GDPR influential but the Council of Europe Convention 108 still attractive

While the EU Data Protection Regulation (GDPR) is dominating the scene in Europe, this edition makes clear its substantial impact in Asia. The intention of the European Commission from the start was to have a privacy positive influence for companies providing services to the European Economic Area and from there spread its influence around the world.

PL&B’s editorial team at the DPAs’ 39th Annual Conference in Hong Kong in September observed that the GDPR was the dominant reference point. Its influence can be seen in the countries seeking an EU adequacy declaration, such as Korea and a future mutual adequacy declaration in the case of Japan (p.1). The People’s Republic of China has also defined some of the terms of its new Personal Information Standard to be comparable (p.25). We greatly appreciate the role played by our national experts in translating documents and interpreting them so that Professor Graham Greenleaf, Asia-Pacific Editor, can analyse and report on them in such a substantial and authoritative way.

A role for mediation

Our interview with the Korean Commissioner (p.20) in Hong Kong and visit to the Commissioner’s office in Hong Kong (p.22) gave valuable insights. We asked about the extent to which their mediation process was helped by the role of mediation in Korean and Chinese culture. We learned in Hong Kong that Chinese culture emphasizes harmony in daily life. Generally speaking, complainants may just wish to air their grievances without pursuing them to the very end. This is particularly their experience when the party complained against has shown sincerity and respect to the person who is dissatisfied with their collection or use of personal data. The person then often becomes willing to resolve the complaint by way of mediation or even not pursue their complaint further. Even if the office starts to use online dispute resolution, the Commission staff recognise the continuing need for a local human mediation option.

Its work has received support from the adoption of Hong Kong’s Apology Ordinance which came into operation on 1 December (p.24) and is thought to be the first in Asia.

A new platform for collective action

Mediation is little used in Europe or North America but there may be some potential for using this technique there. In the meantime, prosecutions and other regulatory tools continue to be deployed as the norm. It will be fascinating to watch what happens assuming privacy activist, Max Schrems attracts crowd funding to support data law suits which he explains will help consumers fight for their rights and encourage whistleblowers inside tech companies to speak out (p.15). The collective (class) action provision in the GDPR provides a solid basis for this new initiative.

Council of Europe Convention 108 remains attractive

However, the GDPR is not the only international instrument in this field. Yesterday, we received news from the Council of Europe that its Committee of Ministers has accepted Mexico’s request to accede to the Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data and to its additional Protocol 181. Mexico is the ninth country from outside Europe that has been invited to accede, after Uruguay, Mauritius, Senegal, Tunisia, Morocco, Cape Verde Islands, Burkina Faso and Argentina. This legally binding convention clearly represents a standard to which many countries can aspire.

As always, Laura Linkomies, Editor, is happy to receive your feedback or ideas for articles. Contact her at with your suggestions.

PL&B’s GDPR Help! Roundtable on 31st January in London on Managing Risk will enable you to have a peer group discussion – to be hosted by Australia-based Macquarie Bank (p.31).

I and all of us at PL&B wish you Happy Holidays, as we move forward steadily to 25 May 2018 and application of the GDPR.


Stewart Dresner, Publisher

International Report 150

Lead story:

Australia’s mandatory breach notification regime imminent

A notification duty will apply, from February 2018, to all private sector and not-for-profit organisations with an annual turnover of more than A$3 million. By Elizabeth Coombs and Sean McLaughlan.

Contents also include:

  • Comment: Adequacy is a fluid concept
  • Italy’s DPA issues guidance
  • Finland seeks harmonisation by following the GDPR’s text closely
  • Spain is one step closer to new European reality with its DP Bill
  • Catalan DPA to launch its DP by Design Award in January
  • EU DPAs: Legal action to come unless Privacy Shield improved
  • Blockchain: Disrupting data protection?
  • China’s Personal Information Standard
  • Korea uses mediation to settle disputes between individuals and organisations
  • Hong Kong’s DPA prefers mediation to prosecution
  • ENISA presents ideas on certification
  • Privacy activist launches data-lawsuit NGO
  • Jamaica prepares for DP law
  • Guernsey adopts DP Law
  • EU DPAs consult on BCRs
  • UK ICO issues GDPR guidance, confirms BCRs will continue
  • Ireland proposes 13 for age of consent online
  • Connected toys and smart watches endanger children’s privacy
  • EU expert group discusses GDPR
  • DPAs’ enforcement statistics