The ICDPPC Working Group on Data Protection in Telecommunications adopts a Working Paper on Connected Vehicles

As vehicles become increasingly connected to the Internet and to other vehicles, more and more personal data will be collected and processed by the vehicles. Relevant types of data collected by the vehicle’s sensors may concern driver behaviour or information about other people inside or outside the vehicle. This data may be processed by the vehicle’s IT systems, or when other personal devices connect to it. The advent of autonomous vehicles will raise additional privacy issues, as their functioning will require the collection and use of significant amounts of data.

The ‘Berlin Group’ Working Paper on Connected Vehicles analyses the different types of data that can be collected, generated, transmitted, processed or retained by connected vehicles and identifies the privacy risks involved in these processes. The paper provides recommendations for manufacturers, third party service providers, standardization bodies, public authorities and rule makers as well as for drivers of connected vehicles on how to effectively avert these risks. This initiative also follows up on the ICDPPC Resolution on Data Protection in Automated and Connected Vehicles adopted last year.

The Working Paper is available for download

 

 

ICDPPC Awards 2018: may the best one win!

For its second edition, the ICDPPC Global Privacy and Data Protection Awards have gathered a total of 64 projects submitted by ICDPPC members, now publically available online. A look through the many diverse and inspiring entries presented in the four different categories (Education and public awareness, Innovation, Accountability, Dispute resolution and enforcement) shows the vitality and commitment of privacy and data protection authorities throughout the world in fulfilling their tasks and delivering on their missions.

An online vote will be organised in September 2018 so that each ICDPPC member can cast its vote and designate the award winner in each category. In addition, all entries submitted will compete in the ‘People’s Choice’ category, for which all member authorities’ staff will be invited to vote.

The winning entries to be announced at the 40th Annual Meeting in Brussels, on Monday 22nd October 2018. May the best one win!

 

Chair news #4: Listening, opening up and building

Fast forward. Never a dull moment. That’s how the past months have been going for all of us! While Europeans have been busy with the application of the GDPR, the rest of the world also had to address many privacy and data protection concerns, not to mention the fallout of the Cambridge Analytica revelations. All this of course in addition to our daily tasks and business, and with many eyes looking at the DPA community at international level.

We are certainly not alone, and people are more and more turning to us for guidance and answers. I have experienced this while in Washington late March at the IAPP global summit, and even more in May at the RightsCon Conference in Toronto, a global summit on human rights in the digital age which gathered more than 2000 participants from all horizons. Discussions there were vivid and refreshing, making the case for something which is already obvious for most of us: privacy and data protection can no longer be considered as a mere legalistic issue. It’s now part of our daily life and at the crossroad of many of today’s hot topics such as artificial intelligence, fake news and the right to information, freedom of expression, etc… We can no longer think in silos. We need to open up. And we need to keep our ears wide open and to listen.

The ICDPPC has actually been in an intense listening mode this year! A last consultation round on the future of the Conference has been held in the margins of the European Spring Conference in Tirana in May, and we opened a public consultation to hear views from external stakeholders on our future objectives and missions. Together with colleagues from the OPC Canada, we also took the opportunity of the RightsCon conference to hold a side meeting with representatives of civil society organisations from all around the globe. We gain valuable insights on current expectations towards authorities at international level which will share with you. Oh, and by the way, the Canadian spring was gorgeous and very sunny!

I’m most pleased to see that the strategic consultation agreed in Hong Kong has been a real success, and above all, a healthy exercise which allowed the direct and indirect contribution of most of the ICDPPC members. In total, almost 70 authorities took part to the various consultation rounds held throughout the year and around the globe! Even our website opened up, featuring 5-minutes interviews with key stakeholders such as the UN Special Rapporteur on the right to privacy, the Internet Freedom Foundation of India and Max Schrems. By listening, both internally and around us, one thing is already clear: our future missions and challenges will have to be addressed collectively and inclusively. Cooperation and inspiration beyond our own remits will be key to shape our future objectives and common project.

So, we’ve been listening, we’ve opened up and we now need to start thinking and building. That’s actually our programme for Brussels in October (registration is now open with a special rate for early birds, don’t forget!). In order to get ready for this, we welcomed in Paris two weeks ago a meeting of the Working Group on the future of the Conference. On that same day, the ICDPPC drafting team on artificial intelligence also gathered in our building to prepare for the debate and deliverables in Brussels on one of the top challenge ahead of us. I’m not sure participants had a chance to enjoy the charms of Paris, but the sacrifice was probably worth it, since we made really good progress!

