37th APPA Forum — Communiqué

APPA members at the 37th APPA forum, Hong Kong

The 37th Asia Pacific Privacy Authorities (APPA) forum was hosted by the Office of the Privacy Commissioner for Personal Data, Hong Kong in Hong Kong on 14–15 June 2012.

Participants discussed and agreed actions for a wide range of cross-border policy, education and enforcement issues over the two days of the meeting. Selected highlights of those discussions and agreed actions follow.

Global Privacy Enforcement

The meeting analysed current global privacy enforcement issues, such as recent significant data breaches, and the latest activities in international forums. Discussions covered effective international collaboration in enforcement, interoperability and development of cross-border privacy rules, privacy reform in the United States and the EU. Updates on the APEC Privacy Framework and Cross-Border Privacy Enforcement Arrangements (CPEA), the Global Privacy Enforcement Network, and the current review of the OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data were also discussed.

Members agreed that greater cooperation between Data Protection and Privacy Authorities was essential in an environment where the cross jurisdictional transfer of personal information was growing exponentially. Members supported the ongoing work in this area being undertaken through fora such as APEC and the OECD.

Update on International Conference of Data Protection and Privacy Commissioners

The meeting discussed the theme “Privacy and Technology in the Balance” for the 34th International Conference of Data Protection and Privacy Commissioners (ICDPPC) which will be hosted by the Personal Data Control Regulatory Unit (URCDP), in Punta del Este, Uruguay from 23–26 October 2012.

Privacy Awareness Week 2012

Privacy Awareness Week (PAW) took place from 30 April to 5 May 2012. The Communications Working Group reported on the success of various activities held as wells as creative promotional materials produced and used in members’ jurisdictions to promote privacy awareness. To encourage and facilitate access to information on personal data protection throughout the Asia Pacific region, APPA members compiled a list of useful resources available at www.privacyawarenessweek.org/youth.html.

Google’s new privacy policy

The Technology Working Group (TWG) reported on its ongoing dialogue with Google to clarify its privacy policy that took effect on 1 March 2012. Noting the clarifications and improvements made by Google, members agreed that their collective efforts via the TWG in the immediate term would be to keep in view the ongoing enquiries being conducted by the Commission nationale de l’informatique et des libertés (CNIL). The TWG would consider its next steps having seen the responses to the CNIL enquiries.

Information on Public Registers

The topic of public registers was revisited by Members against the context of technological advancement. Tensions between the openness and transparency principle to allow public access to government information and the individual’s personal data privacy rights is heightened with ever-increasing ease of access to public registers through various online and mobile technologies. From the perspective of privacy protection, the question of how to strike the right balance between public access and protection of personal data privacy is increasingly challenging.

Members agreed to consider the issue on a high-principle basis, focusing on an approach that enables public access to government information with commensurate protection for individual privacy.

Smart Phone Applications

The Technology Working Group reported to members on privacy risks relating to smartphone applications, including the non-consensual extraction of personal information. Members expressed concern with this evolving and complex area and agreed to share relevant studies and codes of practice for apps developers. Members agreed to liaise with the International Working Group on Data Protection in Telecommunications (“the Berlin Group”) on its latest actions with the aim of exploring the possibility of developing joint educative and guidance material for consumers and apps developers.

Legal Assistance to aggrieved data subjects

Members discussed avenues available to individuals for assistance with meeting costs associated with taking action against organizations in cases of an alleged breach of privacy. Each jurisdiction outlined what avenues were available in their jurisdictions.

Upon deliberation, members found that the proposed legal assistance scheme under the Hong Kong Personal Data (Privacy) (Amendment) Bill is unique amongst APPA members. There was however other experiences regarding award of damages for privacy infringement that members shared with Hong Kong.

Regulation of direct marketing activities

The proposed regulatory requirements on direct marketing activities under the Hong Kong Personal (Privacy) (Amendment) Bill are amongst the most stringent. Members noted the growing trend of conferring on individuals a right to trace the source of personal data from direct marketers and that Hong Kong’s proposed regulatory control will provide a good reference for other APPA members in their future review of privacy protection.

Open session

The Hong Kong privacy community shared and exchanged views and experiences with APPA members in the open session on the following privacy issues:

  • eHealth records in Hong Kong
  • Privacy concerns of social networking sites in Hong Kong
  • Privacy issues concerning geo-location information and mobile service devices
  • Cloud computing and data protection

Next meeting

The next meeting of the Forum will be hosted by the U.S. Federal Trade Commission. It will take place in San Francisco on 3–4 December 2012.

Participants

The meeting was attended by representatives from:

  • Office of the Australian Information Commissioner, Australia
  • Office of the Privacy Commissioner of Canada, Canada
  • Office of the Privacy Commissioner for Personal Data, Hong Kong
  • Korea Internet & Security Agency
  • Personal Information Protection Commission of Korea
  • Federal Institute for Access to Information and Data Protection, Mexico
  • Office of the Privacy Commissioner, New South Wales
  • Office of the Privacy Commissioner, New Zealand
  • Office of the Information Commissioner, Northern Territory
  • Federal Trade Commission, United States
  • Office of the Victorian Privacy Commissioner

Representatives from the following organisations joined the meeting as observers:

  • Office of Personal Information Protection Consumer Affairs Agency, Japan
  • Office for Personal Data Protection, Macao
  • Data Protection Authority, Comissão Nacional de Protecção de Dados, Portugal