PL&B takes pride in our excellent working relationship with DPAs around the world

Three of our Privacy Laws & Business Reports editorial team (Laura Linkomies, Editor; Professor Graham Greenleaf, Asia-Pacific Editor; and Merrill Dresner, Assistant Editor) and many of our correspondents joined me in Hong Kong for last month’s 39th International Conference of Data Protection and Privacy Commissioners. Graham Greenleaf moderated the session on West meets East with speakers from France, Mexico, the USA and China. As sole Media Partner for the conference, we at Privacy Laws & Business were pleased to promote this event around the world helping result in the best attended conference in this series.

We have reported on some of the main conference themes in this edition (p.1) including DPAs’ fines (p.14), European data privacy standards outside Europe (p.21) and several subjects from the Asia Privacy Scholars Network Conference sponsored by PL&B (p.29).

It was a perfect opportunity for us to meet subscribers to PL&B International Reports, previous and potential PL&B Annual International Conference speakers, and many Data Protection Authorities. It is in such informal discussions, for example with Commissioners from South Africa’s Information Regulator, which create the links which sustains PL&B’s in-depth coverage of 121 countries with privacy laws and many more planning such laws.

A side event which I attended gave a positive slant on Cross Border Privacy Rules (CBPR). It showed that not only the US but also Japan’s Personal Information Protection Commission is supporting this initiative with companies being assessed by the Japan Information Processing and Development Centre (JIPDEC). Only one Japanese company has been approved so far as meeting the CBPR standard. But the organisation is ready to process more CBPR applications, as it already has a national certification scheme in operation with thousands of Japanese companies approved.

Discussions and interviews outside the conference sessions and side events

As always, discussions and interviews outside the conference sessions and side events provided valuable insights which we will cover in our December edition, for example, with Chaeho Rheem, Standing Commissioner, Personal Information Protection Commission, on the use of mediation in Korea.

After the conference, Merrill and I visited the Privacy Commissioner for Personal Data, Hong Kong for an interview with Commissioner Stephen Kai-yi Wong and Deputy Commissioner, Fanny Wong. Stephen Wong had said at the conference that “meeting the legal requirements of compliance and accountability to recognise the intrinsic values of data privacy rights would be improved by the ethical approach including a fair and ethical use or processing of data. Data users need to add value beyond just complying with the regulations. Perhaps it is high time we developed an equitable data privacy right for all stakeholders.” I have invited him to expand on this concept. We discussed with Fanny Wong and Daniel Chin-wah Leung, Head of Communications and Education, their conciliation work in the absence of enforcement orders.

Our visit to Macau’s Office for Personal Data Protection provided fascinating insights into its work not only in this Special Administrative Region famous for its casinos but also its surprisingly influential role in privacy law policy making in the People’s Republic of China, always described during our visit as “Mainland China.”

More on all of these subjects in our December edition.

The UK retains its international outlook

One option for the UK is to join the European Economic Area so I visited Iceland to see how the data protection law is working there (p. 16).

Last night I attended an IAPP event in London with Elizabeth Denham, the UK’s Information Commissioner, who made comments on several international issues including:

1. The ICO wants to stay involved with the EU Art. 29 Data Protection Working Party (WP29). The exact relationship between the UK and the WP29 after Brexit is not clear but Denham has made efforts to reinforce existing strong relationships with the parties and ensure that the UK, as the EU’s largest Data Protection Authority, has continued to be the lead author on many of the WP29 guidance documents.

2. Encouraged by the government, the ICO will continue to have an international outlook with active participation in not only the WP29 but also the Global Privacy Enforcement Network (GPEN), Common Thread, (Commonwealth countries data protection coordination body) and the Asia Pacific Privacy Authorities (APPA).

3. I asked whether the ICO is now able to offer a faster service on processing Binding Corporate Rules applications as some companies have been considering taking their applications to France or other countries. She said that the UK had processed 85% of all the approved BCRs and she has devoted more resources to this area. Her staff are now working on a template to make the BCR application quicker and easier.

Elizabeth Denham summarised her international perspective by declaring: “Right now, we are playing in all the fields we can.”


Stewart Dresner, Publisher

International Report 149

Lead story:

East meets West: Converging regimes, different approaches

Data Protection Authorities discussed legislative frameworks, data transfers and new technologies at their 39th International Conference. Laura Linkomies reports from Hong Kong.

Contents also include:

  • Comment: Can the GDPR create a new global standard?
  • EU-US Privacy Shield – success so far
  • ‘Speaking the inconvenient truth’: UN Special Rapporteur on privacy
  • Asian privacy scholars meet
  • Privacy in eight South Asian States
  • European data privacy standards in laws outside Europe
  • Industrial Internet of Things: Data privacy and intellectual property
  • Austria amends DP law to comply with GDPR provisions
  • Iceland shows how an EEA country steers parallel to the EU
  • South Korea faces GDPR hurdles
  • Belgian DPA publishes guidance on DPOs and internal records
  • Think tank says DPAs should fine only seriously negligent conduct
  • CNIL publishes processor guidance
  • EU DPAs issue GDPR guidance
  • Human Rights court rules to limit monitoring of employee emails
  • Luxembourg issues GDPR Bill
  • UK ICO welcomes draft DP Bill
  • Hungary moves on with the GDPR
  • Uber settles with US FTC
  • Guidance on driverless vehicles
  • EU to tackle data localisation
  • Canada’s DPA to step up enforcement
  • Call records ruling in Portugal