The Nymity team recently had the pleasure of attending the 39th International Conference of Data Protection and Privacy Commissioners (ICDPPC) in Hong Kong. This was the first time in nearly 20 years that this type of conference took place in Asia, marking a very significant milestone.
The conference brings together over 80 DPAs from across the globe, providing a forum for discussion and the sharing of techniques and ideas regarding various approaches to privacy and compliance.
In today’s blog, we will take a look at the four main themes of the conference. In the second part of this two-part series, we will share the biggest takeaways from the conference’s side events, including Nymity’s workshop on “Demonstrating Compliance to Regulators”, and the CIPL Industry Roundtable.
Theme 1: Data Privacy in Asia
Data Privacy in Asia is becoming an increasingly important topic of discussion. Though the EU has been leading the charge in developing global standards for data processing, legislation in Asia is also rapidly changing to support ethical processing practices.
During the conference, the Hong Kong Privacy Commissioner, Stephen Kai-yi Wong, touched on the idea that we are moving from an era of Information Technology to an era of Data Technology. In order to effectively make this transition, in his opinion, it is critical that good privacy legislation is in place. Commissioner Wong elaborated on the fact that Hong Kong has its own basic law that is somewhat separate from China. Included in this separate, basic law is a respect for civil rights, including the right to privacy.
While the right to privacy as we know it in the West does not currently exist in China, the concept is something that is commonly held within Chinese culture. Mr. Li-ming Wang, from the Renmin University of China, explained that though the constitution does not recognize this legal construct, the civil code in China is currently under revision, and the revised version will recognize the right to privacy for Chinese citizens. In Mr. Wang’s opinion, this discrepancy can be helpful since the constitution can only be interpreted by the People’s Congress, but the civil code can be applied by the courts.
Later, we heard from the privacy commissioner of Japan (Japan has recently become a full member of the ICDPPC, with voting rights), from Macau and from the Philippines, where a great deal of time and effort has gone into educating citizens on both data protection and tech-savviness.
While many speakers stressed that the right to privacy was inspired by the West, they were sure to state that its application in Asia will be implemented in accordance with Eastern traditions.
Theme 2: Notice and Consent in Latin America
The Standards of Personal Data Protection in Latin America was recently released and made available to the public. Historically, privacy legislation in Latin nations has been heavily consent-based, and in many cases, consent has been the only legal basis for processing data. This has left very little room for any other legal bases, for instance, legitimate interest. This new legislative document, however, makes many suggestions for revisions, and presents itself as an important way forward, modelling the drafting of legislation for nations new to privacy protection.
Theme 3: Cross-Border Data Transfer - The Global Regulatory Landscape
Jane Horvath, Sr. Director, Global Privacy Law and Policy for Apple, presented the conference with a very direct, straightforward discussion about data localization laws. In her opinion, these laws have become very disjointed from their original aim. The question she posed was this: Is it best for the law to determine where data is stored, or is it better if the engineers decide how to provide the subject with the fastest and most secure experience?
Nigel Cory, Trade Policy Analyst for the Information Technology and Innovation Foundation, stated that in many countries that have enacted data localization laws, research is proving that the data is far safer when kept inside their borders. In his opinion, security is best protected when law enforcement retains access to the data.
Adequacy and Data Transfer in the GDPR
During this portion of the discussion, we heard from Bruno Gencarelli, Head of International Data Flows and Protection Unit of the European Commission, and Nymity’s own Jennifer Stoddard, Regulator Advisor for the Demonstrating Compliance Project and former Privacy Commissioner of Canada.
An increasing number of countries are joining the EU in drafting legislation that supports privacy as a fundamental human right. As the EU continues to work with stakeholders to expand methods of safe data transfer, including the new certification instruments introduced by the GDPR, cross-border privacy will also begin to play a role, in addition to partial adequacy agreements like Privacy Shield.
While adequacy remains the gold standard for enhancing international data flows, Ms. Stoddard affirmed that she believes more transparency would be welcomed, especially in relation to the third country assessments that are drawn up by the EU. Discussions need to be had surrounding how data can be used for national security purposes with mutual respect for subjects’ safety. Adequacy should not simply be looking in the mirror - it’s the identification of fundamental issues that need to be taken into account. With more and more countries and regions relying on adequacy decisions to allow cross-border data transfers, adequacy is no longer a one-way street.
Theme 4: Challenges of New Technology - Focusing on Ethics by Design in AI
Looking forward into the future of data processing, there is a high likelihood that we will increasingly need to rely on Artificial Intelligence (AI) for cyber security efforts. Legislation needs to ensure that people will come first, and enhance the accountability and transparency of data stewardship.
Here we heard from Martin Abrams, Chief Strategist and Executive Director of the Information Accountability Foundation. The organisation recently released the Ethics Product Package, including a policy paper, “Essential Elements of Accountability for AI Learning”. In the paper, it is suggested that all accountability documents and worksheets will need to be updated to reflect how these operations would be ethically managed through AI. In order for this to take place, it is critical to develop a clear definition of “ethics” in data processing.
The big question that needs to be asked is: How does a company go from high level guiding principles to an objective? How can we align stewardship, values, and direction?
The discussion on AI and ethical data processing kicks off a year of discussions around related issues, culminating in next year’s 40th International Conference of Data Protection and Privacy Commissioners in Brussels, jointly hosted by the European Data Protection Supervisor and the Bulgarian Data Protection Commissioner. Updates will be available throughout the year at http://www.privacyconference2018.org and https://www.icdppc.org.
ICDPPC Part 2
In our next blog post, we will detail some of the side events that took place at the conference. In particular, we will take a close look at Nymity’s workshop, “Demonstrating Compliance to Regulators”, as well as the CIPL Industry Roundtable.