Category Archives: Other

Elizabeth Denham, UK Information Commissioner and outgoing Chair of the Global Privacy Assembly, delivered the following speech at the 43^rd Global Privacy Assembly conference, hosted digitally by INAI, Mexico.

—

I’m here to discuss convergence and international standards. I want to talk about three foundations for convergence that already exist. And then I want to talk about three ways we can build on those foundations in the future.

First, let’s briefly discuss why convergence has a role to play.

Our digital world is international. Data flows around the world in a heartbeat. I open up my phone, check an app, and in a moment my data travels around the globe. Services like geolocation and cloud computing all rely on international data flows.

But the checks and balances on this data are domestic.

That brings problems.

It can mean that when a multinational company doesn’t follow the rules, or when there is an international data breach, the ability for regulators to work together across jurisdictions can be limited, as we try to match up our differing legal systems and approaches.

It can mean that businesses have to follow several sets of rules to reach a single customer base, spread across jurisdictions. Or that people are unsure what their protections are, or where to turn for help.

And it can mean a system for international data flows based on assessments of how other nations’ laws measure up to our own, no matter how many flaws we may be willing to acknowledge in our own systems.

The result is an international problem that could be costing economies around the world billions of dollars.

Convergence – through common standards and better architecture between our laws, could reduce those problems. But how do we achieve that? That is what I want to discuss today.

 

Mexico

Before I begin discussing the foundations for convergence that already exist, and how we can build on them, allow me a brief tangent.

We were, of course, originally scheduled to be discussing this topic in person, in Mexico City. I’ve been fortunate enough to attend a number of GPA and ICDPPC conferences, and been lucky enough to see some incredible parts of the world as a consequence – including Mexico back in 2011. And much as I love London, it isn’t the same as enjoying Mexican hospitality.

So while we can’t travel to Mexico, I’ve tried to bring a little of Mexico to us today. I’ve themed my speech today around some of the incredible historic sights the country has to offer. I hope one day I can again experience these sites in person.

 

Building on the foundations of convergence

Let’s begin with my next slide, the Pyramid of the Sun at Teotihuacan. A step pyramid built around 1,800 years ago, it is 75 metres high and more than 200 metres across.

Having climbed to the top myself, I can tell you that’s high.

It was built from two and half million tonnes of stone and earth, with each tier rested securely on the wider tier below.

This is how our moves towards greater international convergence must be constructed, if we are to reach the heights we aspire to. We must build on the carefully constructed work already completed.

The GPA has been central to the work in this area. The Assembly exists to bring together data protection and privacy authorities from around the world, and that international collaboration is the very first foundation of any convergence. What’s more, work by a GPA working group to analyse ten global frameworks from across the world showed strong commonalities. In particular, there were overlaps in the core principles and data subject rights, and also in requirements for independent supervisory bodies.

Those findings should perhaps come as no surprise. The development of data protection legislation in the last decade has seen a model of building ‘best of breed’ laws, with the newest privacy laws, such as those in Brazil and California, standing firmly on the shoulders of other existing laws.

That’s a sensible approach, as common features across laws bring a greater ability to share expertise and even work together on investigations, as well as increasing the potential for free flow of data between countries.

That free flow of data was a central motivation for the recent meeting of G7 data protection and privacy authorities, another part of the pyramid we can build upon. The meeting grew from the ambition of ‘data free flows with trust’, a central part of the 2019 G20 in Japan. We discussed at our G7 meeting how we could better work together on topics like AI, cookies and national security. The focus was on where we could commit to making progress that would have a positive impact for each of us domestically.

It is clear that we have a considerably wide base with which to build further convergence. I’ve not touched on the Council for Europe’s work in this area, for instance. But it is clear too that our work only goes so far. There are no easy answers here – if there were, we would already have taken them.

 

Respecting cultural differences

I’ll move now to my next historic sight of Mexico, and the UNESCO protected Cozumel reef. The reef is part of the second largest system in the world, which is home to more than a thousand marine species, living side by side.

That respect for one another’s cultures and approaches is another key foundation for convergence.

I think this is an important point. Historically, convergence has too often been seen as a shorthand for ‘why don’t you converge with my approach, or my law’. And that hasn’t worked.

