
In Europe discussing information as a weapon and privacy
John Edwards
30 October 2018 at 15:42


Last week was a big week for privacy internationally. Privacy Commissioners and Data Protection Authorities met in Brussels for their annual conference for the 40th time.

In an unprecedentedly high-profile public session, we heard from Pope Francis, Apple CEO Tim Cook, Facebook founder and CEO Mark Zuckerberg, the President of Italy, and the King of Spain (not listed in order of priority, importance, or influence!).

More on that later.

Workshop on protecting children

My office has always tried to make the most of the effort and expense of travelling to the other side of the world, so I headed over a week before the conference to participate in associated events in Zurich and Paris.

We had been invited to participate in a workshop on the Protection of Children in a Connected World. The meeting, jointly hosted by the OECD and the University of Zurich, had a significant privacy component and I had been asked to act as moderator for those parts.

The OECD is committed to promoting and supporting evidence-based policy among its member governments, and the assembled experts were not reticent in pointing out that many of the “received wisdoms” about the risks and benefits of children’s online lives did not stack up. We heard that “screen time” in itself is not a bad thing. Limiting screen time does not promote healthier activities, and children and young people do in fact care deeply about privacy online and take steps to protect it.

The meeting was intended to examine whether the OECD’s 2012 recommendations still stood up or needed amendment in the light of technological, social and legal developments. Despite live streaming, fake news, and GDPR all coming into existence since that report, many of its conclusions remained relevant.

Mandatory breach reporting

We convened in Paris later that week, also with the OECD, to discuss how we might usefully compare the experiences of different economies as they implemented their mandatory data breach notification laws – laws that are coming to New Zealand next year.

The OECD’s Directorate for Science, Technology and Innovation has taken on this work as part of the Digital Economy workstream flowing from the 2016 Digital Economy Ministerial. It had surveyed 40 or so privacy enforcement authorities.

We are deep into our planning for implementing our own data breach notification regime, as recommended by the Law Commission in 2011, and I was particularly interested in the experience of our peers, as captured by the survey.

International conference

The International Conference of Data Protection and Privacy Commissioners (ICDPPC) has followed a similar format for several years now: a closed session, attended only by members meeting the criteria of independence, and an open session which, as the name implies, is open to all, from civil society to industry, government, academia, and the public.

Closed session

This year’s closed session had quite an introspective theme. We spent a lot of time discussing how we might best constitute our conference to meet the needs of members. This included considering resolutions for working groups and the possibility of funding a permanent secretariat to service the ICDPPC’s executive committee and membership on a year-round basis.

We talked about how we might make our resolutions more effective, and we made more resolutions, this time on:

Public session

The public session broke new ground and records. It was jointly hosted by the Bulgarian Data Protection Authority in Sofia and the European Data Protection Authority in Brussels. It had over 1,400 registered participants and no sponsorship. It featured heads of state and CEOs, and it focused on ethics, rather than law.

The theme of the event was Debating Ethics: Dignity and Respect in Data Driven Life. It was encouraging to see what the CEOs, heads of state, academics, researchers, NGOs and regulators thought about the question of “what should we do with data”, rather than “what can we do”. Check out the hashtags #DebatingEthics and #ICDPPC2018 for more information.

In a keynote speech that was extensively reported, Tim Cook called out the tech industry for using personal information against consumers, saying “our own information, from the everyday to the deeply personal, is being weaponised against us with military efficiency”. You can watch the speech here.

Apple and Facebook made unequivocal commitments to support a comprehensive federal consumer Privacy Act for the United States, with safeguards and protections for personal data equivalent to those enacted this year in Europe as the General Data Protection Regulation (GDPR).

GDPR

GDPR was a significant theme, with commissioners from across Europe sharing their experiences with implementation. Some of those, such as the UK’s Elizabeth Denham and Berlin’s Maja Smoltczyk, will be in New Zealand next month for meetings and will be sharing their GDPR insights at our International Privacy Forum on 4 December.

In addition to the closed and open sessions of the ICDPPC conference, there were many side events. It was simply impossible to attend them all. I made my selections based on the priorities for our office and for New Zealand. I went to briefings on the GDPR; one on the only international treaty on data protection (the Council of Europe’s Convention 108 which has been modernised to 108+); another on privacy and counter-terrorism within the Five Eyes; and one on privacy during a state of emergency (such as the Christchurch earthquakes) and humanitarian need.

I had bilateral meetings with colleagues from the US Department of Justice and the European Commission, as well as with newer members of, or observers to, our conference, including Abu Dhabi and Saudi Arabia.

Several people asked about the much-reported (but poorly understood) reforms to New Zealand’s Customs legislation. I was able to reassure them that rather than representing an unprecedented intrusion, the legal framework is among the most protective of rights around border searches.

Others raised another topical story from our region - Australia’s proposal to require law enforcement access to encrypted data and devices. But it was a subject I was less able to provide a perspective on.

Image credit: The Atomium in Brussels - by Mike Cattell via Flickr

 
