54th APPA Forum — Communiqué

The 54th meeting of the Asia Pacific Privacy Authorities (APPA) was hosted in Melbourne this week. The discussion focused on the following key themes:

  • Privacy implications of the COVID-19 pandemic. Although responses to the pandemic have required strong action by governments to protect the community, these actions must be proportionate to the harm they are seeking to address and need not come at the expense of respect for the protection of personal information. Privacy authorities should continue to provide pragmatic and contextual advice about how to appropriately balance these issues.
  • Facial recognition and artificial intelligence. Asia Pacific privacy regulators are responding to the increasing utilisation of facial recognition and artificial intelligence technologies through cross-jurisdictional collaboration and the development of new policies and guidance to protect privacy by design.
  • The future of privacy frameworks. Community expectations about privacy continue to change, while the amount of information collected by organisations and the ways that it can be collected, used and disclosed is growing. Governments must find ways to protect privacy as technological change accelerates, and in order to meet community expectations of strong privacy protection.

The authorities resolved to continue to work collaboratively to address these and other issues as they arise in the Asia-Pacific region.

Background

The Office of the Victorian Information Commissioner (OVIC), Australia, hosted the 54th Asia Pacific Privacy Authorities (APPA) Forum from 8 – 10 December 2020. This was the second APPA Forum to be held virtually, due to COVID-19.

Over three half days, APPA members and invited guests discussed global privacy trends and developments; exchanged policy and regulatory experiences, including in relation to COVID-19; and sought opportunities for cooperation on enforcement activities.

The Forum was organised with the support of the APPA Governance Committee and was attended by all 19 APPA member authorities and eight observers.

Day one (Members only sessions)

Information Commissioner Sven Bluemmel opened the 54th APPA Forum, welcoming members to the virtual meeting. A Welcome to Country was performed, acknowledging the Wurundjeri people of the Kulin nation as the traditional owners of the land on which OVIC is based.

The formal agenda began with an update from the Office of the Information and Privacy Commissioner for British Columbia in its capacity as APPA Secretariat and Chair of the APPA Governance Committee. This was followed by the presentation of reports on the activities of the three APPA Working Groups – the Communications Working Group, Technology Working Group and Comparative Privacy Statistics Working Group.

Members then presented updates from their jurisdictions, speaking about recent developments under the themes Law reform and regulatory changes, Guidance and advice in response to COVID-19, Misuse of personal information and Investigations and notable complaints.

Following the jurisdiction reports was a session on facial recognition technology, including presentations by four member authorities on recent matters in their jurisdictions. This included a discussion of meaningful remedies, both to compensate individuals whose privacy has been compromised by the use of facial recognition technology and to act as an incentive for organisations who develop or deploy such technologies to do so in a way that respects privacy.

APPA members acknowledged that while facial recognition technology can have benefits, it can also have significant and adverse impacts on individuals’ privacy and other human rights. This unique technology has the capability to enable the mass collection of biometric personal information, which can be used in unauthorised ways that pose substantial risks to individuals’ privacy and lead to intrusive surveillance. APPA members recognise the growing need for regulators to engage in informed and effective oversight in the deployment of facial recognition technology. This can mitigate the risk of harm to privacy before the legal and ethical challenges associated with the technology become too great to overcome.

Day one concluded with closing remarks from OVIC.

Day two (Members only and closed sessions)

Day two began with member reports on data breach notifications in their jurisdictions and lessons learned, and a presentation from the Office of the Privacy Commissioner, New Zealand on its privacy breach reporting tool.

This was followed by sessions on reflections and lessons from the response to COVID-19, with discussions on the operational impacts of COVID-19 on member authorities, and contact tracing efforts. These sessions highlighted the ongoing importance of protecting privacy in the face of new and unprecedented challenges, including public health emergencies such as COVID-19. The global situation has also highlighted the benefits and importance of international platforms and networks such as APPA, which have provided governments and regulators alike with the opportunity and means to collaborate and learn from each other’s experiences.