Convergence has to be a meeting in the middle, and I think there’s a much better appreciation of that now. Our countries all have different legal structures, different administrative setups, and different cultures built on different histories.

Convergence must not mean leaving those differences behind. Instead, it needs to be about finding ways to join together these differences, and to weave a meaningful safety net of protections that work globally.

As an aside, that respect for another’s cultures has been one of the real impressive aspects of our conference this week.

For someone who has worked in data protection as long as I have, hearing so many bright minds engaged in discussing privacy is so positive. There has always been expertise in this field, but the diversity of knowledge now is what stands out. We have the brightest minds in academia, business, in law and in the regulatory and policy space all wanting to work on privacy issues. And we have the international diversity too – the Global Privacy Assembly really does bring voices together from all parts of the world. That diversity gives us so much collective wisdom.

 

Our response to the pandemic

Which brings me on to the third foundation of convergence

This is the Hospital de Jesus Nazareno in Mexico City. It is said to be the oldest hospital on the continent, and to have been built at the behest of controversial Spanish Conquistador Hernán Cortés.

It remains in operation today, and like most hospitals around the world, has spent the past couple of years facing the challenges of the COVID-19 pandemic.

The pandemic has brought a great number of challenges to our community.

But it has shown the value of privacy too, and how we benefit from our shared expertise.

I saw this first hand in the UK. When the UK government wanted to develop a contact tracing app, it considered data protection at an early stage, and it consulted with my office. The government understood that answering the questions we posed on transparency, legality and fairness would help to develop an app trusted by more people.

The advice my office provided government was informed by conversations we had with colleagues across the Global Privacy Assembly network. Regulators across the world were facing similar challenges, and we all  benefited from the shared wisdom of the Assembly.

Crucially – and this goes back to my conference opening yesterday – I saw our community asking the right questions. Do we understand how people feel? And how can we make sure our input is providing practical value?

When I look now through the ICO’s opinion on contact tracing apps, and through the GPA’s Compendium of Best Practices, I think the benefits of focussing on those two questions shines through. Privacy remained relevant.

And if you’ll allow me just a moment’s reflection, I believe the success of our community’s response to COVID-19 was built on the modernisation of the GPA.

We are now a year round assembly, able to respond quickly to challenges that arise between conferences, such as the COVID-19.

We are more collaborative than ever, able to share our expertise and to speak with one voice, as we did when we emphasised the importance of continued protections for people’s data rights during the pandemic.

And we are more outward facing than ever before, working with so many of you, including the likes of the OECD, the UN and the WHO, to make sure the advice we offered through the pandemic is rooted in practical benefit.

Our teamwork, across the privacy community, showed that we can work together, no matter our differing laws and cultures.

The pandemic showed how convergence could work.

 

Building common principles

But it showed too that we still have further to travel, if we are to truly benefit from the potential of convergence.

I will now set out the three areas where our experience shows that more must be done, to build on the foundations of convergence already in place.

The Kukulcán is a step pyramid in the south of Mexico. Across its four sides, the pyramid has a total of 365 steps, one for each day of the Mayan year.

Early separation of the year into formal calendars gave a framework for Mayan society, and was important for trade, agriculture and religion.

As we look to the next stage of international convergence, we need to find our own framework. We need recognisable common principles that can translate across borders.

Aspects like transparency and fairness are not specific to a single law or regulatory approach, and so can act as a bridge to better international collaboration and cooperation.

This is work that is already underway within the GPA. Our Global Frameworks and Standards Working Group has focused this year on key principles that members can agree on, touching on aspects including the independence of data protection authority, international transfer mechanisms and government access to data. The latter has resulted in a resolution we’ll discuss in the closed session later this week.

The Council of Europe’s work around C108 and C108+ has also looked to set common principles. And there is potential too for further exploration of how codes and certifications, including those led by business and trade groups, could assist in this area.

But it is clear that there is room for further progress.

 

Architecture to join our laws

Let’s move to our next sight.

The Copper Canyon is a network of canyons covering 65,000 square kilometres. The Canyons are linked by the Chihuahua al Pacifico, a railway passing over 37 bridges and through 86 tunnels.

The architecture needed to join the different canyons is a neat analogy for the second area where we need to build on the foundations for convergence.

