Entries submitted
B1 – Entry by: Autoridade Nacional de Proteção de Dados – ANPD
Description of the initiative:
The initiative involved the creation and public availability of interactive dashboards on the ANPD website, developed by the Security Incident Treatment Coordination of the General Coordination for Oversight (TIS/CGF/ANPD).
The primary objective is to provide information on security incidents reported to the Authority, while also fostering active transparency by enabling the public to monitor and understand the Coordination’s work in analyzing and handling such incidents.
These dashboards are updated in real time and offer stakeholders a clear and categorized view of key information, such as:
- Location where the security incident occurred (federative unit) – Estado.
- Public or private sector involved – Setor.
- Market segment – Segmento.
- Type of incident – Tipo de incidente.
- Type of communication (preliminary, supplementary or complete) – Tipo de comunicação.
In addition, there is a dashboard that specifically addresses the Incident Investigation Procedures (PAI): investigations initiated ex officio or triggered by complaints or media reports, in which ANPD investigates whether a security incident occurred. The data covers the period from 2021 to the current year, providing both a historical and up-to-date overview.
The page hosting the dashboards was completely redesigned to enhance user experience, adopting a more user-friendly and functional interface for the public.
With this initiative, the Security Incident Treatment Coordination (TIS) strengthens communication with society, expands access to information and prioritizes best practices in transparency and accountability in public administration.
Most importantly, it advances the continuous pursuit of improvement and innovation in public services, always aiming at the effective implementation of public policies within the institution.
The central idea behind the development of the interactive dashboards emerged as a response to the high volume of information requests regarding security incidents received by ANPD — whether through the Ombudsman via Fala.br, or via emails sent directly to the Coordination.
Why the initiative deserves to be recognised by an award?
This initiative represents a significant advancement in the sharing of information related to security incidents, strengthening active transparency and accountability to society, especially considering the sensitive nature and public interest surrounding the topic. By providing up-to-date data directly to interested parties, ANPD demonstrates public confidence in its work, offering valuable insights for citizens, researchers, the press, and organizations concerned with the subject.
Interactive dashboards enhance data navigation and understanding, making information accessible to all audiences. They empower citizens to verify whether personal data breaches have occurred in their respective Federative Units (UF/Estado), enabling them to assess potential risks involving organizations with which they have relationships.
Such efforts also reflect institutional maturity by documenting and publicly communicating ANPD’s ongoing work in the investigation and handling of incidents.
In addition, the user-centered redesign of the webpage, combined with the continuous maintenance of up-to-date information, positions the initiative as a potential model of best practices – one that can be replicated by other data protection enforcers in Brazil and internationally.
B2 – Entry by: Autoridade Nacional de Proteção de Dados – ANPD
Description of the initiative:
Between June 2023 and March 2024, ANPD and the Executive Consulting Unit “Simplifica” of the Ministry of Management and Innovation in Public Services worked on mapping and redesigning the “Request Handling” process, under the responsibility of the Monitoring Division within the General Coordination for Supervision.
This initiative took place within the scope of another program that offered mentoring for process simplification projects across the Federal Government.
To that end, the following methodology was applied:
(1) Process prioritization;
(2) Schedule (WBS);
(3) Diagnosis;
(4) Process modeling;
(5) Problem and Solution Matrix;
(6) Process redesign;
(7) Standardization;
(8) Creation of artifacts;
(9) Automation;
(10) Final report.
The pilot project was implemented in February 2024.
The “Request Handling” process deals with submissions by data subjects reporting violations of their rights or breaches of the LGPD.
One of the main challenges faced by data subjects was the need to register in ANPD’s electronic system in order to file a request. This process was slow and involved:
(1) filling out an online form,
(2) emailing a signed statement and copies of identification documents,
(3) verification of the information by the protocol team, and
(4) creation of a password.
