Vol. 3, Issue 2 | 2021 NEWSLETTER GLOBAL PRIVACY ASSEMBLY
Message from the Chair In this issue: > Towards the 2021 Global At last year’s Closed Session, Privacy Assembly P3 I spoke about the three > The FTC’s post-pandemic aspects that are central to our privacy approach P4 Assembly’s progress: continued > The UN Special Rapporteur modernisation, collaboration and on the Right to Privacy P6 community. These themes continue to drive > Balancing data sharing, our work. innovation and governance In March, the GPA Executive in the digital society P8 Committee met to consider our > The 2020 GPA Census P9 Assembly’s strategic direction > A carrot and stick approach for the next two years. This is an to data protection P10 important part of our continued If the Joint Statement showed modernisation, as we focus our how our Assembly can speak with > The GPA Strategic Plan priorities on the areas where we one voice, then the launch of the 2021-2023 P12 can have the most impact and GPA Reference Panel showed > Working Group on retain the most relevance. As I how we will listen. The panel will COVID-19 related privacy discuss in more detail later in this provide a valuable resource of and data protection issues newsletter, we as data protection experts to inform our views and P13 and privacy authorities are at a work at our request on specific > Leveraging the intersection pivotal moment: if data protection items, and allow us to be a greater of regulatory spheres to looks too much like a barrier, we part of the privacy conversation forge new partnerships and risk being left behind. I urge all beyond our regulatory community. enhance the protection of members to read and consider the That sense of community is privacy rights P15 Strategic Plan 2021-2023 once it is reinforced in the results of our GPA > New Chair for the Berlin circulated. Census, showing the truly global Group – IWGDPT P17 Our strategy is a result of reach of the Assembly. The results > A Viewpoint from the collaboration across the Assembly, provide a vital insight into the way Middle East – The Dubai with the views of members from the data protection landscape is International Financial around the globe represented. changing. Centre (DIFC) P18 We are greater when we stand All of these themes will be part together. This shone through when of our Global Privacy Assembly > In conversation with... we issued our first GPA Executive 2021 conference later this year. Ms. Marie-Laure Denis, President, CNIL, France P20 Committee Joint Statement in The event will be the first hybrid March. conference, held both in person > Get to Know your ExCo… The statement on the use of and online, and I am looking John Edwards, Privacy health data for domestic and forward to what promises to be an Commissioner of New international purposes provided exciting and important moment in Zealand P22 timely guidance on an issue that our group’s continued history. > Update from the GPA is critical for governments, public Thank you for your continued Observer at the OECD P24 sector organisations and private support during this pivotal time for > Meet Our Member: businesses around the world. The data protection and privacy, and Alexander White, Privacy flexibility to respond to such an for helping to make our community Commissioner, Bermuda important issue that has arisen one that is so supportive, practical P25 between our conferences is an and relevant. important one: the GPA is now > Your GPA News Highlights P27 truly an influential forum year Elizabeth Denham CBE round. Information Commissioner, UK 2 Towards the 2021 Global Privacy Assembly Blanca Lilia Ibarra Cadena, President Commissioner, National Institute for Transparency, Access to Information and Protection of Personal Data (INAI), Mexico provides an update on preparations for the GPA 2021
During the health emergency due event, INAI and its contractors to the COVID-19 pandemic, online will, at all times, comply with activities have become essential the control measures focused for the world’s population, on the prevention of COVID-19 adopting the utilisation of virtual infection that have been cooperation, among others. conference platforms as one of recommended by the World Health In addition, for the first time, the main mechanisms for holding Organization (WHO) and the various virtual activities are being meetings and mass events. Mexican authorities, such as social considered, which will enable However, we should not distancing, open spaces, limiting participants to interact with overlook the importance of having the number of people in face-to- the panelists in order to share various international personal data face spaces, among others. relevant, cutting-edge information. protection and privacy authorities As for the general theme of this These activities will take place on sharing a physical forum that edition of the GPA, it has been the margins of the open session will facilitate the exchange of decided to maintain the proposal for all participants. knowledge and ideas to provide presented last year: It is also envisaged that during solutions for emerging issues in “Privacy and Data Protection: A the breaks between conferences, the field and in the context of the human centric approach”. virtual and networking activities health crisis. This decision is based on a will be held to capitalise on the simple fact: with the advances in opportunities for open discussion. “For the general technological innovation and the In order to successfully carry out theme of this edition automated processing of personal these activities, an interactive and data, the human being must user-friendly online platform will of the GPA, it has been continue to be the main actor in be available for this edition of the decided to maintain the decision-making and the one who GPA. This will allow a secure digital proposal presented last exercises control over his/her interaction among the Assembly year: “Privacy and Data personal information. attendees. Protection: A human In the specific case of the GPA’s Open Session, the aim centric approach”.” will be to achieve co-existence For all of the above, we would between the development of like to extend an invitation to all For this reason, INAI has proposed new information technologies member authorities and interested holding the 2021 edition of the and the protection of human parties to participate in the next Global Privacy Assembly (GPA) rights, specifically the right to the edition of the Global Privacy in a hybrid format. This format protection of personal data. For Assembly, which will take place in will allow for data protection this reason, a programme is being a hybrid format from October 18 authorities and other participants prepared with keynote speakers – 21, 2021 in Mexico City and on who wish to attend in Mexico City, and parallel sessions for national the digital platform. as well as those who participate and international experts from virtually, to have the same different sectors to present their benefits, as well as the ability ideas and experiences, focusing on to take full advantage of the the central theme from different knowledge that will be shared perspectives: digital economy during the event. and e-commerce, regulatory It is important to point out convergence, accountability, data that, regarding the face-to-face analysis, regional and international 3 Horizon Scanning The FTC’s post-pandemic privacy approach Rebecca Kelly Slaughter, Acting Chair, Federal Trade Commission (FTC), US, writes exclusively for the GPA
The COVID-19 pandemic has use to address these and other had a transformative impact on ongoing issues for the benefit of the world, including on privacy. all? As Acting Chair, I am excited As the virus proliferated, many to lead the FTC as we emerge people shifted major parts of their from these challenging times and lives—work, education, shopping, begin to answer these questions. entertainment, and healthcare— I’m looking forward to engaging almost entirely online, bringing with our Global Privacy Assembly privacy and data concerns to the (GPA) colleagues on these issues to mitigate discriminatory forefront. I’ve experienced this as we use all of our tools to protect effects. Transparency means transformation in my personal privacy and prevent data abuses. that developers and deployers life, as well as in my role as a of AI should make sure that Commissioner and more recently Major Issues AI decisions are explainable as Acting Chair of the Federal • Algorithmic Discrimination and defensible. With proper Trade Commission (FTC). With more people online during transparency, academics, the pandemic, companies have advocates, and third parties “The pandemic has collected—and used—more can then test for discriminatory personal data for more purposes. outcomes. But transparency must highlighted the need for I know that the GPA has been not put untenable burdens on strong legislation at the concerned with the increasing consumers. And transparency federal level as more of use of algorithms and automated must be accompanied by, at a our work, our children’s decision-making and the potential minimum, accountability and education, and even our for algorithmic discrimination. I proper remedies. The companies social interactions are share this concern, and this is an that benefit from algorithms must taking place online.” area that the FTC will be looking at also have the responsibility to more intensively. ensure they are conducting regular I’ve previously noted that, when audits and impact assessments. For the FTC, the pandemic has we focus on the most troubling And we have to ensure there is put a spotlight on many existing examples of flawed algorithms in proper redress available for faulty privacy challenges: educational the marketplace, there is a clear or unfair algorithmic decisions. technology, health apps, remote list of factors that contribute The goal is to minimise and ideally work, and broadband privacy to discriminatory or unsavoury end discriminatory outcomes from practices. With vaccination on outcomes: faulty inputs, faulty algorithmic decisions. the rise in the United States, we conclusions, a failure to adequately are now looking toward the post- test, and proxy discrimination. • Facial Recognition Technologies pandemic future, keeping in mind We must take care that existing Another pressing issue is the the privacy gaps exacerbated by discrimination is not replicated, increasing development and the pandemic and the broader exacerbated, or potentially ‘hidden’ deployment of facial recognition issues of equity, including, inside algorithmic logic. technologies. Like algorithmic especially in the American context, Our