Finally, please pay attention to the upcoming communications from the secretariat, as the closed session is taking shape and you will soon receive more news and details. The work undertaken ahead of our next annual meeting already shows that we are now more than a yearly gathering of authorities. But are we ready to build a new governance model? A real international organisation? We need to build answers to these questions. We also need to build bridges. All this takes time, maybe several years… but we have the whole summer to start making plans and propose some kind of evolution at our October meeting!

 

Cheers!

 

Isabelle Falque-Pierrotin

Chair of the International Conference Executive Committee

5 min with Apar Gupta, Co-Founder and Trustee, Internet Freedom Foundation, India

What were your main takeaways from your participation to the last annual meeting of the International Conference in Hong Kong?

The IDPPC conference is a unique event which through an annual conference brings the regulators tasked with implementing and forming data protection laws in their countries. It brings incredible expertise, sharing of insights, and builds a necessary dialogue to further engage with civil society and the global digital rights community. This realisation seemed to be increasingly felt by the attendees and I hope it is carried forward in subsequent editions. Much more substantively, it was fascinating to note a high level of similarity among the data protection frameworks of various jurisdictions who have adopted privacy principles from the OECD and are looking towards EU’s GDPR as a global code of best practices. While there are many disagreements on nuances, there seems to be broad consensus that the open internet and global data flows require an integrated, international approach to data protection.

How do you do you foresee the role of the International Conference in promoting privacy and data protection at international level?

Such a conference can play an anchoring role at the international level. While already many DPAs, through closed and open sessions, exchange on local challenges and regulatory responses, the presence of civil society can help bridge demands and bring greater understanding of a rights based framework for data protection. The Conference needs to develop diversity in its attendee profile to drive greater legitimacy in joint efforts at international harmonisation, through joint declarations and frameworks, which may with time take the form of treaty texts.

Can you tell us more about the ongoing news for the Internet Freedom Foundation and the most recent privacy and data protection developments in India?

The Internet Freedom Foundation is a digital rights advocacy organisation. We drive towards outcomes through strategies of public engagement, regulatory and litigation for user rights in India. We have over the past two years done considerable work on data protection and privacy organisationally, which include regular comments on draft regulations and public consultations. In order to facilitate and spur on civic action, we simplify and create explainers for our responses to these regulatory exercises. We have even approached the Courts on tenuous issues, such as the sharing of data between Whatsapp and Facebook at the Supreme Court of India, with a view to offer expert views through an intervention on a case seeking to create a right to be forgotten on public records. Much more recently, we have sent a legal notice to the Government on its plans to create a, “Social Media Communication Hub” which will survey and profile social media accounts of users in India. To us many of these problems arise from the absence of a user rights oriented data protection law in India. We have supported a community effort at putting forth a model citizen’s draft through the online campaign saveourprivacy.in.

According to you, what is the “next big thing” in the field of privacy and data protection?

The next big thing in privacy is the old last thing. It is a regulatory acknowledgment in India that innovation cannot be a blanket immunity from data protection laws. It is surveillance reform that brings a rule of law framework to the practices of intelligence organisations. It is holding large online platforms and compulsory biometric identification programs accountable and gauging their permissibility. While scholarship and expert commentary is progressing to fields of machine learning and artificial intelligence, many countries especially India have evaded their constitutional duties to even take care of the bare minimum.

Which word comes first to your mind if you think about privacy?

A sense of freedom, of autonomy, that makes me smile. It is a long walk, a short run, a gentle conversation with a friend, even an argument with my partner. All these experiences and my existence without a sense of a third eye watching over me, trying to actively manipulate my behaviour or putting me at risk. Privacy is about physical and mental freedom from an electronic leash. Privacy is about me being in control of my own life.

5 minutes with Max Schrems, Chairman NOYB

How do you do you foresee the role of the International Conference in promoting privacy and data protection at international level?

I think it will be crucial for the free flow of data to have a widely shared common understanding of rules and interpretation of these rules. Already within Europe the coordination aiming at a common understanding of laws and a similar approach to the enforcement is a complicated task – but the internet and data flows are global. It will be crucial for business and users to work on interoperability and common approaches.

 

With just a few days before the effective application of the GDPR, can you tell us more about your ongoing news and in particular the recent creation of NOYB?

