36th APPA Forum — Communiqué

APPA members at the 36th APPA forum, Melbourne

The 36th Asia Pacific Privacy Authorities (APPA) forum was hosted by the Office of the Victorian Privacy Commissioner in Melbourne, Australia on 1–2 December 2011.

Participants discussed a wide range of matters over the two days of the meeting. Selected highlights of those discussions follow.

APPA members welcome FTC / Facebook settlement

APPA members discussed the exponential growth in the use of social media sites and welcomed the settlement reached by Facebook and the United States Federal Trade Commission (FTC).  One of the terms of this settlement requires Facebook to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order. These audits must be conducted every two years for the next 20 years.  In future, Facebook must also obtain consumers’ affirmative express consent before enacting changes that override their privacy preferences.

The settlement was strongly supported by APPA members as an important step in strengthening privacy protections for Facebook users.

Privacy Awareness Week Survey results released and PAW 2012

Results of the 2011 Privacy Awareness Week survey on social networking were tabled at the meeting.  The results showed that people value the benefits of social networking, but have concerns about whether they can control who sees information they put on social networking sites.

See the media release "People care about privacy on social networking sites: survey by international privacy commissioners" for more information.

Privacy should not be used as an excuse

Meeting participants expressed concern that many organisations used privacy as an excuse for not sharing personal information when in fact privacy laws allowed them to do so.

Members agreed that the failure to share information when it should be shared can have serious consequences for the individuals concerned. It is essential that organisations ensure their staff are properly trained in the laws that they work to and are then able to make the right decision. This protects the individual and allows the organisation to do its work.


The meeting discussed examples of data breaches involving the personal information of millions of Asia-Pacific citizens. These incidents highlighted the importance of implementing robust security measures to protect both personal information and an organisation’s reputation.

Several members shared information about the way they had handled the recent Sony PlayStation data breach. Participants also discussed the potential for future joint enforcement activities and explored enhancing coordination when investigating similar matters.  These joint enforcement initiatives include the Global Privacy Enforcement Network and the APEC Cross-border Privacy Enforcement Arrangement.

International privacy developments

Members discussed the recent 33rd International Conference of Data Protection and Privacy Commissioners, which was hosted by the Federal Institute for Access to Information and Data Protection (IFAI) in Mexico City from 2–4 November 2011. Members congratulated IFAI on running a successful Conference and welcomed the Mexico City Declaration as an important step in increasing cooperation between data protection authorities.

Privacy is not just about technology, but encompasses many other areas.  For example, the Conference endorsed a practical approach to information sharing in natural disasters and promoted ethical frameworks that enable data sharing.

Cloud computing

Brendon Lynch, Chief Privacy Officer at Microsoft, delivered a presentation about the privacy impacts of cloud computing. While acknowledging the many benefits that cloud computing can offer, members stressed the need for organisations to ensure that they understand the privacy implications of storing information in the cloud, and that any personal information they store in the cloud is appropriately secured.


Mike Thompson, Director of Linus Information Security Solutions, made a presentation to the meeting about the privacy implications of biometric technologies. Attendees agreed that biometric technologies can be useful if they are applied appropriately. They also expressed concerns about the continued unreliability of many biometric technologies and the trend towards the use of centralised databases. A major area of concern is the need to guarantee the security of biometric databases. If these databases are stolen or compromised, identity thieves may gain access to the biometric data of individuals.

Privacy and freedom of expression

APPA members examined how the right to privacy should be balanced against the right to freedom of expression. They noted examples of when these rights would need to be balanced when considering whether an individual’s privacy has been breached.  Participants outlined the extent to which the media and its activities are regulated under data protection laws in their jurisdictions.

Credit reporting

Credit reporting reforms are underway in a number of APPA jurisdictions. Members discussed the benefits and risks of comprehensive credit reporting, and shared information about the different approaches taken to credit reporting in different countries.

Civil society

The meeting was addressed by Georgia King-Siem, Senior Vice-President, Liberty Victoria, on behalf of civil society organisations. Ms King-Siem stated that civil society organisations welcome greater cooperation and increasing standardisation between jurisdictions. They believe that data breach notification is an area of concern and are pushing for a uniform approach to this issue. Civil society groups encourage their involvement in privacy forums, such as APPA, where possible.

Next meeting

The next meeting of the Forum will be hosted by the Office of the Privacy Commissioner for Personal Data, Hong Kong.  It will take place in Hong Kong in June 2012.


The meeting was attended by representatives from:

  • Office of the Australian Information Commissioner, Australia
  • Office of the Privacy Commissioner for Personal Data, Hong Kong
  • Korea Internet & Security Agency
  • Federal Institute for Access to Information and Data Protection, Mexico
  • Office of the Privacy Commissioner, New South Wales
  • Office of the Privacy Commissioner, New Zealand
  • Office of the Information Commissioner, Northern Territory
  • Office of the Information Commissioner, Queensland
  • Federal Trade Commission, United States
  • Office of the Victorian Privacy Commissioner

Representatives from the following organisations joined the meeting as observers:

  • Office for Personal Data Protection, Macao
  • Consumer Affairs Agency, Japan
  • Privacy Committee of South Australia
  • Attorney-General’s Department, Australia