staff will be actively decision making, facial recognition racial justice. investigating the use of algorithms, technology can also exacerbate As I see it, our future will be and we will continue to look existing racial disparities. There are shaped by our answers to two for ways to address other AI- some obvious privacy implications urgent questions: What major based consumer issues. The in facial recognition, such as being privacy issues will consumers starting point to delivering able to identify someone from confront? And what tools will algorithmic justice is increased just a photograph. But there’s also we, global privacy authorities, transparency and accountability disturbing evidence that these 4 technologies are less accurate at market. In order to have effective players in digital markets are there identifying non-white individuals, deterrence, we need to fully because of their access to and which has led to documented understand the benefits that control over consumer data. These cases of wrongful arrests of Black companies may get from violating dual missions are complementary, men. In our enforcement actions the law, not only financial gains and we should apply both the against Facebook and Everalbum, but also growth, opportunity, and privacy and competition lenses to we have challenged their competitive advantage. Once we problems in digital markets. default use of facial recognition better understand the benefits In addition to case-by-case technology, and we will continue to companies get, then we can enforcement, we can apply our look for violations in this area. pursue a remedy that ensures rulemaking authority to pervasive that companies would find these privacy problems. Clear rules • Children’s Privacy violations unprofitable. can provide a guide for honest Finally, protecting young people’s Second, we should focus on businesses and strong deterrence privacy will remain a significant accountability at a corporate for would-be rule-breakers. part of the FTC’s agenda. As and, whenever appropriate, Congress has given the FTC several schools shifted to virtual learning individual executive level. Here, important authorities to write models during the pandemic, we should understand how close rules to help protect consumers children and teens spent much the violations were to the core and promote competition. It is of their school and non-school of a business and how executive time we look at how rules might hours online. Ed-tech and other accountability could change provide relief from novel harms services used by children and that corporate culture. Further, in the digital economy as well as teens are not going away after the transparency measures, such as traditional scams, with the goal of pandemic ends. At the FTC, we are publishing assessments and even making our work more efficient currently reviewing our Children’s including potential whistleblower and potent. To that end, I have Online Privacy Protection Act protections, could help to reduce created a new rulemaking group rules. We also recently sent problematic practices. within the FTC to streamline our orders requesting information Third, we should focus on process, strengthen existing rules, from nine major social media and helping current victims. The FTC and undertake new rulemakings video streaming firms to obtain a often seeks monetary remedies to prohibit unfair or deceptive better understanding about these in our consumer protection cases, practices and unfair methods companies’ practices including such as repaying consumers the of competition. The FTC has information that may reveal how money they lost and disgorgement long innovated in how it uses these firms are targeting and of ill-gotten gains. Finding a its existing authority to protect categorizing children and families. monetary remedy in privacy privacy, and this is another tool cases, in which consumers may with which we must be creative. “Our future will be shaped have paid little or no money for Even as we take an aggressive a service, is a challenge. In cases approach with our existing by our answers to two for which monetary relief is hard statutory mandate, we are urgent questions: What or impossible to determine, we closely eyeing the prospect major privacy issues will need creative approaches to of more direct federal privacy consumers confront? And address consumer harm, such as legislation in the United States. what tools will we, global disgorgement of ill-gotten data, The pandemic has highlighted privacy authorities, use to meaningful notice, and renewed the need for strong legislation at address these and other opt-in for existing consumers. the federal level as more of our ongoing issues for the One recent example is our action work, our children’s education, benefit of all?” against Everalbum, where, instead and even our social interactions of disgorging monetary benefits, are taking place online. The we required the disgorgement of urgency of comprehensive data Applying the FTC’s Tools a different benefit: the algorithms privacy legislation with meaningful As market conditions and firm based on allegedly improperly limitations on the collection and conduct around privacy evolves, collected data. use of data and prohibitions on so too must the FTC’s enforcement I should also mention a discriminatory practices, dark approach. There are several areas significant structural advantage patterns, and data abuses has I am prioritising as we move that the FTC has: We have both a never been greater. The FTC stands forward. First, as we consider how privacy and a competition mission. ready to enforce a federal privacy to resolve investigations, we must We will be thinking carefully about law. In the meantime, we will use focus on deterrence of future the overlaps between our privacy our existing tools strategically and violations—both by our defendants and antitrust work. We must take creatively to protect consumers, and by other participants in the note that many of the largest particularly the most vulnerable. 5 The UN Special Rapporteur on the Right to Privacy In an exclusive for the GPA, Professor Joe Cannataci reflects on his tenure as UN Special Rapporteur on the Right to Privacy
Very early in my role as United The mandate has an important complex web of information flows Nations Special Rapporteur on the complementary role with in society. The first major initiatives right to privacy, I said “Privacy has data protection and privacy of the state surveillance thematic never been more at the forefront commissioners worldwide to strand were the establishment of political, judicial or personal raise significantly the global of the annual International consciousness”. Little did I know standards of privacy. This shared Intelligence Oversight Forum (IIOF) how some issues would grow in commitment to advance privacy and the development of the ‘Draft significance or how others, such was formalised at the International Legal Instrument for Government as the COVID pandemic, new laws, Conference of Data Protection Led Surveillance’. Both, in their judicial rulings, and inquiries into and Privacy Commissioners, on 27 own way, successfully provoked corporate use of personal data, October 2015, in Amsterdam. debate and action to protect citizens’ privacy. Privacy, freedom of expression and freedom of access to “An important issue information are essential to in information policy the universal and overarching and governance is the fundamental right to dignity and the unhindered development of appropriate weighting one’s personality. As inaugural given to the use of Special Rapporteur on the right data for the benefit of to privacy, I sought to increase society and to the need understanding of the right to protect fundamental to privacy as fundamentally important for the autonomy and rights, like privacy and the ability of individuals to identify autonomy.” and choose between options in an informed manner throughout their lives. The theme of children’s privacy would exponentially heighten was added in 2017-2018 to the political, judicial or personal initial list of priorities, to examine awareness of privacy. the important contribution of the Space does not allow me right to privacy. It followed the to dwell at length on any of work on ‘gender perspectives of these matters, but I highlight privacy’ which shone a light on the the significant effect of the privacy concerns of many citizens European General Data Protection about the way in which gender Regulation; the updated was the basis for infringements Convention 108; the Investigatory upon their dignity and reputation – Powers Act of Great Britain and Priority themes sometimes irrevocably. Northern Ireland; the US CLOUD An important issue in Act; the Indian Supreme Court’s My priority themes throughout information policy and governance 2017 Puttaswamy Judgement, were Security and Surveillance; is the appropriate weighting and the ‘Schrems’ decisions Big Data and Open Data; Health given to the use of data for the of the Court of Justice of the Related Data; Corporations’ use benefit of society and to the need European Union, COVID Apps, of Personal Data, and Privacy and to protect fundamental rights, amongst others, upon the privacy Personality sought to safeguard like privacy and autonomy. This landscape. individuals’ privacy in the overall tension has been at the crux
