51st APPA Forum — Communiqué

The Personal Information Protection Commission of Japan (PPC Japan) hosted the 51st Asia Pacific Privacy Authorities (APPA) Forum on 29-30 May in Tokyo, Japan.

Over the two days, APPA members and invited guests discussed global privacy trends, exchanged domestic experiences and sought opportunities for cooperation on education and enforcement activities across the Asia Pacific Region.

The Forum was organized with the support of the six-member APPA Governance Committee and was attended by fourteen (14) APPA member authorities.

Day One (Members-only and closed sessions)

Katsuhiko Ogawa, Commissioner of PPC Japan, opened the APPA Forum and welcomed members to Tokyo, Japan.

The first day began with an update from the OIPC-BC, in its capacity as APPA Secretariat and chair of the Governance Committee.

The Communications Working Group tabled its report on Privacy Awareness Week and continuing compilation of member education resources, and the idea of having a mascot to represent APPA was proposed. In addition, the OAIC highlighted the resources and guidance published by APPA members on social media and mobile apps.

The Technology Working Group chaired by PCPD Hong Kong gave an update on the information repository for technology related publications. APPA members not represented at the working group are invited to nominate representatives to the Group. The PDPC Singapore was appointed as the chair of the Technology Working Group, succeeding PCPD Hong Kong, having served in this Working Group since 2010. A new publication, “Guide to Data Protection by Design for ICT Systems”, jointly developed by PDPC Singapore and PCPD Hong Kong, was also introduced and APPA members are asked for feedback.

The Comparative Statistics Working Group tabled its report. APPA membership approved OPC New Zealand to assist the Secretariat to develop regional benchmarks for timeliness of complaints resolution. The Working Group proposed three questions for a twice yearly APPA member template to record complaint handling statistics. OPC NZ will assist the Secretariat to develop a template based on these questions.

Two sessions followed as action items from APPA 50. OPC New Zealand and PDPC Singapore gave an update on Trust Marks. OPC Canada gave an update on Open Banking with contribution from the OAIC.

In the agenda item on Jurisdiction Reports, members shared information and opinions on, and discussed their significant developments in the field of protection of privacy, including law reform, research, investigations and enforcement, and education and outreach. They also shared lessons learnt from remarkable data breach cases. With regard to data breach notification – authority systems and processes in member jurisdictions, OPC New Zealand presented an update to the report previously presented at APPA Forum 50 in New Zealand. Three updates were received from OPC Canada, OPC New Zealand and NPC Philippines. In addition, Singapore PDPC shared on their systems and processes. The report will now be published on the APPA website. APPA membership approved that future updates would be made by the Secretariat with assistance from OPC NZ.

PDPC Singapore, OPC Canada, KISA Korea, UK ICO and CNIL France presented their own activities regarding investigation and enforcement for data protection.

OPC New Zealand led the discussion to find ways to prevent online dissemination of terrorist and violent extremist content following the Christchurch event in March 2019, and spoke about the subsequent Christchurch Call to Action. This was followed by Singapore’s sharing on its new Protection from Online Falsehoods and Manipulation Act.

Under the theme of privacy practice in the world one year after GDPR, EDPB and CNIL reflected on their experience of the implementation and application of the GDPR, as well as its expected future.  This was followed by the NPC Philippines presenting on their initiatives to improve, advocate, and promote privacy practice in the Philippines, given that the Data Privacy Act, its Implementing Rules and NPC issuances are heavily referenced to the GDPR.

Day One also included discussions on the following topics:

  • Updates on the International Conference of Data Protection and Privacy Commissioners by ICO UK;
  • Updates on the Global Privacy Enforcement Network by OPC Canada, OPC NZ, OIPC BC, OPDP Macao and PCPD Hong Kong;
  • Updates on Ibero-American Network of Data Protection by INAI Mexico;
  • APEC Cross Border Privacy Rules system by PPC Japan;

The day concluded with a presentation by the host of the 52nd APPA meeting, NPC Philippines, and a group photo.

Day Two (Broader sessions)

Day Two started with presentations on Artificial Intelligence by several authorities. FTC US introduced recent developments in the privacy aspect on AI technologies, followed by PCPD HK on “Artificial Intelligence in Hong Kong and Mainland China”, PDPC Singapore on “Singapore’s AI Governance and Ethics Initiative”, and PPC Japan on the government initiatives including “Social Principles of Human-centric AI”.

Next, there were presentations on matters of cross-border transfer of personal data. US DoC discussed interoperability. TrustArc and JIPDEC presented on opportunities as well as challenges of the APEC CBPR system, especially regarding Accountability Agents in such a system, and Certifiers and Trust Marks in general. PPC Japan explained its new initiatives to establish global frameworks on cross-border transfer of personal data.

The Centre for Information Policy Leadership introduced accountability framework for trusted digital age, which requires organizations to implement verifiable and demonstrable privacy management programs and encourages effective regulators to promote and incentivise accountability. Then, IT renmei presented on the certification system for “Trusted Personal Data Management Service”, followed by ABLI overviewing privacy accountability in Asia.

Finally, children’s privacy was discussed by ICO UK on “Age Appropriate Design Code”, FTC US on investigation on the TikTok case, PPC Japan on its activities on public information, and Ubisoft on their experience developing and publishing videogames on mobile, PC and consoles and processing the data of millions of players, who can often be children.

Commissioner arrivals and departures

The meeting recognized the following appointments in member authorities:

Ms. Minako Shimada was appointed as the Chairperson of the Personal Information Protection Commission, Japan, succeeding the former Chairperson Mr. Masao Horibe.

Mr. Il Jae Kim will be appointed as Acting Chairperson of the Personal Information Protection Commission, Korea on May 30, succeeding the former Chairperson Mr. Hong-Sub Lee.

Mr John Edwards was reappointed as Privacy Commissioner of New Zealand for another five year term ending in 2024.

Next meeting

The 52nd APPA Forum will be hosted by the National Privacy Commission, Philippines. It will be held in Cebu from December 02-04, 2019.

51st APPA Forum attendees

  • Personal Information Protection Commission, Japan (Host)
  • Office of the Australian Information Commissioner (OAIC)
  • Office of the Information and Privacy Commissioner, British Columbia (OIPC-BC)
  • Office of the Privacy Commissioner of Canada (OPC-Canada)
  • Privacy Commissioner for Personal Data, Hong Kong, China (PCPD)
  • Korea Internet & Security Agency (KISA)
  • Personal Information Protection Commission, Korea (PIPC)
  • Office for Personal Data Protection, Macau SAR, China (OPDP)
  • National Institute for Transparency, Access to Information and Personal Data Protection, Mexico (INAI)
  • Office of the Privacy Commissioner, New Zealand (OPC)
  • National Privacy Commission, Philippines (NPC)
  • Personal Data Protection Commission, Singapore (PDPC)
  • Federal Trade Commission, USA (FTC)
  • Office of the Victorian Information Commissioner (OVIC)

Officials from the following organizations attended the closed and/or broader session(s) as guests:

  • Information Commissioner’s Office, UK (ICO)
  • Commission Nationale de l’Informatique et des Libertés, France (CNIL)
  • European Data Protection Board (EDPB)
  • U.S. Department of Commerce (DoC)
  • Office of the Information Commissioner, Jersey
  • JIPDEC
  • Trust Arc
  • Center for Information Policy Leadership(CIPL)
  • Information Technology Federation of Japan (IT renmei)
  • Ubisoft
  • Asian Business Law Institute (ABLI)

Officials from the following organizations attended (but not spoke) at the closed and/or broader session(s) as guests:

  • Korea Communications Commission (KCC)
  • Google