It is accepted that the flow of data, from individual to organisation, from organisation to organisation, from country to country, is integral to digital innovation.

It is accepted – I hope – that such data flows rely on the public trust earned through sensible data protection regulation.

And yet we continue to consider those protections domestically.

We do have systems to transfer data internationally, of course. CBPRs enable data flows in parts of the world, while elsewhere adequacy agreements have their place.

But it remains the case that we are working with a series of bridges, rather than a single railroad.

What we need is better architecture to join together our world, and to allow different laws to work side by side. We need a railroad through the canyons.

 

A new approach

Which brings me to our final Mexican historic site. The Temple of San Agustin is a 16^th century church. A beautiful white stone building built as a convent, with an eye-catching bell tower and historic murals.

But it is also abandoned. The convent was built near a lake, and flooding in the 17^th and 18^th century kept washing away the friars’ work. Eventually, they gave up fighting the waters, and moved away.

There is a lesson there for today. We are all proud of our domestic laws, built with good intentions. But if the waters of international digital innovation keep washing away our work, at what point do we need to move to a new approach?

It is my view that there is a real urgency to this work. The pace of acceleration in digital uptake, and the increasing use of data in innovation brings those flood waters ever closer.

We are not making quick enough progress in our response. Talk of convergence has, for too long, stalled around a sense of us needing to pick a favoured legislative approach or scheme, and insist it is extended to all four corners of the world. As our community spends time focusing on faults with one another’s regime, businesses are left with unwieldy processes that increasingly make privacy and data protection feel like too heavy a burden.

To put is simply, we risk all of our good work being washed away.

It is my own view that fresh thinking is needed. What is needed is a Bretton Woods for data, repeating the 1944 conference that brought together 730 delegates from almost 50 countries to consider how the world could rebuild from war. Delegates came from diverse cultures, and brought diverse ideas, but with a united understanding: the old system had failed, and a new one, built on international cooperation, was needed.

A Bretton Woods conference could provide the melting pot of ideas needed to take this forward, something I have spoken about recently at Oxford University.

That could be in the shape of a global data protection accord. An accord that found common ground between nation’s data protection regimes would enable member nations to better work together, and could allow for the transfer of low risk data to countries who were fellow members.

But that’s only one idea – we need more ideas, and more discussion.

I know the data protection community stands ready to be part of the solution. I see that in my work with the GPA. I see the ambition when I talk with my G7 colleagues.

But that challenge must now go further.

The challenge must go to governments and international organisations like OECD, Council of Europe and WTO, bodies with the convening power to make a Bretton Woods conference for data happen.

And then the challenge must go further afield. Data is such a broad, cross societal issue that impacts every facet of our lives. And so the solutions must come from the bright minds across society from think tanks, academia, from civil society, from businesses and from the people whose trust so much relies on.

 

Conclusion

I want to be clear. My view is that finding a solution here – building on our existing foundations, and finding a way for international convergence – is achievable. We can make this happen.

But we must decide to do this. As a community, regulators, business, civil society, and especially policy makers, must commit to making it happen.

• That will mean compromise.
• It will mean conversation.
• It will mean accepting that there is not a perfect solution.

If we get it right, there is no limit to how high we can build our pyramid.

The Global Privacy Assembly’s (GPA) Chair and Executive Committee are delighted to announce Shoshana Zuboff as the first winner of the Giovanni Buttarelli Award.

Dr. Zuboff, Professor Emerita at Harvard Business School and author of The Age of Surveillance Capitalism, has been recognised for her exceptional contribution to international data protection and privacy.

Elizabeth Denham, outgoing GPA Chair and UK Information Commissioner, said: “Shoshana’s work as an academic and an author has revolutionised the way we look at data and data protection. The Executive Committee and I could not have been more excited about this choice. Many congratulations!”

The inaugural GPA Giovanni Buttarelli Award was presented at the Open Session of the 43rd Global Privacy Assembly Conference on 19 October 2021.

The Award was created by the GPA Executive Committee in 2021 in memory of Giovanni Buttarelli, former European Data Protection Supervisor and Executive Committee Member. It aims to recognise Giovanni’s invaluable contribution to the international data protection and privacy community as a leader and as a passionate advocate for international collaboration.

