Privacy and data protection commissioners from around the globe gathered in Queenstown on 29-30 November for the 64^th meeting of the International Working Group on Data Protection in Telecommunications (IWGDPT).

In all, 38 delegates from 18 jurisdictions participated in the IWGDPT meeting. New Zealand was represented by the Government Chief Privacy Officer, Russell Cooke, and three from our office, including Privacy Commissioner John Edwards.

The IWGDPT – called the ‘Berlin Group’ for brevity - was initiated in 1983 by the Berlin Commissioner for Data Protection and Freedom of Information and includes regulators from around the world.  Since the beginning of the 90s the group has focused on the protection of privacy on the internet.

The Queenstown sessions included discussions on artificial intelligence (AI), location tracking, smart devices for children, and protecting the privacy of children in online services. There were also conversations about web tracking, blockchain, international privacy standardisation and the role of the right to data portability.

Data portability

Our office contributed a paper exploring the emerging right to data portability. Data portability can be defined as a right that allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows someone to move, copy or transfer their personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.

So far only the European Union with its General Data Protection Regulation (GDPR) has adopted data portability as a general privacy principle. This raised issues that were worth exploring further. Should other regions or countries consider adopting such a right? How would such a right sit with existing privacy rights? What would the advantages or disadvantages be for consumers or controllers? What issues are created for business or consumers by this right existing in one region but not others?

An underlying objective of privacy and data protection laws is often said to be to support individual autonomy by giving individuals a measure of control over the personal information held about them.

But a key aspect that needs to be explored further is interoperability between data protection jurisdictions. For instance, what will be the relationship between the GDPR regime and other jurisdictions without data portability law, and how this can be optimised for consumers?

In New Zealand, our office is advocating for data portability as a right to be included in the Privacy Act which is currently being reformed. You can read more about that here.

Privacy and artificial intelligence

The Norway Data Protection Authority is the rapporteur for the working paper on artificial intelligence. The intensive use of data involved in many forms of AI, and some of the new data processing opportunities it brings, challenge fundamental data protection principles. Another Berlin Group paper highlighted the most relevant challenges regarding privacy and the processing of personal data in AI.

The discussion centred on unlawful bias and discrimination, and lack of transparency and intelligibility. If AI systems operate like black boxes, they are outside the scope of meaningful scrutiny and accountability. If organisations are unwilling or unable to explain the decisions made by artificial intelligence powered systems, the individual will have no way of knowing whether the decisions were accurate, fair, or even about them.

It will also be difficult for an individual to challenge or contest the decision. To protect individual rights, people must be provided both the logic of the processing and an explanation of the automated decision-making. Further, a lack of transparency and intelligibility in AI systems will also make it difficult for regulators to investigate, audit and inspect the systems.

The presentation outlined how data protection and privacy regulators need to possess sufficient knowledge, expertise and resources to give guidance and to investigate possible breaches of relevant data protection or privacy regulation.

Data protection and privacy regulators also need to strengthen public awareness by providing guidance to relevant stakeholders. This could include promoting the use of privacy by design principles with AI-based services developers, providers and users, while also strengthening their supervisory activities.

Location tracking

A working paper by the Italian Data Protection Commission examined the data protection and privacy risks associated with large scale collection of location data in the public interest and gave recommendations on how to mitigate these risks.

The paper and following discussion noted the trend toward including predictive capacity was likely to continue, and the number of tracking applications was set to increase. This was already evident in the many devices that we carry and wear, and the increasing number of connected appliances and objects that register our location history.

If no safeguards were in place, the main risk is of a strong bias: that of our being guided (or forced) into doing certain things and going certain places based on a service provider’s assumptions about our needs and the best way to meet them. The paper noted that this approach would reduce or eliminate opportunities for us to make free and serendipitous discoveries.

Significant privacy risks included the reuse of data for purposes beyond the original scope and a growing erosion of trust in the organisations that collect the data. If left unchecked, people could increasingly develop an uncomfortable sense of surveillance in their digital and real lives. This chilling effect could deter us taking part in some activities or using some products, and potentially providing elements for stalking, blackmailing, and thefts.

The paper recommended regulators promote data processing transparency by the organisations that use location tracking. One way is to mandate best practices, such as periodic checks and audits. Regulators had a role in promoting trust in the use of devices and apps through the scrutiny of certification schemes and codes of conduct.

In conclusion

The working papers on location tracking and artificial intelligence were adopted and will be published next year, after amendments generated by the meeting discussion have been made.

These regular meetings are also characterised by representations from industry players. In Queenstown, the Berlin Group commissioners were addressed by Google’s Global Privacy Counsel, Peter Fleischer, and Facebook’s Director of Privacy Policy, Laura Juanes. Both industry spokespeople were questioned by the delegates about privacy concerns and issues.

More information about the International Working Group on Data Protection in Telecommunications can be found here (in German and English). Published working papers can be found here.

Image credit: Queenstown from Bob's Peak - by Lawrence Murray via Wikimedia.

International, data