So far we were great in Europe in passing laws and having conference on privacy – what was often lacking, was the enforcement. This was largely due to limitations in the national laws, that made enforcement for DPAs very hard, but also a certain culture in the “privacy bubble” that was seeing this fundamental right as a soft law issue. Article 80 of the GDPR foresees NGOs to have a role in supporting data subjects to also allow NGOs to bring their own cases. We think that noyb.eu can thereby facilitate the enforcement by being an outside pace maker. DPAs should also benefit by getting more targeted and researched complaints on their table.

 

According to you, what is the “next big thing” in the field of privacy and data protection?

I think after GDPR the next big thing will be putting this law into practice, despite all legal uncertainty in the law and the enormous economic interests to limit the impact of the law. On the regulatory front I think we will have to take a closer look at monopoly building, which often has a big overlap with privacy issues and then obviously the big issue of algorithms and AI – where we still have very limited understanding of how to tackle this issue.

 

Which word comes first to your mind if you think about privacy?

Lifelong battle…

Promoting data protection and privacy rights at global level: have your say on the future of the International conference!

Public consultation on the future of the International Conference of Data Protection and Privacy Commissioners (ICDPPC)

The Conference seeks to provide leadership in data protection and privacy at the international level. It does this by connecting the efforts of 119 privacy and data protection authorities from across the globe.

The ICDPPC is a unique network which purposes and main objectives at present are: to promote and enhance internationally personal data protection and privacy rights; to improve data protection and privacy by providing a forum that encourages dialogue, cooperation and information sharing; to draft and adopt joint resolutions and declarations on subjects that warrant the common interest or concern of the accredited members, and promote their implementation; to be a meeting point between accredited members and other international fora or organisations that share common objectives; to encourage and facilitate cooperation and the exchange of information among accredited members, in particular regarding enforcement actions; to promote the development of international standards in the field of protection of personal data.

The Conference is headed by its Executive Committee and is also composed of numerous working groups. It meets annually in a closed session of its members and observers; an open session is also organized in which leading privacy experts from industry and civil society participate.

At its latest annual meeting in Hong Kong in September 2017, the ICDPPC initiated a strategic consultation among its members in order to further define its objectives, identity and structure (Project Page). With a view to complement this internal process, the ICDPPC is launching a public consultation open to all individuals or organisations willing to give their views about the future of what has been the premier global forum for data protection authorities for nearly four decades now.

Should you wish to participate in this consultation, please consider the following indicative questions in order to develop your contribution:

  • In your view, what should be the main objective of the ICDPPC as an international network of data protection authorities? What are your main expectations regarding the ICDPPC activities and outcomes in the field of privacy and data protection for the years to come?
  • Which key privacy and data protection challenges should the ICDPPC address as a priority in the future? Do you consider that organisational or structural changes are needed for the Conference to succeed in delivering on such challenges?
  • As an external stakeholder, do you foresee the need for an increased role and visibility of the ICDPPC at the international level? If yes, which tools and activities should the ICDPPC develop for this purpose?

When submitting your contribution, please, indicate the response to the questions below:

  • What interest group do you belong to? (select)
    • Observer of the ICDPPC
    • NGO
    • Business /industry
    • Academic /think tank
    • Public authority
    • Government
    • Other (please specify)
  • Have you participated in the ICDPPC as a delegate or a speaker in the past five years? Yes/No.
    If yes, what was your main objective to achieve at the conference? (please select all that apply).

    • Networking with privacy enforcement authorities
    • Understanding the latest developments in privacy/data protection
    • Networking with other non-privacy enforcement authority delegates
    • Speaking on a specific topic (keynote, panel etc) or exhibiting
    • Other (please specify)

  Read More

Conférence Internationale sous le thème : « La protection de la vie privée et des données personnelles : un levier de développement en Afrique »

Casablanca, jeudi 22 février 2018

Allocution de Mme Isabelle FALQUE-PIERROTIN, Présidente de la Commission Nationale de l’Informatique et des Libertés (CNIL), Présidente de la Conférence Internationale des Commissaires à la Protection des Données et à la Vie Privée (ICDPPC)

 

– Seul le prononcé fait foi –

 

Monsieur le Président du Réseau Africain des Autorités de Protection des Données Personnelles,

Mesdames et Messieurs les Présidentes et Présidents d’autorités,

Monsieur le Secrétaire Général,

Mesdames et Messieurs, Chers Collègues,

 

C’est un honneur d’être parmi vous aujourd’hui en tant que Présidente de la Conférence des commissaires à la protection des données et à la vie privée. Je tiens à remercier vivement le Réseau Africain et la CNDP du Maroc pour l’organisation de cette conférence et l’opportunité qui m’est donnée de m’adresser à vous sur le sujet de la protection de la vie privée et des données personnelles en Afrique.

