The 43rd edition of the Global Privacy Assembly, GPA Mexico 2021 co-sponsored by Baker McKenzie, kicked off Monday with a full slate of virtual presentations and discussions. The program included speakers from regulators and data protection authorities, the private sector, think tanks and advocacy groups, NGOs, and academia—and covered topics ranging from facial recognition to the impact of data protection on marginalized communities.

In case you weren’t able to catch the proceedings we’ve compiled some of the key takeaways from Day 1.

Keynote Speech I: Technological evolution: human intervention in mass data processing 

  • Elizabeth Coombs, Associate Professor at University of Malta (presenter)
  • Jennifer King, Privacy and Data Policy Fellow at Stanford University

Professor Jennifer King (Privacy and Data Policy Fellow at Stanford University) set out a thesis for the regulation of AI, starting from the observation that the use of poor data to develop and train AI systems inevitably results in dysfunctional AI that may use decision automation to cause harm to individuals and communities. It is therefore imperative that organizations that collect data for these purposes do so ethically, using tools to trace the origin of the data, obtaining consent and having strict data retention policies. In the sort of regulatory landscape that Professor King envisions, privacy is understood both as an individual right, but also as a societal right. Because of the communal nature of this right, regulators may consider divestitures of data assets to prevent tech giants from obtaining monopolies of data. Other potential approaches Professor King advocates include a greater role for data intermediaries, rethinking internet governance forums to empower individuals, and investment in the development of public sector data sources reserved for noncommercial uses.

Panel I: Data Protection and Human Rights: Mass surveillance by facial recognition and analysis of metadata 

  • Omar Seghrouchni, President of the National Supervisory Commission for the Protection of Personal Data of Morocco (moderator)
  • Heng Xu, Professor and Director of Kogod Cybersecurity Governance Center
  • Claudia del Pozo, Director of the Eon Resilience Lab at C Minds
  • Brenda Leong, Senior Counsel and Director of Artificial Intelligence and Ethics at Future of Privacy Forum
  • Ann Cavoukian, Executive Director at Global Privacy and Security by Design Centre 

The day’s first panel considered the ethical and policy considerations invoked by the rising adoption of facial recognition technologies. Claudia del Pozo  (Director of the Eon Resilience Lab) sounded a particular note of caution for the deployment of such technologies in Latin American jurisdictions, many with authoritarian traditions, a loose patchwork of data protection regimes, lack of compliance with the proportionality principle, and a citizenry that may (understandably) value physical security over the risks posed by such technologies to individual liberties. Taking a similar stance, Ann Cavoukian (Executive Director at Global Privacy and Security by Design Centre) noted that surveillance using technologies like facial recognition is constantly growing and it is being used without typical privacy guardrails like awareness, consent and control.

Keynote Speech II: Privacy and Pandemic COVID-19: Vaccine Passports and Similar Certificates 

  • Elizabeth Denham, UK Information Commissioner and Chair of the GPA (presenter)
  • Alessandra Pierucci, Chair of the Committee of Convention 108 at Council of Europe

Alessandra Perucci (Chair of the Committee of Convention 108 at Council of Europe) underlined the importance of transparency as a necessary element to maintain trust of individuals. Other data privacy principles are of particular importance in the pandemic are proportionality and time-limitations, such that data collected for the purpose of the pandemic should not be used later for other purposes. In another example, she emphasized there is a particular risk that vaccine data may be misused to discriminate against vulnerable communities like migrants, who may not have ready access to vaccines. These limitations are consistent with the derogation clause under Article 15, which mandates derogations only when they are limited in time and scope, and are proportionate. Alessandra concluded with a tribute to Giovanni Buttarelli, whose vision she shares. Before the pandemic, Giovanni said that personal data tells a story, in the best scenario for the common good, in the worst scenario they may act as a boomerang. Alessandra transposed this statement in the pandemic period, saying that personal data tell a story about health of individuals, and in the best scenario they’re used for the good of common health, while as a boomerang it may cause risks of discrimination and surveillance.

Panel II: Promotion of an ethical approach into organizations 

  • Raymund Liboro, Privacy Commissioner and Chairman of the National Privacy Commission of Philippines (moderator)
  • Stephen Bonner, Executive Director of Regulatory Futures and Innovation at the Information Commissioner’s Office UK
  • Irina Raicu, Director of the Internet Ethics Program of the Markkula Center for Applied Ethics
  • Constanza Gómez Mont, Founder and President at C Minds4
  • Bojana Bellamy, President at Centre for Information Policy Leadership (CIPL) 

Data ethics is an investment; companies who have devoted time and effort to create solid ethical frameworks are already starting to see dividends. The public refuses to trust and engage with enterprises that don’t share their values and ethics. And companies must show their values by going beyond the bare minimum that is necessary for compliance. Similarly, as Irina Raicu (Director of the Internet Ethics Program of the Markkula Center for Applied Ethics) pointed out — and moderator Raymund Libro (Privacy Commissioner  of the National Privacy Commission of Philippines) echoed — regulators must do more than set minimum requirements but should establish incentives (like diminished sanctions and sandboxes) for businesses to go above and beyond. To achieve this goal, academics, companies and government entities need to collaborate with each other.

