Up next in 10
This year marks a high-stakes moment for digital governance as major legislation like the EU AI Act, DORA, and India's DPDPA see major enforcement, imposing new obligations on enterprises worldwide. We analyze how algorithmic logic and frameworks like the EU Digital Services Act (DSA) are compelling global censorship by targeting "misleading" or "harmful" political speech, humor, and memes, even when the content is not technically illegal. Explore the rise of Answer Engine Optimization (AEO) and question whether AI systems that generate single, optimized answers are reshaping objective reality itself, demanding new standards for accountability and provenance.
www.myprivacy.blog/policy-briefing-the-convergence-of-digital-control-and-its-implications-for-human-rights (http://www.myprivacy.blog/policy-briefing-the-convergence-of-digital-control-and-its-implications-for-human-rights)
www.compliancehub.wiki/briefing-on-the-2025-global-digital-privacy-ai-and-human-rights-landscape (http://www.compliancehub.wiki/briefing-on-the-2025-global-digital-privacy-ai-and-human-rights-landscape)
Show More Show Less View Video Transcript
0:00
Welcome to the deep dive. Today, uh
0:02
we're looking at something huge, almost
0:04
like a well, a massive collision course
0:07
set for 2025.
0:09
Yeah, it really feels like that.
0:10
We've got this incredible speed of AI
0:12
development, new digital spaces like the
0:15
metaverse popping up, digital ID systems
0:18
rolling out,
0:19
and all slamming right into this
0:20
incredibly messy, fragmented global
0:24
regulatory picture.
0:25
Exactly. the sources we've pulled
0:26
together really map out just how high
0:28
stakes this battlefield is becoming.
0:30
Right. So, our mission today really is
0:32
to cut through some of that complexity
0:33
for you. We want to make sense of this
0:35
legal patchwork, especially the uh the
0:37
global power plays coming out of Europe
0:39
with AI and content rules
0:41
and also dig into the deeper risks,
0:43
right? This whole idea of surveillance
0:45
capitalism operating in these new
0:47
digital worlds.
0:48
Definitely. And how governments are
0:49
stepping in trying to control data,
0:51
information flows, even digital identity
0:54
itself. There's a lot to unpack.
0:56
So, we'll be diving into the EU's
0:57
approach, California's enforcement
0:59
actions, and maybe touch on some of
1:01
those bigger almost philosophical
1:03
challenges of digital life today.
1:05
Let's jump in. Maybe start with the
1:06
regulatory side.
1:08
Europe's really leading the charge with
1:09
the EU AI act.
1:11
The first big comprehensive law for AI,
1:13
right?
1:14
That's it. And the core idea is this
1:16
riskbased framework. They've basically
1:19
sorted AI into four levels.
1:21
unacceptable, high, limited, and minimal
1:24
risk.
1:25
Okay. And the rules get tougher the
1:26
higher the risk.
1:27
Precisely. So for those high-risisk
1:29
systems, think AI and critical
1:31
infrastructure, hiring, maybe medical
1:33
devices, the obligations are intense.
1:35
What does that look like? More
1:37
paperwork.
1:37
Uh much more than paperwork. We're
1:39
talking serious pre-market checks,
1:40
conformity assessments, really detailed
1:42
technical documents that regulators can
1:44
inspect.
1:45
Okay.
1:45
And they have to be registered in a
1:46
public EU database before they're used.
1:49
But it's not just the specific
1:50
applications. They're also regulating
1:52
the underlying tech.
1:53
The foundational models like the big
1:55
LLMs.
1:56
Exactly. General purpose AI or GPAI. If
1:59
these models get big enough, hit certain
2:01
scale thresholds, they face a whole raft
2:03
of new rules around transparency,
2:05
copyright, documentation, it's a big
2:07
deal.
2:07
So Europe setting a global standard
2:10
essentially. Meanwhile, back in the US,
2:13
it's still the Wild West.