Le sujet des données et de leur protection est en effet de plus en plus central dans tous nos pays. L’Europe vient de se doter d’un encadrement juridique nouveau (RGPD), la Cour suprême indienne  a reconnu il y a quelques mois le droit à vie privée comme un droit fondamental,  le Congrès américain a approuvé il y a quelques semaines la ré-autorisation des programmes de surveillance des services de renseignement se fondant sur la fameuse section 702 du FISA, et ce malgré les nombreux appels au niveau international pour introduire des garanties supplémentaires.

En Afrique, ce sujet résonne avec de nombreux enjeux qui sont les vôtres, que ce soit ceux liés à l’économie numérique, à la sécurité ou à l’état de droit.

Vu de toutes les capitales,  l’Afrique numérique est en effet en marche.

Un récent rapport de la Conférence des Nations Unies sur le commerce et le développement (CNUCED) montre que l’économie numérique connaît une croissance sans précédent en Afrique, et certains décrivent le continent africain comme la « nouvelle frontière » ou « terre promise » de la révolution numérique : en effet, si l’Afrique est la région qui affiche la plus faible pénétration de l’Internet haut débit, elle possède le taux de croissance le plus élevé en la matière, et la hausse des abonnements à l’Internet mobile s’est accompagnée d’une augmentation significative des importations d’équipements de communication. Le nombre d’abonnés à la téléphonie mobile devrait dépasser le milliard en 2020. De fait, l’Afrique semble effectuer un bon en avant technologique, le fameux leapfrog, passant de la quasi-absence de connexion directement à la technologie 4G.

  • Ces évolutions seront discutées et débattues dans le détail au cours de cette conférence, mais je voudrais partager avec vous le fait que ce contexte offre aux autorités de protection des données une opportunité singulière. L’opportunité d’intégrer le plus en amont possible la protection des données dans les plans de développement et d’assurer ainsi un cadre de confiance attendu par les consommateurs et les investisseurs.

Plusieurs raisons vont dans ce sens.

La confiance repose tout d’abord sur les systèmes d’information qui vont être mis en place pour cette économie numérique et les conditions dans lesquels les flux de données, commerciales notamment, circulent. Or, assurer la protection des données personnelles c’est d’abord assurer leur sécurité. Et à l’heure des failles géantes et répétées comme celle ayant affecté les comptes de millions d’utilisateurs de Yahoo, celle des poupées connectées en Europe, ou encore la faille du « Master Deeds » en Afrique du Sud, nous voyons que cet impératif de sécurisation des données est devenu une priorité partout dans le monde.

La confiance est également nécessaire du côté des usagers et des consommateurs. A l’heure du numérique et de la volatilité croissante des mobinautes, un tel facteur est de plus en plus déterminant pour les affaires. Dans tous les pays, les consommateurs comparent, la société civile commente et, le cas échéant, se mobilise.  Dès lors, c’est par la définition d’un cadre juridique qui garantit les bonnes relations entre les utilisateurs et les opérateurs, les conditions de l’exportation des données ou de la sous-traitance que l’économie africaine pourra se développer.

D’ailleurs, cette transparence sur l’utilisation des données, cette responsabilisation accrue pour ceux qui les traitent, c’est aussi la philosophie du règlement général sur la protection des données (RGPD) ; par ce texte, les européens expriment la conviction que la protection des données peut constituer un véritable avantage concurrentiel dans une économique numérique globalisée de par la confiance accrue des consommateurs qu’elle suscite.

J’aimerais  que vous puissiez partager cette conviction et convaincre vos gouvernements et vos entreprises de sa pertinence.

L’Afrique peut aussi tester des modèles plus innovants autour des données qui répondent mieux aux exigences ou contraintes spécifiques de son marché : des technologies et applications moins consommatrices en données et construite sur la base d’une architecture nouvelle, plus décentralisée et multipolaire. D’aucuns parlent d’une « innovation frugale » et ces nouvelles approches peuvent séduire au-delà du continent africain tant elles résonnent avec des principes comme celui de minimisation des données en Europe par exemple.

Finalement, et à la différence d’autres régions du monde où les écosystèmes héritent d’un passé souvent lourd à faire évoluer, l’Afrique peut faire de son rattrapage numérique un véritable argument en faveur d’un modèle de protection des données très innovant,  protection prise en compte en amont dans sa stratégie numérique et lui apportant le cadre de confiance indispensable pour ses consommateurs ou investisseurs.