If everything went smoothly, it could take up to three days—time the individual had to wait before being able to officially submit a request. In short, it was a procedure that discouraged people from submitting their claims. At that time, ANPD received an average of 120 requests per month.
The old system used for receiving requests was not integrated with other platforms and was not intuitive or widely understood by citizens.
The new service, along with the solutions implemented during the process redesign, has positively contributed to the efficiency and transparency of internal workflows, enabling clearer communication, operational execution, and decision-making.
Following the implementation of the service, ANPD began receiving an average of 750 requests per month—a 525% increase.
The most significant changes involved simplifying the registration process and improving the request form.
The service now accepts the federal government’s unified login system (with over 150 million registered users) for accessing digital public services.
Why the initiative deserves to be recognised by an award?
In the words of Minister Hélio Beltrão (Decentralization and Freedom, 2002), “Landing in the real Brazil involves […] simple and inexpensive solutions, tailored to our realities […] and, above all, to the low standard of living of the majority of our people.”
The collaborative network-based approach has enabled the rational use of public resources, preventing rework and waste.
The service not only improved the institution’s internal processes but also added value to the Public Administration and, most importantly, to society—resulting in a more efficient, transparent, and responsive service. It reflects the commitment of the Brazilian public sector to building a fairer and more inclusive society.
By integrating with the federal government’s unified login system (with over 150 million registered users), the new service has made it easier for data subjects to exercise their rights and communicate with the ANPD. This progress is evident in the number of requests received. Following the implementation of the service, ANPD went from an average of 120 requests per month to 750—an increase of 525%.
Alongside the new service, ANPD also redesigned its webpage, providing step-by-step instructions in plain language on how to submit complaints or petitions (see link 1 in item e).
B3 – Entry by: Autorité de Protection des Données Personnelles (APDP – Monaco)
Description of the initiative:
Named Céos, “he who thinks”, in reference to the Titan of intelligence in Greek mythology, the APDP’s virtual assistant can answer the users’ questions in many different languages about personal data protection and security in the Principality of Monaco.
Developed in a dedicated, secure, isolated environment hosted in France, Céos does not collect any personal data. The users’ IP address is not collected. Conversations are encrypted and anonymized. They are kept for a maximum of 7 days to improve the operation of Céos. Only administrators have access.
The Céos operating database is made up mainly of information available on the APDP website.
Deployment is to take place in 2 stages.
In the 1st phase (current phase), it provides users with quick detailed answers on Law no. 1.565, which was recently passed (December 3, 2024) and data protection in the Principality. In particular, it informs data controllers of their obligations and individuals of their rights. It also tells them where to find the various documents available on the brand new APDP website (practical information sheets, model letters for lodging complaints, model registers of activities and processing, etc.).
In a second phase (end 2025), it will support data controllers in achieving compliance. By means of simple questions to answer and direct links to relevant information documents (definitions, examples, practical information sheets, etc.), it will guide them in filling in the register of processing activities and the register of data breaches, as well as in carrying out their impact analysis.
Why the initiative deserves to be recognised by an award?
Law no. 1.565 of December 3, 2024 governing data protection in the Principality of Monaco is very recent, and people – data controllers and individuals alike – have a lot of questions. In early 2025, the APDP launched a new website, which it regularly updates with documents (fact sheets, guides, etc.) and tools (forms, register templates, etc.).
To make this information more accessible and easier to use, the APDP decided to equip itself with an AI virtual assistant that enables users to quickly find available information and all the help they need to fill in the various documents, all in strict respect of their privacy since no personal data is collected. Its operating database is made up mainly of information available on the APDP website.
The aim is not to replace the legal or technical advice provided by APDP agents, but to use AI technology to help users navigate the site and make the most of the tools at their disposal.
