I’ve been offshore recently attending a series of privacy-related engagements. While it was disappointing to miss Privacy Week, these were commitments made to international counterparts in Europe and Singapore who also largely funded my travel.
Fortunately, I was able to contrive to be active in New Zealand through a series of videos that we featured on our homepage, Facebook and Twitter. If you missed them, these are available on our YouTube channel for the benefit of posterity.
My destination was a conference in Berlin, but I took advantage of having been funded to travel to the other side of the world, to arrange a number of other meetings in Brussels, and Paris, en route.
In Brussels, I had meetings with the European Data Protection Supervisor, Giovanni Buttarelli and his staff. He talked about his strategic direction, and was complimentary of our “making privacy easy” mantra, which echoes his own approach to compliance and engagement, as described in his strategy document.
Mr Buttarelli is deeply involved in Europe’s data protection issues and is keen to develop links with our office, and our wider Asia Pacific region.
Next on my schedule was a meeting with the European Commission. It is the keeper of the “adequacy” rulings, and a very important ally. This is especially significant for New Zealand with forthcoming new EU data protection regulation raising questions about how existing “adequacy” decisions are to be treated in the transition.
The head of the Data Protection Unit at European Commission, Bruno Gencarelli, was very supportive of our case, and only made a plea for us to keep him informed of law reform and other developments affecting privacy in New Zealand, so the Commission could be in a position to answer questions as they might arise from the European Parliament or Ministers.
One of the developments on which I received helpful briefings, first from Mr Gencarelli, and late in the day from the US Mission, was the “safe harbour” negotiations that are going on between Europe and the United States. Safe harbour is a way US companies can achieve data flows from the EU to the US without having adequacy status. The arrangement is being reviewed, and challenged in the European Court of Justice, largely as a result of European concerns over the activities of US intelligence agencies that might affect data relating to EU citizens.
In Paris, I had meetings with CNIL, our French equivalent. It is doing some quite cool stuff, and I think we can learn from it. It has a ‘privacy seal’ – a quality mark for organisations that demonstrate good privacy-embedded information handling systems. It also has some clever technology, like a downloadable cookie tracker - something I would like to explore for our office.
I also attended a meeting with the OECD whose work in this space includes setting and reviewing privacy and security guidelines for member countries. Among other things, they were very interested in work New Zealand is leading domestically and internationally on transparency reporting.
I then travelled to Singapore where I was a guest of the country’s Personal Data Protection Commission. I had been invited to give a keynote address at this year’s Personal Data Protection Seminar, an event attended by about 700 people. A copy of my presentation is available here.
Singapore’s Personal Data Protection Act only came into effect last year. Unlike our privacy law, it only applies to non government sectors. I was impressed by what its Personal Data Protection Commission had achieved in such a short time, including developing an online education tool that had more than 7000 users already. I hope to be able to match that success with our own e-learning privacy training modules which were launched during Privacy Week and are available on our website.
I was similarly impressed by the innovative approach the PDPC has taken to getting small to medium enterprises access to legal advice. It has struck a deal with the Singapore Law Society to ensure that an affordable “high level assessment” is available to all companies. This is a great idea and should both enhance compliance and build the capacity of the advisory sector.
It is important for New Zealand to pay particularly close attention to the data protection environments in Asia. It is vital that we understand how Asian data protection scenes work because so many of our markets are in Asian countries and our relationships with the region are projected to keep on growing.
By engaging with the international community, and groupings of data protection authorities and privacy commissioners, we will be better placed to face the challenges of global information risks to New Zealanders.