  • Les autorités de protection des données ont un rôle central à jouer dans ces évolutions.

Elles commencent à se mettre en place dans les différents pays au fil des lois qui sont adoptées sur le sujet. Nous avons pu voir une évolution positive et rapide dans de nombreux pays africains, avec l’adoption progressive ces dix dernières années de nouvelles lois sur la protection des données, la création d’une douzaine d’autorités de contrôle et la création récente du Réseau Africain. Tout ceci est la preuve que ce développement règlementaire peut aller vite et de manière effective.

Mais de grandes économies africaines comme l’Ethiopie ou le Kenya, ou des pays en pointe dans le développement numérique comme le Rwanda, ne disposent à ce jour ni de législation spécifique, ni d’autorité indépendante pour garantir le droit à la vie privée et à la protection des données personnelles.

En outre, lorsqu’elles existent, il est essentiel que les états donnent à leurs autorités nationales les capacités et les moyens pour remplir leurs missions. Cette exigence ne se pose pas uniquement ici en Afrique, nous devons la défendre également en Europe et ailleurs dans le monde.

Il y a naturellement un effort pédagogique à mener auprès des gouvernements mais aussi des entreprises pour faire passer ce message. Trop souvent, nos autorités sont perçues comme des contrepouvoirs agaçants, des empêcheurs d’innover en rond. Trop souvent, la protection des données est exclusivement identifiée comme un enjeu de droit de l’homme et certains s’en méfient ! Il faut clarifier notre positionnement : notre métier, n’est pas celui de la liberté d’expression même si il lui est intimement lié. Il est de favoriser l’utilisation des données personnelles par les acteurs publics ou privés mais en respectant les droits des personnes. En matière de développement numérique, nous pouvons aider, nous  ne sommes pas un obstacle au développement ou à l’innovation ;  au contraire, nous les accompagnons et nous aidons à construire une innovation plus durable car respectueuse des personnes et plus sécurisée.  Dans la période qui a débuté en 2011, post-Snowden,  les individus sont demandeurs de garanties accrues sur le traitement de leurs données, que ce soit par les gouvernements ou les entreprises.

Vous pouvez donc être des partenaires légitimes de la révolution numérique africaine, en respectant votre rôle et vos attributions spécifiques, y compris pour favoriser l’innovation et la libre circulation des données. Le pari européen en la matière avec l’application effective du RGPD pourra, je l’espère, en faire la démonstration pour d’autres régions dans le monde.

Au-delà de l’économie numérique, les autorités de régulation ont un rôle essentiel à faire valoir dans la mise en place et la défense d’un état de droit. Le monde est de plus en plus global et nous partageons des enjeux communs comme la lutte contre le terrorisme. Mais, comme le groupe des autorités européennes a pu le dire dans son avis sur le Privacy shield, il faut que des garanties essentielles soient respectées lorsque les Etats ou leurs services de renseignement ont accès aux données des citoyens. Si les pratiques et cultures peuvent différer d’un pays ou continent à l’autre, l’on voit bien que le respect des droits des personnes est une revendication croissante des populations, une société civile internationale se met progressivement en place, et nos gouvernements doivent en prendre la mesure.

Là aussi, les autorités africaines doivent être considérées comme un partenaire dans le développement de l’usage régalien des données personnelles, en jouant leur rôle d’aiguillon pour que soit maintenu le cadre démocratique et le pacte sociétal qui s’impose aux gouvernements.

Donc, que ce soit vis-à-vis des entreprises comme des autorités publiques, les autorités africaines de protection des données africaines, ont, j’en suis convaincue, un fort intérêt à consolider ce rôle de partenaire, ce qui leur permettra d’accompagner au mieux la prise de conscience politique au niveau régional des enjeux relatifs à la protection de la vie privée et des données personnelles.

Le travail en cours au sein de l’Union Africaine pour la définition de lignes directrices sur la protection de la vie privée et des données personnelles est à ce titre une opportunité à saisir. A l’image du G29 en Europe, le RAPDP peut devenir l’interlocuteur privilégié des organisations supranationales africaines, pour que la révolution numérique en Afrique soit aussi un catalyseur pour l’innovation et le renforcement des droits des personnes.

  • Tous ces développements justifient que l’Afrique soit plus présente dans la communauté mondiale des autorités de protection des données et y fasse entendre sa voix. Qu’elle puisse prendre part au débat sur les modèles de gouvernance à définir au niveau international.