B4 – Entry by: Croatian Personal Data Protection Agency
Description of the initiative:
Although the General Data Protection Regulation (GDPR) has been in force since May 2018, achieving full compliance remains a significant challenge, particularly for small and medium-sized enterprises (SMEs). To address these challenges, the Croatian Personal Data Protection Agency, in cooperation with its partners, developed Olivia: an innovative, open source, user-friendly, and interoperable digital tool specifically designed to support SMEs throughout their GDPR compliance journey.
Olivia offers a comprehensive package of educational and practical resources. It includes fifteen data protection courses that address all key obligations of data controllers and processors as defined by the GDPR. Each course consists of both theoretical and practical components. In the theoretical part, users can explore lessons explaining specific GDPR obligations, view educational videos, and take quizzes to assess their knowledge. The practical modules provide data controllers with templates and tools to generate internal documentation that demonstrates compliance and accountability. Additionally, the Olivia platform hosts twenty webinars covering a range of data protection topics. These webinars are permanently accessible and free of charge to all interested stakeholders.
Olivia is a virtual teacher and assistant at the same time. Olivia contains a small online academy that offers to SMEs, but also to all data controllers, a series of learning modules to improve their knowledge in the field of personal data protection, and also serves as a practical tool to help organisations create internal documents to prove their compliance and accountability. It was successfully launched in 2024 and will be regularly updated to ensure its continued relevance and effectiveness. The Croatian DPA is now working on the development of modules on the interplay between GDPR and Artificial Intelligence.
To further support users, a detailed user manual, handbook, and an instructional video have been developed and uploaded to the Olivia platform to serve as a lasting educational resource. The “Olivia” digital tool has empowered SMEs, but also data protection officers across the EU, to improve GDPR compliance through user-friendly support, educational resources, and international collaboration. It enhances SMEs’ expertise, encourages a culture of privacy, and promotes EU-wide engagement through its open-source, multilingual design. Olivia is adaptable and scalable, enabling the seamless integration of new modules and language versions to support GDPR compliance across diverse national contexts.
Why the initiative deserves to be recognised by an award?
Olivia deserves recognition because it represents a pioneering, practical, and sustainable response to a genuine need among SMEs for GDPR compliance support. Despite being in force since 2018, the GDPR remains challenging, especially for smaller businesses with limited resources. Olivia bridges this gap through an open-source, interoperable, user-friendly digital tool that combines high-quality educational resources with practical compliance support, empowering SMEs to meet their legal obligations confidently and effectively.
The initiative goes beyond traditional training by offering fifteen structured data protection courses, practical templates to generate internal compliance documents, twenty permanently accessible webinars, and educational videos, all freely available in English. This innovative approach fosters a culture of privacy, strengthens the data protection ecosystem, and supports the consistent application of GDPR principles across various national contexts.
Moreover, Olivia promotes international cooperation and future-proofs its impact by enabling seamless integration of new modules. By combining education, practical tools, and international collaboration, Olivia sets a unique and replicable standard for raising awareness and improving compliance across the EU and wider. This makes Olivia truly worthy of recognition as an outstanding and innovative data protection initiative.
B5 – Entry by: European Data Protection Supervisor
Description of the initiative:
In response to the rapid pace of development of artificial intelligence, and increasing risks to fundamental rights on large online platforms, countries around the world are passing laws that intersect with privacy and data protection frameworks. Some of these laws provide the various competent authorities with new tools to promote a sustainable and rights-oriented digital economy. However, they also lead to parallel investigations by various authorities into the same practices of the same entities, with a potential for regulatory conflicts and inconsistencies in relation to data-related practices. Therefore, the EDPS observes a need for greater cross-regulatory cooperation to avoid an inconsistent application of legal requirements in this complex landscape.
To this end, the EDPS has identified key areas to work on, based on current initiatives rolled out in the EU and beyond and the feedback received from various stakeholders. This encompasses the need for a coherent and consistent application of EU law in the digital economy, in particular of the so-called ‘EU Digital Rulebook’ (including the Digital Services Act, the Digital Markets Act, the Data Act and the Artificial Intelligence Act); the need for cross-regulatory cooperation between competent regulators; and the need to uphold data protection as the backbone of this digital regulatory framework.