Ms. Denham said: “Giovanni was an inspiring leading figure in the GPA community. He understood that the only way to face today’s challenges was by working together. Most important of all, Giovanni had a vision to ensure a fairer digital future for all. This Award will help to carry on his legacy in the years to come.”

Mr. Wojciech Wiewiórowski, European Data Protection Supervisor, said: “Professor Zuboff’s ideas and forward-looking vision have captured the general public attention on how digital market dynamics are deeply affecting societies, freedoms, and rights. Her ideas have inspired a wider change on how the privacy-specialised community approach these topics.”

Dr. Zuboff said: “I shall not rest until the digital lives in democracy’s house… a world in which we all benefit from new knowledge, where data collection is tethered to fundamental rights, and data use is defined by public service and democratic flourishing. This is the future that the world yearns for and deserves.”

Watch the Award acceptance video below.

The GPA Executive Committee would also like to sincerely thank the Buttarelli family for their support and for endorsing this Award.

For more information on the GPA Giovanni Buttarelli Award visit: https://globalprivacyassembly.org/news-events/giovannibuttarelliaward

Ce communiqué de presse est disponible en français.

Este comunicado de prensa está disponible en español.

Privacy is getting increasingly important in the digital age, so what can data protection and privacy authorities do to further uphold people’s fundamental rights?

These were central issues under discussion as the Global Privacy Assembly joined together for their 43rd Closed Session (20-21 October).

The virtual conference was hosted by National Institute for Transparency, Access to Information and Protection of Personal Data (INAI), Mexico, and brought together more than 90 members and observers to consider key data protection challenges. It followed an open session earlier in the week.

Opening the session, Elizabeth Denham CBE, outgoing GPA Chair and UK Information Commissioner, praised the work of the privacy community through the pandemic, calling for the Assembly to continue to be impactful.

Ms Denham said: “We were already in a data-driven age, even before the pandemic supercharged that acceleration of digital growth. Now data-driven innovation is helping us through health crises, and influencing every facet of society.

“Our community’s work is central to that, ensuring people trust that innovation. But we cannot assume that privacy will always have a seat at the table. Our input into discussions on key societal issues is dependent on an understanding that data protection and privacy supervisors bring a valuable insight, a practical mindset and we can respond promptly.”

Resolutions were discussed and agreed at the conference, giving a shared view on a range of important current topics:

• Data sharing for the public good;
• Children’s digital rights;
• Government access to data; and
• The future of the Global Privacy Assembly

Other topics discussed in detail included international enforcement cooperation and regulatory sandboxes.

The Assembly also adopted a strategic plan for the next two years, committing to a continued focus on advancing global privacy, maximising the GPA’s influence and building capacity for members.

The Global Privacy Assembly brings together more than 130 members and observers from around the world. At the closed session, the following new members and observers were welcomed:

New members:

• Commissioner of Data Protection, Abu Dhabi Global Market
• Office of the Queensland Information Commissioner, Australia

New observers:

• National Data Protection Authority (ANPD), Brazil
• Saudi Data and Artificial Intelligence Authority, Saudi Arabia
• Ministry of Transport and Communication, Qatar
• Data Protection Office, Qatar Financial Centre
• Privacy and Civil Liberties Oversight Board, United States
• Consumer Financial Protection Bureau, United States
• Asia Pacific Privacy Authorities (APPA) Forum
• Inter-American Institute of Human Rights (IIHR)

The results of the GPA Executive Committee election were also announced:

• Marguerite Ouedraogo Bonane, from Burkina Faso’s Commission for Information Technologies and Civil Liberties, stood down having completed her second two year term; and
• Morocco’s National Commission for the control and the protection of Personal Data (CNDP), was elected to the Executive Committee for a two year term.

Commissioner Besnik Dervishi, from Albania’s Information and Data Protection Commissioner also stood down from the GPA Executive Committee after serving an additional year as Past Host Authority.

President Commissioner Blanca Lilia Ibarra Cadena, of Mexico’s INAI, was elected as Chair of the Assembly. She replaces Elizabeth Denham CBE, UK Information Commissioner, who has completed her three year term.

Welcoming her successor, Ms Denham thanked the Secretariat and the Executive Committee for their support.