2:14
Well, maybe not the Wild West, but
2:16
definitely fragmented. We're expecting
2:18
maybe 20 states to have their own
2:20
comprehensive privacy laws by the end of
2:22
2025.
2:24
Think Delaware, Iowa, Maryland,
2:26
Minnesota, New Jersey joining the mix.
2:29
20 different state laws. I mean, that
2:31
sounds like a compliance nightmare for
2:32
any business operating across state
2:34
lines. Does that complexity just get
2:36
passed on to us, the consumers? Does it
2:39
cancel out the benefit?
2:40
It definitely creates headaches for
2:42
businesses, no doubt. But you know these
2:44
state laws are pushing boundaries where
2:45
federal action has stalled. There is
2:48
some common ground emerging though
2:50
like what
2:50
the big one is data protection impact
2:52
assessments DPAs. More and more states
2:55
are requiring these for anything
2:56
considered high-risk data processing.
2:58
And the definition of what counts as
3:00
sensitive data is getting wider too is
3:02
Oh absolutely. It's moving way beyond
3:04
just say financial or health records.
3:06
Newer laws like in Maryland, Delaware,
3:09
or New Jersey are adding things like
3:11
national origin or transgender and
3:13
non-binary status.
3:14
That's significant.
3:15
It is. And Maryland's definition of
3:17
consumer health data is particularly
3:19
strong. It covers reproductive care,
3:21
gender affirming care info, and puts
3:24
really tight limits on sharing that
3:25
data. Basically, you can only process it
3:27
if it's absolutely essential for a
3:29
service the consumer explicitly asked
3:31
for. That's a major shift.
3:33
Okay, let's pivot to California. They've
3:35
had their law that's CCPA for a while.
3:38
What are the regulators focusing on
3:40
there?
3:41
Consistency seems to be the theme.
3:43
They keep hitting companies for
3:45
technical issues and what they call dark
3:47
patterns.
3:48
Dark patterns, like tricking users,
3:50
kind of making things deliberately
3:52
confusing. The Healthline case is a good
3:54
example. Regulators said their cookie
3:56
banner was deceptive. Plus, their opt-
3:58
out tools just didn't work properly. Uh
4:00
Honda and Todd Snyder got flagged to
4:02
basically for bad website design that
4:04
made opting out way harder than it
4:06
needed to be.
4:06
So friction by design
4:08
pretty much.
4:08
Yeah.
4:09
Another big one is ignoring global
4:11
privacy control signals. The GPC browser
4:13
setting. Companies are still getting
4:15
caught not respecting that universal
4:17
optout.
4:18
Okay. Standard compliance stuff.
4:19
Anything newer? More surprising.
4:22
Yes. Actually the most interesting thing
4:24
I think came out of that Healthline case
4:26
again it was a violation of purpose
4:28
limitation. purpose limitation.
4:30
Yeah. Healthline was apparently sharing
4:32
the titles of articles, people read
4:35
things like living with Crohn's disease
4:36
with advertisers.
4:38
Wow. So using your reading habits on
4:40
sensitive health topics to target ads.
4:43
Exactly. The state argued that sharing
4:46
went way beyond what a consumer would
4:48
reasonably expect. Even if it was
4:50
technically disclosed somewhere deep in
4:52
a privacy policy, it suggested a medical
4:54
condition.
4:55
That feels deeply uncomfortable. It
4:56
shows California is looking beyond just
4:58
checkbox compliance, doesn't it? They're
5:00
looking at the actual impact on trust.
5:02
That seems to be the direction. It's
5:03
about reasonable expectations.
5:05
Interestingly though, California's new
5:07
rules on automated decision-making,
5:09
ADMT, ended up being narrower than first
5:12
proposed.
5:12
How so?