Cette communauté des autorités existe depuis environ 40 ans. Elle se traduit jusqu’à présent principalement par l’organisation d‘une conférence annuelle qui voit ses membres régulièrement augmenter : près de 120 membres en 2017 àong-kong Hong-Kong en octobre dernier. En filigrane de cette manifestation se nouent aussi depuis quelques années des relations plus opérationnelles entre les membres, sur les contrôles ou sanctions communes, sur l’éducation au numérique.

Face à ce foisonnement de membres, face aux besoins croissants de bénéfices plus opérationnels qui s’expriment entre eux,  la Conférence mondiale s’interroge aujourd’hui sur sa stratégie, sur son identité propre dans le monde numérique transfrontière. Ce questionnement n’est pas une remise en cause du passé mais il illustre plutôt la nouvelle maturité de cette enceinte qui se vit de plus en plus comme un réseau, à l’image de l’organisation du monde numérique. D’ailleurs, c’est là que réside notre force : les enjeux et défis que j’ai pu mentionner ne peuvent être relevés que si les autorités de protection des données sont capables d’agir ensemble, à la même échelle que les acteurs numériques que nous connaissons et de bâtir un écosystème de régulation combinant l’échelle mondiale et régionale.

Dans ce contexte, nous avons besoin d’entendre la voix de l’Afrique, de ses besoins et de ses spécificités. A cet égard, l’élection de Marguerite Ouédraogo au sein du Comité exécutif de la conférence internationale est un signal fort. Je me réjouis  aussi que le Réseau Africain consacre une partie de son assemblée générale de demain à la réflexion stratégique sur l’avenir de la Conférence Internationale, un processus qui pourra j’en suis sûre aussi servir les objectifs de développement et de coopération entre les autorités africaines.

La Conférence internationale doit être envisagée comme un forum ouvert et continu de dialogue et de coopération entre autorités au niveau international, s’articulant avec les forums régionaux. Ce dialogue se traduit par une approche de plus en plus multilatérale, où chaque pays ou région peut être entendu et faire valoir son modèle. Les solutions qu’appellent le numérique sont d’ailleurs souvent à l’intersection de plusieurs cultures juridiques et elles se nourrissent des contraintes des uns et des autres, qui nous poussent à innover.  Nous pouvons tous en tirer parti mutuellement, les autorités nouvelles comme les plus anciennes. Et nous pouvons être plus efficaces dans nos objectifs de développer des outils communs afin que les différents cadres juridiques existant en matière de protection des données puissent « se parler » et « s’entraider ».

Le RAPDP, en grandissant et en s’affirmant au sein de ce forum mondial pourra également contribuer à l’émergence d’une souveraineté numérique africaine bénéficiant au développement et aux droits de chacun.

Enfin, faire entendre la voix de l’Afrique est aussi essentiel pour nos discussions de fonds. Je pense ici en particulier aux questions relatives aux algorithmes et à l’intelligence artificielle. Nous attendons avec impatience vos contributions futures sur l’ensemble de ces sujets.

 

Conclusion

Chers amis, je me réjouis de ce moment que nous allons passer ensemble. Je tiens à remercier à nouveau vivement nos hôtes marocains. Je suis sûre que nous allons apprendre beaucoup les uns des autres.

Je souhaite pour terminer ajouter un dernier élément qui je l’espère pourra alimenter nos discussions aujourd’hui : un des atouts majeurs pour l’Afrique dans cette révolution numérique c’est probablement sa jeunesse, qui s’empare des nouveaux usages et invente de nouveaux modèles de coopération et d’innovation. C’est un atout que les autorités africaines devraient également prendre en compte en l’accompagnant, notamment en s’ouvrant encore plus sur les relais que peuvent représenter les organisations de la société civile, pour soutenir ensemble le développement numérique de l’Afrique.

Je vous remercie.

5 minutes with Joe Cannataci, UN Special Rapporteur on the right to privacy

You have addressed the International Conference at its annual meeting this year, what are your main takeaways from the discussions held in Hong Kong?

I would like to see more harmony in meetings, more efforts to become really global. Clearly the conference has a decision to take: either be a club for those people who are already serious about data protection or a club of for those who want to be serious about data protection. Can it be both? Probably yes. Should it be both? Probably yes.

How do you do you foresee the role of the International Conference in promoting privacy and data protection at international level?

More or less the same but with more innovation, especially in other privacy-related areas, beyond the issue of data protection. I am keen to see the Conference to take a more active role in surveillance. Not surprising! I would be very happy if this could work in synergy with my UN mandate.

