Our website uses cookies so we can analyse our site usage and give you the best experience. Click "Accept" if you’re happy with this, or click "More" for information about cookies on our site, how to opt out, and how to disable cookies altogether.
We respect your Do Not Track preference.
On 25-26 June 2018, Privacy Commissioner John Edwards and I attended the 49th Asia Pacific Privacy Authorities (APPA) Forum in San Francisco, California, hosted by the United States Federal Trade Commission (FTC).
There is real value and significant practical benefit in getting together to discuss global privacy trends and share domestic experiences, including education and enforcement activities, problems faced and solutions adopted to address these.
The first day involved a roundtable where APPA members presented reports setting out recent developments in their jurisdiction following common themes: compliance and enforcement, international collaboration, law reform, and outreach and education. Some snapshots follow.
Data breach reporting
A number of jurisdictions are subject to mandatory data breach reporting schemes. Some jurisdictions provided statistics on the nature of reported data breaches under their reporting schemes. Other jurisdictions are in the process of establishing mandatory data breach notification schemes.
Some member jurisdictions have worked together on the enforcement action involving Vtech - a Hong Kong based maker of electronic learning products for children. VTech notified Canada of a global data breach compromising the personal information of half a million Canadians, most of whom were children.
Enforcement actions - United States
The US FTC updated the meeting on recent enforcement actions involving: -
These actions have all been settled and made public.
Cross Border Privacy Rules (CBPR) - Singapore
The Singapore Personal Data Protection Commission (PDPC) has become the sixth APEC economy to participate in the Cross Border Privacy Rules (CBPR) system alongside United States, Mexico, Canada, Japan and Republic of Korea. Singapore has become the second APEC economy to participate in the Privacy Recognition for Processors (PRP) system alongside United States.
The PDPC is currently looking at different models of appointing an Accountability Agent in Singapore and expects the CBPR/PRP scheme to be fully operational in Singapore by 2019. They are looking at ways to promote awareness of the APEC certification systems to showcase the benefits of the APEC certification systems to industry (e.g. preparing information materials, developing a logo/mark for CBPR/PRP to be used when the certification system is operational).
Artificial Intelligence update
Singapore PDPC shared a discussion paper with their analysis of some of the issues raised by the commercial development and adoption of AI solutions. The paper outlines the principles for responsible AI and a proposed governance framework that sets out practical ways organisations using AI can translate the principles into process (to promote public understanding and trust in AI technologies).
The proposed framework aims to encourage informed and constructive debate around this complex issue, and ultimately to sow the seeds for the private sector to develop voluntary governance frameworks, including voluntary codes of practice across the digital economy.
The Singaporeans have also established an Advisory Council on AI that comprises private sector thought leaders in AI and Big Data from local and international companies, academia and consumer advocates. The Advisory Council is to provide insights and recommendations to Government relating to the commercial deployment of data-driven technologies, and support the development of voluntary ethics standards and governance frameworks, advisory guidelines and codes of practice.
The Victorian Information Commissioner has recently produced an issues paper for the public sector and general public regarding AI and the implications for information privacy.
Panel discussion - Data breach notification
UK Information Commissioner Elizabeth Denham noted that the ICO was experiencing over-reporting of data breaches. Agencies are unclear about what they should report within the 72 hour timeframe required under the GDPR (that obliges agencies to determine within that time if there is a high risk from the breach and if so report it).
The ICO has adopted an approach that is primarily about supporting and managing the breach; and they will be doing further work to extract national value from data breach information.
Acting Australian Information and Privacy Commissioner Angelene Falk noted they had a 12 month lead in time for their data breach notification scheme and that agencies wanted clear guidance on what the definitions meant.
The Australian data breach notification scheme requires a report to be made as soon as practicable if the reporting threshold has clearly been met. If there is only a suspicion that the threshold has been met, then the agency has up to 30 days to make that assessment.
Panel member Stacy Shesser from the California Department of Justice commented that a large number of breaches had been reported under their long standing scheme. The scheme has a low reporting threshold with no harm requirement, and they observe ‘notice fatigue’ where most affected individuals do not bother to take up the free credit monitoring that businesses must provide under the scheme.
Fifteen APPA member privacy authorities attended the forum: China (Hong Kong and Macau authorities), Japan, Singapore, Korea (Personal Information Protection Commission and the Internet and Security Agency), Philippines, Mexico, Colombia, Canada (federal and British Columbia authorities), Australia (federal and Victorian authorities), New Zealand and the United States of America. There were observers from the United Kingdom (including the Information Commissioner) and justice officials from two US states (California and Washington).
Image credit: Pacific Ocean via Wikipedia (Creative Commons Licence)
