Update from 51st Asia Pacific Privacy Authorities Forum in Japan

The Asia Pacific Privacy Authorities (APPA) is an important forum for progressing regional collaboration on matters of direct relevance to the work of the Office of the Australian Information Commissioner (OAIC).

Australian Information Commissioner and Privacy Commissioner Angelene Falk and Assistant Commissioner Melanie Drayton attended the 51st APPA Forum in Tokyo from 29 to 30 May 2019.

The Forum hosted 14 APPA member authorities and guest speakers from the US Department of Commerce, EU data protection authorities and the Chair of the European Data Protection Board, as well as regulated global entities.

Cross border privacy

APPA members were briefed by representatives from TrustArc (US) and JIPDEC (Japan). Both organisations are ‘accountability agents’ responsible for assessing compliance with the APEC Cross Border Privacy Rules (CBPR) system. The OAIC is currently working with the Attorney-General’s Department to implement the APEC CBPR system in Australia, which includes the selection of accountability agents.

Trust marks and certification

Privacy and data protection authorities from Singapore and New Zealand shared their experiences of implementing certification and trust mark schemes. The New Zealand trust mark is awarded by the Privacy Commissioner to a product or service which warrants recognition for excellence in privacy. The Singapore Data Protection Trust Mark helps organisations verify their conformance with personal data protection standards and best practice. The OAIC will continue to monitor the implementation of these schemes as part of its consideration of a possible certification scheme for Australian entities.

Digital Platforms

The meeting also considered privacy and data protection in relation to digital platforms. The Information Commissioner’s Office (UK) briefed members about its consultation on a Code of Practice to help protect children online. The Code will help inform the OAIC’s work on a binding code for digital platforms.

Other topics

• Implementation of the General Data Protection Regulation (GDPR) including a presentation from the European Data Protection Board (EPDB), which contributes to the consistent application of the GDPR, and the Commission nationale de l'informatique et des libertés (CNIL), the data protection authority in France
• Data portability and open banking, with a number of APPA members expressing interest in the implementation of the Consumer Data Right in Australia as similar mechanisms are being considered in their jurisdictions, including in Canada and Singapore
• Terrorism and social media, which covered the Christchurch Call to Action and legislative responses following the mosque shootings of 15 March 2019. Commissioner Falk briefed the meeting on the passage of the Criminal Code Amendment (Sharing of Abhorrent Violent Material) Act 2019
• Artificial intelligence (AI) – including the development of the OECD AI principles and similar ethical frameworks in APPA jurisdictions
• Data breach notification – APPA members shared their experiences of mandatory data breach notification schemes as well as strategies to address increases in workload

For more information about the 51st APPA Forum, including the issues that were discussed, see the Communiqué.

International Seminar on Personal Data – a G20 Summit Side Event

Commissioner Falk also addressed the ‘International Seminar on Personal Data – The Creation of Global Free Flow of Personal Data with Adequate Protection’ G20 Summit Side Event, which followed the APPA forum. The Seminar was attended by data protection regulators, privacy experts and representatives from government and business from around the world.

Commissioner Falk spoke on the role of stakeholders in establishing trust in the data economy. Her speech emphasised that regulators must ensure trust in the system of oversight, protect personal information wherever it flows, and collaborate with other data protection authorities around the world to ensure consistency in policy, guidance and enforcement.

The Commissioner outlined developments in Australia such as the proposed binding code for digital platforms, the Australian Government Agencies Privacy Code, the Notifiable Data Breaches scheme and collaborating with the Australian Competition and Consumer Commission on the Consumer Data Right. The Commissioner noted how these laws, policies and practices can all contribute towards better protection of personal information and help build trust in the digital economy.

Topics covered by other speakers included the mechanisms under the GDPR for personal data transfer outside the EU; use of certification schemes in the context of cross border data flows that also ensure trust; and how the interoperability of data protection laws and schemes should be the focus of governments and data protection authorities into the future. In this regard, Japan and the EU’s recent mutual recognition of each other’s laws was noted as a model that bridges the APEC and EU systems.

Side meetings

Outside the APPA Forum and International Seminar on Personal Data, Commissioner Falk met international counterparts to discuss mutual assistance and information sharing, international cooperation mechanisms, and ongoing investigations and enforcement matters. Privacy and data protection were also a focus in the Commissioner’s meeting with Australia’s Ambassador to Japan, the Hon Richard Court AC.