Building on an earlier experience that ran from 2017 to 2021, the EDPS proposes the establishment of a Digital Clearinghouse ‘2.0’ that would provide authorities and bodies with a forum to exchange and coordinate on issues of common interest. This forum should facilitate proactive, collaborative efforts among participating authorities to address potential issues before they become practical problems, ensuring that different authorities are aligned on goals, methods, and responsibilities to avoid duplication of efforts or inconsistencies in their actions.
A Digital Clearinghouse 2.0 should promote cooperation in ‘variable geometry’, providing relevant authorities, bodies and networks the flexibility to join only discussions and working groups on issues where they have or need relevant expertise. This Clearinghouse should have a permanent Secretariat to assist in the timely delivery of concrete outcomes, such as joint statements and guidelines that garner each participant’s expertise. The Digital Clearinghouse 2.0 should also become a forum where participating authorities lawfully share information about their ongoing enforcement actions.
Why the initiative deserves to be recognised by an award?
The EDPS’s initiative acknowledges the proliferation of legal requirements that companies operating in the digital economy need to comply with – data protection being key among them – and proposes a pragmatic solution for the various competent regulators to align and increase legal certainty.
The Digital Clearinghouse 2.0 would be a forum to promote cross-regulatory cooperation at EU level, building upon initiatives for cross-regulatory cooperation that are operating in different regions (Australia, Canada, the UK, Ireland, the Netherlands, France, and Germany). This initiative is aligned with the strategic objectives of the GPA to:
- Map cases of intersection between personal data protection, competition, consumer protection, and other intersecting regulatory spheres;
- Identify barriers to cross-regulatory cooperation and develop or advocate for solutions where they do not exist;
- Encourage and facilitate greater bilateral or multilateral cross-regulatory cooperation between DPAs and other regulatory authorities.
This proposal of the EDPS feeds the current discussion between the European Commission, the European Parliament and EU Member States on how to ensure simplification and competitiveness for businesses. One of the ways to pursue such goals is through enhanced dialogue, cooperation, and coordination among regulatory bodies to ensure a predictable and effective legal environment that places fundamental rights at the core.
B6 – Entry by: Hellenic Data Protection Authority
Description of the initiative:
The HDPA had created a website for young people in 2010 which contained useful information for their online presence. Over the years, it proved to be a valuable source of information not only for children, but also for educators and organizations acting for the benefit of children. Although the information available was updated on several occasions, the format of the presentation became obsolete and not appealing to young people. In addition, the online presence of young people has changed their way of life and brought new challenges to Data Protection.
The new micro-site of the HDPA aims to be the central point of reference for valid and complete information on how a young person can benefit from the opportunities of the internet while being able to control how his/her personal data are used online. The content includes material presenting ways to stay safe online. It contains four main thematic sections on
- Privacy,
- Publications,
- Online contacts,
- Social Networks.
It is accompanied by a Glossary of privacy terms for young persons. It has also been built in such a way that more thematic areas can be added. For a more effective understanding of the instructions and content, each section of the material includes Key Takeaways and interactive applications like Quizzes, and also Videos in every section. The HDPA is currently constantly updating the mini-site. It is noted that the mini-site is built using templates and can be easily upgraded and stay “fresh” and current.
Why the initiative deserves to be recognised by an award?
The microsite aims to raise young persons’ awareness of their rights and responsibilities in relation to the protection of their privacy online. It includes practical knowledge and instructions which are organized in thematic sections (Privacy, Publications, Online contacts, Social Networks). The material includes a useful Glossary, Key Takeaways and interactive applications like Quizzes, and also Videos for every thematic section. This activity constitutes an easy point of reference for young persons, whenever they face a problem with their online personal data, while at the same time it is a useful resource for educators.