6 of the challenges posed by the a global discussion to determine the Philippines and others but COVID virus to the right to privacy the type of information policy the common template adopted in of individuals and communities. most suitable for maximising the the country visit reports should The UN SRP Task Force on Health protection of, and minimising help readers compare apples with Data 2019 Recommendation on the risk to, individuals’ privacy apples, oranges with oranges. It the Protection and Use of Health- arising from the data collected should not be difficult to discern Related Data and its accompanying about them by corporations, the common thread that runs Explanatory Memorandum, was, and accessed from there, by quite fortutiously, a very timely governments. “The mandate report for the advent of the This requires engagement has an important pandemic in 2020. with all stakeholders, especially Some particular issues identified civil society, to bring home to complementary role early in the mandate, such as lawmakers and the corporate with data protection and smartphones as compellable sector, citizens’ and users’ privacy commissioners witnesses, have only grown in expectations of improved privacy worldwide to raise significance. For example, the protection. I stress the need for a significantly the global number of sexual assault victims citizen focus to achieve recognition willing to proceed with their if not remedy, for those individuals standards of privacy.” cases, even very strong cases, whose privacy has been infringed, has reportedly dropped due to and for those whose privacy is across my recommendations the ‘digital strip search’ nature of vulnerable. to all countries visited: privacy handing over their phones. Future challenges require is everybody’s right and its ongoing action based on evidence protection should not depend on “Privacy is everybody’s and a clear, comprehensive vision the passport in your pocket or your right and its protection of privacy. The value of privacy in location anywhere around the urban spaces for example, needs world. should not depend on to be assessed when considering Multiple consultations with the passport in your all the intrusive technology that multiple stakeholders, such as civil pocket or your location can be deployed in so-called society, academics and individuals, anywhere around the smart cities to meet individual and the corporate world, and data world.” collective expectations of privacy, protection and privacy authorities, in both public and private spaces. provided invaluable insights Engagement is also required captured in the reports on all the Big data issues continue to weigh with the technical community subjects mentioned above made to heavily on privacy, particularly to promote the development of the United Nations Human Rights the growing reliance on artificial effective technical safeguards, Council and General Assembly. intelligence (AI). This provided the including encryption, to put Throughout I have been impetus for the Recommendations ‘privacy by design’ genuinely into assisted by the expertise and on AI which is intended as a practice. support of many individuals and common international baseline organisations. The Taskforces for for data protection standards Privacy and its protection is thematic action streams were regarding AI solutions, especially everybody’s right composed of highly experienced those to be implemented at the and unpaid volunteers who domestic level. Apart from extremely useful provided invaluable research and unofficial visits to several other background for my reports to the Safeguards and remedies countries, I carried out official Human Rights Council and General country visits in Argentina, France, Assembly. I thank the international The safeguards and remedies Germany, Korea, the UK and the community of privacy and data available to citizens can never USA. When read together, the protection authorities in particular, be purely legal or operational. updated versions of the country and I wish the GPA and all its The complexity of important visit reports should provide useful members and observers, a safe issues such as Indigenous Data examples of good practices as well and successful 2021. Sovereignty means that law as insights into the complexities, alone is not enough. Cultural trials and tribulations that privacy SRP reports are available on the change based on an appreciation protection faces across all regions SRP webpage. Enquiries can be of human rights and their of the world. made to Prof. Elizabeth Coombs contribution to achieving economic COVID-19 put an end to at [email protected]. and social equality is required. It plans to carry out more visits in um.edu.mt is now opportune for example, for countries as diverse as Nigeria,
7 Focus Balancing data sharing, innovation and governance in the digital society – Safeguarding individuals’ data protection and privacy
Andrea Jelinek, Chair of the European Data Protection Board (EDPB), gives an overview of the safeguards and legal frameworks in place in the EU to uphold data protection and privacy standards in the digitised society
The EU’s data protection legal COVID-19 related Digital Green the application of the DGC must framework is a key enabler of a Certificate (DGC), the future be strictly limited to the current data economy: innovation and new ePrivacy Regulation, on the Data COVID-19 crisis. technologies will not be successful Governance Act (DGA) and the In its latest statement on if they are not trusted and trust draft of the UK adequacy decision. the future ePrivacy Regulation, can only be achieved by respecting In the joint EDPB-EDPS opinion the EDPB recalled that under existing data protection legislation. on the DGC, the Board underlined no circumstances can the level The data protection regulators that any measure adopted at of protection offered by the have a key role to play in making national or EU level that involves current ePrivacy Directive be sure individual rights are respected processing of personal data must lowered. The ePrivacy Regulation in a quickly digitalising society. respect the general principles should complement the GDPR by providing additional strong guarantees for confidentiality and protection of all types of electronic “The data protection communication. regulators have a key role to The EDPB also asserts that play in making sure individual the data protection authorities rights are respected in a responsible for enforcement of the GDPR should be entrusted with the quickly digitalising society.” oversight of the privacy provisions of the future ePrivacy Regulation. Allowing this will ensure a The European Data Protection harmonised interpretation and Board aims to uphold data enforcement of the privacy rules protection standards in our across the EU and guarantee a evolving digital economy. The EDPB level playing field in the Digital recently published its Strategy and Single Market. Work Programme for the coming of effectiveness, necessity and Similarly, the joint EDPB-EDPS years with four pillars providing a proportionality. Therefore, any opinion on the Data Governance clear account of EDPB objectives use of the Digital Green Certificate Act was also built on keeping the and focus. One such key objective by the Member States other than integrity of the GDPR’s standards, is to monitor new and emerging enabling free movement within the and the roles of the national DPAs technologies and their potential Union must have an appropriate to enforce the GDPR and maintain impact on fundamental rights and legal basis in the Member a level playing field. the daily lives of individuals. States’ law and all the necessary The protection of personal data The EDPB safeguards data safeguards must be in place. is an essential and integral element protection principles through Furthermore, the EDPB for trust in the digital economy, guidance, consistency opinions affirms the new regulation must and the DGA must be fully in and decisions, and legal advice expressly include that access to line with the EU personal data to the European Commission. and subsequent use of individuals’ protection legislation, and make Recent examples of when the data by the Member States once this unambiguously clear. EDPB’s legal advice was called the pandemic has ended is not An issue that is at the top of for was in consultation on the permitted. At the same time, the EU’s political agenda is the
8 adequacy agreement with the UK. has mirrored, for the most part, We also ask the Commission The EDPB was requested to issue the LED and GDPR in its data to closely monitor all relevant two Opinions on the Commission’s protection framework and when developments in the UK in the draft UK adequacy decisions: analysing its law and practice, the months and years to come and to one on the UK’s adequacy under EDPB identified many aspects to take action if needed. the Law Enforcement Directive be essentially equivalent. At the The EDPB is determined to help (LED); and the second on the same time, a number of important to shape Europe’s digital future in draft adequacy decision based challenges remain and the Board line with our common values and on the General Data Protection calls upon the Commission to rules, while continuing to work to Regulation (GDPR). The EDPB address these in its final decision. promote regulatory coherence noted that the UK starts off from We welcome the Commission’s and enhanced protection for an advantageous position vis-à- decision to limit the granted individuals. vis other third countries. The UK adequacy to a specific time period.
Navigating the Global Data Privacy Landscape: The 2020 GPA Census An introduction to the 2020 GPA Census Report and its significance for the GPA and wider data protection and privacy community NAVIGATING THE GLOBAL DATA PRIVACY LANDSCAPE: Every three years the GPA The Census provides a useful THE 2020 GPA CENSUS takes stock of the work of the reference tool for those whose Global Privacy Assembly (GPA) business and data crosses membership through the GPA jurisdictions and to national policy Census. This work began in 2017, makers considering new legislative and the 2020 Census builds upon approaches. It also supports the work of the first Census in member authorities’ capacity 2017. This Census – based on building and collaboration through 2019 data – collected information dissemination of ‘how it’s done’ from 70 GPA members to provide in other jurisdictions. Finally, the a ‘point in time’ picture of the data in this Census informs the policies and delivery approaches GPA’s Working Groups which are that currently guide and regulate charged with delivering activity data protection and privacy in support of the GPA 2019-2021 globally. Conference Strategic direction and its successor document (currently the oversight of an independent The GPA Chair Elizabeth under development and to be regulator. Denham has advised agreed at the GPA Conference in The design of the report is that the Census: October 2021). founded in the GPA aspiration, This report bears many which is to: “create an environment “Furthers the work similarities to the picture reported in which privacy and data in the 2017 census, but there are protection authorities around the previously done and some noteworthy differences in world are able to act”. The words provides points of 2020. Most notably, the growth in within this aspiration have been comparison as well as size of data protection authorities translated into binary code, and we new insight into how the around the world in terms of wanted to convey that the report is approach of member budgets and personnel indicates about data authorities across the the increasing importance of world by using the globe visual. authorities supports ensuring that citizens’ personal GPA Members and Working the GPA’s 2019-2021 data and privacy are protected, Groups have received a copy of the strategic priorities.” and seen to be protected, via GPA Census 2020 Report.