Next were presentations on global privacy developments and networks, including updates on the activities of the:

  • Global Privacy Assembly, presented by the Office of the Australian Information Commissioner and Office of the Privacy Commissioner, Canada;
  • Global Privacy Enforcement Network, presented by the Office of the Privacy Commissioner, Canada, Office of the Information and Privacy Commissioner for British Columbia, and Office of the Privacy Commissioner, New Zealand;
  • Ibero-American Network of Data Protection, presented by the National Institute for Transparency, Access to Information and Personal Data Protection (INAI), Mexico; and
  • Asia-Pacific Economic Cooperation’s (APEC) Cross Border Privacy Rules System, presented by the Federal Trade Commission, United States.

Other matters discussed on day two included the Enforcement Cooperation Handbook and sessions on the future of remote work and learning. Discussions covered the privacy and security challenges of working remotely, and the impacts of remote learning tools on children’s privacy. These sessions recognised that COVID-19 has changed the way we work and learn, possibly forever, and provided APPA members with the opportunity to share learnings from their jurisdictions regarding the associated privacy challenges and their efforts to manage them.

Day two ended with a virtual social event, providing an opportunity for delegates to meet each other through informal group discussions.

Day three (Closed session)

The third day of the Forum commenced with a discussion of cultural attitudes towards privacy. This session provided an insight into different cultural perspectives on privacy and the influences that affect the way individuals from different backgrounds think about their privacy. The discussion highlighted that privacy can mean something different to different groups, and that our privacy laws may not necessarily reflect community expectations of how their personal information should be protected.

Other sessions on day three included updates from member authorities on developments in artificial intelligence in their jurisdictions; a presentation from the Office of the Privacy Commissioner, New Zealand on its compliance and regulatory action framework and an own motion inquiry into credit reporting practices; and a discussion on the future of privacy frameworks.

As part of the item on the future of privacy frameworks, member authorities presented on recent or proposed law reform activities in their jurisdictions, and how these laws or proposals are advancing privacy protections for individuals. In this session, APPA members highlighted important shifts in privacy regulation that are taking place, or should take place, to ensure that privacy protections endure in our ever-changing society.

The Forum ended with the release of the APPA 54 Communiqué, a presentation on APPA 55, and closing remarks from OVIC and the APPA Secretariat.

Commissioner arrivals and departures

The Forum acknowledged the following Commissioner appointments among member authorities:

  • Mr Lew Chuen Hong, Personal Data Protection Commission, Singapore
  • Ms Ada Chung Lai-ling, Office of the Privacy Commissioner for Personal Data, Hong Kong, China
  • Mr Jong In Yoon, Personal Information Protection Commission, Korea

Next meeting

The 55th APPA Forum is scheduled to take place in June 2021, to be hosted by the Personal Information Protection Commission, Korea.

54th APPA Forum attendees

Office of the Australian Information Commissioner, Australia

Office of the Information and Privacy Commission, British Columbia

Office of the Privacy Commissioner, Canada

Superintendence of Industry and Commerce of Colombia

Office of the Privacy Commissioner for Personal Data, Hong Kong, China

Personal Information Protection Commission, Japan

Korea Internet and Security Agency

Personal Information Protection Commission, Korea

Office for Personal Data Protection, Macao SAR, China

National Institute for Transparency, Access to Information and Personal Data Protection, Mexico

Information and Privacy Commission, New South Wales

Office of the Privacy Commissioner, New Zealand

Office of the Ombudsman, Northern Territory

National Authority for Data Protection, Peru

National Privacy Commission, Philippines

Office of the Information Commissioner, Queensland

Personal Data Protection Commission, Singapore

Federal Trade Commission, Unites States

Office of the Victorian Information Commissioner

54th APPA Forum observers

Organisation for Economic Cooperation and Development

Office of the Information Commissioner, United Kingdom

Office of the Privacy Commissioner, Bermuda

Office of the Health Complaints Commissioner, Victoria

South Australia Privacy Committee

Office of the Information Commissioner, Western Australia

Ministry of Digital Economy and Society, Thailand

Ministry of Post and Telecommunications, Laos