5:13
They're focusing mainly on AI that
5:15
substantially replaces human decision-m
5:17
in really significant areas. Jobs,
5:20
loans, healthcare access, things with
5:22
major consequences. So targeting the
5:24
impact again, not just the use of AI
5:26
itself, right?
5:27
It's just such a complex web for
5:30
businesses dealing with PII personally
5:32
identifiable information across all
5:34
these places. Uh we should probably
5:37
mention for businesses trying to
5:38
untangle this resources like
5:40
pi.compliancehub.wiki
5:42
are invaluable for navigating these
5:44
jurisdictional mazes and the growing
5:46
scrutiny. Okay, so that's the regulatory
5:49
mess. Let's talk about the why. Why is
5:52
all this data handling so contentious?
5:54
Well, the core concept really comes from
5:56
Shashana Zubos. She calls it
5:58
surveillance capitalism,
6:00
right? I've heard the term. What's the
6:01
gist?
6:02
The gist is it's an economic system
6:04
built on grabbing personal data. She
6:06
calls it behavioral surplus and using it
6:08
not just to predict, but ultimately to
6:11
shape our behavior for profit.
6:12
So our data becomes the raw material.
6:14
Exactly. The new means of production.
6:16
And it creates this massive imbalance of
6:18
knowledge and power between the
6:19
companies collecting the data and us the
6:22
users.
6:22
And something like the metaverse just
6:23
puts this on steroids presumably with
6:26
all the sensors, eyetracking,
6:28
microphones
6:28
absolutely turbocharges it. The sheer
6:31
volume and intimacy of data collected in
6:34
potential metverse environments dwarf
6:36
what we see on the current web. And this
6:39
leads to some pretty serious ethical
6:41
problems drawing on critiques from well
6:44
various traditions.
6:45
Okay. Can we break those down simply?
6:47
Sure. Think of it in three ways. First,
6:49
alienation. Your data, something you
6:51
produce, gets taken and used against
6:53
your interests, like manipulative
6:55
targeted ads, making you buy things you
6:57
don't need.
6:58
Okay, makes sense.
6:59
Second, exploitation. Companies profit
7:01
enormously from the data you generate
7:03
just by using their services, your
7:05
clicks, your posts, your attention. It's
7:07
like digital free labor, but you don't
7:09
really get paid fairly for the value you
7:11
create,
7:11
right? We get the free service, they get
7:13
the valuable data. And third, perhaps
7:16
most critical, is domination. Because
7:18
they know so much more about you than
7:20
you know about them and control the data
7:22
flows, they gain this power to interfere
7:24
with your choices subtly or overtly
7:26
whenever they want. It undermines your
7:28
autonomy.
7:29
That control aspect. It leads us right
7:32
into the censorship debate, doesn't it?
7:34
Especially with the EU's digital
7:35
services act, the DSA.
7:37
It really does. The DSA forces the
7:39
really big online platforms, the VLOOPs,
7:43
with over 45 million EU users to tackle
7:47
systemic risks.
7:48
And systemic risks sounds pretty broad.
7:51
It is extremely broad
7:52
and controversial. It covers things like
7:54
misleading or deceptive content,
7:57
disinformation, hate speech.
7:59
But here's the kicker. It explicitly
8:01
targets content that is perfectly legal
8:03
but is just deemed well harmful or
8:06
undesirable by regulators or the
8:08
platforms themselves.
8:09
Legal but harmful. That's a tricky line.
8:11
How do they enforce that?
8:13
With massive potential fines up to 6% of
8:15
global annual revenue. The financial
8:17
pressure is immense.
8:18
6% of global. Wow.
8:19
Yeah. So platforms have a huge incentive
8:21
to just remove content flagged by
8:23
government approved trusted flaggers
8:24
rather than fight it and risk those
8:26
penalty. It encourages over removal. And
8:28
this affects users outside the EU too.
8:30
Absolutely. Because these big US
8:32
platforms usually have one global set of
8:34
terms of service, the DSA effectively
8:37
forces them to apply EU content
8:39
standards worldwide. It exports EU
8:41
speech norms to Americans and everyone
8:43
else.