9 Case study A carrot and stick approach to data protection Bjørn Erik Thon, Director at the Datatilsynet, the Norwegian Data Protection Authority, contributes our case study on innovative practices in safeguarding individuals’ data protection and privacy
As a data protection authority in bi, trans and queer people. The 2021, we must use a wide range investigation was sparked by a of measures to achieve our goals. complaint regarding the app’s With complaints and data breach data sharing practices, coupled notifications pouring in, there is a with a technical report outlining risk that we end up as a mere case- how sensitive user data was being handling factory. It is therefore transmitted to third parties. Taking important for us to apply a into account the complexity of strategic approach in our work, to the matter, we established an Ensuring data protection in a have a long-term perspective, and interdisciplinary team with legal, pandemic not to be afraid to try innovative technical, social science, and working methods. communications expertise to In the context of COVID-19, the To ensure compliance, we handle the case. Norwegian health authorities believe that it is necessary to launched a contact-tracing app use a carrot and stick approach. “To keep up with in April 2020. The app had three We recently announced our the complexities of different purposes: contact- intention to issue a €10 million tracing, analysing the effect of administrative fine to a social the ecosystems we infection-reducing measures, and networking application. regulate, we need research. While the use of the app Additionally, we imposed a ban on to be proactive and was voluntary, we were concerned the processing of personal data innovative. While that users could not choose the in the Norwegian contact-tracing we need to sanction purpose(s) for which they wanted app, at the height of the pandemic. to provide their data. We also This demonstrates that we have violations, prevention criticised the use of GPS data for to use a big stick if necessary. is better than cure.” contact-tracing. As the data was However, the carrot can be equally stored in a centralised, cloud- useful. Our regulatory sandbox For us, the Grindr case is a based facility, this created the promotes that data protection can symptom of a bigger issue, namely potential for mass-surveillance. benefit organisations and society the opaqueness and lack of user Furthermore, the app was alike. Through our work on data control in the AdTech industry. launched before the technology protection by design and default, This is something we believe needs for contact-tracing and analysis we aim to provide businesses with to be addressed as a matter of had been completely developed. instruments that unite the use of priority. To make matters worse, Subsequently, large amounts technology and the protection of Grindr users belong to sexual of personal data were collected consumer data. To address issues minorities at risk of discrimination. without there being any practical regarding children’s data, we have Our preliminary findings suggest way of making use of the data. Due both issued fines and taken on a that Grindr lacked a valid user to this, we considered the measure more proactive role. consent for sharing detailed GPS disproportionate, also taking into location and identifiers of its users, account low public support of the Using the stick where it matters which is why we announced our app (14% adoption rate) and the the most intent to issue an administrative manageable infection rates at the fine of approximately €10 million. time. One of our biggest cases of 2020 Grindr is contesting those findings, Mid-June 2020, we announced was our investigation into Grindr, and we are now working on a final that we would be imposing a a social networking app for gay, decision. temporary ban on the app’s
10 processing of personal data. This Data protection by design and the increased use of educational immediately led to the health default is an essential concept in tools, sometimes applied without authorities shutting down the app this regard. Our experience over schools understanding how they and deleting the collected data. A the years has shown us that where work or which risks they entail. To new version of the contact-tracing data protection by design is not put these issues on the agenda, we app was later released, amending observed, irreparable damage can have organised several roundtable the shortcomings. sometimes be the consequence. conferences with stakeholders, That is why we believe in which we believe has had a Encouraging viable innovation promoting it as a proactive positive effect in making visible measure. the need for coordination and data We recently established a protection expertise in the school regulatory sandbox to help “The sandbox is a new sector. companies develop data way of working for Du bestemmer (“You Decide”) protection friendly artificial is an online teaching resource intelligence (AI). The sandbox us, allowing us to go about data protection and digital provides free guidance to a deeper into specific responsibility for children aged selection of companies of varying cases and cooperate 9 to 18. The objective of the types and sizes across different with stakeholders to website is to increase awareness, sectors. Feedback from both the help develop compliant reflection, and knowledge about private and public sector shows data protection and the choices that there is uncertainty on how to solutions.” young people make when using translate regulatory requirements digital media. The website is a into practice when developing Together with external collaboration between ourselves and deploying AI. Transparency, stakeholders and experts, we and the Norwegian Directorate for data minimisation, and fairness have developed guidelines Education and Training. were the top three data protection and checklists for software issues in the first round of development with data protection Looking ahead applications. by design and by default. We will use best practice Through our involvement in the To keep up with the complexities examples and insights from development of the European Data of the ecosystems we regulate, the sandbox projects to help Protection Board’s guidelines on we need to be proactive and organisations implement AI in a the matter, we were able to discuss innovative. We will therefore good way that incorporates data with and learn from other data continue to look for ways to protection requirements. The goal protection authorities to leverage promote compliance at the is to promote the development of each other’s expertise. We also development stage of systems innovative AI solutions that, from host an annual competition on and services. While we need to a data protection perspective, are data protection by design to sanction violations, prevention is both ethical and responsible. encourage organisations to put the better than cure. The sandbox is a new way of guidance to practice. working for us, allowing us to go deeper into specific use cases and Children’s data warrants special cooperate with stakeholders to protection help develop compliant solutions. The sandbox is also a way for us Children are encountering to learn more about AI and how continual technological innovation, organisations work with data which brings with it complex risks protection on a practical level. and opportunities. New forms of data collection by businesses, Fostering data protection by parents, and the public sector can design jeopardise children’s rights. In recent years, we have Profiling and personalised services detected particular issues with have become part of our daily how schools process students’ lives. Users expect services to be data. We have fined schools secure and to safeguard their data for data breaches where they protection rights in an effective have failed to adequately manner. Businesses taking data secure children’s data or even protection seriously build trust and inadvertently published the data have a competitive advantage. online. Another particular issue is
11 The GPA Strategic Plan 2021-2023 An evolution not revolution
Elizabeth Denham, GPA Chair and UK Information Commissioner, emphasises the importance of shaping the next chapter of the GPA’s story on relevance
The GPA, and the ICDPPC before see value, do not see action, then it, is a story. And every story has the next chapter of our story will chapters. There’s a chapter on a be one of irrelevance. group being formed. A chapter on Writing this next chapter was a group becoming truly global. A the focus when the GPA Executive chapter on the group finding its Committee held the Strategic place in the wider world. Direction Development Workshop The chapter we have written is 2021-2023, in March. one of evolving and modernising The Strategic Plan 2021-2023 to meet the challenges of a will shape our story and priorities data-driven age. We’ve found over the next two years in the eyes the structure to make the GPA of the wider community. And we effective. We’ve found the topics to approach it at a pivotal moment: if make the GPA relevant. data protection looks too much like But now we must shape the next a barrier, we risk being left behind. we have all seen our domestic chapter of our story. How does Either we are an essential part of workload rise; we are all busier that structure, that modernisation, the solution, or we lose our voice. than ever before. work in the real world? How With that in mind, the Executive Against that backdrop, we have does equipping our Assembly Committee has focused our next shown the pragmatic approach our for a digital-driven world work in chapter on relevance. community brings. We can build on practice? The strategic plan builds on the the approach our members have solid foundation we have in place, taken across the past year, of both “The plan the Executive and on the progress made through enabling and protecting. Committee has set out the work of our GPA Working The plan the Executive Groups and the GPA membership Committee has set out retains retains our three strategic in the last two years. Our vision, our three strategic priorities but priorities but adapts them mission and priorities remain truly adapts them for our changing for our changing world. relevant, and so our new plan is world. And it is accompanied by And it is accompanied by a one of evolution not revolution. a clear implementation plan, to clear implementation plan, But we must respond to the ensure we continue to have a to ensure we continue to changing world. The pandemic has practical impact. have a practical impact.” resulted in significantly accelerated The draft GPA Strategic Plan – and accelerating – digitisation 2021-2023 will be circulated to that affects the way we all live, GPA members for consultation And crucially, how will people work, travel, learn and socialise. for final adoption at the GPA outside of our regulatory, privacy We have seen an increased Closed Session 2021. It is an commissioner community, respond appetite to use personal data in important part of our continued to our story? Because if those both short-term and longer-term modernisation, and I urge all outside of our community do not responses. And on a practical level members to read and consider it.
