41st APPA Forum — Communiqué
The 41st Asia Pacific Privacy Authorities (APPA) Forum was hosted by the Korea Personal Information Protection Commission in Seoul on 17–18 June 2014. Delegates discussed a wide range of issues over two days. Selected highlights of those discussions follow.
Common themes across the Asia Pacific region
APPA’s 17 member authorities are from Hong Kong, Macao, Korea, Singapore, Australia, New Zealand, United States, Canada, Mexico, Colombia and Peru. While there is diversity in APPA membership, common themes in the members’ work continue to emerge, including the reform of privacy laws, cross-border transfer of personal information, cross-border cooperation, and regulatory tools to enforce privacy laws and encourage compliance. The challenges posed by new technologies and privacy education are also key themes.
Reform of privacy laws
APPA members reported on reforms to privacy and data protection laws in their jurisdictions, including in Korea, Australia, Singapore and Japan. Major reforms to Victorian privacy and information security laws were introduced into Parliament in June 2014, and the New Zealand Government is expected to introduce draft privacy reform legislation for public consultation by April 2015. The ‘personal data protection’ provisions of the Singapore Personal Data Protection Act will come into force in July 2014.
Cross-border transfer of personal information
APPA members discussed a range of measures to protect personal information that is transferred across borders, including privacy principles and laws, ‘white lists’ of jurisdictions that have similar laws for the protection of personal information, international cooperative arrangements and technological solutions such as the encryption and ‘tokenisation’ of personal information.
APPA members continue to collaborate internationally. The meeting reported on important global privacy developments and the work of various international networks, including the International Conference of Data Protection and Privacy Commissioners, the Global Privacy Enforcement Network, the APEC Data Privacy Subgroup and the Cross-border Privacy Enforcement Arrangement.
Representatives from PHAEDRA, a research project to help provide practical cooperation and coordination between privacy and data protection regulators, attended the Forum, discussed European Union data protection regulation and provided a regional perspective on improving international cooperation.
Regulatory tools to enforce privacy laws and encourage compliance
APPA members reported on significant data breaches in their jurisdictions and discussed strategies to assist organisations to prevent these incidents. Discussion also focused on whether APPA member laws provide for mandatory data breach reporting or voluntary reporting schemes.
Members noted a number of enforcement actions in their jurisdictions, and reported that they are using a range of regulatory tools to enforce the law, including enforcement notices, civil and criminal penalties and audits. Members also discussed other tools to encourage compliance and best practice in relation to information handling practices, including ‘privacy by design’ approaches, privacy impact assessments and Privacy Management Programmes.
APPA members were also briefed on the judicial process in Korea by a Judge of the Seoul High Court and privacy regulation in Eastern Europe by the Inspector General for Personal Data Protection, Poland.
Technology continues to be a key theme of APPA forum meetings. APPA members considered the recent Court of Justice of the European Union decision that will require Google to remove some search results that include personal information upon request.
The implications of this development, including the possibility of APPA members engaging with Google and other search engines to discuss this decision, will be further explored, and a report with recommendations will be made at the next APPA forum.
APPA members discussed the privacy implications of big data, open government and open data policies and ‘the internet of things’. Members also outlined a number of issues and enforcement activities related to technologies such as cloud computing, social networking, smart phone applications and geo-location technology.
Education and awareness
APPA members have conducted a range of education and awareness campaigns over the last 12 months. These campaigns have related to major reforms to privacy and data protection laws as well as specific privacy issues such as the online privacy of children and young people and the development of privacy policies.
Members have also held events and hosted online learning modules on privacy awareness and internet security, facilitated networks of privacy professionals in the public and private sectors and conducted surveys and media campaigns.
APPA members confirmed the dates of Privacy Awareness Week (PAW) 2015 as 3–9 May 2015, and discussed APPA’s joint education product on mobile apps privacy released during PAW 2014 (see www.privacyawarenessweek.org).
The 42nd meeting will be hosted in Vancouver, Canada by the Office of the Information and Privacy Commissioner, British Columbia on 1–3 December 2014. The host of the 43rd meeting will be confirmed at that meeting.
The 44th meeting will be hosted in Macao by the Office for Personal Data Protection, Macao in December 2015.
The following member authorities participated in the meeting:
- Personal Information Protection Commission, Republic of Korea
- Office of the Australian Information Commissioner, Australia
- Office of the Information and Privacy Commissioner, British Columbia
- Office of the Privacy Commissioner for Personal Data, Hong Kong
- Korea Internet and Security Agency, Republic of Korea
- Office for Personal Data Protection, Macao
- Office of the Privacy Commissioner, New Zealand
- Personal Data Protection Commission, Singapore
- Federal Trade Commission, United States
- Office of the Victorian Privacy Commissioner, Victoria
Officials from the following Government organisations attended the meeting as observers:
- Consumer Affairs Agency, Japan
- Specific Personal Information Protection Commission, Japan
- Korea Communications Commission, Republic of Korea