The Personal Data Protection Commission Singapore (PDPC Singapore) hosted the 58th Asia Pacific Privacy Authorities (APPA) forum on 29 and 30 November 2022 in Singapore, with both in-person and virtual attendance. The forum was attended by 17 APPA members across the Asia-Pacific region. A number of observers were also in attendance from around the globe, including other data protection authorities and global forum, together with guests from the think tanks, industry, civil society and trade associations. Over the two days, APPA members, observers and guests shared and discussed on a wide array of global privacy issues, regulatory developments and enforcement experiences, and reconnected with one another for enhanced cooperation and collaborations.
Key themes that were discussed included:
- Cross-Border Privacy Rules. With the expansion of the Cross-Border Privacy Rules (CBPR) from APEC to Global, there is the potential to achieve a global network based on a neutral, inter-operable framework that is implemented at the business-to-business level with the support of governments, promoting free flows of data with trust. Like-minded countries should work together to address practical issues as they bring the Global CBPR forward, including refinement of privacy program requirements as well as enhanced crossborder enforcement cooperation among privacy enforcement authorities.
- Children’s Online Privacy. Amidst the rapid digitalisation of the internet economy today, regulators are expected to create safer zones for children. However, in designing regulatory guidelines and policies, regulators must increase privacy safeguards for children online yet continue to promote the benefits of the digital world and not stifle their curiosity in the process.
- Privacy-enhancing Technologies. Privacy-enhancing technologies (PETs) are an emerging tool within the data protection field that allows businesses to extract insights from data without exposing sensitive or confidential data. This increases opportunities for business-to-business data collaboration, cross border data flows and development of AI systems. Regulators will need to understand this new class of technologies and work with the industry to establish best practices and policy guidelines around PETs.
- Artificial Intelligence. As personal data of individuals is used by businesses to personalise content and search engines, using algorithms to make decisions or recommendations to them, regulators face an increasing need to ensure accountability in how such data is used. Some jurisdictions are looking at comprehensive AI regulations while others are planning to introduce explainability requirements in personal data protection laws. Underlying these approaches is the principle of accountability.
Day One (members-only session before lunch; closed session after lunch)
Mr. Yeong Zee Kin, Deputy Commissioner of PDPC Singapore, opened the 58th APPA Forum and the proceedings commenced with a message from Mr. Lew Chuen Hong, Commissioner of PDPC Singapore, welcoming APPA members to Singapore. Mr. Yeong gave an overview of Day One’s agenda before a roundtable introduction by APPA members both in-person and virtual. The opening formalities ended with the approval of the 57th APPA Forum’s meeting minutes.
The formal agenda began with an update from the Office of the Information and Privacy Commissioner for British Columbia (OIPC British Columbia) in its capacity as APPA Secretariat and Chair of the APPA Governance Committee. This was followed by presentations of reports on the activities of the Communications Working Group and the Technology Working Group.
Members then took turns to present their jurisdiction reports and gave updates on their key privacy developments under three themes: Law Reform & Regulatory Developments; Investigations & Enforcement; and Education and Outreach. A group photo-taking was arranged between the first two themes.
After lunch, the Personal Information Protection Commission, Japan (PPC Japan), presented their data breach notification report on directions of law enforcement to local governments.
Subsequently, in the session on “Guidance on Data Security Measures and Enforcement Strategy by Regulators to Safeguard Personal Data”, the Office of the Privacy Commissioner for Personal Data, Hong Kong, China (PCPD Hong Kong), shared their Guidance Note on Data Security Measures for Information and Communications Technology while PDPC Singapore shared on their enforcement strategy to control unsolicited marketing messages. In the session on “Biometrics Technology”, the Office of the Privacy Commissioner, Canada (OPC Canada), shared on building and maintaining public trust for biometrics at the border, and on voice-ID investigations.
Finally, a roundtable discussion on “Privacy in the Pandemic: Sharing Lessons and Experiences from Enforcement to Guidance” was moderated by Philippe Dufresne, Commissioner, OPC Canada, who was joined by his deputy, the Office of the Australian Information Commissioner (OAIC Australia); PCPD Hong Kong; the National Institute for
Transparency, Access to Information and Personal Data Protection, Mexico (INAI Mexico); PDPC Singapore; and the Federal Trade Commission, United States (FTC United States).
Day One concluded with a discussion of the draft Communiqué and closing remarks by Deputy Commissioner Yeong of PDPC Singapore.
PDPC Singapore hosted a welcome dinner at Flutes Restaurant, located at the National Museum of Singapore, which was attended by the heads of delegation of APPA members; the Ministry of Communication and Information Technology, Indonesia; the Spanish Data Protection Authority; and the Organisation for Economic Co-operation and Development (OECD).
Day Two (closed session before morning tea; broader session after morning tea)
Deputy Commissioner Yeong of PDPC Singapore opened Day Two of the Forum with an overview of Day Two’s agenda, followed by an introduction by the California Privacy Protection Agency on their agency and how their plans may affect the work that APPA members may do.
Next was a panel discussion involving global privacy networks and organisations, who shared updates on their activities, their priorities for the coming year and how APPA members may be involved in their work.