The GPA Secretariat - Your central contact point
If you are interested in getting more involved in the GPA’s work, by joining one of the Working Groups, or volunteering to be a future Assembly host, please get in touch with the Secretariat at [email protected] For more information on the GPA, visit our website at globalprivacyassembly.org 12 Working Group Highlights Working Group on COVID-19 related privacy and data protection issues
Chair of the Working Group on COVID-19 related privacy and data protection issues, Commissioner Raymund E. Liboro, highlights the innovative approaches being applied by the working group to emerging global issues
In many parts of the world today, As in other industries, travel the pattern of COVID-19 infections industry organisations see is upward while revenues personal data processing as across many industries remain an excellent way to facilitate subdued. In an attempt to achieve safe travel during the ongoing normalcy in economic terms, pandemic. the government and the private There are also considerations of sector have been implementing so-called digital ‘health passports’ more protocols while still strictly or ‘health codes’ intended to help observing COVID-19 safety personal information controllers measures. identify a passenger’s COVID-19 We at the GPA are in full results and vaccination status. support of all efforts to bring Given the enormous back livelihoods and catalyze involvement of sensitive economic recovery. But we remain health-related data in these turn, effective contact tracing can steadfast in instilling our values developments, it is only prudent jumpstart the recovery of both for protecting personal data and for all to adopt an exemplary business and entire sectors amid deterring data privacy risks. attitude in implementing these the ongoing COVID-19 crisis while minimising risks to data subjects. “We continue to work Our joint statement encouraged closely to ensure that the governments and organisations to minimise data collection to guidance the GPA provides only that information that can to the global community contribute to the protection of is relevant, practical, and public health while also factoring in effective… We are also reasonable retention periods and charting new strategies other privacy protection measures to create new points at the outset. of contact to influence Governments and organisations external stakeholders.” must also ensure that technology solutions adopted and promoted comply with ‘privacy by design In the first formal joint statement new measures. Likewise, we must and default’ principles and have of the GPA Executive Committee, ensure that the use of personal considered cybersecurity risks. we focus on guiding authorities data is regularly assessed for its Consent for data collection and and industries involved in effectiveness in the immediate processing must also have a well- domestic and international travel, goal of eliminating COVID-19, and defined purpose and information which have been gradually re- for the long-term risks to personal provided as to the extent of the opening to revitalise the sectors privacy and data protection. data processing is made accessible involved and arrest further losses. As all these are unchartered and clear to all users, regardless of The travel industry was among territories, the GPA’s latest their geography and the language the sectors that suffered gravely. issuance helps the aviation and spoken. According to the World Travel and tourism industries gain travellers’ Likewise, we reminded Tourism Council, the industry lost trust, which is key to a successful everyone to put in place protection $4.5 trillion in 2020. contact-tracing campaign. In measures for vulnerable
13 individuals who may not be able programmes and the processing Emerging issues survey to use or have access to electronic and sharing of health data devices. Also needing protection concerning travel and passenger Moreover, as we continuously are individuals who cannot be data. assess the privacy landscape, the vaccinated due to their age, We also continue to promote GPA COVID-19 Working Group possible health risks, or other the adoption of the GPA’s 2020 recently held a survey to identify underlying conditions. ‘Compendium of Best Practices’ the most pressing privacy issues across jurisdictions. To recall, at this point of the COVID-19 Ongoing work the Compendium was created pandemic, requiring internationally last summer following a global coordinated action from the GPA. As the GPA intensifies its campaign collaboration to address emerging The survey will serve the needs to ensure the implementation privacy issues in the wake of the of non-privacy regulators, bodies, of privacy-protecting measures COVID-19 outbreak. and organisations dealing with across sectors as we move toward new, more detailed, or high-risk mass immunisation, we look “Our latest joint personal data processing due to forward to our success in shaping statement encouraged COVID-19 protocols. COVID-19 strategies from national We hope to finalise the results governments and agencies down to organisational of this survey and provide level. organisations to minimise support to GPA members and In fact, since November last data collection to only the wider GPA community on year, the COVID-19 Working Group that information that these issues and succeed in the has been making strides in this can contribute to the fight against the pandemic with endeavour. protection of public adequate safeguards for the right Among these is the adoption health while also to personal data privacy and of the Working Group’s Terms of factoring in reasonable protection. Reference and the nine meaningful retention periods and At present, we continue to Working Group Meetings to date. work closely to ensure that the other privacy protection We have also adopted a guidance the GPA provides to the COVID-19 Working Group Portfolio measures at the outset.” global community is relevant, of work, which identified three practical, and effective. We are also strategic issues: alternative The Compendium is a charting new strategies to create working arrangements; the use of comprehensive guide for new points of contact to influence e-learning and online schooling authorities and organisations external stakeholders. technologies; and, sharing of data from all sectors to transition to We remain resolute that new between hospitals and health the new normal while equipping technologies involving personal ministries and other relevant them with policies, measures, data must be secure and all risks government bodies. In addition, and solutions mindful of the data eliminated, to avoid contact-tracing two new emerging issues were privacy principles of transparency, databases becoming a valuable included: personal data legitimate purpose, and treasure trove that risks falling into processing for vaccination proportionality. the wrong hands.
Access the latest data protection and COVID-19 guidance and resources from GPA members and observers at: globalprivacyassembly.org/covid19
14 Working Group Highlights Leveraging the intersection of regulatory spheres to forge new partnerships and enhance the protection of privacy rights
An update from the Co-Chairs of the GPA’s Digital Citizen and Consumer Working Group: The Office of the Privacy Commissioner of Canada and the Office of the Australian Information Commissioner
Established in 2017, The Digital • Information Commissioner’s DCCWG members have also been Citizen and Consumer Working Office of the UK, who discussed in heavy demand promoting Group (DCCWG) arose out of the their Digital Regulation Co- cross-regulatory collaboration recognition that traditional lines operation Forum with the with presentations, panels and separating privacy, consumer Competition and Markets keynotes at various conferences protection and competition Authority and the Office of and webinars. This includes have rapidly begun to blur – or Communications (Ofcom); presentations at the Digital outright disappear – in today’s • Norwegian Datatilsynet, who Clearinghouse (DCH), the Canadian digital economy. This Working discussed their joint guidance Bar Association’s Privacy Division, Group seeks to explore and better with the Norwegian Consumer an Advertising and Marketing understand these intersections, Authority on Consumer Data and Conference, the IAPP Australia foster greater collaboration across Digital Services; and New Zealand Summit and an regulatory spheres, and holistically • Office of the Australian expert panel at the Computers, realise superior privacy and Information Commissioner Privacy and Data Protection consumer outcomes for individuals (OAIC), who presented a case (CPDP) 2021 Conference entitled: across the globe. study in co-regulation with ‘When Regulatory Worlds Collide respect to Australia’s Consumer – the Intersection of Privacy, Cross-regulatory collaboration Data Right; Competition and Consumer By all measures, the start • Competition and Consumer Protection’. of the second year of our Commission of Singapore, who current mandate has proven discussed how their Competition The DCCWG is in the an overwhelming success. Our Guidelines were amended to process of completing membership has grown to 18 specifically identify privacy as agencies with the addition of four an aspect of competition on its ‘Deep Dive’ into new working group members. quality that may be taken into the complements and Following the GPA’s first ever consideration; and tensions created by Virtual Annual Conference in • Colombian Superintendencia the intersection of the October 2020, we also hosted our de Industria y Comercio privacy and competition first DCCWG webinar welcoming (Colombian SIC), who discussed approximately 50 participants from how they incorporated regulatory spheres. 22 GPA members and observers. In privacy considerations into a addition to outlining the DCCWG’s competition remedy reached A cross-regulatory event of note progress, participants heard from with a joint venture between was the first ever joint Global working group guest speakers Colombia’s three largest banks. Privacy Enforcement Network including the: (GPEN) / International Consumer