President Commissioner Blanca Lilia Ibarra Cadena responded: “The GPA is alive and flourishing thanks to our interactions and exchanges.

“Our partnership is deepening, with our cooperation covering issues that concern society as a whole, achieving a growing impact.

“The ideas expressed at this conference invite us to rethink and draw new horizons on the incorporation of best practices in the handling of personal data.”

For more information, visit globalprivacyassembly.org

The GPA September 2021 Newsletter is now published and available on the GPA website.

This Edition of the Newsletter features the upcoming highlights of the GPA 2021 Conference, as well as our regular editorial from some of the leading representatives of the GPA community. The Newsletter provides the latest insight and updates on important issues impacting the international data protection and privacy landscape today.

This GPA September 2021 Newsletter is the final edition to be produced by the current UK, ICO GPA Secretariat and we would like to sincerely thank all the contributors to the Newsletter during our tenure over the past three years.

View Newsletter here.

The GPA Executive Committee has shortlisted entries for the 2021 Global Privacy and Data Protection Awards.

Now in its fourth year, the Awards celebrate the achievements of the GPA community and shine a light on good practice.

The shortlisted Award entries are:

Education and public awareness

• Gibraltar Regulatory Authority – ‘Control Your Privacy’ campaign
• Personal Data Protection Office in Poland (UODO) – ‘GDPR in the school bench’ webinars
• European Data Protection Supervisor – TechDispatch reports

Innovation

• Office of the Privacy Commissioner of Canada – ‘Privacy Clinics’ platform
• Office of the Privacy Commissioner, New Zealand – ‘NotifyUs’ online platform
• CNIL, France – CookieViz 2.0
  Superintendence of Industry and Commerce, Colombia – Sandbox on Privacy by Design and by Default in AI Projects

Accountability

• Superintendence of Industry and Commerce, Colombia – Accountability Guidance
• CNIL, France – The Developer’s Guide to GDPR
• Information Commissioner’s Office, UK – Accountability Framework

Dispute resolution and enforcement

• Office of the Privacy Commissioner, Canada on behalf of privacy and data protection authorities – Video teleconferencing (VTC) Global Compliance Initiative
• Office of the Privacy Commissioner, Canada on behalf of the Canadian Authorities – Facial Recognition Technology compliance tools

GPA members will receive instructions on how to vote for this year’s shortlisted entries.

The winners will be announced at the Global Privacy Assembly 2021, Mexico.

As the INAI, Mexico is a committed guarantor body for compliance of fundamental rights, and Host of the Global Privacy Assembly 2021, we have decided the central theme of the GPA 2021 to be Privacy and Data Protection: A Human Centric approach. It is crucial to highlight the role individuals play in the decision making involved in data processing, regardless of the technology used for that purpose.

This year’s edition will be held in a hybrid scheme both online and in-person on 18-21 October 2021, which will allow us to have high-security standards and facilitate cooperation without physical or virtual barriers.

For the in-person part, diverse venues will be considered in order to provide the appropriate care for the safety of the attendees, maintaining safe distance protocols, mandatory use of face masks, and reduced forums. As for the virtual part, we will have a friendly platform that will allow digital interaction among participants.

With great excitement, we would now like to present the Agenda for the Open Session, which is mainly focused on the coexistence between the development of new information technologies and human rights. This will feature keynote lectures, panels and parallel sessions in which international and national experts will address their best practices on technological evolution and human intervention in massive data processing; Privacy and the Pandemic; Vaccine Passports and Similar Certificates; Data Flows with Trust; Internet of Things; and artificial intelligence, digital rights and inclusive policies are among others topics that will also be reviewed. The Agenda for the Closed Session has also been published.

As host authority of this year’s edition, INAI intends to generate opportunities for an open dialogue allowing leaders to discuss and to exchange knowledge and ideas to propose solutions for emerging issues in the field.

We are looking forward to your attendance at the Assembly, see you soon in Mexico City!

INAI’s Commissioners
Host Authority, GPA 2021

The OECD Working Party on Data Governance and Privacy in the Digital Economy (WPDGP), the Global Privacy Assembly (GPA) and the mandate of the UN Special Rapporteur on the Right to Privacy are hosting two workshops that will be spread across three days 21-23 June 2021.

