Our website uses cookies so we can analyse our site usage and give you the best experience. Click "Accept" if you’re happy with this, or click "More" for information about cookies on our site, how to opt out, and how to disable cookies altogether.
We respect your Do Not Track preference.
The importance of international collaboration in privacy and data protection continues to increase. Our news feeds and inboxes have been filled with the new European data protection regulations, the GDPR, in recent months, as well as compliance and enforcement issues over data giants who cross borders and collect personal information from billions of people.
New Zealand participates in a number of networks which have data protection or privacy as their core connector, or as a component. My staff regularly join telephone conferences with colleagues around the Pacific for the Global Privacy Enforcement Network (GPEN). Assistant Commissioner Blair Stewart is New Zealand’s delegate to the APEC Data Privacy Subgroup, which is this year meeting Papua New Guinea. We participate in initiatives from the Organisation for Economic Co-operation and Development, and last year New Zealand concluded a three year term as Chair of the International Conference of Data Protection and Privacy Professionals.
One forum we haven’t participated in to date is the Council of Europe. Obviously enough, you might say – we are after all about as far from Europe as it is possible to be!
The Council of Europe is Europe’s leading human rights institution with 47 member states (compared with 28 members of the European Union).
The Council of Europe’s headquarters in Strasbourg, France.
The Council is home to the only international treaty on data protection, the “Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data”, known as Convention 108. Signatories to the Convention undertake to enact local laws meeting their treaty commitments. It has been a slow burner. It has been open for accession since 1981, but only a handful of non-European nations have signed up. However in recent years the pace has picked up. Recent accessions include Mauritius, Mexico, Cabo Verde, Tunisia, and Uruguay, with Morocco, Burkina Faso, and Argentina invited to join.
New Zealand applied for and gained “observer” status in 2017, and last month I attended the 36th Plenary Meeting of the Committee of Convention 108 as part of a process to investigate whether I should recommend that the New Zealand Government apply to accede to the convention.
The opening of the 36th Plenary Meeting of the Committee of Convention 108.
The meeting was held in Strasbourg, France, headquarters of the Council of Europe, and European Parliament. It was a working meeting, at which members and observers debated the detail of recommendations and papers ranging from artificial intelligence (something of a theme in for 2018 in international data protection circles) to the protection of health data, and the relationship between the convention and other arrangements for international cooperation such as the Conference of Data Protection and Privacy Commissioners, and the Internet Corporation for Assigned Names and Numbers.
A Strasbourg street in the evening.
Most interesting for me was the presence of a wide range of non-European state observers (the committee also approves non-governmental observers such as Privacy International, the Privacy Foundation, and The International Committee of the Red Cross).
This year the Convention has been modernized and updated, and the new convention (108+) will soon be open for signature.
Representatives from Africa, Asia and South America were present to participate in the proceedings in Strasbourg and find out about the effects of 108+ and its relationship with the GDPR. Some, such as Korea and Japan are in the process of seeking adequacy status with European rules (which New Zealand achieved in 2012) and were interested in determining whether they should also accede to 108+. Argentina, which like New Zealand also has adequacy status, is interested in studying 108+ and possibly signing up as a commitment to maintaining adequacy (all EU adequate countries will be subject to a “post-GDPR” review within the next 4 years). Israel, also adequate, is looking at 108+ for similar reasons. Ghana and Senegal are interested in demonstrating their commitment to human rights, but are also looking at 108+ because of the economic benefits that come with opening up their countries to the world. Mauritius, also driven by business demands to freely trade with Europe, acceded to the 108 and committed to 108+.
New Zealand’s seat at the Council of Europe. The Council granted New Zealand “observer” status in 2017.
There are a number of gaps in international law at the moment that complicate international trade in the digital economy. Convention 108+ has potential to fill some of those gaps and set a new international standard. The current state of New Zealand law would prevent us from taking on the legal obligations of 108+, but with the Privacy Bill currently before the Justice Select Committee, we have a singular opportunity to bring our law closer to what may well emerge as a benchmark.
My trip to Strasbourg was opportunistic, in that it coincided nicely with the 49th Asia Pacific Privacy Authorities (APPA) meeting in San Francisco. Hosted by the US Federal Trade Commission, delegates took the opportunity of the proximity of Silicon Valley to hear about emerging issues in data protection and privacy in tech, with artificial intelligence again high on the agenda.
A presentation at the 49th Asia Pacific Privacy Authorities (APPA) meeting in San Francisco.
While we were there, California (the fifth largest economy in the world!) passed a privacy law comparable to those in Europe and its northern neighbours.
More info: "Big Tech Plans to Fight Back Against California's Sweeping New Data Privacy Law"
In addition to the formal APPA proceedings (which my colleague General Counsel Jane Foster will be posting about shortly) these meetings always represent an opportunity to catch up with representatives from Google, Apple (including a very special visit to their extraordinary new headquarters) and Facebook.
The Facebook meeting was the first opportunity to discuss with senior executives, the jurisdictional issues which became disputed in New Zealand earlier in the year. It is very good to see that from 14 July the terms and conditions under which Facebook provides services to New Zealand citizens will include a provision noting the company’s commitment to applying the law in the jurisdiction of operation.
Read Facebook’s new terms and data policy
An advertisement for Facebook that I spotted in San Francisco
