In this batch of sessions, regulators and litigators were asked to share their insight and updates on AI, GDPR and the Meta class action.
The sessions featured Kate Jones, CEO of the Digital Regulation Cooperation Forum (DRCF) being interviewed by Alice Wallbank, Privacy & Data knowledge lawyer at Shoosmiths; Dr Liza Lodvahl-Gormsen, Senior Research Fellow and Director of the Competition Law Forum in conversation with Matthew MacLachlan, Principal Associate, Shoosmiths; and a presentation from Diarmuid Goulding, Deputy Commissioner of the Irish Data Protection Commission (DPC).
Fostering collaboration
Kate Jones, CEO, DRCF
Alice Wallbank and Kate Jones discussed the DRCF’s role in fostering collaboration among UK digital regulators (Ofcom, CMA, ICO, and FCA) and navigating the complexities of emerging technologies, particularly AI. The DRCF aims to balance consumer protection with innovation and growth, facilitating dialogue and joint projects among regulators.
Jones highlighted the DRCF’s AI and Digital Hub, a pilot program providing businesses with holistic regulatory guidance. She emphasized the importance of AI literacy and the need for regulators to understand and address overlapping concepts in different legislation. The DRCF is also actively involved in horizon scanning, exploring emerging technologies like Web3, Quantum and synthetic media, and publishing insights for industry.
The discussion touched on online consumer harms, particularly fraud, and the role of “harmful design” in influencing user behavior. Jones pointed to the importance of promoting “system two thinking” (conscious deliberation) over “system one thinking” (automatic reactions) in online environments.
Regarding international cooperation, Jones explained that while the DRCF engages in its own international network focused on regulatory collaboration, individual regulators maintain strong relationships with their counterparts in other jurisdictions including the EU. She also addressed the question of potential deregulation pressures, emphasizing the need for “smart, manageable regulation” that balances innovation with consumer protection. Organizations want “a level playing field,” she said.
Jones also touched on the use of AI tools by the regulators themselves, confirming that they are actively exploring and implementing such technologies for data analysis and other regulatory functions eg an AI-driven version of the FCA Handbook.
The value of data
Dr Liza Lodvahl-Gormsen
Dr Liza Lodvahl-Gormsen spoke with Matthew MacLachlan about the value of data, and the class action on Meta.
Today, users are sitting on a huge pile of data which they are giving away for free, Dr Lodvahl-Gormsen said. She mentioned social media companies as one example, highlighting the lack of transparency, and how such actors are profiting from using and selling user data without those affected knowing where their data is going. And she spoke about how some actors are combining first and third-party data for their own benefit to, for example, create better profiles to target in marketing campaigns.
Dr Lodvahl-Gormsen co-authored the paper Facebook’s Anticompetitive Lean in Strategies in 2019, and Facebook’s Exploitative and Exclusionary Abuses in the Two-Sided Market for Social Networks and Display Advertising for the Journal of Antitrust Enforcement in 2021, and this session was mostly focused on her major class-action claim against Meta.
The claim is representing 45 million Facebook users, and seeks a minimum of £2.1 billion ($2.7 billion) in damages plus interest for abuse of dominant market position.
The case alleges that “users are paying an unfair price, in the form of their personal data, to Facebook, or have been subjected to unfair terms and conditions.” And that this “unfair deal” is only possible due to the market dominance that Facebook holds.
She set out the steps involved in making the claim, and how it was first refused in 2023. A revised version was later accepted by the Competition Appeal Tribunal in early 2024. Meta then tried to appeal the claim, which the UK court of appeal denied in October 2024.
The trial against Meta is expected to take place in 2026.
Dr Lodvahl-Gormsen highlighted the fact that users are giving away data for free multiple times, and wondered if companies should pay for using our data in the future.
Regulating AI
Diarmuid Goulding, Deputy Commissioner of the Irish DPC
In a presentation Goulding focused primarily on the DPC’s role in regulating AI within the framework of the GDPR, and its recent engagement with the European Data Protection Board (EDPB).
On the DPC’s role and growth: The DPC is Ireland’s independent public authority, acting as the supervisory authority for GDPR. It handles numerous complaints and consultations, particularly concerning large multinational companies based in Ireland. The DPC collaborates closely with other European supervisory authorities through the EDPB.
AI and GDPR: Goulding emphasized that existing GDPR regulations apply to AI systems and that there is a need for a wider consideration of the governance of AI. He also highlighted the challenges of applying established data protection principles to the novel aspects of AI, particularly generative AI. The DPC sought an EDPB opinion on AI models to create a harmonized position on fundamental questions regarding AI compliance with the GDPR.
EDPB opinion on AI Models: The EDPB opinion addressed key issues:
- anonymization of AI models;
- legal basis for processing in AI model development and deployment;
- downstream liabilities for AI deployers.
The opinion stresses the need for case-by-case assessments of anonymization and legal basis, rather than categorical rules. It also outlines the importance of the “legitimate interests” test in article 6(1)(f) of the GDPR and gives guidance on mitigation measures.
International cooperation: The DPC actively engages with international regulators, including through joint statements on trustworthy AI. Goulding also expressed the need for harmonized European approaches to AI regulation (an area we have covered).
Challenges and future directions: The DPC acknowledges the increasing overlap between different regulations, such as GDPR and cybersecurity. Goulding highlighted the need for ongoing dialogue and collaboration between regulators.
The DPC is increasing its capacity to deal with the rising challenges of AI regulation and are working to increase industry engagement. The DPC is also increasing focus on protecting vulnerable groups.
Data security: Goulding expressed his concerns surrounding DeepSeek and the importance of data security. DeepSeek may disrupt laws on data protection and transfers on both sides of the Atlantic, as well as disrupting US markets.
Read our other reports from this years Data Insights x Shoosmiths event.
From guardians to architects: Reimagining the DPO in the AI era
Privacy experts give advice on complying with DORA and NIS2
Rethinking decision-making: Rory Sutherland on AI, human behavior, and original thinking