15 Protection Enforcement Network sessions also went on to explore • The intersection phenomenon (ICPEN) Best Practices workshop the substantive legal intersection is not new, but it is certainly in February 2021. This joint event between these regulatory spheres, more pronounced than ever in brought together 175 privacy and as well as how the various forms today’s exponentially expanding consumer protection enforcement of cross-regulatory enforcement digital economy; professionals to discuss the cooperation can lead to greater • We are speaking different intersection and potential compliance. languages across regulatory cooperation strategies between The ICPEN/GPEN webinar itself spheres – privacy authorities the regulatory spheres. Given the represented a pragmatic example tend to talk about data as DCCWG’s experience with cross- of cross-regulatory collaboration, ‘personal information’ while regulatory work, we were invited to which is a key objective of the competition authorities tend design and oversee sessions. DCCWG: to promote greater to conceptualize how data can cooperation across regulatory represent ‘the relevant product’ spheres. for anti-trust analyses; DCCWG members have Another recent example of • Measuring privacy can pose also been in heavy cross-regulatory collaboration challenges for competition demand promoting includes a pair of opinions analyses – Privacy is a less cross-regulatory published by the European tangible, qualitative concept. collaboration with Data Protection Supervisor There’s greater difficulty in (EDPS) related to the European seeing a ‘privacy protection’ presentations, panels Commission’s Digital Markets Act increase or degradation than a and keynotes at various and the Digital Services Act. quantifiable price increase or fall; conferences and On the Opinions, Supervisor • Competition remedies can webinars Wojciech Wiewiórowski, raise privacy concerns, as pronounced that: with a merger remedy that “Competition, consumer contemplates data-sharing with The webinar itself was the last in a protection and data protection law other market participants. The series of four ICPEN best practices are three inextricably linked policy challenge lies in finding a balance workshops and focused on the areas in the context of the online between the two without enforcement of consumer data platform economy. Therefore, sacrificing either – and we have privacy. Chaired by Working Group the relationship between these heard it can be done! members the Office of the Privacy three areas should be one of Commissioner of Canada (OPC, complementarity, not friction.” In addition to the regulatory Canada) and the Federal Trade To guarantee the successful interviews, the Deep Dive also Commission of the United States implementation of the European involves an academic review of America (FTC, US), the webinar Commission’s Digital Services Act assessing how privacy and consisted of two brief introductory package, the EDPS called for a clear competition regulators have presentations as well as breakout legal basis and structure for closer historically approached/discussed sessions to work through a cooperation between the relevant this intersection as well as its practical exercise. oversight authorities, including growing implications in the digital The introductory presentations data protection authorities, economy. To this end, Professor saw the OPC, Canada present consumer protection authorities Erika Douglas of Temple University highlights of the GPA’s and competition authorities. in Philadelphia is conducting Enforcement Collaboration the academic review. Professor Handbook, while the Netherlands Looking to the future Douglas has been studying this Authority of Consumer Markets intersection for some time and gave a brief overview of the digital The DCCWG is in the process of has written numerous papers and advertising ecosystem, including completing its ‘Deep Dive’ into given multiple talks on the subject. the various entities and actors that the complements and tensions Ultimately, the Deep Dive will be collect and use personal data and created by the intersection of comprised of two complementary the ways in which the information the privacy and competition reports setting out a baseline of is used. regulatory spheres. To date, we what this intersection looks like Assisted by DCCWG moderators have completed 11 competition and how competition regulators from the Colombian SIC, the regulator interviews and we have approached it. We look OPC, Canada, the OAIC, as well are starting to analyse those forward to sharing the results of as the FTC, US, the breakout responses. As a ‘sneak peek’, the Deep Dive with our DCCWG sessions explored the consumer certain of the preliminary annual Working Group Report later protection and privacy issues findings or comments from those this year. raised by digital advertising. The interviews include:
16 Working Group Highlights New Chair for the Berlin Group – International Working Group on Data Protection in Technology (IWGDPT)
Ulrich Kelber, Federal Commissioner for Data Protection and Freedom of Information, Germany, talks about the important work undertaken by the Berlin Group – IWGDPT, and his new role as Chair
Background
The Global Privacy Assembly Maya Smoltczyk, Berlin Commissioner for Data Protection and Freedom of Information hands over the chairmanship to Ulrich Kelber (GPA) is proud to host a broad variety of expert-level permanent progress and to provide data This has always been supported Working Groups – from Digital protection friendly solutions by the specific composition of Education to International for new products and services, the Berlin Group, comprising Enforcement Cooperation and which for many years centered technical, legal and regulatory many others. But what the GPA around telephones and other experts from data protection and does not feature, is a dedicated telecommunication-related privacy supervisory authorities, Working Group for technology devices. as well as from non-governmental issues. The GPA addresses this organisations (NGOs) and gap by continuing its strong “I believe there would be academia. In effect, this enabled relationship with the independent value in exploring ways the Group to elaborate tailor- ‘International Working Group on made and practical solutions or Data Protection in Technology and means whereby both suggestions that are applicable, (IWGDPT), which, a few years the GPA and the Berlin scalable and feasible for all ago, changed its scope and name Group might be enabled relevant stakeholders. from ‘Telecommunication’ to to further inform and Having said this, and taking into ‘Technology’. liaise with each other on account the long history and high The IWGDPT dates back to current topics and issues reputation of the Berlin Group, 1983, when it was founded on the for future review.” I feel very honored that I was initiative of the Data Protection asked by my colleague, the Berlin Commissioner of the federal state With the rapid advancement Commissioner for Data Protection of Berlin in Germany and when of technology, most notably and Freedom of Information, Ms. the GPA (or, as it was known then, the creation of the Internet or Maja Smoltczyk, whether I would the ‘International Conference World Wide Web, together with be willing to accept, with the of Data Protection and Privacy the long-term and overarching consent of the Group, a transfer Commissioners’) was still in its trend towards the digitisation of the chair function from her infancy, having held only its fifth of society, the group felt the authority to my office. Now I am annual meeting. Due to these need to widen the Berlin Group’s very pleased to announce that circumstances, the group became focus and to shift its scope from this transfer has taken place on better known under its nick-name: telecommunication to technology the occasion of the latest meeting the ‘Berlin-Group’. in the wider sense. of the Berlin Group on 24 March In 1983, at a time when for 2021. example, personal computers Future path My sincere thanks go to my emerged for the mass market, Berlin colleague, Ms. Smoltczyk, for the Berlin Data Protection For almost 40 years now, the Berlin her dedication and commitment Commissioner felt the need to Group has worked successfully. to the Berlin Group during the keep a close eye on technological 17 past years. Of course, I will strive any case, I will be happy to report the not-so-distant future. For a to maintain and continue the to the GPA Chair and Executive lively and debate-driven group, extraordinary significance and Committee as well as to the GPA such as the Berlin Group, I believe value of the Group to the global membership on the activities and it is vital to engage in face-to- data protection community. results of the Berlin Group. face discussions and to have a As to the unique nature and The Berlin Group will continue direct and in-depth exchange independence of the Berlin Group, to work on specific, topic-related of views. Therefore, I am very I am not intending to change this; recommendations. A paper on grateful to my colleagues at the however, I believe there would be sensor networks – or ‘digital dust’ Privacy Protection Authority of value in exploring ways and means – will soon be tabled for adoption, Israel and at the UK Information whereby both the GPA and the and the Group decided at its recent Commissioner’s Office that – Berlin Group might be enabled to 24 March 2021 meeting to further after another virtual meeting further inform and liaise with each work on voice-controlled devices, in September 2021 – they are other on current topics and issues as well as to prepare papers volunteering to host in-person for future review. Coincidentally, on smart cities and on facial meetings of the Berlin Group in I was elected as a member of recognition technology (FRT). spring 2022 in Israel and in autumn the GPA Executive Committee in With regards to future meetings, 2022 in the UK. October 2020, and this may help I am hopeful and confident that smooth the way in this regard. In we may meet in person again in
Regional Perspectives A Viewpoint from the Middle East – The Dubai International Financial Centre (DIFC) – Lori Baker, Vice President Legal and Director of Data Protection