8:44
Have we seen examples of this yet?
8:45
Content being flagged?
8:47
We have. Reports mention things like
8:49
questioning the efficiency of electric
8:50
cars in Poland or even satirical posts
8:53
about immigration in France being
8:54
targeted for removal or labeling
8:56
just for questioning policy or making
8:58
jokes
8:58
under these broad disinformation or
9:00
harmful contact categories. Yes. When
9:03
you compel global platforms to police
9:05
vague concepts like misleading content
9:08
under threat of huge fines, you
9:10
inevitably end up chilling legitimate
9:11
speech. It's a form of global censorship
9:14
pressure. It's fascinating how these
9:16
corporate and state powers are
9:17
constantly reshaping basic ideas like
9:20
free expression and well privacy itself
9:23
and understanding those core principles
9:25
like privacy a self-determination user
9:27
control over their own information is
9:29
crucial right now for anyone wanting
9:31
deeper analysis on this
9:32
www.mmyrivacy.blog
9:34
blog does some really insightful work
9:36
tracking how these concepts are
9:37
evolving.
9:38
Okay, so we've got AI regulation,
9:40
content moderation. Let's talk about the
9:42
ultimate data point, identity. There's a
9:44
big push for national digital ID systems
9:47
globally.
9:48
A very big push often linked to
9:50
biometric data, fingerprints, facial
9:53
scans, iris scans, and frequently aiming
9:55
for centralized, sometimes even
9:57
mandatory systems.
9:58
That sounds risky. Centralizing
10:01
everyone's biometrics. immensely risky.
10:04
Human rights groups, cyber security
10:05
experts, they all raise red flags. A
10:08
centralized biometric database is a
10:09
hacker's dream. A single point of
10:11
failure for the most sensitive data
10:13
imaginable.
10:14
And you can't just reset your
10:15
fingerprint like a password.
10:16
Exactly. If it leaks, it's potentially
10:18
compromised forever. You might be, as
10:20
one source put it, unable to restore a
10:22
pristine identity. That's why the strong
10:25
recommendation from experts is always
10:27
enrollment must be voluntary.
10:28
Keep it optin.
10:29
Yes. and governments should actively
10:31
avoid creating these huge central
10:33
biometric honeyotss.
10:34
Are there real world examples of where
10:36
this has gone wrong or shown the risks?
10:38
Definitely. India's adhar system is
10:40
often brought up. While technically
10:43
voluntary at first, it quickly became
10:45
almost essential for accessing basic
10:48
services making it sort of coercive.
10:49
And the risk
10:50
the big one cited is surveillance risk.
10:53
Every time ATAR is used for
10:54
authentication, it creates a log.
10:57
Analyzing those logs over time allows
10:59
for incredibly detailed profiling of
11:01
people's movements, activities,
11:03
interactions, pervasive surveillance
11:05
potential.
11:06
Okay, so that's one model. Any others?
11:08
Maybe more secure ones.
11:09
Estonia is often held up as a more
11:11
sophisticated example. They use public
11:13
key cryptography, store key data on
11:15
secure chips, not just biometrics in a
11:17
central pot. It's used for digital
11:19
signatures, secure login.
11:21
That's better.
11:21
It's generally considered much better.
11:23
But even the Estonian system had
11:24
vulnerabilities discovered that required
11:26
urgent fixes. It showed significant
11:28
risks were still present. It proves no
11:31
system is totally foolproof.
11:33
So if centralized is risky and even
11:35
sophisticated systems have flaws, are
11:37
there other ways to handle digital
11:39
identity?
11:40
There are emerging alternatives people
11:42
are excited about. Yeah. Things like
11:43
self- sovereign identity or SSI.
11:46
Self- sovereign meaning the user is in
11:49
control.