B7 – Entry by: Information Commissioner’s Office (ICO)
Description of the initiative:
Protecting people online has been high on the policy agenda for many countries worldwide in recent years, with governments across the world enacting legislation to tackle illegal harms and protect children. The UK is a front-runner in this space, with the 2023 Online Safety Act setting out new legal duties for online services to keep users safe. Similarly, the Australian Online Safety Act 2021 provides safeguards against certain types of online abuse, and in the EU the Digital Services Act updates rules for digital services to prevent illegal and harmful activities online.
These developments have raised new questions about how online safety requirements interact with privacy legislation, and what this means in practice for organisations that use people’s data to implement online safety systems. It is important that companies design and deploy their safety measures with both privacy and safety in mind.
The ICO’s guidance on content moderation and data protection addresses complex and novel questions in this space. It provides online services with practical advice to help them comply with the UK GDPR and the Data Protection Act 2018 (DPA 2018) when developing and deploying content moderation tools. It is aimed at supporting services in scope of the UK’s new Online Safety Act and provides clarity on areas of intersection between the online safety and data protection regimes.
This work is one of the first pieces of guidance that explains the interactions between data protection and content moderation. It was produced in close collaboration with Ofcom, the UK’s online safety regulator. It represents a forward-thinking and collaborative approach to data protection regulation that has been successful in providing clarity for organisations as they work on implementing innovative tools to moderate content on their services.
The guidance was underpinned by an extensive programme of stakeholder engagement to understand how content moderation is used in practice and the data protection challenges services face when deploying content moderation processes. This included an open call for views alongside direct engagement with over 20 online services and trade associations across different sectors of the digital economy.
Why the initiative deserves to be recognised by an award?
The ICO guidance on content moderation deserves to be recognised by the GPA award for the following reasons:
- Firstly, the unique innovation of this work is that it provides clarity for organisations in a cutting-edge technological area that spans across different regulatory regimes. It is one of the first products of its kind, providing guidance on complex areas of intersection between the data protection and online safety regimes in the UK. Feedback on the guidance shows that services have found it to be helpful, clear and pragmatic, with some services using the guidance to review and strengthen their data protection compliance. Services told us that our case study examples were especially helpful.
- Secondly, the guidance is a proactive and timely intervention, published at the beginning of the UK online safety regime enactment. It will provide greater regulatory certainty and confidence to organisations in the UK’s growing safety tech sector, encouraging investment and fostering an environment for services to develop innovative solutions to keep users safe online.
- Finally, the guidance was underpinned by excellent cross-regulatory collaboration with Ofcom, the UK’s online safety regulator. We have worked with Ofcom to proactively address key areas of uncertainty and ensure coherence between regulatory regimes.
B8 – Entry by: Information Commissioner’s Office (ICO)
Description of the initiative:
The ICO started engaging with key organisations developing and using generative AI in Spring 2023. This process, along with the exercise of our information gathering powers, led us to the conclusion that greater regulatory certainty was needed in how specific aspects of data protection law applied to generative AI development and use. The following areas were identified as lacking regulatory certainty and became the focus of the consultation series:
1) The lawful basis for web scraping to train generative AI models
2) Purpose limitation in the generative AI lifecycle
3) Accuracy of training data and model outputs
4) Engineering individual rights into generative AI models
5) Allocation of accountability across the AI lifecycle and supply chain
Calls one to four have been published at the time of writing, while the fifth is due to be published in July 2024. Additionally, we will convene three roundtables on issues raised by stakeholders through the calls for evidence with a) technology sector representatives b) creative industries representatives and c) civil society groups. These roundtables will ensure the ICO receives evidence and views from a diverse range of perspectives in shaping our policy positions on these critical issues. This engagement will also provide those stakeholders most affected by our regulatory approach with an opportunity to engage with us and challenge our thinking.
Following the conclusion of the consultation, the ICO is committed to publishing a summary report by the end of 2024 and incorporating final positions into the next iteration of our guidance on AI and data protection.
