The slogan for this year’s International Privacy Commissioners Conference in Marrakech Morocco was “Opening new territories for privacy”. With over 110 data protection authorities as accredited members and just under that amount participating at the conference, data protection and privacy are truly becoming a fundamental, universal right. The international conference strives to build international cooperation and promote strategic objectives to further a global approach to protecting privacy and data protection. This year’s conference was on point regarding the strategic objectives, but missed the mark on the participant diversity front, the experience-sharing dialogue and the depth of expertise.
- Defining Strategic Objectives
The conference revolved around four main subjects: international personal data flows; personal data protection as a fundamental, universal right; balancing security and privacy in a surveillance world; and digital education of the youth. Accordingly, the Commissioners adopted 4 resolutions to help reinforce these strategic objectives[1]. While these objectives are essential, as a participant in the conference, I found myself asking, “What concretely are we doing?” These objectives do not “push the line”, and while defining them is a first step towards achieving the goals, the defining stage does nothing for the implementation at national levels.
- Lack of Economic Actor Diversity
While this conference’s slogan was “Opening new territories”, there was an overwhelming presence of old territories such as Microsoft, Facebook and Google that smothered any interesting opportunities for cultural exchanges on how data is protected throughout the world, the different struggles, and the need for coherent guidance from data protection authorities. While this year’s conference took place in Africa and as Isabelle Falque-Pierrotin[2] rightly highlighted “the advancements in data protection implicate all institutional and economic actors”, the African industry dialogue was reduced to a very interesting, but short, side panel with the Association francophone des autorités de la protection des données personnelles (AFAPDP). In fact, not only was the African industry not present, the European and Asian industry were missing as well.
- Little Experience-Sharing
At such a high-level conference, participants understand and know in advance that the objective is not to revolutionize the way DPAs, DPOs, and companies manage privacy and data protection. However, at a bare minimum, the expert panelists who present the different subjects should share their practical experience on what has worked for them, what was ineffective, and their results. The Digital Education panels led by Isabelle Falque-Pierrotin and John Edwards[3] was the only panel to have offered their experience by presenting the effectiveness of their awareness and educational campaigns. The Ontario DPA, for example, displayed the positive results of including data protection awareness into the national educational curriculum for young children and high schoolers[4]. The Hong Kong DPA explained their high success in including a local celebrity in their educational videos[5] and in the creation of “Student Ambassadors” who lead the privacy campaigns in schools[6].
- Depth of Expertise
The Privacy Commissioners conference is supposed to assemble the top experts from all data protection authorities and industries to share their expertise and their success in different fields. Unfortunately, I would need two hands to count the number of times overarching data protection and privacy principles were re-hashed and explained. One side event with the U.S. Department of Commerce spent an hour and a half presenting the website certification procedure for the Privacy Shield, and when it came to the questions on how to rebuild faith in international data transfers to the US, the DoC’s responses left much to be desired and the European Commission capitalized on this by restating that data don’t have to be transferred to the US.
While the international conference is a time for building a coherent global strategy to data protection and privacy, it seemed to boil down to the same institutions and actors restating the same basic rhetoric. All the while global economic actors were waiting forward answers to their practical questions, their concerns on government surveillance and balancing security and privacy; as well as guidance on reoccurring future compliance issues which never came. Let’s hope that the pragmatic and can-do attitude of the Hong Kong Data Privacy Authority will lead to an effective practical approach to international cooperation at the 39th International Privacy Conference.
[1] Resolution for the Adoption of an International Competency Framework on Privacy Education; Resolution on Developing New Metrics of Data Protection Regulation; Resolution on Human Rights Defenders; Resolution on International Enforcement Cooperation available at: https://icdppc.org/document-archive/adopted-resolutions/
[2] CNIL Chairwoman and General Secretary of the AFAPDP
[3] New Zealand Privacy Commissionner
[4] https://www.ipc.on.ca/wp-content/uploads/2016/10/2016-09-30-38th-data-protection-conference.pdf
[5] https://www.pcpd.org.hk/english/resources_centre/multimedia/video/video.html
[6] https://www.pcpd.org.hk/childrenprivacy/en/student-ambassador-program.html