- Global Privacy Assembly (GPA), presented by Josefina Román Vergara, Commissioner, INAI Mexico;
- GPA International Enforcement Cooperation Working Group, presented by Joyce Liu, Senior Legal Counsel (Acting), Head of Global Affairs & Research, PCPD Hong Kong;
- GPA Digital Citizen and Consumer Working Group, presented by Sarah Ghali, Acting Assistant Commissioner, OAIC Australia;
- GPA Data Protection and Other Rights and Freedoms Working Group, presented by Philippe Dufresne, Privacy Commissioner, OPC Canada;
- Global Privacy Enforcement Network, presented by Brent Homan, Deputy Commissioner, OPC Canada;
- Ibero-American Network of Data Protection, presented by Alejandro Londoño Congote, Advisor to the Deputy Superintendent for the Protection of Personal Data, the Superintendence of Industry and Commerce of Colombia;
- APEC Cross Border Privacy Rules (CBPR) System, presented by Guilherme Roschke, Counsel for International Consumer Protection, FTC United States; and
- OECD, presented by Clarisse Girot, Head of Data Governance and Privacy Unit, OECD.
Following the morning tea, four panel discussions spanned the rest of Day Two. First, “From Regional to Global: Bridging the APEC CBPR and the Global CBPR” moderated by Guilherme Roschke, Counsel for International Consumer Protection, FTC United States. The panelists included Akira Nakaminato, Commissioner for International Cooperation, PPC Japan; Haksoo Ko, Chairperson, Personal Information Protection Commission, South Korea (PIPC Korea); Leandro Angelo Y. Aguirre, Deputy Privacy Commissioner, National Privacy Commission, Philippines (NPC Philippines); and Yeong Zee Kin, Deputy Commissioner, PDPC Singapore.
Second, “Safeguarding Children’s Online Privacy: Making it a reality for children to explore, learn and play safely in the digital environment” moderated by Clarisse Girot, Head of Data Governance and Privacy Unit, OECD. The panelists included Elizabeth Hampton, Deputy Commissioner, OAIC Australia; John Henry D. Naga, Privacy Commissioner, NPC Philippines; Elizabeth Denham CBE, Trustee, 5Rights Foundation; and Timothy Ma, Head of International Privacy and Data Protection, Tencent.
Third, “Collaborative Approaches for Regulators and Industry to Establish Best Practices and Policy Guidelines Around Privacy-enhancing Technologies” moderated by Yeong Zee Kin, Deputy Commissioner, PDPC Singapore. The panelists included Haksoo Ko,
Chairperson, PIPC Korea; Clarisse Girot, Head of Data Governance and Privacy Unit, OECD; Josh Lee, Managing Director for APAC, Future of Privacy Forum; Angela Xu, Senior Privacy Counsel for APAC, Google; and Derek Ho, Assistant General Counsel, Mastercard.
The final panel discussion was on “Explainability: Applying the principle of accountability to the regulation of artificial intelligence” moderated by Bojana Bellamy, President, Centre for Information Policy Leadership. The panelists included Philippe Dufresne, Privacy Commissioner, OPC Canada; Lee Wan Sie, Director for Data-Driven Tech, Infocomm Media Development Authority Singapore; Goh Peng Fong, Chief Operating Officer, DBS Bank; Polina Zvyagina, Privacy and Data Policy Manager, Meta; and Laura Gardner, Senior Corporate Counsel, Microsoft; Neal Liu, Chief Commercial Officer, UCare.AI.
The Forum concluded with the release of the Communiqué of the 58th APPA Forum, closing remarks from PDPC Singapore and OIPC British Columbia, and an invitation to the 59th APPA Forum by INAI Mexico.
Commissioner arrivals and departures
The meeting recognised the appointment of Dr Haksoo Ko as the Chairperson of the Personal Information Protection Commission of the Republic of Korea.
APPA members also thanked and acknowledged the contributions of Dr Jong In Yoon, the former Chairperson of the Personal Information Protection Commission of the Republic of Korea.
The 59th APPA Forum will take place in Mexico.
58th APPA Forum attendees
- Office of the Australian Information Commissioner, Australia
- Office of the Information and Privacy Commissioner, British Columbia
- Office of the Privacy Commissioner, Canada
- Superintendence of Industry and Commerce of Colombia
- Office of the Privacy Commissioner for Personal Data, Hong Kong, China
- Personal Information Protection Commission, Japan
- Korea Internet and Security Agency
- Personal Information Protection Commission, Korea
- Office for Personal Data Protection, Macao, China
- National Institute for Transparency, Access to Information and Personal Data Protection, Mexico
- Office of the Privacy Commissioner, New Zealand
- National Authority for Data Protection, Peru
- National Privacy Commission, the Philippines
- Office of the Information Commissioner, Queensland
- Personal Data Protection Commission, Singapore
- Federal Trade Commission, the United States
- Office of the Victorian Information Commissioner
58th APPA Forum Invited Observers and Guests:
- Authority for Info-communications Technology Industry of Brunei Darussalam
- Ministry of Communication and Information Technology, Indonesia
- Spanish Data Protection Authority
- Infocomm Media Development Authority Singapore
- California Privacy Protection Agency
- Directorate-General for Justice and Consumers, European Commission
- Organisation for Economic Co-operation and Development
- 5Rights Foundation
- BSA | The Software Alliance
- Centre for Information Policy Leadership
- The Future of Privacy Forum
- The Law Society of Singapore
- US-ASEAN Business Council
- DBS Bank