Regulating at the speed of innovation

Navigating the Digital Frontier: Des Hogan on Regulating AI and Protecting Privacy at Web Summit Lisbon 2025

Commissioner Des Hogan of the Data Protection Commission (DPC) addressed the complexities of regulating big tech and the rapid pace of AI innovation at Web Summit Lisbon 2025. He emphasized the DPC’s mission to regulate in real-time, focusing on risks and harms to individuals, and upholding the GDPR’s principle of individual autonomy and control over personal data. His background in human rights informs this values-based, technologically neutral approach.

The appointment of Niamh Sweeney, a former Meta lobbyist, raised concerns. Commissioner Hogan clarified her diverse professional background, which includes journalism and government advisory roles. He stated that the DPC proactively addressed potential conflicts, with Ms. Sweeney, along with the other commissioners, deciding to recuse herself from decisions involving Meta or Stripe for relevant periods, a standard practice within the DPC.

The DPC’s regulatory strategy targets significant risks. Recent actions include an inquiry into TikTok’s data transfers to China, a country not deemed adequate for data protection. Other priorities involve protecting children’s data online and ensuring proper data sharing for vulnerable groups, such as older persons, to prevent misuse of GDPR as a barrier. Precise location data and data broker practices are also under scrutiny, highlighting concerns about commercial and state surveillance.

The DPC has been actively regulating AI for over two years. They engaged with Google on its Bard AI, suggesting necessary improvements before its market launch. A notable instance involved Meta, which initially disagreed with the DPC’s request to pause its AI training plans but ultimately complied. The DPC also took legal action against Twitter (now X) for similar reasons, demonstrating a proactive stance on emerging AI challenges.

To foster a consistent regulatory environment, the DPC obtained a swift opinion from the European Data Protection Board (EDPB). This opinion clarifies that AI development can proceed if it adheres to GDPR principles like transparency, lawful processing, and data minimization. Commissioner Hogan stressed the importance of anonymizing or pseudonymous data to prevent personal identification. He affirmed that GDPR is technology-neutral and innovation-friendly, provided companies integrate ethical guardrails and respect privacy, fostering trust.

Europe’s new digital laws, including the Digital Markets Act, Digital Services Act, and the upcoming AI Act, complement GDPR, which remains paramount. The DPC has established an inter-regulatory function to ensure consistent application across different regulatory bodies, promoting a pan-European approach. Looking ahead, Commissioner Hogan believes the privacy landscape will continue to focus on trust, individual autonomy, and human dignity, ensuring technology empowers rather than restricts individuals.