Our draft positions clearly signal to the market our regulatory expectations, and should help inform the thinking of our international counterparts in terms of generative AI regulation. More broadly, we hope this consultation series has moved the wider data protection and privacy community one step closer to regulatory certainty on the issue of generative AI compliance with data protection law.
Why the initiative deserves to be recognised by an award?
This is an evidence-led initiative to promote accountability across the generative AI supply chain. It was born out of the ICO’s engagement with strategically important generative AI developers and users, which identified areas of regulatory uncertainty around how data protection law applies to this rapidly growing subset of AI.
Organisations cannot easily be held accountable when the regulatory expectations around how they should manage their data protection responsibilities are not clear enough. This is why we launched this series of consultations on our interim positions. By putting these generative AI positions in the public domain we signalled our expectations to the market but also demonstrated transparency around how and why we reached our policy positions.
This consultation ensured all relevant stakeholders have the opportunity to provide evidence and views, ensuring the ICO’s policy positions are as robust as possible. The format of this consultation offers the opportunity to regulated entities to hold us accountable by challenging our thinking, and by providing regulatory certainty to the market, it will also enable us as regulators to hold generative AI developers and deployers to account.
B9 – Entry by: Institute of Transparency, Access to Public Information, Protection of Personal Data and Accountability of Mexico City (INFOCDMX)
Description of the initiative:
During the COVID-19 pandemic, INFO CDMX faced the challenge of continuing to execute the procedures outlined in the Personal Data Protection Law of Mexico City. In this trying context, SIVER was developed to enable virtual and efficient verification of the treatment of personal data by those responsible in Mexico City. The main functions of SIVER are: scheduling and planning verifications; creating an effective communication channel between the guarantor agency and the responsible parties; providing timely and reliable information on the verification stages; conducting more verifications in a user-friendly digital environment; orderly storing and archiving the information and results of the verifications; annually increasing the information and results of the verifications and audits; and generating annual evaluations by responsible parties.
For its operation, SIVER has six types of users: Administrator (Director of Information Technology); Director of Personal Data; Deputy Director of Verifications; Verifiers; Advisor to accompany the responsible party; and the Responsible party. Each user has different roles, and they execute them according to their regulatory powers. Additionally, it is configured in five stages: initiation, review, accompaniment, follow-up, and compliance, adjusted according to the deadlines determined in the regulations.
SIVER strengthens the principles, duties, and obligations for the protection of personal data by allowing the review of its compliance in a systematized, controlled, and orderly environment. In addition to this, the SIVER was developed in open source to be shared with other guarantor agencies in the country, to effectively verify and consolidate cooperation as a good practice that adds value and institutional and citizen trust to the guarantor agency that implements it.
Why the initiative deserves to be recognised by an award?
With the implementation of SIVER, the following results have been obtained: cost savings, as verifications are now online; printing of files decreased, which contributes to environmental care; the time to verify was reduced by 60%; the number of verified responsible parties was increased; the number of verified personal data treatment operations increased; the provisions of the regulations are evaluated on a weighted basis; reports and statistics that allow comparative analysis of the results of the verifications are obtained. The verification data is the basis for generating diagnostics to develop work programs focused on data protection. In 2023, INFO CDMX issued the call “SIVER in your local guarantor agency”, in which ten out of thirty-one local guarantor agencies requested the donation of the software, thereby strengthening cooperative federalism among guarantor agencies to ensure compliance with the provisions on personal data protection in Mexico. Undoubtedly, technology has been used for the benefit of INFO CDMX and those responsible, in addition to providing other guarantor agencies with a tool that contributes to the protection of personal data.
B10 – Entry by: Jersey Office of the Information Commissioner (JOIC)
Description of the initiative:
We’re trailblazing! Our innovative and unique mock privacy trial court case allows students to step out of the classroom and into the courtroom to explore the realities of mishandling personal data – by bringing data protection law to life!
