Privacy Commissioner John Edwards partakes in a sake ceremony

These APPA sessions emphasized that data flows underpin the digital economy and innovation. Significant developments are increasing the international imperative to harmonise privacy frameworks and build interoperable frameworks for data flows.

Cross border data transfers

APPA members heard from James Sullivan, Deputy Assistant Secretary for Services at the US Department of Commerce. The Department administers the EU-US, Privacy Shield Framework, to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States.

Mr Sullivan observed that data underpins a globally connected world and underpins benefits for citizens and the economy, driving 20% of global economic output. Privacy and data protection are essential for legal certainty and to build trust and it is right for citizens to know what happens with their data.

He noted the absence of a globally accepted standard of data privacy and thought there was unlikely to be a global standard any time soon.

The concerns are that inconsistent regulatory regimes will exacerbate compliance costs and that some countries are adopting prescriptive rules on data flows such as data localisation.

While the GDPR is both comprehensive and progressive, from the US perspective there are still questions regarding its potential impacts on free speech, research and the compliance cost burden. The challenge raised by Mr Sullivan was how countries can prepare for the next big wave of technological change in the absence of global data protection standards. He suggested the most realistic option was to build interoperability between current schemes such as the EU/U.S. Privacy Shield and the APEC Cross Border Privacy Rules to bridge the different regimes.

How to establish the Free Data Flow World while ensuring security of personal information through mutual trust

A public conference following APPA. Keith Enright, Google’s Chief Privacy Officer, noted Japan’s strong privacy laws and its strong position as a proponent for the APEC Cross Border Privacy Rules, was a participant in the CPTPP, and had achieved EU adequacy under the GDPR.

Mr Enright described trust as the foundation for everything Google does. He said two core priorities for Google are ensuring the free flow of data and preserving user trust by confirming privacy is central to product development enabling users to control their experience.

Mr Enright noted that Google is taking steps to lead on data portability including the Data Transfer Project. Google had previously announced new privacy features during Privacy Awareness Week in May.

There’s a lot of privacy activity in Asia with new laws emerging including China and India. Asian countries take an economic approach to the regulation of data flows. However, data is not just a commodity and privacy is taken very seriously by Asian privacy regulators. In some jurisdictions there is tradition of a complementary human rights approach (such as Hong Kong). Many jurisdictions want to become AI and analytics hubs and to do so requires strong privacy laws. The challenge in Asia is how to combine different approaches to data protection.

The ICO noted that a strong regulatory scheme such as the GDPR has not proved to be an impediment to innovation, citing on the ICO’s regulatory sandbox initiative.

G20 side event – Global free flow of data with adequate protection

A G20 side event provided an opportunity to hear from speakers from the European Commission and several Asian and European privacy authorities. Mr Bruno Gencarelli, from the European Commission, expressed strong support for the free flows of data with trust initiative to combine high standards of privacy and data protection with economic data flows.

Mr Gencarelli commented on the historic nature of the recent EU/Japan mutual adequacy decision and the common vision of both sides that privacy needs to be effectively protected with a clear set of rules and rights and an independent enforcement authority. These rights are necessary to support democratic and electoral systems and support economic growth as a foundation for consumer trust. The result of the mutual adequacy decision is that data can flow freely between Japan and the EU and will amplify the benefits of a free trade agreement. Mutual adequacy will also provide an opportunity for closer and deeper co-operation between respective data protection authorities.

French data protection authority (CNIL) President Mme Denis, noted that free flows of data cannot undermine the protections guaranteed under the GDPR framework. The GDPR has several mechanisms for a wide variety of transfers including contractual clauses and an adequacy decision.

Mme Denis also noted that the Council of Europe Convention 108 has potential to foster greater convergence – this is an international instrument and is open to accession by countries outside Europe.

New Zealand has observer status, along with a number of other non-European observers

Highlights from the panels included:

• Mr Ken Katayama for Microsoft told us that a year on from GDPR, Microsoft considers privacy is a fundamental human right, has extended GDPR subject access rights to all users and continues to advocate for a federal privacy law in the US.

• Mme Pouliou, head of privacy for Chanel reported that the GDPR has led to significant harmonisation across 28 countries and has the potential to inspire greater global harmonisation.

• Australian Information Commissioner, Angelene Falk, shared the Australian experience of building trust in personal information handling and the OAIC’s collaboration with other regulators. Australia is implementing the APEC Cross Border Privacy Rules and is considering certification of privacy competence as a potential mechanism for recognising organisational accountability.

Read Part 1 of blog here