Can you tell us more about the ongoing project of a Draft legal Instrument on Government-led surveillance? Which are the next steps and what are your expectation in terms of outcome and delivery?

The legal instrument, developed jointly with EU support and under the special mandate of the UN, led common meetings gathering all stakeholders (e.g. intelligence community, police, civil society, lawyers). All of them behind closed doors in New York, Miami, Paris, Malta… Last week we had the first public meeting in Rome. Each meeting, more people… I am encouraged by the progress made. The text is now public. Nobody contested that we need a clear comprehensive global framework which deals with surveillance but some governments have opposition or reservations on a legally binding agreement. One the contrary, some governments are in favor. We received positive feedbacks on several aspects from the European bar associations, Europol, several Data Protection Authorities, some members from civil society and experts from the Council of Europe. Companies such as Facebook, Microsoft, Google, and Yahoo participated in these meetings as well. All of this is very encouraging.

We should keep on going. The text is far from being in a position to be something ready for inter-governmental discussion let alone signature. We  are not there yet. My role so far was has been to facilitate the discussion while identifying issues. And there are still issues of timing to sort out. Two questions are ahead of us: Is the draft ready? No. The answer is clear. There is a need for more consultation and further refinement of ideas, wording and solutions. Is the world ready? No, because as demonstrated, for example, in June 2017 with the issue of IT system security, the world is not able to come to an agreement on matters such as cybersecurity and international law in the field cybersecurity. The failure of the UN GGE (Group of Governmental Experts) is one of the most recent examples and a serious reminder that some countries in the world are not yet ready to come to the table in good faith even if many others are willing to make progress. Nobody can ignore the international climate of distrust, nor the lessons of history looking at how other instruments at UN level were born. They require a long period of preparation and especially time is required for countries to coalesce around the idea.

History teaches us that at least one region, preferably two or three, from the UN family should take the initiative before a new instrument is born.  So it needs to be encouraged by a significant number of countries. The next steps are for the MAPPING Project to present the instrument to the EU Commission and EU Parliament in 2018. We look forward to creating synergies over the next three years in order for the draft legal instrument to become part of the EU strategy and part of the EU roadmap on how to engage with the world when it comes to privacy, surveillance and Internet governance. I will be in Geneva on March 5th at the Human Rights Council as special rapporteur, presenting a summary of discussions and I will be including the current text in annex to give an idea of what parts of a future text could look like. But taking into account the timing consideration, I do not foresee making more concrete recommendations just now, I would rather expect that progress at regional level and cross regional collaboration would put the Human Rights Council and the UN General Assembly into a far more receptive mood in three or four  years’ time. Those three or four years will be full of work and the ideas that are now public will thus have the time to be refined further, with more consultation with stakeholders in order to gain a better understanding of what can be practically achieved. Baby steps at first…with more to be achieved during upcoming years!

According to you, what is the “next big thing” in the field of privacy and data protection?

Everything that is “smart”, especially in the context of smarts cities, IOT, connected things including AI.

Which word comes first to your mind if you think about privacy?

“Personality”, Privacy is an essential component when it comes to exercising my overarching right to the free development of my personality.

Chair news #3: Looking for sun!

Hello to all of you, “The future is bright”. This was one of the slides presented by a speaker from civil society at last week’s conference in Casablanca. The African Network of data protection authorities was meeting and analysing how data protection could be a development leverage for the continent.  The discussion was truly inspiring, so many ideas and so much energy among all actors. Of course, a lot of challenges remain. But the African “digital revolution”, as some may call it, could offer a real opportunity to integrate from the start privacy and data protection in the digital ecosystem they want to build, attractive for consumers and investors.

The day after the conference, sun was still shining in Casablanca. The African network held its general assembly, starting with a discussion on the future of the International Conference, making its voice heard on the road we want our organisation to take.  With all these regional conversations through which ideas and needs are expressed, I believe we have a unique opportunity to build a collective project for our Conference. And I am eager to see the working group in charge making the most of these inputs.

Three weeks ago, a bright sun in Brussels also welcomed the election of our colleague Andrea Jelinek as the new Chair of the Article 29 Working Party. I had the opportunity to pass on all my wishes of success to Andrea, whom I am sure will deliver on the upcoming new chapter for data protection in the EU with the effective application of the GDPR as of 25th May.

