as an in-house lawyer, where I started working in commercial law, but also in compliance regulatory methods and privacy law. But my real career in this world started basically seven years back when I started doing projects on data subject rights and how to prepare a company for the GDPR, and since 2017, basically, I was dealing only with data protection and Data Privacy matters, and since then, basically I never went back to my commercial and corporate background. Now, I am working for ACI Worldwide. We are a global provider of real-time payments and banking solutions, and we are helping thousands of bank and business worldwide companies to facilitate transactions and payment systems, and then I worked as a Senior Data Protection Counsel for this company here. I had the chance to collaborate closely with different departments, such as product teams, the marketing team, and the security team, and I had the possibility of providing legal support on a wide range of methods like compliance methods and risk management matters. So I can say that my time spent in ACI gave me valuable insight into the privacy and practical and radical consequences of legal decisions on business matters. So yeah, so this is my journey, and how I started in the privacy field.
Debbie Reynolds 05:49
That's fascinating. I love the fact that you say you worked with all these different teams and collaborated with them, and I think as especially, and we're going to talk about AI, especially as the technology is getting more complex, and you work with a technology company, you have a front row seat to a lot of the complexities that happen within organizations, especially as they try to evolve with innovation and then also complying with certain regulations. Give me a little bit about AI and what's happening with Artificial Intelligence. Since you're in Europe now, obviously, the EU has their AI Act that was recently finalized, and also we know that there's some activity happening in the UK about Artificial Intelligence as well. But give me your thoughts about what is happening as someone in Europe, I know from the US we're watching with great interest in what's happening in Europe around Artificial Intelligence. What are your thoughts?
Giulia Carna 06:55
Yes, Debbie, I think that this is a really strong moment for Europe because the EU AI Act will have the same impact that the GDPR had five years back. I can say that the most important difference between the EU and the US, for example, is the risk-based approach, because this piece of legislation is basically based on risks, and there are several risk categories. We have the prohibited AI systems that must be removed within six months of the AI Act coming into force luckily towards the end of this month, or April or June this year, this system has a significant risk to fundamental rights, safety, or health, such as, for example, social credit scoring systems or emotional recognition systems that use biometric data in the workplace, except for medical or safety reasons and or, for example, AI system used for making risk assessments of natural persons based on the profiling of a person. This will be the prohibited AI system; then we have the high-risk AI system, which is those that are covered by certain EU harmonization legislation and are used as a safety component of a product. Or the AI system is itself a product covered by the EU harmonization legislation listed in Annex One. All systems that must go through third-party conformity assessments under the EU harmonization legislation listed in Annex One, then this category of AI systems referred to in Annex Three, are also considered to be High-Risk Systems and a provider, for example, who consider that those systems are not high risk, must document in their assessment before listing that system in the market or putting this system into service, then we have a limited risk AI system. Those systems are not high-risk systems, but they do pose transparency risks. So this means that they are subject to specific transparency requirements.
For example, providers must make sure that users know that they are interacting with a machine, and then we have many more systems that can be freely used without additional requirements. For example, they are systems that we use for language translation tools, for example, video games or weather broadcasting tools. On top of these four risk category systems, we have specific requirements on providers of Generative AI models. These models are basically used to create general-purpose AI systems, like the famous ChatGPT; in this case, providers are required to perform fundamental rights impact assessments and conformity assessments to mitigate risk and test and monitor the systems for cyber security and accuracy. This is quite a difficult and complex framework, but I think that right now, what is relevant for companies, and especially for multinational companies, is that you can consider how being compliant with this new legislation because the first step for a company should be to know all the relevant laws and any additional sector-specific legislation, and then map out the potential gaps, and also gaps and overlap with other legislation, such as, for example, the AI Act, with the GDPR, with the DORA regulation, with the Cyber Resilience Act. At this point in time, it is really crucial to conduct a risk assessment, including, for example, the PIA and any other necessary assessments, updating policies, for example, and also leverage the process that we have already in place, for example, for privacy and procurement compliance, because the sum of this compliance task, for example, the DPIA will be exactly the same process that we can still use for being compliant with the AI Act, and these are I think the main keywords of this new piece of legislation. The UK, like also the GDPR, they have completely different perspective, because the UK is less comprehensive, I think, and less centralized, because they prefer to have sector-specific perspective.
Maybe the same thing also for the US because I think that the US has a sector-specific perspective as the US had with privacy without a unified set of AI principles and guidelines the EU made and the hope that the AI Act will have the same roots and the same baseline as the GDPR, and they will serve as a basic cutting point for the global market.
Debbie Reynolds 14:40
I agree. My perspective about the GDPR is I always thought that GDPR would be very influential, even in jurisdictions where people didn't really have to follow GDPR, like the US, and it has been so. I think some of that influence has been that we've seen laws since GDPR was enacted that around the world, certain jurisdictions have borrowed bits and pieces of GDPR, like maybe the calling data controllers or data subjects or different types of things. So I think that the AI Act will be very influential in that way, but also, and I want your thoughts, I think one thing that the US is getting used to, or will have to get used to more now that, I think, is very typical and common in Europe that you all are already accustomed to, and that is doing these risk-based approach assessments of privacy uses, and also AI uses. So what do you think about this point?
