
Privacy commissioners gather in Tokyo - Part 1 Joanna Hayward
9 July 2019 at 08:43


Attendees at this year's APPA forum in Tokyo, Japan

In late May, Privacy Commissioner John Edwards and I attended the 51st Asia Pacific Privacy Authorities (APPA) Forum hosted by the Personal Information Protection Commission (PPC) in Tokyo, Japan.

APPA is the principal forum for privacy and data protection regulators in the Asia Pacific and meets twice a year. Fourteen APPA members attended as well as guest speakers from European data protection bodies including the Information Commissioner’s Office (United Kingdom), CNIL (France) and the European Data Protection Board.

Day one

The first day included a roundtable where APPA members discussed recent developments in their jurisdictions. Topics included law reform, research, investigations and enforcement, and education and outreach. There were also conversations on trust marks, data portability and open banking, and terrorism and social media.

Trust Marks

New Zealand and Singapore outlined to the forum their respective privacy trust mark schemes.

New Zealand’s Privacy Trust Mark was launched a year ago to highlight excellent privacy practices or products in the public or private sector. It grants agencies a licence to use the trust mark for specific products or services (rather than their overall business) that demonstrate excellence in privacy.

By contrast, Singapore’s Data Protection Trustmark is a comprehensive framework that certifies an organisation has deployed sound and accountable data protection practices. The aim is to foster best practice, to provide a means of demonstrating a commitment to compliance to consumers and potentially to provide a bridge for transferring data across borders to other certified Asia-Pacific organisations.

Data portability and open banking

Data portability is the concept that individuals should be able to directly access their personal data, and require its transfer, in a reusable digital form. This enables consumers to switch easily from one provider to another and promotes competition. In the banking sector it enables “open banking”, where a bank shares a customer’s data through an application programming interface (API) with third parties nominated by the customer.

In Australia, a consumer data right is being established under a co-regulatory model between the Australian Information Commissioner and the Australian Competition and Consumer Commission. This will be rolled out by sector, beginning with open banking.

In Canada, a Parliamentary Committee has been conducting a review of the merits of open banking. The Canadian Privacy Commissioner made a submission to the review emphasising the need for appropriate safeguards and meaningful consent.

The move towards open banking is also progressing in New Zealand with the launch last month of the Payments NZ API Centre. OPC New Zealand is leading work on a paper to develop a first-principles approach to data portability for the International Working Group on Data Protection and Telecommunications, with assistance from PDPC Singapore and the ICO (United Kingdom), which we have reported on previously.

Investigations and enforcement

PDPC Singapore is moving to a mandatory data breach notification regime and has issued guidance ahead of the amendments coming into effect. PDPC has also released guidelines on “active enforcement” that detail the Commission’s approach to applying its regulatory powers when dealing with data breaches.

OPC Canada discussed its joint investigation into Facebook’s disclosure of user information to third-party apps, information that was later used for targeted political messaging. It found that Facebook did not obtain adequate user consent. OPC Canada is also investigating the collection of financial data by Statistics Canada.

The ICO observed that personal information lost in data breaches is resurfacing in subsequent economic crime that targets large datasets. It investigated a complaint about the HM Revenue and Customs (HMRC) Voice ID service under the GDPR and issued an enforcement notice requiring HMRC to delete biometric data that had been collected unlawfully, without explicit consent. The ICO also discussed the need for regulators to consider enhancing their investigative capability to deal with digital evidence, drawing on its investigation of the Cambridge Analytica scandal and noting that regulators need a deep understanding of the technology involved.

CNIL has issued the largest fine so far under the GDPR, fining Google €50 million for failing to comply with its GDPR obligations. Google had failed to provide its users with enough information about its data consent policies or to give users control over how their information was used.

Terrorism and social media

John Edwards led discussion on the March 15 mosque attacks in Christchurch, which were livestreamed by the attacker on Facebook. John spoke of NZ Prime Minister Ardern’s collaboration with French President Macron to launch the Christchurch Call to Action to address terrorist and violent extremist content online. We reported on Facebook’s reaction to the tragedy in our regular blogs.

In Australia, new laws were introduced immediately following the attacks to outlaw the hosting and streaming of abhorrent violent content online (to be reviewed by the Attorney-General in the next two years). Canada also proposed penalties for social media companies that fail to combat online extremism.

Singapore contributed a discussion of its recently passed Protection from Online Falsehoods and Manipulation Act (POFMA), which was enacted after heated debate.

The French data protection authority, CNIL, was given responsibility in 2014 for overseeing police requests to block access to websites that provoke or support terrorism, or that host child sexual abuse material.

In the United Kingdom, an Online Harms white paper was presented to Parliament proposing a new independent regulator to oversee a new comprehensive framework for online safety.

Day two

Artificial intelligence (AI)

APPA members from the US Federal Trade Commission, Hong Kong, Singapore and Japan discussed the adoption of artificial intelligence.

The Federal Trade Commission has held hearings into the consumer protection and antitrust implications of AI and predictive analytics. The use of AI in China is rapidly gaining pace, and the Beijing Academy of Artificial Intelligence (BAAI) has recently released the Beijing AI Principles. PCPD Hong Kong has developed an ethical accountability framework. PDPC Singapore has released a model AI governance framework for public consultation, to help organisations address key ethical and governance issues when deploying AI solutions. Japan has produced a set of principles flowing from the philosophical position that AI should support human dignity, diversity and inclusion, and a sustainable society.

Children’s privacy

The Information Commissioner’s Office (UK) discussed its “Age Appropriate Design Code for online services”, which contains 16 standards for age-appropriate design that apply to a broad range of information services likely to be accessed by children, including apps, search engines, social media and online games. The Code proposes high privacy standards by default, for example geolocation switched off by default.

The US Federal Trade Commission discussed its investigation of a social networking app (Musical.ly, now known as TikTok) under the Children’s Online Privacy Protection Act (COPPA). It resulted in a settlement of US$5.7 million for failing to obtain parental consent before collecting personal information from users under the age of 13. The company has since released a separate version of the app for such users. PPC Japan reported on its education activities to promote children’s privacy.

GDPR one year on

The chair of the European Data Protection Board (EDPB), Andrea Jelinek, and the President of the French data protection supervisory authority (CNIL), Marie-Laure Denis, provided an overview of regulatory activity during the first year of the GDPR.

During that first year, national data protection authorities received 144,000 queries and complaints, and over 89,000 breaches were logged. The GDPR places a duty on national authorities working separately on cross-border cases to cooperate so that its rules are applied consistently.

Co-operation and mutual assistance between national regulators are facilitated by the Internal Market Information system (IMI), a secure multilingual online tool that provides a structured and confidential way for EU authorities to share information.

Part 2 of the blog here
