Assistant Privacy Commissioner Jon Duffy reflects on his December trip to Cebu, Philippines, alongside Commissioner John Edwards, to attend the 52^nd Asia Pacific Privacy Authorities (APPA) forum (Dec 1-2, 2019).

As I landed at Cebu airport to warm greetings from our charming hosts from the Philippine National Privacy Commission, I was surprised to learn Typhoon Kammuri was set to hit the country in the coming days.

I nervously scanned news reports of the impending destruction set to be wrought on the country. Travel advisories from authorities and global news agencies suggested all non-urgent travel to the Philippines be avoided. As the forum got underway, I quickly discovered that many assembled delegates shared my unease at the weather situation.

I needn’t have worried. Demonstrating remarkable foresight, the Philippines Government had appointed Raymond Liboro as its Privacy Commissioner. Commissioner Liboro, a former head of the Philippine national weather service, calmly assured the assembled delegates, over a chorus of emergency SMS alerts, that the typhoon would pass harmlessly by the venue. As a further show of faith, dinner was scheduled to be held outdoors that evening and would include local dancing.

A traditional Filipino dancing display at the 52nd APPA forum in Cebu, Philippines

Thankfully, Commissioner Liboro’s predictions were accurate and delegates got on with sharing their knowledge and experience absent Kammuri. 

Key themes

APPA 52 saw delegates from 14 privacy authorities around the Pacific assemble in Cebu. During the two days, many topics of shared interest were discussed, both during the formal sessions and informal meetings afterwards.

The following themes piqued my interest:

Closer ties between competition/consumer protection authorities and data protection authorities across the region

Several jurisdictions reported on increased cooperation and convergence between agencies enforcing competition and consumer protection legislation and their work in the data protection space.

Many delegates noted the Australian Consumer and Competition Commission’s (ACCC) Digital Platforms Inquiry and its recommendations for strengthening privacy protections in Australia, as a leading example of increasing convergence between different regulatory bodies. The ACCC’s recommended reforms are aimed at providing greater protection for consumers against the misuse of data and empowering them to make informed choices.

In a further example of consumer protection action in the privacy space, the ACCC recently instituted proceedings against Google for allegedly misleading consumers about the personal location data it collects, keeps and uses. 

Similarly, the US Federal Trade Commission (which has responsibilities across competition, consumer protection and data protection areas) noted increasing convergence in issues between its internal teams. They recently levied a record-breaking $US5 billion civil penalty against Facebook with the requirement that Facebook implement changes to its privacy practices, its corporate structure and the role of CEO Mark Zuckerberg.

Other jurisdictions, including Canada, noted the need for regulators to familiarise themselves with the work of other privacy authorities, particularly when dealing with issues relating to the digital economy, where the companies being regulated are often bigger than many nation states.

From a New Zealand perspective, OPC are seeing complaints that raise potential issues under not only the Privacy Act but also the Fair Trading Act, Credit Contract and Consumer Finance Act and Commerce Act. Following the international trend, we expect to work more closely with the Commerce Commission in future to provide the best regulatory response to issues as they arise.

Use of facial recognition by law enforcement

Hong Kong’s privacy authority (PCPD) presented on issues associated with the use of facial recognition by law enforcement. The technology’s use had caused civil unrest as citizens object to the installation and “always on” nature of this infrastructure. Hong Kong uses “smart lampposts”, capable of monitoring traffic and weather data, measuring vehicle speeds, recognising Bluetooth devices and licence plates and with the ability to film immediate surroundings. The strong public back lash has forced the Hong Kong Government to suspend the roll out of this technology and disable some functions in lampposts already installed.

The UK’s Information Commissioner’s Office (ICO) spoke about its investigation into trials of live facial recognition technology by several police forces in the United Kingdom. The technology can be deployed to recognise individuals in crowds at large public gatherings. The ICO investigation highlighted the need for legislation and binding codes of practice to regulate the deployment of this technology. Regulation must give Police clear guidance and the public confidence, that this highly invasive technology will be used appropriately.

The ICO issued its first ever Commissioner’s Opinion on the subject and engaged with the public to understand sentiment around the use of this technology. 

Ongoing modernisation of data protection laws

Many jurisdictions, including New Zealand, noted that their privacy laws were being reviewed or modernised.

Canada is looking to recognise privacy as a fundamental human right and for the recognition of the quasi-constitutional nature of privacy law.

Japan and Singapore also highlighted ongoing law reform. The Australian delegation referenced the recommendations for law reform in the Digital Platforms Inquiry and the FTC noted the need for reform to provide the ability to obtain orders which have financial penalties attached for non-compliance, to stop agencies engaging in conduct.

The call for stronger penalties to encourage compliance with privacy law is something we are familiar with in New Zealand as well.

Risk of re-identification in anonymised datasets

The Office of the Victorian Information Commissioner presented  a recent investigation into the release of myki data by Public Transport Victoria (PTV).

When releasing a large dataset of information containing travel events from the myki travel card operated in Melbourne, PTV claimed that the dataset had been de-identified. However, having obtained the dataset online, academics were able to identify individuals from the dataset.

Analysis showed that when two myki card scans were known by time and stop location there was a high risk of re-identification.

PTV was issued with a compliance notice as a result of the investigation, which concluded that a high level of skill is required by organisation staff to comprehensively de-identify such datasets. OVIC recommended organisations take a conservative approach when considering releasing such information publicly.

Philippines – app-based lending concerns

The National Privacy Commission (NPC) described an alarming volume of complaints received about app-based lending companies. An NPC investigation determined that where borrowers failed to make loan repayments on time, the companies in question can access borrowers’ smartphones and use contact lists or phone directories to contact borrowers’ associates, disclose unwarranted or false information, harass or make threatening communications and otherwise use borrowers’ data in an unduly intrusive manner.

The NPC investigation is ongoing with charges filed against three companies to date. Criminal prosecution could be recommended in these cases which, upon conviction, could result in significant fines or terms of imprisonment for directors.

All in all, APPA 52 was a fruitful and inspiring conference for all involved.

APPA 53 is set to take place in Hong Kong in May 2020. Hopefully with no typhoons this time.