Giulia Carna 15:44
I think that the US will have exactly the same standard that the US had for the GDPR for the privacy world. I still think that the US will have very sectoral, specific rules on this. What I believe is that there is at least willingness to find some sort of common ground on these important topics, and also the US, the UK, in the EU, had really different approaches, but on something, they are trying to converge and talk the same language, I think that the AI Act is more centered on the human centric, while maybe the US is more focused on the product, maybe it's a different perspective, but on something we all want to find a common language and a common view on things, because all the globe thinks that we need and we must deal with AI, because this is the future of the world, especially in the digital world.
Debbie Reynolds 17:26
I agree. We'll definitely see how things play out. I think that there is a lot of pressure from around the world to see what the US wants to do about maybe harmonizing privacy legislation and maybe, hopefully, some Federal privacy law. We'll see. I'm not going to hold my breath, but it can definitely happen, for sure. So, what is happening in the world right now that concerns you as it relates to privacy?
Giulia Carna 17:53
These are really challenging fields and constantly change because technology is constantly changing. I think that the main challenge will be focused on the new technology. So AI, Big Data, Blockchain, Internet of Things, and the main challenge for privacy professional people will become to gain all technical knowledge and speak the same language, maybe technology team, product team, and this is one of the skills that will be required for privacy professional people to have, especially if you are working for a global company, basically. So yeah, I think that right now, this will be one of the main challenges, all focused on technology, tools, and innovation rather than compliance tasks. I think that since the GDPR came into force in 2019, until last year, the main challenge was more focused on cross-border data and all the compliance tasks in the PIA Data Privacy framework. But now we are most on the technological side because companies now know what they have to do, and the majority of companies, at least this is my hope, already have Data Privacy frameworks in place with all these compliance tasks to be done, and now, yes, this is the next step. So just based on technology, and to keep an eye and to have a better and technical understanding of this choice, because they can have a really long consideration on the privacy side. Personally, I'm a lawyer who, of course, is really conscious of personal data because we know that personal data it is not only an asset and a reason for data monetization for a company, but at the same time, I really believe in technology, in innovation, and I think that all these tools, AI Big Data, can be really helpful for us as privacy professionals, and also for the company to pursue the recent goals, but at the same time, we really need to have consideration about the privacy implication for using this source.
So we really needed to find a balance between business goals also how to preserve human rights and how to build the trust with your customers and consumers also.
Debbie Reynolds 21:23
I agree with that. I think that there has to be a new level of transparency that maybe companies never had to do before as a result of this, and then all of that, to me, goes towards whether consumers trust you, or humans trust you or not with their data. I think that, and I agree wholeheartedly that companies are shifting from just thinking about privacy and technology from a purely compliance lens to understanding how they need to change the way that they operate internally, and then how the technology plays into that. Then I also think because of the rapid changes and development in the technology, it's just going to make that challenge more complex for organizations. What do you think?
Giulia Carna 22:13
Yes, I totally get your point. Yeah, I think that this is a crucial point that companies are trying to do right now, and this is also our responsibility as privacy professional people to have really a deep understanding of all this technicality.
Debbie Reynolds 22:39
So if it were the world, according to you, Giulia, and we did everything that you said, what would be your wish for privacy or data protection anywhere in the world, whether that be the technology regulation or human behavior?
Giulia Carna 22:54
For me, it would be a balance of all this, of technology, of fundamental rights; I think that it is not possible to separate all these factors. But my wish, basically, is to be flexible and believe in technology and innovation, but keeping secure and consider the personal data as a fundamental right and not just a reason for data monetization, because the personal data is much more than this.
Debbie Reynolds 23:46
Well, thank you so much. I agree with that; it does have to be a balance, and we need to look at it from different dimensions, so thank you so much for staying up late and having this call with me. I'm really happy that we were able to connect and have this episode. So thank you so much.
Giulia Carna 24:04
Oh, thank you, Debbie. This was a wonderful experience to be on this podcast with you. I always followed your podcast, and I really like your perspective of Data Privacy as a fundamental right, and I think that we are really glad to have you as a leader in this space, because, as I always said, Data Privacy is not just a law. It's not just a regulation; it's mainly a fundamental human right and each privacy professional person must feel these responsibilities on their own shoulder, as I do and you do. Thank you so much.
Debbie Reynolds 25:01
Oh, thank you. That's very sweet. Thank you. I hope we can have time to collaborate in the future. That would be great. Well, thank you so much for this session. It's amazing. Thank you.
Giulia Carna 25:14
Thank you. Debbie, thank you. Bye, bye, all.
Debbie Reynolds 25:16
Bye, bye. Have a good night.