The establishment of the DIFC construct, the DIFC has its own set adequacy. of civil and commercial laws and Since DIFC Data Protection The Dubai International Financial regulations and has developed a Law 2020’s enactment in May of Centre (DIFC) is home to the complete code of law governing last year, coupled with earning region’s largest financial ecosystem financial services regulation. As Observer status from the GPA of more than 25,000 professionals part of its autonomy, the DIFC has in 2019, and Member status in working across nearly 3,000 active created an independent judicial 2020, the DIFC Commissioner’s registered companies, making up system within the jurisdiction as Office has taken advantage of the the largest and most diverse pool well. opportunity to expand its reach in of industry talent in the region. Finally, DIFC has its own privacy the region. DIFC was established in law, Data Protection Law, DIFC Law accordance with the United Arab No. 5 of 2020 (DIFC DP Law 2020), The goal for 2021 Emirates (UAE) Federal Decree No. which is an update of the 2007 35 of 2004, as a part of Dubai’s law that preceded it. The main The goal this year for the strategic vision to diversify its objective of updating the 2007 law Commissioner’s Office is adequacy economic resources and attract and regulations was to reinforce in all directions – issuing adequacy capital and investments in the compatibility with international decisions of its own, receiving region. It is a financial free zone standards while addressing adequacy decisions from other defined in Federal Law No. 8 of globally developing data protection jurisdictions, and really exploring 2004. An independent jurisdiction and security issues, thereby what adequacy means in practice. within the UAE, the DIFC is building a flexible yet robust law The main questions we are empowered to create its own legal that could cope with emerging addressing in this exercise include: and regulatory framework for all technology and inspire ethical data Will personal data, once it arrives civil and commercial matters. management. Like the Directive in an adequate jurisdiction, be DIFC is unique in that it has a and the GDPR, they provide for treated in the way it would be legislative system consistent with principles, such as accountability, treated at home? And how do we English Common Law. Given its transparency, fairness and assure ourselves of that? 18 Adequacy recognition between regulatory model of addressing the tricky bringing everyone in the governments or data protection issues, political and technical, that sub-group together, as it spans authorities is key, as many hours the Act presents. from Mexico to South Korea, and of analysis, discussions and Similarly, in March 2021, for the schedules are busy for everyone in agreements go into an adequacy first time, privacy regulators from privacy these days, the benefits of decision at this level. But it is also across the Middle East, including this sub-group’s work not only to important for us to understand, previously blocked countries, met the GPA but to DIFC and the other what will the processors and to discuss forming a significant, members will prove to be many. controllers in that jurisdiction supportive forum. The DIFC’s One activity of the sub-group actually do if the culture and efforts in bringing this group was to survey non-privacy processing environment is not together is focused on consistent regulators and organisations supportive of privacy practices? messaging and communal to obtain feedback on personal Consequently, the DIFC assistance, as well as sending its data, security and privacy-related Commissioner’s Office is evaluating message to the rest of the world guidance provided during this last risk, and mitigation measures at that privacy and security in the year of major change and upheaval multiple levels, to expand and add Middle East are growing in interest around COVID-19 restrictions and depth to the current, more popular and influence in the world. requirements for protecting the practice of merely adding standard public at large. It also collected contractual clauses to a contract In March 2021, for information about how to improve, or binding corporate rules. As what details were missing, how such, we have developed a tool for the first time, privacy to develop COVID-19 prevention assessing such risk, which is being regulators from across technology while honouring the vetted and further developed at the Middle East… met privacy of individuals, and overall, the moment. to discuss forming a what the next steps should be as significant, supportive we continue to live in the post- Regional collaboration COVID-19 world. forum. The survey was one activity The Commissioner’s Office amongst others planned for 2021. has also been very successful As many of the regulators in the Leading this gave DIFC insights in bringing together privacy group oversee the development of and tips about very basic things, professionals from around the Gulf advanced technology that will have such as crafting an information Cooperation Council (GCC), Middle a global if not regional impact, gathering tool like the survey, East and Central Asia regions getting this forum established as well as connecting with well- to participate in an information will equip us with the necessary established regulators that have sharing forum. In addition to information to produce helpful shared experiences and positive discussing topics of all sorts guidance and get involved in (and even negative) examples regarding regional developments, vital ‘privacy by design’ efforts of privacy governance. The often, presentations by privacy undertaken by entities operating takeaway for DIFC as a Member experts in prominent law firms, in each other’s jurisdictions. of the GPA and as a sub-group privacy activists and even other The group will seek to prevent leader continues to provide us regulators foster the growth and regulatory barriers and hard stops with a much richer view of how to understanding of data protection in the evolution of technology, improve as a supportive, flexible, practices and knowledge. especially for example life-saving yet consistent regulator in a This group is a safe place to technology, such as contact tracing jurisdiction where privacy and bring together those who see the apps and other means of personal security are still very new concepts high value of privacy and security data collection that supports to some of its constituents. practices implemented, giving public well-being. The DIFC Commissioner’s Office them feedback and the room to aims to work with processors and engage in thought leadership DIFC and the GPA controllers in our jurisdiction, through the several white papers giving them the tools and guidance coming out of collaboration Finally, the Commissioner’s they need to build a business between group members, some Office is an active participant environment conducive to of which may be shared upon in GPA working groups, such as protecting individuals’ rights while request. One such paper was International Enforcement, and fostering innovation and inclusion. published in the GPA COVID-19 primarily, the Working Group on Being Members of the GPA and all resources library of regulator’s COVID-19 related privacy and data the opportunities it affords us has guidance on COVID-19 and privacy protection issues where DIFC is been immeasurably beneficial to practices, and another discussed leading sub-group 2 on regulatory DIFC in achieving these goals. the CLOUD Act and the optimal capacity building. While it can be
19 In conversation with... Ms. Marie-Laure Denis, President, Commission Nationale de l’Informatique et des Libertés (CNIL), France Marie-Laure Denis talks exclusively to the GPA about the role and work of the CNIL both domestically and globally
As President of the Commission Nationale de l’Informatique et des Libertés, (CNIL), France, tell us about your background and the role of the CNIL in France. I am a State Counsellor at the Conseil d’Etat, the highest administrative jurisdiction in France and I was appointed President of the CNIL in February 2019. Prior to this appointment, I was already involved in regulatory activities related to the digital supporting and supervising all environment, as an official public and private actors of the member of the French regulatory digital ecosystem. Our activity and bodies for the telecom sector and missions are now deeply rooted for the audio-visual sector. in European and international public health research, remote cooperation, in particular as a teleworking tools and health at member of the European Data work, or the more recent issue “‘A trusted ally of the Protection Board since the entry of health certificates. These were digital daily life’ is into force of the GDPR. also extremely demanding times the CNIL’s motto for for our staff and Commissioners. its strategic roadmap What do you consider are the But we knew we had to provide until 2021… it is in this main achievements of the CNIL to timely answers to ensure the date? development of consistent, spirit that I believe our Looking back at the past year compliant and effective solutions. community can also and months, which have been Our guiding principle in this make a difference at the particularly challenging for all endeavour has been the following: global level!” of us, I would say that our main data protection and privacy are not achievement has been to be an obstacle to the development able to react and adapt to an of digital solutions to address the The CNIL is one of the oldest unprecedented situation, while COVID-19 crisis but an enabler to national data protection fulfilling our duties and tasks as design tools that respond to the authorities, established in 1978, a data protection authority to societal demand of trust in public as a follow up to an intense public protect individuals’ personal data. policy and action. We also clearly and political debate regarding a When it comes to personal highlighted that, to be effective, project the government had at data processing in the context new technologies and personal the time to create a centralised of the fight against the COVID-19 data processing must not be database allowing French citizens pandemic, our expertise has seen in isolation but must be fully to be personally identified by been extremely sought after, integrated within an overall public different government services. both at national and European health strategy. Since its creation, our authority level, to provide guidance and During this difficult period, and regulatory landscape has recommendations on various we have also maintained a clear significantly evolved and we now issues, such as the setting up of focus on our role and priorities play a significant role as a ‘data new health information systems, in protecting the fundamental regulator’, with a dual mission of contact tracing applications, rights to data protection within the