In a highly engaging and interactive session led by a real advocate acting as a judge, young people aged 16 to 18 take on prosecution, witness and defence roles to delve deep into Jersey’s data protection law, whilst developing life skills and personal values!
The team at the Jersey Office of the Information Commissioner (JOIC) work in partnership with an advocate, our External Legal Counsel, to enable the students to dip their toes into prosecution and defence investigations and explore contraventions of data protection law, with real court etiquette. Students are provided with courtroom bundle resources to prepare legal arguments, think critically and develop a sound knowledge and understanding of the law.
The JOIC team and Advocate Blackmore work with the students to set a cast list and provide witness statements in preparation for the 90-minute-long mock trial, challenging witnesses about their data protection knowledge, organisational training, impacts on individuals and responsibilities, culminating in the delivery of the long-awaited verdict.
This initiative supports the students’ understanding of the critical importance of data protection at a local and international level, as well as the magnitude, implications, and sanctions and enforcement powers available to global data protection authorities, both civil and criminal, following unlawful disclosure.
STUDENT TESTIMONIAL – “I remember this workshop. It was a great opportunity to improve crucial skills like teamwork as well as presentation of an idea and clear communication throughout the discourse between the sides of the case.”
Why the initiative deserves to be recognised by an award?
This unique approach supplements traditional learning by developing essential skills and critical analysis, helping the next generation to develop their understanding that data protection law touches every aspect of their lives and gain insights into how Jersey’s legal justice system works.
We want to increase the respect among young people for their personal information and create a team of young privacy ambassadors ready to be curious and confident.
Student Benefits include:
- Learning to interpret a law and see how it interacts with ‘real life’.
- Networking with industry, meeting lawyers, data protection officers and other key professionals who may be able to assist with career guidance.
- Working with transferrable skills and peers in developing high-level communication skills under pressure, useful for many careers.
- Invaluable experience for students who want to study and work in law, finance and technology-related industries such as AI, as well as media/journalism.
- Extra-curricular experience for university applications (via the ‘Universities and Colleges Admissions Service’ in the UK), Curriculum Vitaes, references/interviews.
- Multi-disciplinary involvement.
- Mock interview and possible work shadowing opportunities.
PRIVACY PROFESSIONAL – “What a great initiative.”
PRIVACY PROFESSIONAL – “I wish this challenge was run in our jurisdiction.”
B11 – Entry by: New Zealand Office of the Privacy Commissioner
Description of the initiative:
New Zealand does not have specific rules for biometric information. OPC is proposing to create some, by a code of practice under the Privacy Act 2020. Our challenge was to consult both a legal and non-legal audience on our draft exposure code (a technical document).
We had several challenges:
- We are a small office with limited resources for this work.
- We needed to talk to a wide group of people about a technical issue.
- We knew that biometric information was tapu (sacred) for Māori (New Zealand’s indigenous people) and we needed to take special care to listen to this group.
- We didn’t have money for design and had to work with a website that wasn’t modern.
We created a hierarchy/layers of information that people could engage with at their level. This included the most technical (the code itself), a detailed consultation document written in plain language, an infographic that presented the code as a graphic, and a one-page consultation that centred around summarising the main changes of the code into three questions. We used in-house skills and the organisation’s Canva account.
Because we were a small team we front-footed questions with a clear banner on our web page and a detailed autoreply message, to ensure time was spent well.
We met face-to-face with Māori stakeholders to make sure we heard their concerns appropriately. We also worked to develop detailed stakeholder lists that were highly segmented with bespoke messaging to spark the interest of our many user groups: government, business, legal, health, NGOs and civil liberty groups, and individuals that had self-nominated to be notified when consultation opened.
Our work was supported with a media campaign, launching with a 20-minute interview with the Privacy Commissioner on RNZ, our national broadcaster.
