The 56th APPA Forum hosted by the Office of the Information and Privacy Commissioner for British Columbia

The Office of the Information and Privacy Commissioner for British Columbia (OIPC-BC) hosted the 56th Asia Pacific Privacy Authorities (APPA) forum from November 30-December 2, 2021.

The forum was attended by 18 APPA members. A number of guests were also in attendance from around the globe, including other data protection authorities, and observers from industry, government, academia, and civil society.

Over three days, members discussed several common privacy issues and enforcement challenges, shared their knowledge and experience, and continued to build relationships with a view towards enhanced cooperation.

The discussions focused on the following key themes:

  • Enabling cross border data flows. The free flow of data with trust between jurisdictions is foundational to economic growth and social development. There are different legal instruments and systems in place, both at the national and international level, that address the cross-border transfer of personal information. These arrangements seek to ensure adequate protection of personal information based on common privacy rules and high standards. The enforcement of these standards relies on the work of data protection authorities.
  • Guidance and Enforcement. The use of guidance to help organizations understand and implement data protection laws is a common practice among regulators. Guidance outlines the expectations and articulates the regulators’ general views and is intended at ensuring consistency. At the same time, regulators are charged with enforcing the rules upon which that guidance is based. This can present a tension for regulators. While they try to point organizations in the right direction, ultimately those organizations remain accountable for their activities and compliance with data protection laws.
  • Virtual Health Care. Medical services are becoming increasingly available through online tools and devices. This trend has become more pronounced due to the physical distancing requirements brought on by the pandemic. While these services represent new opportunities for care, they also involve the processing of new personal information. Understanding the privacy implications of these new tools is important for ensuring that they can be used in a manner that does not compromise patient privacy.
  • The COVID-19 pandemic. Privacy issues and concerns related to the pandemic are an ongoing consideration for APPA members. In this forum and in others, members discussed the privacy implications of different technologies and processes meant to understand and counter the spread of COVID-19. Privacy considerations and oversight are important to build trust in the actions undertaken by governments and organizations in response to the pandemic.

Day One (Members-only sessions)

The forum opened with a traditional welcome from a Songhees First Nation elder, on whose traditional territories the OIPC-BC is located.

The focus of Day One was on APPA’s standing agenda items. Members agreed to re-appoint the OIPC-BC for an additional term as APPA Secretariat and chair of the Governance Committee.

Members also reviewed the structure of the APPA Governance Committee. The Committee was created five years ago to support and help guide the work of the forum. The Committee is composed of the Chair, the two upcoming forum hosts, and the convener of each working group.

The focus of Day One was on jurisdiction reports. Members gave a short update on a key privacy development in their area. These updates were organized into four categories: COVID-19 related matters; investigations and enforcement; law reform; and education and outreach. The updates provided a broad overview of recent issues and work being done across the region.

Members also heard presentations on data breach notification reporting, and on technical approaches and laboratory capabilities that can help support both policy and compliance efforts.

Day Two (Members-only and closed sessions)

Many APPA members take part in or lead other privacy networks and organizations. At the outset of Day Two, several members gave updates on these groups and their initiatives, some of which impact members and their jurisdictions or provide opportunities for collaboration.

The global privacy landscape was also featured with a presentation on China’s new data protection law, and a session on current frameworks and initiatives for transferring personal data across jurisdictions.

The focus for the latter half of Day Two shifted to more specific privacy matters. Physical distancing requirements have brought greater emphasis and attention to virtual health care services. Members heard presentations on the extent to which one such service complies with health information law, and on guidelines for the use of telemedicine in response to COVID-19.

One of the common measures used to protect personal data, including health information, is de-identification. While there are concerns about a potential reduction in the utility of such data, de-identified data sets can be used safely and effectively. This was the focus on a session on how to safely use and link pseudonymized data.

When personal information is shared, particularly online, it involves certain privacy risks. The session also covered the risk of identity-based harm in the digital environment.

Finally, the Future of Privacy Forum, which has recently opened an office in the Asia Pacific and engaged with several APPA members, gave an update on some of its work in the region.

Day Three (Closed sessions)

On the final day of the forum, APPA members and other data protection authorities were joined by guests from industry, academia and civil society.

APPA members heard from the Centre for Information Policy Leadership on their recent white paper, which focuses on organizational accountability in data protection enforcement.

APPA members and other data protection authorities commonly issue guidance to help organizations understand and follow requirements in their jurisdictions. At the same time, those regulators are charged with enforcing those requirements. How to effectively balance this tension was discussed by a panel of members.

The focus then returned COVID-19 and its impact on privacy. Members heard about a recent report from the University of Toronto’s Citizen Lab, which examined the technological tools deployed in response to the pandemic, whether privacy and other laws impeded that response, and the consequence of reforming those laws in anticipation of future emergencies.

Having had an overview of developments and ongoing issues, the final session of the agenda looked forward to the future of privacy regulation. Commissioner McEvoy led a discussion on this topic that featured Blanca Lilia Ibarra Cadena, the Commissioner President of the National Institute for Transparency, Access to Information and Personal Data Protection of Mexico; Elizabeth Denham, CBE; and Jane Horvath, Chief Privacy Officer of Apple Inc.

Commissioner arrivals and departures

The meeting recognized the following appointments in member authorities:

  • Appointment of Lina Khan as Chair of the Federal Trade Commission.
  • Renewal of Angelene Falk’s appointment as Commissioner of the Office of the Australian Information Commissioner.
  • Appointment of Liz MacPherson as Deputy Privacy Commissioner of the Office of the Privacy Commissioner, New Zealand. Ms MacPherson will be assuming the functions of the New Zealand Privacy Commissioner from 10 December 2021 until the position is filled.
  • APPA members also thanked and acknowledged the contributions of Commissioners Philip Green, from the Office of the Information Commissioner, Queensland, and John Edwards, from the Office of the Privacy Commissioner of New Zealand, who are moving on from their current appointments.

Next meeting

Planning is underway for the 57th APPA Forum.

56rd APPA Forum attendees

  • Federal Trade Commission, USA
  • Information and Privacy Commission, New South Wales
  • Korea Internet and Security Agency
  • National Authority for Data Protection, Peru
  • National Institute for Transparency, Access to Information and Personal Data Protection, Mexico
  • National Privacy Commission, Philippines
  • Office of the Australian Information Commissioner
  • Office of the Information and Privacy Commissioner, British Columbia
  • Office of the Information Commissioner, Queensland
  • Office of the Privacy Commissioner of Canada
  • Office of the Victorian Information Commissioner
  • Office for Personal Data Protection, Macao SAR, China
  • Office of the Privacy Commissioner, New Zealand
  • Personal Data Protection Commission, Singapore
  • Personal Information Protection Commission, Japan
  • Personal Information Protection Commission, Korea
  • Office of the Privacy Commissioner for Personal Data, Hong Kong, SAR, China
  • Superintendence of Industry and Commerce, Colombia

The following organizations and guests attended the meeting as observers:

  • Apple Inc.
  • Beijing Institute of Technology
  • Centre for Information Policy Leadership
  • Citizen Lab, University of Toronto
  • Elizabeth Denham, CBE
  • Future of Privacy Forum
  • Ministry of Communications and Informatics, Indonesia
  • Office of the Information and Privacy Commissioner of Alberta
  • Office of the Privacy Commissioner of Bermuda
  • Personal Data Protection Authority of the Republic of Turkey
  • Thammasat University
  • United States Department of Justice