25th May, this date has been repeated over and over during the last two years. Some commentators made it an absolute deadline, sometimes depicting it as a global data protection big bang. But it is not a revolution, most of the principles are known since 1995. It is actually more like a step forward, or a jump ahead, for which companies around the globe as well as data protection authorities have been preparing intensively. Europeans are now busy finalising the setting up of the European Data Protection Board, the final stage of the new EU governance model, which will be key to ensure the consistent application of the new European data protection regime, but also its interactions with authorities outside the Union.

In Brussels, the Article 29 Working Party also organized its session on the future of the Conference. I had the pleasure to chair the meeting together with a representative of the Office of the Privacy Commissioner of Canada. A report on the talks is already available.

Now I’m back in Paris. We are freezing below zero and there is no sun. But light can come from virtual things nowadays! I am glad to tell you that, through the poll that has been organized, our members have chosen artificial intelligence as the key theme for our closed session in October. Artificial intelligence being the new buzzword in the media, the next big thing or even sometimes the subject of fanciful analysis, it may be useful for us to take a clear stance on the matter, and to define our common interpretation on how best to address this technological development from a privacy and data protection perspective in the future.

As you can imagine, the Brussels annual conference already keeps the ICDPPC Executive Committee busy, with the preliminary work on the preparation of the closed session, on which I’ll be keen to keep you updated in future communications. I know for sure that we won’t be missing topics for discussion in Brussels since, when it comes to privacy and data protection, there is always something new under the sun!

 

Yours truly,

 

Isabelle Falque-Pierrotin

Chair of the International Conference executive committee

Chair news #2: from Vancouver to Paris!

For this first message since Hong-Kong and even if it was quite a long time ago I would like to start by thanking Stephen Kai-yi Wong and the Office of the Privacy Commissioner for Personal Data in Hong Kong for hosting such a wonderful Conference. It was a great moment but also a symbolic one because we, collectively, as the Conference, decided to set up the scene for our future. This is extremely positive since it shows that we have come to a mature stage where we can ask fundamental questions such as: who are we and where do we want to go collectively? How can we make a difference and bring added value in the current global ecosystem?

Based on the solid work conducted on the future size and membership of the Conference the past year, we have decided, with my co-Chair of the Working group, Daniel Therrien, to rely on existing networks to gather as much as we can our views and feed our reflections with this substance. The more open the process will be, the more fruitful and legitimate the output will be.

In November, I joined Daniel for the 48th APPA Forum in Vancouver where we kicked off this first discussion. Participants expressed views on a wide range of issues such as the Conference’s influence and policy leadership, its global outreach and cohesion, but also its governance, structure and cooperation methods. For sure, the ideas put forwards in Vancouver will be a valuable input in defining new objectives and the necessary means to achieve them. On top of it, we had the chance to discover the extraordinary Vancouver scenery and had a great time with our colleagues.

This month, the French-speaking data protection authorities network (AFAPDP) held a meeting in Paris on the occasion of its 10th anniversary and also dedicated a session to the future of the International Conference. Again, with Daniel, we organised the discussion and, after a lively debate, many concrete proposals were put on the table. As in Vancouver, the exercise was not to agree on a position but to hear all views and gather all inputs in order to trigger the reflexion process. Then the authorities viewed the exhibition “Terra Data” within the Paris Sciences and Industry Museum. A great attempt to give concrete life to our subjects, which are sometimes a bit theoretical for the general public. If anyone is interested, this exhibition can tour!

The next rendez-vous for the consultation process will be in February in Brussels where EU authorities, members of the Article 29 Working party will get involved; other networks will follow in the upcoming months, so let the discussion continue!

Discussions reports of the APPA and AFAPDP meetings will be sent to you shortly and to the members of the working group on the future of the Conference.

On the European side, please let me just give you a quick update on our progress made regarding the GDPR implementation. We are finalising our guidelines and we expect to adopt most of them by the end of February in order to give as much as possible a clear interpretation of this new EU legal framework. All these documents are available online, so please feel free to have a look, and let us know what you think of them. Also, I am happy to share with you that a GDPR event will be organized in Brussels in October 2018, at the next international conference. Having all of us gathered at the same time in Europe the year the Regulation enters in application, just seems the perfect opportunity to have a “GDPR Talk”. Additional details will be communicated in due time but, for now, please pin down this event in your calendar!

This is all I can tell you now, before the year ends. I will end my note by wishing you, in all languages, a very, very Happy New Year 2018. I hope to see you join the conversation on the future of our Conference and I very much look forward to continuing the discussion with you,.

 

Yours truly,

 

Isabelle Falque-Pierrotin

Chair of the International Conference executive committee