During the four-week consultation period our biometrics web page had over 3000 unique visitors.
Our goal for success was 50 submissions from the public and 50 from experts or organisations. As a result of this campaign, we received 70 submissions from experts and organisations and 179 submissions from individuals. Their feedback will inform the design of a final biometrics code.
Why the initiative deserves to be recognised by an award?
Biometric technologies are likely to become part of every New Zealander’s life, but many do not know that yet. As an Independent Crown Entity, we could have written a legal document and then let the experts comment. However, we chose to widen the circle and include, through clear and plain language and an engagement plan, a wider range of people who will ultimately be affected by this work.
This approach, especially the activities like creating an infographic and distilling the code to three core questions, was a new and at times challenging way of working for the team. However, by all pulling together for a common goal we were able to present a technical document in a way that was accessible and therefore received a wider range of submissions.
New Zealand is known as a country of people who are innovative. We took that spirit, and that of our Nobel Prize-winning chemist Ernest Rutherford who famously said, “We haven’t got the money, so we’ll have to think.”
Our exposure draft is rightly a very technical legal document and OPC presented it in several ways to ensure that it could be understood and engaged with by a large audience.
B12 – Entry by: Spanish Data Protection Authority (AEPD)
Description of the initiative:
Created and launched in 2023, this initiative proves that age verification on the Internet can be executed without exposing children to targeted attacks or infringing on individuals’ data protection rights.
Our initiative champions an innovative approach where child protection does not require identifying children or collecting data from them. Instead, the responsibility lies with adults to prove that they have permission to access adult content. This approach automatically safeguards children without requiring any action from them or their devices, ensuring they cannot access harmful content.
By adhering to the set of proposed principles, which are derived from the GDPR, the implementation of this approach would effectively uphold the fundamental rights of citizens on the Internet. It would protect their anonymity and shield them from any unlawful processing of their personal data.
Moreover, this approach leverages existing identity documents, eliminating the need to create new identity infrastructures. This preserves individuals’ right to their own identity and allows for universal implementation across different countries.
Summarizing this initiative:
First, it provides a risk assessment of the available age verification systems (released as an infographic) to establish a Decalogue of principles that particularizes the GDPR principles to this application domain.
Second, it implements three different proofs of concept (PoCs) demonstrating that compliance with this Decalogue is possible and that the proposed approach could already be offered with a clear separation between identity management, content filtering and the age verification itself. These PoCs show that age verification can be performed on the data subject’s device, which has complete control over their identity and age data and allows for fully auditable and transparent solutions. The implemented PoCs can be seen in these videos:
– PoC for PCs and consoles (Windows)
– PoC for smartphones (Android)
Third, it is the key element of an ambitious Global Strategy on Children, Digital Health and Privacy promoted by the Spanish DPA that includes 35 measures focusing on education, digital health and well-being.
Why the initiative deserves to be recognised by an award?
This initiative is committed to children’s protection, aligning data protection rights and evidence-based innovation to improve online safety standards. Recognizing this initiative with an award highlights the importance of this alignment and encourages further development.
The initiative has already been awarded at a national level, for example:
- Data Cybersecurity Award Socinfo Digital Awards (February 2024).
- Public project award on II National Computer Awards (March 2024).
- Public sector award at @aslan Awards (April 2024).
However, its impact extends beyond national borders, and the initiative’s success resonates globally. This allows the AEPD to contribute to a safer digital environment by collaborating with the ISO (in the elaboration of the 27566 standard), the European Data Protection Board (drafting a new statement) or the European Commission (participating in the Task Force on Age Verification under the Digital Services Act), to mention only some significant examples.
Since the initiative focuses on actionable steps, we are also collaborating with both the Spanish and European pilot projects to provide harmonised solutions for age verification based on our initiative. Furthermore, significant efforts have also been made in dissemination and awareness, actively sharing knowledge through different conferences and scientific publications (at the Annual Privacy Forum 2024).