38th APPA Forum — Communiqué

APPA members at the 38th APPA forum, San Francisco

The 38th Asia Pacific Privacy Authorities (APPA) forum was hosted by the United States Federal Trade Commission, chaired by Commissioner Edith Ramirez, in San Francisco, California, USA, on December 3–4, 2012.

Participants discussed and agreed on actions for a wide range of cross-border policy, education and enforcement issues over the two days of the meeting.  Selected highlights of those discussions and agreed actions follow.

Data Breach Notifications

A number of agencies expressed their support for mandatory data breach notification laws. After a discussion of different experiences, participants noted that many data breaches are the result of internal controls problems. Recent changes to strengthen California’s data breach notification statute were noted.

Global Privacy Developments and Enforcement

APPA members received updates on the Global Privacy Enforcement Network (GPEN) and the APEC Cross-Border Privacy Enforcement Arrangement (CPEA), and discussed specific examples of enforcement cooperation in action among members of these networks. Members were encouraged to join GPEN and use the cooperation tools it offers. Members also received an update on an APEC Enforcement workshop, to be held in New Zealand in July 2013.

APPA also discussed updates on the International Conference of Data Protection and Privacy Commissioners (ICDPPC) Enforcement Cooperation Working Group, which has issued a set of principles to guide enforcement cooperation. An enforcement cooperation meeting consistent with these principles is planned to take place in Washington, DC, around the March 2013 International Association of Privacy Professionals (IAPP) meeting.

Global Privacy Enforcement Network

APPA members received an update on the activities of the Global Privacy Enforcement Network (GPEN), including its initiatives to further facilitate and improve global privacy enforcement cooperation.

Update on International Conference of Data Protection and Privacy Commissioners

Members also received an update on the ICDPPC, which was held in Punta del Este, Uruguay, October 23–24, 2012. The main agenda item for the conference was profiling, and members received an update on the Uruguay declaration on profiling, the resolution on cloud computing, and a resolution on the “future of privacy” calling for increased global enforcement and policy cooperation.

Privacy Awareness Week 2013

APPA members received recommendations from the Communications Working Group regarding the development of an infographic for coordinated deployment by member authorities during Privacy Awareness Week in early May 2013. APPA members supported the idea and agreed to accept the recommendations of the Communications Working Group.

Privacy and Technology Working Group Report

The Privacy Commissioner for Hong Kong delivered the report of this working group, noting privacy related developments at Internet Corporation for Assigned Names and Numbers (ICANN) and the participation of certain APPA members in a joint letter to Google regarding its privacy policy changes.

Cross-Border Interoperability

APPA members discussed the development of voluntary but enforceable codes of conduct, such as the APEC Cross-Border Privacy Rules, as a mechanism for promoting interoperability between different privacy regimes. Several agencies reported that their statutes permitted them to develop codes of conduct, and some were developing such tools. Others were awaiting government decisions as to their participation in the APEC system. The United States reported on the Obama Administration’s multi-stakeholder discussions to develop a mobile privacy code of conduct, coordinated by the U.S. Commerce Department.

Outside Speakers

APPA attendees interacted with local outside speakers from the technology sector, privacy advocacy organizations, and academia, on a variety of privacy issues, including mobile privacy, comprehensive data collection, and Do Not Track. APPA members also visited the office of a major Internet company, and engaged in a fruitful discussion with its engineers, privacy professionals, and product and advertising staff.

Next meeting

The next meeting of APPA will be in July 2013 in New Zealand, and is planned to be held in conjunction with an APEC enforcement workshop.

Participants

The meeting was attended by representatives from:

  • Office of the Australian Information Commissioner
  • Office of the Victorian Privacy Commissioner
  • Office of the Privacy Commissioner, Canada
  • Office of the Information & Privacy Commissioner, British Columbia
  • Office of the Privacy Commissioner for Personal Data, Hong Kong
  • Korea Internet & Security Agency
  • Personal Information Protection Commission, Korea
  • Office for Personal Data Protection, Macao, China
  • Federal Institute for Access to Information and Data Protection, Mexico
  • Office of the Privacy Commissioner, New Zealand
  • Federal Trade Commission, United States

Representatives from the following organizations joined the meeting as observers:

  • Attorney General’s Office, California
  • Consumer Affairs Agency, Japan