55th APPA Forum — Communiqué

The Personal Information Protection Commission (PIPC) of the Republic of Korea hosted the 55th Asia Pacific Privacy Authorities (APPA) Forum on 16 to 18 June 2021. A wide range of issues were discussed at the Forum in response to a rapidly changing landscape where both data protection and safe use of data have become increasingly important in the digital economy, especially in the post Covid-19 recovery. The key themes discussed at the Forum are as follows:

  • The new normal post Covid-19. Although effective responses to the pandemic require the use of sensitive data of individuals such as health data, appropriate safeguards must be put in place to protect personal data, including by adhering to key data protection principles such as data minimisation, use limitation, data security and transparency. Public authorities processing vaccine passports and vaccine certificates that include individuals’ health data must also follow such principles. Discussion should also continue to prepare for the new normal post Covid-19.
  • Use of emerging technologies and engagement with industry. APPA members shared the view that engagement with industry is essential to ensuring the protection of personal data in a rapid transition to digital economy that comes along with the increased use of emerging technologies such as artificial intelligence, digital identity and biometrics. Joint efforts will also continue across the Asia Pacific Region to ensure that the use of new technologies is in compliance with key data protection principles and to engage with controllers to encourage them to adapt to a changing regulatory landscape by supporting policy making and issuing guidelines.
  • Children’s and adolescents’ privacy. APPA members have shared the view that online services are now accessible to children and adolescents at younger ages, requiring stronger protections to counter increasing threats to privacy of underage users. Discussion should continue to come up with ways to protect underage users in the online environment by developing guidelines and programmes to promote and raise their awareness of privacy.
  • Formulating global standards in data protection. APPA members observed that ongoing and/or future modifications of data protection legal frameworks in their jurisdictions should ensure interoperability with global frameworks in the digital market and facilitate cross-border data flows. They acknowledged the importance of strong, globally aligned powers to effectively regulate the digital economy. APPA members recognised the value of interoperable data portability regimes, that offer commensurate privacy protections for consumers, wherever their personal data flows. They also acknowledged the importance of data protection authorities being provided with effective regulatory powers, as with the case of PIPC Korea whose status has been elevated to that of a ministerial-level government agency through the recent amendment to its Personal Information Protection Act. The introduction to developing a global data protection index and a global data safe-utilisation index, in particular, paved the way for further discussion about how to promote global interoperability among data protection frameworks and the safe use of personal information.

Background

The APPA Forum founded in 1992 brings together privacy authorities in the Asia Pacific region, giving them an opportunity to strengthen cooperation, discuss best practices, and share information on emerging technology, trends, etc.

The 55th APPA Forum was the third APPA Forum to take place virtually due to the Covid-19 pandemic, and was attended by APPA members and five invited speakers.

Day One (Members only sessions)

PIPC Chairperson Jong-In Yoon opened the 55th APPA Forum and welcomed APPA members to Korea. Prime Minister Boo Kyum Kim also gave welcoming remarks on behalf of the Korean government in celebration of the first international conference hosted by the PIPC Korea since its restructure as a ministry-level central administrative agency. The opening session concluded with the traditional group photo.

The formal agenda began with an update from the Office of the Information and Privacy for British Columbia in its capacity as APPA Secretariat and Chair of the APPA Governance Committee. This was followed by reports on the activities of the three APPA Working Groups – the Communications Working Group, Technology Working Group and Comparative Privacy Statistics Working Group.

Members then presented jurisdiction reports, sharing recent developments under themes Law reform & regulatory changes, Enforcement & investigation, Data protection measures in response to Covid-19, and Awareness and outreach.

The Office of the Privacy Commissioner for Personal Data, Hong Kong, China, introduced its government’s proposal to amend the data protection law to combat doxing activities.

Following up on the report by the Technology Working Group, the Personal Data Protection Commission, Singapore shared its research finding on common data breach types in Singapore.

The Office of the Privacy Commissioner, Canada then presented an overview of recent law reform developments in Canada, focusing on private and public sector privacy.

Next was a session on Data Breach Notifications with presentations from OPC Canada and the Office of the Privacy Commissioner, New Zealand.

Day One concluded with closing remarks from PIPC Chairperson.

Day Two (Members only and closed session)

The second day of the Forum commenced with opening remarks from PIPC Vice Chairperson, followed by a presentation from PDPC Singapore on AI Bot.

This was followed by a session on digital identity, including presentations from the Office for Personal Data Protection, Macao SAR, China, PDPC Singapore, the Office of the Government Chief Information Officer of the Hong Kong SAR Government and the National Privacy Commission, Philippines. APPA members shared the view that measures should be put in place to ensure personal data is well protected especially when such emerging technologies as biometrics are used.

