Entries submitted
B1: Agency for Access to Public Information (AAIP)
B2: Danish Data Protection Agency
B3: Dubai International Financial Centre
B4: Hellenic Data Protection Authority
B5: Hellenic Data Protection Authority
B6: Hellenic Data Protection Authority
B7: Information Commissioners Office (ICO)
B8: Information Commissioners Office (ICO)
B9: Institute of Transparency, Access to Public Information, Protection of Personal Data and Accountability of Mexico City (INFOCDMX)
B10: Jersey Office of the Information Commissioner (JOIC)
B11: New Zealand Office of the Privacy Commissioner
B12: Spanish Data Protection Authority (AEPD)

B1- Entry by: Agency for Access to Public Information (AAIP)

Description of the initiative:

The Personal Data Protection Module was created collaboratively through a roundtable process involving key players in the field of data protection and integrity. The goal was to develop a tool that guides organizations in understanding their status, promotes accountability and due diligence practices, and strengthens the privacy strategies of companies and entities.

The module is divided into seven interactive components: Personal Data Protection Plan, Risk Assessment, Personal Data Protection Area, Senior Management Commitment, Accountability, Training and Communication Channel. Each component covers institutional, organizational, budgetary, Privacy Impact Assessment and internal best practices and policies related to personal data protection.

The components are accompanied by compliance bars that allow the measurement of each organization’s level of compliance. The tool enables the gradual input of information and its updating to reflect the state of the company or entity.

The module addresses these issues by classifying organizations into three levels: small, medium and large. This approach segments the questionnaire according to the size of the organization, which allows self-assessment to be carried out taking into account the reality of each controller or processor.

In addition, the platform provides guidance pop-ups with definitions and a toolbox containing various resources such as guides, regulations, and instructions to facilitate the implementation of personal data protection legislation and the adoption of best practices.

The RITE Personal Data Protection Module is a valuable tool designed to help the public and private sectors adopt best practices and enforce compliance and accountability policies. The Organisation for Economic Co-operation and Development (OECD), in its publication “A Resource Guide on State Measures for Strengthening Business Integrity,” recognizes RITE as an exemplary public policy supporting private organizations and public companies in understanding regulations.

Why the initiative deserves to be recognised by an award?

The Personal Data Protection Module is the first free online tool for compliance with personal data protection in Argentina. The MPDP is the result of coordination and cooperation between public organizations. This is a good practice that comes from authorities that not only exercise a control role but also promote compliance. The module was created through collaboration with business actors, cooperatives, public companies and civil society organizations. The contribution of multiple stakeholders to the PDPM enabled consensus-based development. This tool incorporates the needs and concerns of companies and entities of all sizes, small, medium and large, gathered during the design process. Being free of charge, the module is an economically viable tool for companies in their creation phase. The module is a valuable tool for organizations, allowing them to self-assess their level of compliance and receive an updated status report. It also helps organizations improve their practices by providing educational resources and a toolbox to develop data protection measures for businesses and SMEs, such as due diligence best practices, privacy policies, PIAs, and accountability programs.

View more information.

B2- Entry by: Danish Data Protection Agency

Description of the initiative:

In 2020 the Danish DPA built a platform on top of our case handling system that enables automated handling of data breach notifications. In early 2023, the Danish DPA initiated a project to further classify each data breach according to a detailed threat taxonomy, and to use this classification to include directed guidance to the entities reporting the data breaches.

The first step in providing the directed guidance is a preliminary screening of all data breaches. During this screening, the data breaches are classified into one or more categories (following the 2016 ENISA threat taxonomy). For many, but not all, of these threat categories, we include specific guidance material. This consists of a short explanatory text and a link to known and valuable guidance material made available by the Danish DPA or other governmental agencies.

Thus, within a few days of receiving a data breach notification, the Danish DPA sends a letter to the entity reporting the breach, which can include directed guidance on the specific topic of the breach. Based on this guidance, the reporting entity can start improving its security measures quickly after the data breach is reported to the Danish DPA.

After the data breach is screened, the system merges the letter from the Danish DPA with the relevant guidance, and sends it digitally to the reporting entity. Based on all the information contained in the data breach notification, the selected threat taxonomy category with underlying guidance and other relevant data, the underlying case is updated with metadata in the case handling system, which enables the Danish DPA to track emerging trends in current threats and the behavior of specific organizations or lines of industry.

All case handling, including sending the letter to the entity reporting the data breach, is done automatically, with an RPA-like functionality. In the future, this very detailed and accurate level of metadata could be very useful to train an in-house AI model to further enhance the efficiency of our data breach handling.

Why the initiative deserves to be recognised by an award?

Our initiative, as described above, enables us to handle over 9,000 breaches per year, while both being very efficient on resources and being able to give immediate and directed guidance to the entities reporting data breaches. When a data breach has occurred, time is of the essence. Our system is groundbreaking in this regard, as it enables us to provide the entities reporting the data breaches with immediate and directed guidance, which is unique and can be easily customized when the need for further guidance arises.

View more information.

B3- Entry by: Dubai International Financial Centre

Description of the initiative:

Applying Regulation 10 requirements to AI systems should serve as further organisational measures to integrate into a robust data protection compliance program vis-à-vis the DIFC DP Law. The Commissioner’s objectives in issuing regulations, conducting use case testing and developing detailed guidance will better protect the Personal Data that forms the core of most processing operations. Further, these measures protect the rights of data subjects to understand and, to the extent possible, control how their data is processed.

For instance, Regulation 10 activates a key protection provided for in the DP Law 2020 that until now has had limited exposure – that is, Article 29(1)(h)(ix), which states that where advanced technology is deployed that does not permit the exercise of data subjects’ rights the deployer / controller must provide sufficient notice in that regard and satisfy itself that the data subjects understand the impact. The regulation also requires evidence of privacy by design in such systems, and demonstrating accountability when a system is deployed.

Another key feature of Regulation 10 is that it creates space for DIFC to be a platform for interoperability of guidelines and principles in an environment where national governments and organisations are developing their own. Regulation 10 allows for a “plug and play” environment, where any template principles or frameworks, within reason and subject to consultation if requested by the Commissioner, can form the basis of generative technology development.

Regulation 10 is outcomes-based and looks to practical risk prevention procedures to safeguard Personal Data. Inherent in this approach is that a Deployer, Operator or Provider in its capacity as a Controller must by law assess whether it is conducting High Risk Processing even before the system has a chance to see the light of day, and take appropriate actions to:

  • control the processing environment locally and internationally
  • apply additional safety measures
  • appoint an Autonomous Systems Officer
  • assess ongoing risks of processing in such Systems

The advisory committee was established to provide best practice recommendations to the Commissioner for improvements in the Regulation and associated guidance.

Why the initiative deserves to be recognised by an award?

Regulation 10 marks a pivotal moment in data protection as it creates a unique platform to encourage interoperability among the diverse guidelines and principles issued by sovereign governments and NGOs. It aims to promote responsible and ethical personal data processing within AI and autonomous systems.

Regulation 10 is the first of its kind to address processing personal data in AI systems, an approach many governments and NGOs are taking now. The Advisory Committee is made up of experts from all fields, including other GPA members, CIPL, FPF and IAPP, and will set a high bar for accountability of the Commissioner in administering the Regulations.

One example of the Committee’s work is establishing a governance framework and a robust accreditation and certification process applied where a System is used to engage in High Risk Processing Activities as per the DIFC DP Law. It will help to develop the obligations and “job description” of the Automated Systems Officer. Finally, Reg 10 will be the springboard for establishing an “accelerator” to review privacy by design built into a system. The accelerator will be compatible with any sandbox environment.

It is a forward-thinking, innovative and interoperable piece of legislation supported by trusted advisors.

View more information.

B4- Entry by: Hellenic Data Protection Authority

Description of the initiative:

The information and guidance tool for notifying personal data breach incidents to the DPA leads the data controller through an interactive wizard of questions. Depending on its answers regarding the circumstances of the specific incident, and after being shown relevant explanatory and informative material, the controller is guided on whether it is necessary to notify the incident to the DPA.

The data breach wizard identifies six broad categories of data breaches and, for each one of them, through a series of easily answered questions (mostly yes/no), provides guidance on how a data controller should act to mitigate the breach, whether a notification to the HDPA is necessary, and whether it is advisable/necessary to inform the affected data subjects about the data breach and its consequences. The tool is available at https://eservices.dpa.gr/wizard/?id=1331560

The information material is enriched by short animations which provide useful examples of security incidents that can be characterized as a breach of personal data and show the appropriate way to react to them. They cover accidental disclosure of personal data and malicious security incidents. The animations are available at: https://www.dpa.gr/index.php/el/foreis/asfaleia_dedomenwn/gnwstopoiisi_paraviasis

Why the initiative deserves to be recognised by an award?

The HDPA has identified that it receives a relatively small number of data breach notifications in comparison to other EU/EEA countries. Since Greek businesses are mostly SMEs (and notably most of them belong to the small SMEs category), providing practical and easy guidance is crucial for such enterprises. The rationale behind this tool is to provide SMEs with a relatively simple tool that they can easily use when they face a potential data breach, without having to read long texts full of legal terminology.

View more information.

B5- Entry by: Hellenic Data Protection Authority

Description of the initiative:

The initial version of the Platform became operational in September 2023 with:

  • a space for discussion and exchange of views (for registered users – data protection professionals). See here https://collab.dpa.gr/community/
  • and a digital library with supporting material (open to all). See here https://collab.dpa.gr/%cf%88%ce%b7%cf%86%ce%b9%ce%b1%ce%ba%ce%ae-%ce%b2%ce%b9%ce%b2%ce%bb%ce%b9%ce%bf%ce%b8%ce%ae%ce%ba%ce%b7/

It operates under the guidance and supervision of the Hellenic DPA’s staff, but is not intended to provide specific advice or answers in individual cases or to replace DPOs.

The aim of the platform is to share specialised knowledge by topic, in order to facilitate the practical application of data protection principles by data protection professionals (DPOs, specialists with a relevant background, IT professionals involved in/implementing relevant projects, etc.). The discussions and the information available on the platform are categorized into 10 thematic areas (topics). Professionals can browse the library without any need for registration, while, if they wish to ask a question or raise an issue of interest among their peers, they can register on the platform (using just an email) and post their question under the appropriate thematic area. HDPA staff also participate in the discussions. The HDPA is also able to receive feedback from the platform, to be considered during its prioritization process. The platform aims to reconcile the need of DPOs and Data Protection Professionals for specialised guidance with the limited HDPA resources, by mobilizing its participants to share knowledge and ideas.

To create an e-platform for the cooperation and exchange of views of DPOs and data protection professionals, it was necessary to carry out a survey among privacy professionals: first of all to identify those professionals, and furthermore to point out as accurately as possible their needs and concerns on data protection related matters and to specify the main thematic areas on which the platform should focus during its initial operation.

After the submission and evaluation of the questionnaires, two workshops were organized in the second quarter of 2023 in order to discuss the findings of the survey, to present the basic functionalities of the platform and to determine precisely its content and how it works.

The first seminar took place on Monday 29 May 2023 at the University of Piraeus and the second one (with the same content) was held online on June 1st (2023). During the seminars the participants became acquainted with the e-platform. They also had the opportunity to raise questions on the platform operation and make constructive comments in relation to its use. 360 DPOs and professionals that had already expressed their interest to participate in the events were invited, and most of them accepted and registered for the events. In the end, 59 DPOs and privacy professionals participated in the F2F event and 82 participated in the remote event.

Following the identification of the needs of privacy professionals and the results of the survey carried out for this purpose, the collaboration platform was developed. Up to now, more than 300 DPOs and Data Protection Professionals have registered on the platform (which is available in Greek).

Why the initiative deserves to be recognised by an award?

The platform (named collab.dpa.gr) introduces a new approach to the guidance of DPOs and Data Protection Professionals. The HDPA recognized the need to provide specialized guidance beyond a basic level (e.g. beyond a general knowledge of the GDPR and relevant legislation and the official guidance offered by the EDPB). At the same time, the HDPA (like most DPAs) suffers from limited resources and a large number of cases to be handled.

In order to find a proper balance, the HDPA decided to bring the principles of “crowdsourcing” to the field of Data Protection. Thus, the platform is used as a “safe” space for the exchange of knowledge of professionals of the field. The HDPA expects that in the future, as more items are discussed on the platform, DPOs and Data Protection Professionals will be able to use a valuable space of specialized resources.

At the same time, the electronic library acts as a repository of guidance texts that are recognized by the HDPA as important for the specific topic. These texts include open resources, like court judgments, official authority guidance, and technical guidance by recognized organizations or international standards. Each participant can propose a text, thus contributing to the improvement of the platform.

Operation of the platform is governed by a flexible regulation, issued by the HDPA and drafted in cooperation with its participants.

View more information.

B6- Entry by: Hellenic Data Protection Authority

Description of the initiative:

The HDPA created a website for young people in 2010 which contained useful information for their online presence. Over the years, it proved to be a valuable source of information not only for children, but also for educators and organizations acting for the benefit of children. Although the information available was updated on several occasions, the format of the presentation became obsolete and unappealing to young people. In addition, the online presence of young people has changed their way of life and brought new challenges to Data Protection.

The new micro-site of the HDPA aims to be the central point of reference for valid and complete information on how a young person can benefit from the opportunities of the internet while being able to control how his/her personal data are used online. The content includes material presenting ways to stay safe online. It contains four main thematic sections:

  • Privacy,
  • Publications,
  • Online contacts,
  • Social Networks.

It is accompanied by a Glossary of privacy terms for young persons. It has also been built in such a way that more thematic areas can be added. For a more effective understanding of the instructions and content, each section of the material includes Key Takeaways, interactive applications like Quizzes, and Videos. The HDPA is constantly updating the mini-site. It is noted that the mini-site is built using templates and can be easily upgraded to stay “fresh” and current.

Why the initiative deserves to be recognised by an award?

The microsite aims to raise young persons’ awareness of their rights and responsibilities in relation to the protection of their privacy online. It includes practical knowledge and instructions which are organized in thematic sections (Privacy, Publications, Online contacts, Social Networks). The material includes a useful Glossary, Key Takeaways and interactive applications like Quizzes, and also Videos for every thematic section. This activity constitutes an easy point of reference for young persons whenever they face a problem with their online personal data, while at the same time it is a useful resource for educators.

View more information.

B7- Entry by: Information Commissioners Office (ICO)

Description of the initiative:

Protecting people online has been high on the policy agenda for many countries worldwide in recent years, with governments across the world enacting legislation to tackle illegal harms and protect children. The UK is a front-runner in this space, with the 2023 Online Safety Act setting out new legal duties for online services to keep users safe. Similarly, the Australian Online Safety Act 2021 provides safeguards against certain types of online abuse, and in the EU the Digital Services Act updates rules for digital services to prevent illegal and harmful activities online.

These developments have raised new questions about how online safety requirements interact with privacy legislation, and what this means in practice for organisations that use people’s data to implement online safety systems. It is important that companies design and deploy their safety measures with both privacy and safety in mind.

The ICO’s guidance on content moderation and data protection addresses complex and novel questions in this space. It provides online services with practical advice to help them comply with the UK GDPR and the Data Protection Act 2018 (DPA 2018) when developing and deploying content moderation tools. It is aimed at supporting services in scope of the UK’s new Online Safety Act and provides clarity on areas of intersection between the online safety and data protection regimes.

This work is one of the first pieces of guidance that explains the interactions between data protection and content moderation. It was produced in close collaboration with Ofcom, the UK’s online safety regulator. It represents a forward-thinking and collaborative approach to data protection regulation that has been successful in providing clarity for organisations as they work on implementing innovative tools to moderate content on their services.

The guidance was underpinned by an extensive programme of stakeholder engagement to understand how content moderation is used in practice and the data protection challenges services face when deploying content moderation processes. This included an open call for views alongside direct engagement with over 20 online services and trade associations across different sectors of the digital economy.

Why the initiative deserves to be recognised by an award?

The ICO guidance on content moderation deserves to be recognised by the GPA award for the following reasons:

  • Firstly, the unique innovation of this work is that it provides clarity for organisations in a cutting-edge technological area that spans across different regulatory regimes. It is one of the first products of its kind, providing guidance on complex areas of intersection between the data protection and online safety regimes in the UK. Feedback on the guidance shows that services have found it to be helpful, clear and pragmatic, with some services using the guidance to review and strengthen their data protection compliance. Services told us that our case study examples were especially helpful.
  • Secondly, the guidance is a proactive and timely intervention, published at the beginning of the UK online safety regime enactment. It will provide greater regulatory certainty and confidence to organisations in the UK’s growing safety tech sector, encouraging investment and fostering an environment for services to develop innovative solutions to keep users safe online.
  • Finally, the guidance was underpinned by excellent cross-regulatory collaboration with Ofcom, the UK’s online safety regulator. We have worked with Ofcom to proactively address key areas of uncertainty and ensure coherence between regulatory regimes.

View more information.

B8- Entry by: Information Commissioners Office (ICO)

Description of the initiative:

The ICO started engaging with key organisations developing and using generative AI in Spring 2023. This process, along with the exercise of our information gathering powers, led us to the conclusion that greater regulatory certainty was needed in how specific aspects of data protection law applied to generative AI development and use. The following areas were identified as lacking regulatory certainty and became the focus of the consultation series:

1) The lawful basis for web scraping to train generative AI models

2) Purpose limitation in the generative AI lifecycle

3) Accuracy of training data and model outputs

4) Engineering individual rights into generative AI models

5) Allocation of accountability across the AI lifecycle and supply chain

Calls one to four have been published at the time of writing, while the fifth is due to be published in July 2024. Additionally, we will convene three roundtables on issues raised by stakeholders through the calls for evidence with a) technology sector representatives, b) creative industries representatives and c) civil society groups. These roundtables will ensure the ICO receives evidence and views from a diverse range of perspectives in shaping our policy positions on these critical issues. This engagement will also provide those stakeholders most affected by our regulatory approach with an opportunity to engage with us and challenge our thinking.

Following the conclusion of the consultation, the ICO is committed to publishing a summary report by the end of 2024 and incorporating final positions into the next iteration of our guidance on AI and data protection.

Our draft positions clearly signal to the market our regulatory expectations, and should help inform the thinking of our international counterparts in terms of generative AI regulation. More broadly, we hope this consultation series has moved the wider data protection and privacy community one step closer to regulatory certainty on the issue of generative AI compliance with data protection law.

Why the initiative deserves to be recognised by an award?

This is an evidence-led initiative to promote accountability across the generative AI supply chain. It was born out of the ICO’s engagement with strategically important generative AI developers and users, which identified areas of regulatory uncertainty around how data protection law applies to this rapidly growing subset of AI.

Organisations cannot easily be held accountable when the regulatory expectations around how they should manage their data protection responsibilities are not clear enough. This is why we launched this series of consultations on our interim positions. By putting these generative AI positions in the public domain we signalled our expectations to the market but also demonstrated transparency around how and why we reached our policy positions.

This consultation ensured all relevant stakeholders have the opportunity to provide evidence and views, making the ICO’s policy positions as robust as possible. The format of this consultation offers regulated entities the opportunity to hold us accountable by challenging our thinking, and, by providing regulatory certainty to the market, it will also enable us as regulators to hold generative AI developers and deployers to account.

View more information.

B9- Entry by: Institute of Transparency, Access to Public Information, Protection of Personal Data and Accountability of Mexico City (INFOCDMX)

Description of the initiative:

During the COVID-19 pandemic, INFO CDMX faced the challenge of continuing to execute the procedures outlined in the Personal Data Protection Law of Mexico City. In this trying context, SIVER was developed to enable virtual and efficient verification of the treatment of personal data by those responsible in Mexico City. The main functions of SIVER are: scheduling and planning verifications; creating an effective communication channel between the guarantor agency and the responsible parties; providing timely and reliable information on the verification stages; conducting more verifications in a user-friendly digital environment; orderly storing and archiving the information and results of the verifications; annually increasing the information and results of the verifications and audits; and generating annual evaluations by responsible parties.

For its operation, SIVER has six types of users: Administrator (Director of Information Technology); Director of Personal Data; Deputy Director of Verifications; Verifiers; Advisor to accompany the responsible party; and the Responsible party. Each user has different roles, and they execute them according to their regulatory powers. Additionally, it is configured in five stages: initiation, review, accompaniment, follow-up, and compliance, adjusted according to the deadlines determined in the regulations.

SIVER strengthens the principles, duties, and obligations for the protection of personal data by allowing the review of its compliance in a systematized, controlled, and orderly environment. In addition to this, the SIVER was developed in open source to be shared with other guarantor agencies in the country, to effectively verify and consolidate cooperation as a good practice that adds value and institutional and citizen trust to the guarantor agency that implements it.

Why the initiative deserves to be recognised by an award?

With the implementation of SIVER, the following results have been obtained: cost savings, as verifications are now online; printing of files decreased, which contributes to environmental care; the time to verify was reduced by 60%; the number of verified responsible parties was increased; the number of verified personal data treatment operations increased; the provisions of the regulations are evaluated on a weighted basis; reports and statistics that allow comparative analysis of the results of the verifications are obtained. The verification data is the basis for generating diagnostics to develop work programs focused on data protection. In 2023, INFO CDMX issued the call “SIVER in your local guarantor agency”, in which ten out of thirty-one local guarantor agencies requested the donation of the software, thereby strengthening cooperative federalism among guarantor agencies to ensure compliance with the provisions on personal data protection in Mexico. Undoubtedly, technology has been used for the benefit of INFO CDMX and those responsible, in addition to providing other guarantor agencies with a tool that contributes to the protection of personal data.

View more information.

B10- Entry by: Jersey Office of the Information Commissioner (JOIC)

Description of the initiative:

We’re trailblazing! Our innovative and unique mock privacy trial court case allows students to step out of the classroom and into the courtroom to explore the realities of mishandling personal data – by bringing data protection law to life!

In a highly engaging and interactive session led by a real advocate acting as a judge, young people aged 16 to 18 take on prosecution, witness and defence roles to delve deep into Jersey’s data protection law, whilst developing life skills and personal values!

The team at the Jersey Office of the Information Commissioner (JOIC) works in partnership with an advocate, our External Legal Counsel, to enable the students to dip their toes into prosecution and defence investigations and explore contraventions of data protection law, with real court etiquette. Students are provided with courtroom bundle resources to prepare legal arguments, think critically and develop a sound knowledge and understanding of the law.

The JOIC team and Advocate Blackmore work with the students to set a cast list and provide witness statements in preparation for the 90-minute-long mock trial, challenging witnesses about their data protection knowledge, organisational training, impacts on individuals and responsibilities, culminating in the delivery of the long-awaited verdict.

This initiative supports the students’ understanding of the critical importance of data protection at a local and international level, as well as the magnitude, implications, and sanctions and enforcement powers available to global data protection authorities, both civil and criminal, following unlawful disclosure.

STUDENT TESTIMONIAL – “I remember this workshop. It was a great opportunity to improve crucial skills like teamwork as well as presentation of an idea and clear communication throughout the discourse between the sides of the case.”

Why the initiative deserves to be recognised by an award?

This unique approach supplements traditional learning by developing essential skills and critical analysis, helping the next generation to develop their understanding that data protection law touches every aspect of their lives and gain insights into how Jersey’s legal justice system works.

We want to increase the respect among young people for their personal information and create a team of young privacy ambassadors ready to be curious and confident.

Student Benefits include:

  • Learning to interpret a law and see how it interacts with ‘real life’.
  • Networking with industry, meeting lawyers, data protection officers and other key professionals who may be able to assist with career guidance.
  • Working with peers to develop transferable, high-level communication skills under pressure, useful for many careers.
  • Invaluable experience for students who want to study and work in law, finance and technology-related industries such as AI, as well as media/journalism.
  • Extra-curricular experience for university applications (via the ‘Universities and Colleges Admissions Service’ in the UK), CVs, references/interviews.
  • Multi-disciplinary involvement.
  • Mock interview and possible work shadowing opportunities.

PRIVACY PROFESSIONAL – “What a great initiative.”

PRIVACY PROFESSIONAL – “I wish this challenge was run in our jurisdiction.”

View more information.

B11- Entry by: New Zealand Office of the Privacy Commissioner

Description of the initiative:

New Zealand does not have specific rules for biometric information. OPC is proposing to create some, by a code of practice under the Privacy Act 2020. Our challenge was to consult both a legal and non-legal audience on our draft exposure code (a technical document).

We had several challenges:

  • We are a small office with limited resources for this work.
  • We needed to talk to a wide group of people about a technical issue.
  • We knew that biometric information was tapu (sacred) for Māori (New Zealand’s indigenous people) and we needed to take special care to listen to this group.
  • We didn’t have money for design and had to work with a website that wasn’t modern.

We created a hierarchy of layers of information that people could engage with at their level. This included the most technical (the code itself), a detailed consultation document written in plain language, an infographic that presented the code as a graphic, and a one-page consultation that centred on summarising the main changes of the code into three questions. We used in-house skills and the organisation’s Canva account.

Because we were a small team we front-footed questions with a clear banner on our web page and a detailed autoreply message, to ensure time was spent well.

We met face-to-face with Māori stakeholders to make sure we heard their concerns appropriately. We also worked to develop detailed stakeholder lists that were highly segmented with bespoke messaging to spark the interest of our many user groups: government, business, legal, health, NGOs and civil liberty groups, and individuals that had self-nominated to be notified when consultation opened.

Our work was supported with a media campaign, launching with a 20-minute interview with the Privacy Commissioner on RNZ, our national broadcaster.

During the four-week consultation period our biometrics web page had over 3000 unique visitors.

Our goal for success was 50 submissions from the public and 50 from experts or organisations. As a result of this campaign, we received 70 submissions from experts and organisations and 179 submissions from individuals. Their feedback will inform the design of a final biometrics code.

Why the initiative deserves to be recognised by an award?

Biometric technologies are likely to become part of every New Zealander’s life, but many do not know that yet. As an Independent Crown Entity, we could have written a legal document and then let the experts comment. However, we chose to widen the circle and include, through clear and plain language and an engagement plan, a wider range of people who will ultimately be affected by this work.

This approach, especially the activities like creating an infographic and distilling the code to three core questions, was a new and at times challenging way of working for the team. However, by all pulling together for a common goal we were able to present a technical document in a way that was accessible and therefore received a wider range of submissions.

New Zealand is known as a country of people who are innovative. We took that spirit, and that of our Nobel Prize-winning chemist Ernest Rutherford who famously said, “We haven’t got the money, so we’ll have to think.”

Our exposure draft is rightly a very technical legal document and OPC presented it in several ways to ensure that it could be understood and engaged with by a large audience.

View more information.

B12- Entry by: Spanish Data Protection Authority (AEPD)

Description of the initiative:

Created and launched in 2023, this initiative proves that age verification on the Internet can be executed without exposing children to targeted attacks or infringing on individuals’ data protection rights.

Our initiative champions an innovative approach where child protection does not require identifying children or collecting data from them. Instead, the responsibility lies with adults to prove that they have permission to access adult content. This approach automatically safeguards children without requiring any action from them or their devices, ensuring they cannot access harmful content.

By adhering to the set of proposed principles, which are derived from the GDPR, the implementation of this approach would effectively uphold the fundamental rights of citizens on the Internet. It would protect their anonymity and shield them from any unlawful processing of their personal data.

Moreover, this approach leverages existing identity documents, eliminating the need to create new identity infrastructures. This preserves individuals’ right to their own identity and allows for universal implementation across different countries.

Summarizing this initiative:

First, it provides a risk assessment of the available age verification systems (released as an infographic) to establish a Decalogue of principles that particularizes the GDPR principles to this application domain.

Second, it implements three different proofs of concept (PoCs) demonstrating that compliance with this Decalogue is possible and that the proposed approach could already be offered with a clear separation between identity management, content filtering and the age verification itself. These PoCs show that age verification can be performed on the data subject’s device, which retains complete control over their identity and age data and allows for fully auditable and transparent solutions. The implemented PoCs can be seen in these videos:

  • PoC for PCs and consoles (Windows)
  • PoC for smartphones (Android)
  • PoC for smartphones (iOS)

Third, it is the key element of an ambitious Global Strategy on Children, Digital Health and Privacy promoted by the Spanish DPA that includes 35 measures focusing on education, digital health and well-being.
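To make the separation of roles concrete, here is an added, constructed Python model. It is not the AEPD's PoC code and does not describe how those PoCs are built; it only illustrates the data-minimisation idea the entry describes. It assumes three roles (an identity issuer, the holder's device wallet, and a content service), hides every credential claim behind a salted SHA-256 commitment so the device can release just the boolean age_over_18 claim (selective disclosure in the style of SD-JWT), and uses HMAC with the issuer's secret as a stand-in for the issuer's digital signature so it runs on the standard library alone. All names, keys and sample holders are constructed.

```python
"""Constructed model of device-side age verification with selective disclosure.

Added illustration for this page, not the AEPD's proof-of-concept code. Roles:
IdentityIssuer (identity management), DeviceWallet (holder's device, keeps the
identity data), ContentService (content filtering, learns only age_over_18).
Claims are hidden behind salted SHA-256 commitments (SD-JWT style); HMAC with the
issuer's secret stands in for the issuer's signature so this runs on the stdlib.
"""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from datetime import date, timedelta


def _canonical(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _commit(disclosure: tuple) -> str:
    # Commitment to one (salt, name, value) triple; the salt stops anyone holding
    # only the digest from guessing small value spaces such as birthdates.
    return hashlib.sha256(_canonical(list(disclosure))).hexdigest()


def age_over(birthdate: date, years: int, today: date) -> bool:
    """True once the holder has had their `years`-th birthday; a 29 February
    birthday counts as 1 March in non-leap years."""
    try:
        birthday = birthdate.replace(year=birthdate.year + years)
    except ValueError:
        birthday = date(birthdate.year + years, 3, 1)
    return today >= birthday


@dataclass
class Credential:
    envelope: dict     # {"_sd": sorted digests, "exp": "YYYY-MM-DD"}, signed by issuer
    tag: str           # issuer signature (HMAC stand-in)
    disclosures: list  # plaintext (salt, name, value) triples, kept on the device


@dataclass
class Presentation:
    envelope: dict
    tag: str
    disclosed: list    # the subset of disclosures the device chose to release
    nonce: str


class IdentityIssuer:
    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)  # constructed issuer secret

    def _sign(self, envelope: dict) -> str:
        return hmac.new(self._key, _canonical(envelope), hashlib.sha256).hexdigest()

    def issue(self, identity: dict, birthdate: date, today: date) -> Credential:
        claims = dict(identity, birthdate=birthdate.isoformat(),
                      age_over_18=age_over(birthdate, 18, today))
        disclosures = [(secrets.token_hex(16), k, v) for k, v in claims.items()]
        envelope = {"_sd": sorted(_commit(d) for d in disclosures),  # sorted: order leaks nothing
                    "exp": (today + timedelta(days=365)).isoformat()}  # reissue keeps age current
        return Credential(envelope, self._sign(envelope), disclosures)

    def verify_signature(self, envelope: dict, tag: str) -> bool:
        # With a public-key signature the service verifies offline and the issuer never
        # learns where a credential was used; this round trip is a toy shortcut.
        return hmac.compare_digest(self._sign(envelope), tag)


@dataclass
class DeviceWallet:
    """Holder's device: only boolean age_over_* claims are ever released."""
    cred: Credential

    def present(self, claim_name: str, nonce: str) -> Presentation:
        if not claim_name.startswith("age_over_"):
            raise PermissionError(f"device policy refuses to release {claim_name!r}")
        chosen = [d for d in self.cred.disclosures if d[1] == claim_name]
        return Presentation(self.cred.envelope, self.cred.tag, chosen, nonce)


class ContentService:
    def __init__(self, issuer: IdentityIssuer) -> None:
        self._issuer = issuer
        self._open_nonces = set()

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self._open_nonces.add(nonce)
        return nonce

    def admit(self, p: Presentation, today: date) -> bool:
        if p.nonce not in self._open_nonces:     # unknown or already consumed challenge
            return False
        self._open_nonces.discard(p.nonce)       # one presentation per challenge
        if not self._issuer.verify_signature(p.envelope, p.tag):
            return False
        if today > date.fromisoformat(p.envelope["exp"]):
            return False
        if any(_commit(d) not in p.envelope["_sd"] for d in p.disclosed):
            return False                         # released claim not vouched for by issuer
        return any(d[1] == "age_over_18" and d[2] is True for d in p.disclosed)
```

What the content service receives is the signed list of digests plus one opened claim; the name, document number and birthdate stay as unopened commitments on the device, so the service cannot learn them even if it tries to brute-force the digests. Two simplifications matter for a real deployment: the issuer's signature should be a public-key signature so services verify offline and the issuer never sees where a credential is used, and the nonce should be bound to a device-held key (holder key binding) so a captured presentation cannot be relayed to the service within the challenge window.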

Why the initiative deserves to be recognised by an award?

This initiative is committed to children’s protection, aligning data protection rights and evidence-based innovation to improve online safety standards. Recognizing this initiative with an award highlights the importance of this alignment and encourages further development.

The initiative has already been awarded at a national level, for example:

However, its impact extends beyond national borders, and the initiative’s success resonates globally. This allows the AEPD to contribute to a safer digital environment by collaborating with the ISO (in the elaboration of the 27566 standard), the European Data Protection Board (drafting a new statement) or the European Commission (participating in the Task Force on Age Verification under the Digital Services Act), to mention only some significant examples.

Since the initiative focuses on actionable steps, we are also collaborating with both the Spanish and European pilot projects to provide harmonised solutions for age verification based on our initiative. Furthermore, significant efforts have also been made in dissemination and awareness, actively sharing knowledge through different conferences and scientific publications (at the Annual Privacy Forum 2024).

View more information.