When I took up the job in February last year, I was pretty familiar with the legal and policy issues around privacy, and I knew a fair bit about complaints. One area that I hadn’t had so much experience with was international engagement. But this has long been important and will be a very prominent feature of the Office’s focus in 2015.
Last year, I travelled to South Korea and Canada to attend the meetings of the Asia Pacific Privacy Authorities (APPA), and to Mauritius for the International Conference of Data Protection and Privacy Commissioners (ICDPPC). I also visited my federal and state counterparts in Sydney, just after taking up office. Others in my office attended meetings in Colombia, Brussels, Victoria and British Columbia.
These trips can involve considerable expense (although internationally sought-after staff have been canny in securing funding from the hosts to accompany invitations to address conferences such as those in Brussels and Colombia). International travel is also a common subject of enquiry by select committees, political parties and interest groups, and rightly so. Like all other areas of our work, we need to be able to justify the application of public resources and explain the value derived for the Office, and for New Zealand.
The field of privacy and data protection has become increasingly global, as aggregators of data and technology providers such as Vodafone, Google, Microsoft, Facebook, Apple and others provide their services in almost every jurisdiction. It is important for enforcement agencies such as ours to share ideas, and sometimes coordinate responses to emerging issues.
When the European Court of Justice found that Spanish law required Google to “break links” in search returns based on the so-called “right to be forgotten”, Google immediately began a service for Europeans only, to exercise their newly discovered right. The APPA meetings in Seoul and Vancouver provided an opportunity for regulators in the Asia Pacific region to compare approaches, and discuss whether to seek a similar service for our region’s “data subjects”.
With New Zealand embarking on a major reform of privacy law, it is very helpful to compare notes with other jurisdictions that have been through the reform and implementation process, such as Australia, and countries that have already implemented policies to be enacted here, such as mandatory breach notification.
In 2012, New Zealand finally secured “adequacy” status from the European Union, meaning personal data can be sent here from Europe for processing without special measures being taken by the European companies. This is sometimes dubbed New Zealand’s first free trade agreement with the EU. After Edward Snowden’s revelations about the alleged actions of the NSA and its “Five Eyes” partners erupted the following year, a committee of the European Parliament expressed disquiet about New Zealand’s involvement and questioned whether the “adequacy” determination should be revisited in light of the alleged mass surveillance.
Therefore, maintaining strong links with European privacy regulators and the European Commission is essential for maintaining New Zealand’s reputation and hard-won status.
At the International Conference in Mauritius, New Zealand was elected Chair of the executive committee of the ICDPPC. It’s not quite like being on the Security Council but it involves providing a conference secretariat through to the 2015 conference, accrediting privacy agencies wishing to join the conference and implementing resolutions such as the 2014 resolution on international cooperation. It is about being a direct link to the nearly 100 economies with data protection authorities or privacy commissioners.
The role of Chair is an opportunity to have a voice in the ongoing discussion about the role of privacy regulation at this critical time of technology development, international concern about security breaches, and the activities of transnational corporates and intelligence agencies.
There are quite marked cultural and legal differences in approach to privacy between Europe and North America, and New Zealand can help bridge these traditions - a theme I touched on in my closing remarks at the Mauritius conference.
The role of Chair has led to a number of invitations to attend different events and conferences, some funded, some not. This year I will:
Others in my office will represent us in Macau and Hong Kong, and no doubt attend meetings in Australia. In his role as delegate to the APEC Electronic Commerce Steering Group Data Privacy Subgroup (ECSG DPS), and as an administrator of the APEC Cross-border Privacy Enforcement Arrangement (CPEA), Assistant Commissioner Blair Stewart will be attending a meeting in the Philippines at which significant advances are expected to be made in reviewing the APEC Privacy Framework and the CPEA.
By remaining engaged with the international community, and groupings of data protection authorities and privacy commissioners, we are better placed to face the challenges of increasingly global risks to the privacy of New Zealanders.