The workshops will offer complementary – and sometimes challenging – points of view of the impact of the COVID-19 pandemic with a special focus on privacy and data governance. The topics follow on from two previous workshops held in April 2020 and September 2020.

The first session will provide an opportunity for policy makers and regulators to share perspectives one year later on the varying privacy and data governance frameworks that were developed in support of their response efforts.

This will lead onto two sessions on innovative insights on countries’ plans for the road to recovery with a specific focus on “Data privacy aspects in the workplace during the pandemic” and “Vaccination programmes and travel passports.”

The third and last day will be an intensive workshop organised by the UN Special Rapporteur on the Right to Privacy, also with the support of the GPA. It will be dedicated to a more in-depth evaluation of the evidence available on the impact of the pandemic on privacy across the world. The intensive sessions on this third day will also afford NGOs, academics and others, both within and outside OECD countries, with the opportunity to discuss similar issues as those presented during the first two day workshop or outside it.

View the workshops agenda.

Do you have a resolution idea to table at the GPA 2021 Conference?

Are you looking to co-sponsor or contribute as a GPA member to this year’s Conference resolutions?

The GPA Executive Committee is aware that many members want to get as much as possible out of their membership of the GPA. Engaging with the development of the Conference Resolutions is a great way to get involved. As we start to prepare for this year’s Closed Session, members are reminded of the GPA approach, including the deadlines for submission, relating to resolutions.

Submission of Resolutions for the GPA 2021 Closed Session

• Resolutions for 2021 will be adopted at the hybrid online and in-person Closed Session. Members considering submitting a resolution, please note that resolutions should:
• • be clear and concise;

• • address matters sufficiently related to the purposes of the GPA and invoke action on matters relating to data protection and privacy;

• • focus on a current strategic need of the GPA – In other words, resolution main sponsors should be able to easily explain how the resolution text contributes to the delivery of the GPA Strategic Direction adopted in Tirana, 2019.

• Proposed resolutions must have at least four other co-sponsors (apart from the main sponsor), representing, insofar as possible, different cultural, geographic and legal backgrounds. Please note: it is the main sponsor’s responsibility to ensure that these four other co-sponsors have been obtained by the time of final submission of the resolution to the conference on 4 October at the latest, otherwise the Resolution may risk not to be considered valid.
• It is the main sponsor’s responsibility to negotiate member amendments to a resolution. The Secretariat can receive amendments directly to the Secretariat central inbox to forward onto the main sponsor, but many main sponsors prefer to be contacted directly. In any case, please indicate which email address and name of official responsible for answering questions about the resolution the Secretariat should use for directing all resolution-related enquiries and amendments.
• Proposed resolutions should be submitted either in English, or if the original is in another language, then please submit a copy in English simultaneously.

 

Proposed resolutions are subject to the following timelines in 2021: 

Action	Date
Please notify the Secretariat of intention to table a resolution by:	11 June 2021
Deadline to table a draft complex/technical resolution to the Secretariat	30 June 2021
Deadline to table a draft resolution (non-complex/technical) to the Secretariat	30 July 2021
Proposed draft resolutions circulated to all GPA members: consultation period launched, for comments and amendments	16 August 2021
Final draft resolutions circulated to all GPA members in advance of the Closed Session (complete with four other co-sponsors)	4 October 2021

For your information, please see the link to the GPA Rules and Procedures and for all enquiries regarding the above and the upcoming Closed Session, please contact the GPA Secretariat: secretariat@globalprivacyassembly.org.

The Chair of the Global Privacy Assembly (GPA), its Executive Committee and conference hosts the National Institute for Transparency, Access to Information and Personal Data Protection (INAI), Mexico, are pleased to announce the 43rd Global Privacy Assembly 2021 will take place between 18-21 October 2021 in Mexico City, Mexico, as a hybrid event, available both in-person and online.

Registrations will open soon! With more details to follow.

Visit this year’s conference website, Twitter and LinkedIn for the latest information.

The GPA May 2021 Newsletter is now published and available on the GPA website.

Featuring editorial from some of the leading representatives of the GPA community, get the latest insight and updates on important issues impacting the international data protection and privacy landscape today.

View Newsletter here.