Next were presentations on global privacy developments and networks, including updates on the activities of the:

  • Global Privacy Assembly (GPA), presented by the Information Commissioner’s Office, UK;
  • GPA International Enforcement Working Group, presented by OPC Canada;
  • GPA Digital Citizen and Consumer Working Group, presented by the Office of the Australian Information Commissioner, Australia and OPC Canada;
  • GPA Policy Strategy Working Group – Workstream 3, presented by OPC Canada;
  • Global Privacy Enforcement Network, presented by OPC Canada, OIPC British Columbia and OPC New Zealand;
  • Ibero-American Network of Data Protection, presented by the National Institute for Transparency, Access to Information and Personal Data Protection, Mexico;
  • APEC Cross Border Privacy Rules (CBPR) System, presented by the Federal Trade Commission, USA; and
  • ASEAN Model Contractual Clauses, presented by PDPC Singapore.

INAI Mexico also provided an update on the hosting of 2021 GPA in October.

As part of the item on children’s privacy, member authorities including OPDP Macao, NPC Philippines and the Korea Internet and Security Agency, Korea presented on their recent initiatives to raise awareness on children’s privacy. As an invited guest, ICO UK presented on OECD’s recent work on children’s privacy and provided an update about ICO’s Age Appropriate Design Code.

Day Three (Members only and closed session with invited speakers)

On the third day of the Forum, OPC New Zealand, OPDP Macao and OPC Canada provided updates on biometrics in their jurisdictions. Members agreed that biometrics are unique, sensitive physical characteristics and therefore require further privacy protections.

This was followed by a discussion on privacy issues in the new normal post Covid-19, where PCPD Hong Kong, NPC Philippines and the Personal Information Protection Commission, Japan provided updates on data protection initiatives in their jurisdictions in response to the global pandemic. Members shared the view that the global pandemic has changed the way we live our lives and that now is a good time to discuss how we should adapt to the new normal in the post Covid-19 recovery, with Privacy-by-Design adopted in relevant measures.

Next was a session on “Issues around privacy and the use of data in the rapidly changing digital economy” that began with a presentation by President of Korea Online Privacy Association. Invited speakers from Microsoft, Samsung Electronics and Naver Corporation also presented on challenges they have to deal with in their daily business operation to strike a right balance between privacy and the utilisation of data.  This session served as an opportunity for data protection authorities to listen to the voice of industries.

In the following session, PPC Japan provided an update on its efforts to facilitate data free flow with trust. The OAIC Australia provided a presentation on Australia’s Consumer Data Right framework, which is a data portability framework built on a foundation of strong privacy protections. This was followed by a presentation by Asia Business Law Institute (ABLI), sharing its finding on how to fix the notice and consent issues in the Asia Pacific region. Meanwhile, KISA Korea, at the request of PIPC Korea, presented on developing a global personal information protection index and a global personal information safe utilisation index, paving the way for discussion about how to promote global interoperability in data protection.

The Forum concluded with the release of the APPA 55 Communiqué, a presentation on APPA 56, closing remarks from the APPA Secretariat and PIPC Korea.

Commissioner arrivals and departures

Ms. Blanca Lilia Ibarra Cadena as Commissioner President for the 2020-2023 period, replacing Dr. Francisco Javier Acuna Llamas who will continue as Commissioner until March 31, 2023.

Next meeting

The 56th APPA Forum is scheduled to take place from November 30-December 2/December 1-3, 2021 and will be hosted by the Office of the Information and Privacy Commissioner for British Columbia.

55th APPA Forum attendees

Office of the Australian Information Commissioner, Australia

Office of the Information and Privacy Commissioner, British Columbia

Office of the Privacy Commissioner, Canada

Superintendence of Industry and Commerce of Colombia

Office of the Privacy Commissioner for Personal Data, Hong Kong, China

Personal Information Protection Commission, Japan

Korea Internet and Security Agency

Personal Information Protection Commission, Korea

Office for Personal Data Protection, Macao SAR, China

National Institute for Transparency, Access to Information and Personal Data Protection, Mexico

Office of the Privacy Commissioner, New Zealand

National Authority for Data Protection, Peru

National Privacy Commission, Philippines

Office of the Information Commissioner, Queensland

Personal Data Protection Commission, Singapore

Federal Trade Commission, United States

Office of the Victorian Information Commissioner

55th APPA Forum invited guests

Information Commissioner’s Office, United Kingdom

The Office of the Government Chief Information Officer, Hong Kong SAR Government

Asian Business Law Institute (ABLI)

Microsoft

Samsung Electronics

Naver Corporation