Parallel Session I. Data Analytic users: considerations in privacy 

  • Steve Wood, Deputy Commissioner at the Information Commissioner’s Office, UK (moderator)
  • Eduardo Ustarán, Global Co-Head at Hogan Lovells Privacy and Cybersecurity 
  • Daniel Leufer, Europe Policy Analyst at Access Now
  • David Banisar, Senior Legal Counsel at ARTICLE 
  • Lucie Audibert, Legal Officer at Privacy International
  • Caitlin Fennessy, VP & Chief Knowledge Officer at IAPP
  • Ed Britan, Vice President, Associate GC, Head of Global Privacy at Salesforce 

The emergence of data analytics provides new challenges; simply complying with privacy obligations may not always sufficient in the data analytics context to avoid undesirable results, according to Daniel Leufer (Europe Policy Analyst at Access Now). David Banisar (Senior Legal Counsel at ARTICLE 19) urged lawmakers to learn from debates in other areas— like those around redlining in the FCRA and government transparency laws that enable individuals to enforce their rights — to guide policymaking regarding data analytics. Lucie Adibert (Legal Officer at Privacy International) noted that the effects of data analytics are especially powerful in areas with power imbalances like where it is used to make welfare distribution decisions. Caitlyn Fennessy (VP & Chief Knowledge Officer at IAPP) observed that privacy is becoming more technical and more human, which requires engagement with a larger spectrum of stakeholders and the use of new tools like synthetic data, secure multiparty computation, cookie alternatives. The discussion culminated in a consideration of the role of impact assessments in the data analytics context, with many on the panel skeptical that these can be effective unless they are sufficiently public and engage with the affected stakeholders. All agreed that organizations need to be transparent and their collection proportional to create trust.

Parallel Session III: Inclusive Policies: Poverty and marginalization sectors in the protection of personal data 

  • Óscar Mauricio Guerra Ford, INAI Commissioner (moderator)
  • Gabriela Zanfir Fortuna, Vice President for Global Privacy at Future of Privacy Forum
  • Valeria Milanes, Executive Director of ADC (Asociación por los Derechos Civiles), Argentina
  • Fredesvinda Montes, Senior Financial Sector Specialist at World Bank
  • Malavika Raghavan, Senior Fellow for India at Future of Privacy Forum
  • Gianclaudio Malgieri, Associate Professor of Law and Technology at the Augmented Law Institute of EDHEC Business School 

Information Technology and Communications in today’s world offer broad advantages to populations. However, these digital benefits are not having an equal impact on social sectors where there is a clear imbalance in access to technologies, which is known as a digital gap. According to the UN, almost half the world’s population — 3.7 billion people — are still offline. The panel discussed the importance of developing policies to bridge this gap and extend the benefits of digital technologies to these populations. According to Professor Gianclaudio Malgieri (Associate Professor of Law and Technology at the Augmented Law Institute) , there are not enough provisions on discrimination and social disadvantages in the European Law including the GDPR as there remain people with higher risk of having their fundamental rights hindered. Normally data subjects are faced with a privacy paradox meaning that they may not want to provide information though they understand that certain benefits come from providing such information. Vulnerable or marginalized populations face a double paradox because providing such data can be source to discrimination and they also have higher needs to share their data to obtain certain benefits.

Parallel Session V: A cross-regional conversation: effective tools for secure-free data flows 

  • Moderator: Francisco Javier Acuña Llamas, INAI Commissioner (moderator)
  • Clarisse Girot, Director for Asia Pacific at Future of Privacy Forum
  • Yeong Zee Kin, Deputy Commissioner at Personal Data Protection Commission, Singapore
  • Danilo Doneda, Board Member at International Association of Privacy Professionals
  • Javier López González, Senior Trade Policy Analyst at OECD
  • Caroline Louveaux, Chief Privacy Officer at Mastercard 

Different approaches exist to regulate international data transfers. For example, unilateral and domestic mechanisms that enable the transfers of data, such as pre-approved contractual clauses. Alternatively , trade agreements (broadly divided into three categories: non-binding; binding data flow provisions; and those open to future negotiation) facilitate cross-border data flows. Governments often pursue multiple, complementary approaches. According to moderator Francisco Javier Acuña Llamas (INAI Commissioner) the three Cs analysis should inform governments’ approach to facilitating data flows: commonalities (as found between and within instruments); convergence (overlaps between data flow and privacy requirements); complementarity (unilateral mechanisms draw from, and contribute to, plurilateral arrangement)

Note: the views expressed by the speakers as reported in this post do not necessarily reflect those of Baker McKenzie or any of their clients.

The Global Privacy Assembly is an international forum with more than 130 data protection and privacy authorities. The GPA´s vision is to build and maintain an environment in which privacy and data protection authorities around the world are able effectively to act to fulfil their mandates, both individually and in concert, through diffusion of knowledge and supportive connections.


Carlos is one of Mexico's most active privacy, data protection and information security lawyers. He has implemented privacy management compliance programs for over 100 companies, including several Fortune 500 companies. He advises on corporate and commercial matters where privacy is an issue, including e-discovery, FCPA investigations, e-commerce, direct marketing, privacy in the workplace, litigation and M2M communications.


Daniel Villanueva Plasencia is a member of Baker McKenzie’s Intellectual Property Practice Group in Guadalajara. He has extensive experience in intellectual and industrial property matters, including trademarks, patents and copyrights. Prior to joining the Firm, he was the founding partner of a local firm in Guadalajara.


Francesca Gaudino is the Head of Baker McKenzie’s Information Technology & Communications Group in Milan. She focuses on data protection and security, advising particularly on legal issues that arise in the use of cutting edge technology.


Karla Guerrero is an associate for the Intellectual Property Practice Group in Baker McKenzie's Mexico City Office. Her experience includes advice and guidance to clients on the compliance with legislation of data protection.