11:50
That's the core idea. often using
11:52
technologies like blockchain. The goal
11:54
is to decentralize identity data. You'd
11:57
hold your own identity credentials in a
11:59
secured digital wallet on your device
12:01
and only share specific pieces when
12:03
necessary with your explicit consent.
12:06
Giving control back to the individual
12:08
sounds great. What's the catch?
12:10
The catch is often regulation,
12:12
ironically, especially things like GDPR
12:14
in Europe.
12:15
How so? Well, GDPR includes the um right
12:18
to erasure, the right to have your
12:20
personal data deleted. But blockchain by
12:23
its very nature is designed to be
12:25
immutable, permanent, and tamperproof.
12:27
Ah, so you can't easily delete data from
12:30
a blockchain record.
12:31
Exactly. Reconciling that fundamental
12:33
conflict, the right to be forgotten
12:34
versus an unchangeable ledger is a huge
12:37
legal and technical challenge that
12:39
hasn't really been solved yet.
12:40
The security questions around identity
12:42
data, especially biometrics that you
12:43
can't change, are just paramount.
12:45
absolutely critical
12:46
and uh we should definitely acknowledge
12:48
resources like biometric.mmyprivacy.blog
12:50
here they do crucial work digging into
12:53
these specific complex security risks
12:56
associated with biometric data.
12:58
Mhm. Essential reading in this space.
13:01
So pulling this all together, it feels
13:03
like a global race, doesn't it?
13:04
It really does. You've got this
13:06
relentless drive for data extraction on
13:08
one side, surveillance, capitalism, the
13:11
metaverse buildout, and on the other,
13:13
you have these reactive, often
13:15
fragmented, sometimes quite heavy-handed
13:17
regulatory responses trying to catch up
13:19
or control it.
13:20
Like the DSA, the AI act, the US state
13:23
laws.
13:24
Exactly. And the fundamental tension
13:26
underneath it all remains the same. It's
13:28
a struggle between individual privacy
13:31
and control versus expanding corporate
13:33
and state power over our digital lives.
13:35
Okay, let me throw out one final maybe
13:37
provocative thought based on where this
13:39
seems to be heading. Let's think beyond
13:41
just controlling content or data use.
13:43
What about controlling the answers?
13:44
What do you mean by answers?
13:45
Think about answer engine optimization.
13:47
AEO, we all know SEO, search engine
13:49
optimization that gives you sources,
13:51
links you can check, right?
13:52
Right. Multiple results usually.
13:54
But AEO is different. It optimizes for
13:56
the AI to give you one single answer,
13:59
the definitive response.
14:00
Ah, like the snippets Google shows, but
14:03
turbocharged by generative AI.
14:05
Exactly. And the danger there, I think,
14:07
is really profound. When AI optimization
14:10
replaces source verification AO doesn't
14:13
just filter information, it starts to
14:15
subtly shift what we even perceive as
14:17
truth.
14:18
That's a powerful idea. It becomes a
14:20
kind of censorship by design happening
14:22
silently in the background. The
14:24
algorithm curates reality,
14:26
right? It normalizes a version of truth
14:28
that's been, as one source put it,
14:30
prefiltered in darkness.
14:32
And that plays right into the liars
14:33
dividend problem, too, doesn't it? If AI
14:35
can generate perfectly convincing fake
14:37
text, images, video,
14:39
and bad actors can just dismiss real
14:41
evidence as fake. And it becomes harder
14:42
to tell the difference.
14:43
Yeah. When the answer engine smooths
14:45
away the friction of debate, the need to
14:47
check sources, the possibility of being
14:49
wrong,
14:50
you know, you end up with a system that
14:51
can serve up a very comfortable, very
14:54
optimized, but maybe fundamentally
14:55
curated reality. And the big question
14:58
left for all of us, for you listening,
14:59
is who gets to decide what the optimal
15:02
answer actually
#Government
#Legal