From Theory to Practice: Highlights From Day 1 of EODS 2025

The day traced a clear arc: from regulators grappling with definitions, to industries trialling PETs at scale, to big questions about trust in the AI era. What was once theoretical is now urgent, and the sessions made that clear. 

Robert Pisarczyk opened the summit by pointing out that privacy-enhancing technologies have outgrown the research stage. They are in production, and organisations are already building business cases around them. The question is not “if” they’ll scale, but “how.” That framing shaped the day. 

GDPR: Are We There Yet?

Helen Dixon, who spent ten years as Ireland’s Data Protection Commissioner, took the stage with the authority of someone who has lived the GDPR story from the inside. Her keynote, “GDPR — Are We There Yet?”, was part reflection, part warning. The regulation has undeniably shifted global norms, but the hardest questions remain unsolved.

Her focus was anonymisation. Under GDPR, data that is “sufficiently anonymised” falls outside the regulation, but what counts as sufficient is still contested. Dixon explained that many organisations overestimate the strength of their anonymisation. Techniques that once felt safe, for example, removing names or obvious identifiers, can be undone by modern re-identification attacks that cross-reference multiple datasets.

In her fireside chat with Yves-Alexandre de Montjoye (Imperial College London), Dixon emphasised the need for measurement tools. Organisations need more than policies; they need concrete ways to test whether their data really resists re-identification. 

In Finance, the Next Crisis May Be About Trust, Not Money

The first panel turned the spotlight on financial services. Phil Cheetham (LSEG), Anthony Ta (Société Générale), and Steve Flinter (Mastercard), moderated by Catherine Fitzsimons (Fidelity), didn’t sugar-coat it: the next financial crisis may not come from money, but from trust.

The reasoning is simple. Financial markets depend on confidence. If customers or regulators lose trust that their data is being used responsibly, the fallout could rival a financial crash.

The panellists described how firms are embedding PETs to avoid that risk. Mastercard’s work on PETs allows banks to run joint analyses on fraud patterns and cross-border transactions without ever sharing raw customer data. Instead of months of legal wrangling, data clean rooms and differential privacy make it possible to collaborate in near real time. 

The takeaway was that companies that build these capabilities in advance will move faster than those who scramble after the fact.

Media and Technology: PETs as Enablers

The afternoon session turned to media and technology. Ryan Kunkel (PBS), Monisha Varadan (Google), and Anthony Moran (Meta), moderated by Jas Johal (Alvarez and Marsal), spoke about scaling privacy across fast-moving, federated organisations.

They explained that PETs are not silver bullets. No single technology will solve every problem. But PETs do something regulations alone cannot: they provide technical guarantees. If a data clean room or a differential privacy system is well designed, it mathematically prevents misuse, regardless of intent.

That guarantee changes the conversation inside companies. Engineers and product teams have to collaborate with legal and compliance colleagues because the technology itself demands cross-functional governance. The panel urged companies to stop seeing privacy-by-design as a bureaucratic checkbox. Done right, it speeds up innovation by reducing the risk of needing retroactive fixes.

Future of SaaS Revisited

Jack Fitzsimons of Oblivious revisited the “Future of SaaS” theme introduced at EODS 2023. He reminded the audience that SaaS is no longer a niche delivery model. It underpins the global digital economy, with revenues on the scale of national GDPs.

He pointed to JPMorgan Chase CISO Patrick Opet’s recent open letter, which warned that SaaS “is quietly enabling cyber attackers and creating a substantial vulnerability that is weakening the global economic system.” The concentration of services in a handful of providers, combined with rushed feature rollouts, has eroded long-standing security boundaries and created single points of systemic failure.

Jack argued that the answer is “verifiable SaaS,” enabled by confidential computing. Customers should be able to cryptographically verify the environment before their data is processed, replacing retrospective assurances with real-time proof.

Anonymisation under Scrutiny

The ICO’s anonymisation guidance took the stage in the afternoon. Paul Comerford (ICO) joined Rory O’Keeffe for a short fireside, followed by a panel with Salil Vadhan (Harvard & OpenDP), Gary Howarth (NIST), Sophie Stalla-Bourdillon (Brussels Privacy Hub), and Yves-Alexandre de Montjoye (Imperial College London).

The discussion explored how to define and test anonymisation in an era of AI. Regulatory decisions have recognised that pseudonymised data can be treated differently depending on context: it may be personal data for one actor but not for another, suggesting that a one‑size‑fits‑all compliance approach can be inadequate.

Differential privacy, on the other hand, provides a formal, quantitative way to limit re‑identification risk (using parameters like ε) and can complement context‑based assessments. Adopting it in practice, however, requires new skills, tools and governance.

The group also debated transparency. Regulators want companies to disclose their methods. But how much detail can you share without arming potential attackers? The balance between accountability and security remains unsettled.

Clean Rooms in Action

Dave Fagan (Mastercard) and Spencer Cook (Databricks) brought theory back to practice with their session on data clean rooms. They described how Mastercard’s Data Clean Room lets partners analyse, enrich, and model sensitive data collaboratively while keeping each party’s raw information sealed.

They shared an example: predicting payment timeframes by combining Mastercard’s transaction data with client datasets. In the past, this raised both privacy and intellectual property concerns. With the clean room, the work happens in a controlled environment. Outputs are shared, but raw inputs are never exposed.

This approach not only ensures compliance but also accelerates time to insight, opening new possibilities for collaboration.

Innovation Meets Regulation

The talk from Graham Mudd (Mozilla) reframed the privacy debate. He argued that privacy and innovation are not opposing forces, but mutually reinforcing when PETs are used correctly. The key shift is from policy to proof.

He explained that the perceived trade-off between privacy and performance is a myth. In practice, PETs allow organisations to meet stringent regulatory standards like GDPR, the AI Act, and health data safeguards, while still running analytics that deliver value.

He pointed to deployments where PETs have reduced exposure risks without compromising on speed or accuracy. The message was clear: embedding PETs early avoids the cost of retrofitting later, and proves that compliance and innovation can move together.

Future-Proofing Privacy

The day ended with a forward-looking panel featuring Helen Dixon, Stephen Deadman (Meta’s former DPO), and Henri Kujala (Vodafone), moderated by Monisha Varadan.

Regulators are challenged to move from principle‑based frameworks to more real‑time agility as AI and related technologies evolve faster than regulatory cycles. Privacy roles are evolving into strategic, cross‑functional positions. People in these roles coordinate legal, business and technical teams to handle fragmented international laws and internal change. Organisations need to keep these three areas in balance.

The panel’s shared view was that trust will remain the currency of the future. Companies that fail to secure it may not survive the transitions ahead.

Beyond the Stage

Breaks and coffee chats played their own role. Attendees from law, policy, tech, and academia compared notes in the corridors, often echoing what panellists said on stage. Many described the same challenge in different languages: how to build a shared vocabulary that connects regulatory expectations, technical detail, and business goals.

If You Missed It

Day 1 delivered a clear message: privacy is no longer a compliance afterthought. It is part of the infrastructure. Finance leaders warned that trust may be the next systemic risk. Media and tech leaders framed PETs as enablers, not obstacles. Regulators wrestled with defining anonymisation in the AI age. And across all of it ran a thread of collaboration.

If you weren’t in the room, the insight to take away is simple: privacy is now the architecture of innovation. Without it, none of the promises of AI, finance, or technology will stand. Next time, we’ll dive into day 2, which looked at cross-border data collaboration, responsible AI deployments, and the future of governance.