20 digital economy. We have adopted ensuring our values and principles and on the international arena? landmark decisions and sanctions are fully integrated in new Though most of our borders regarding the main actors, such technologies and innovation going have been closed and our travel as Google and Amazon, and we forward. is still significantly restricted, the have completed the process of the That’s a challenge, but also an current crisis has also led to a review of our recommendation opportunity, so that privacy and more connected world, relying on cookies, which is now fully data protection are fully integrated increasingly on digital solutions. applicable. These are major steps into the new governance models In parallel, we are also seeing that which we consider as milestones that are to be set up and deliver privacy and data protection are for the development of a digital outcomes for people’s daily lives. becoming a growing consumer and ecosystem which responds to a societal demand, which need to be growing consumer demand of Are there any significant lessons answered, in order to build trust. trust and respect for their privacy, learnt or other important We have seen for example as well as of more control on the elements to consider that can be that a change of privacy policy way their personal data is handled shared with the GPA community? terms from a messaging services when using tools which are now It might be too early to draw application can lead to a real part of their daily lives. lessons from the current crisis but ‘migration’ of consumers to one thing we can already highlight competitors and more privacy- “We are seeing that is that we have been able to adapt friendly solutions. Cybersecurity to unprecedented challenges and incidents and data leaks are also privacy and data that we need to keep up with a highlighting the need to further protection are becoming strategy of ambition and resilience. protect our infrastructure, our a growing consumer and Over the past year, we have tools and our personal data. The societal demand, which extended our connections and demands and the expectations need to be answered, to interactions with our environment are here. Policy makers are also and stakeholders, as a necessity progressively apprehending these build trust.” in order to gain expertise in fields, issues in their decisions and such as public health, research, strategies. In your view, what are the new technology and innovation. That’s a real opportunity for the significant future challenges We also further developed our CNIL and for the Global Privacy for both the CNIL and the effective cooperation with other Assembly. From the daily use of data protection and privacy regulators and this is certainly mobile applications to the broader community? a trend that will increase in the issue of international data flow, we Challenges ahead – at national, coming years. need to articulate our actions and regional or international level – I consider that the impact of discourse in order to provide for a will certainly lie in our capacity COVID-19 is not to be seen as trusted digital environment. This to collectively demonstrate the a ‘game changer’ but rather as will only be possible if we have the effectiveness of our actions and an accelerator of trends and means to act, and if we are able to the ability for individuals to gain developments which were already make our voice heard, strategically trust in an environment which is in here and which we will have to and collectively. constant evolution. address collectively in the future. My view is that we need to Some of the solution towards a The GPA has all the tools for this remain proactive, to anticipate and ‘recovery’ from the COVID-19 crisis and has already demonstrated lay down clear recommendations, will probably need to build upon its capacity to anticipate these so that we can feed into a more sustainable innovation changes, for example by setting discussions at national, regional strategy, also when it comes up a relevant working group, and global levels. If we follow the to the processing of personal the Working Group on COVID-19 right approach and are provided data. We need to enshrine data related privacy and data protection with the sufficient means to act, I sharing and innovation in a more issues, or establishing the sincerely believe that we can make comprehensive way, calling for Reference Panel. The ongoing a difference in people’s lives, and greater regulatory cooperation. discussion on the future of our I hope we will continue advancing Numerous rising challenges organisation shall also take these in this direction with the Global are now addressing an array of elements into account in order to Privacy Assembly. combined issues going beyond ensure our means are fit for the “A trusted ally of the digital data protection and privacy, challenges ahead. daily life” is the CNIL’s motto for such as competition, consumer its strategic roadmap until 2021. protection, cybersecurity, content What are the important And it is in this spirit that I believe moderation, ethics, etc... We have opportunities that lie ahead for our community can also make a here an important role to play in the CNIL, domestically, regionally difference at the global level!
21 Get to Know your ExCo… John Edwards, Privacy Commissioner, Office of the Privacy Commissioner, New Zealand
Privacy commissioners and data Europe to apply universally across consent’ for the use or disclosure protection authorities are often the economy to both the public of personal information. Rather, seen as ‘getting in the way’ of data and private sectors and not-for- the primary authority for using sharing, of stifling innovation, and profit sectors. The Act created a data is the purpose for which it was valuing legacy inefficiencies over clear avenue for New Zealanders collected. contemporary solutions to policy to make privacy complaints, but So between structuring problems and business initiatives. otherwise had no provision for business processes to achieve Much of my tenure as fines or enforcement. clarity and transparency about Commissioner has involved those purposes, judicious use of pushing back on this narrative. “We rely on the GPA to the exceptions to privacy principles The New Zealand Privacy Act, (such as, in the Covid-19 era, the almost certainly like yours, is a bring us together and need to protect from serious public handbook for information sharing. provide a forum. By health risks), specific statutory Every privacy or data protection working together and overrides, and codes of practice, law in the world exists only harnessing collective you’d think there’d be little to with reference to the need and knowledge, each of stop business and government importance of sharing information. from reaching their legitimate Rather than arbitrarily restricting us can be far more objectives? the movement of personal data, effective at delivering You’d be wrong. Uncertainty privacy laws seek to answer the beneficial privacy and risk aversion can create an question, “how can we have the outcomes for our echo chamber of misinformation innovation, the efficient solution, communities.” about the obstacles that data the benefits of the digital economy, protection laws impose. And the in ways that foster and maintain risk of these is that they are taken trust, and that value and preserve In 2020, a new Privacy Act passed as fact, with politicians responding individual autonomy?”. and came into force, substantially to the perceived need to act, and For many years as a practitioner, updating the original Act and to solve a perceived problem, my mantra when asked “can we granting my office new powers. by unnecessarily stripping away do [x] under the Privacy Act?” was In addition to receiving and citizens’ rights. “you’re asking the wrong question” investigating individual complaints, In New Zealand, this – ask, “how can we do [x]?“. the Privacy Commissioner is narrative led to the addition New Zealand has had a Privacy empowered to make public of further instruments to Commissioner since 1991. The statements, to provide advice facilitate information sharing position was established to on the operation of the Privacy in government. Approved authorise and regulate automated Act, to examine and report Information Sharing Agreements information matching across on proposed legislation and (AISAs) were added to the Privacy government departments, policies that affect privacy, and Act in 2013. primarily to detect social welfare to undertake inquiries. We issue AISAs have not completely fraud. The Office was and is an codes of practice that can relax or curtailed the perception of “Independent Crown Entity”, strengthen the information privacy privacy as an impediment to data funded by the state but free principles, and can give one-off sharing. A significant part of my from government and ministerial authorities for agencies to make role continues to be educating, control. an unexpected use or disclosure of even senior public sector leaders In 1993, the Act was expanded personal information. and politicians. I emphasise the to become the first national Unlike some jurisdictions, the importance of working within the information privacy law outside of Act is not founded on ‘informed system, rather than engaging in
22 perpetual law reform which may in a data hungry digital economy. technology. deliver death by a thousand cuts to The reforms gave the Biometrics and artificial data protection. Commissioner, for the first time, intelligence are among the most I’ve had the pleasure and good powers to actually enforce the urgently presenting challenges. fortune of working with many law, by issuing compliance notices, They require us to think in new highly dedicated and able team and access determinations. ways. For example, we used to members. They have helped We’ve finally caught up on many maximise the influence of our of you, with mandatory breach small office and, understood the notification. Our law will apply “Privacy laws seek to genuine needs and concerns of to agencies doing business answer the question, stakeholders, helping them realise here, regardless of where their ‘how can we have the their objectives in ways which servers, or lawyers are based. innovation, the efficient promote and enhance privacy. The fines are not at GDPR levels solution, the benefits (NZD$10,000 for failure to comply with a notice, or failure of the digital economy, “The (Privacy Act to report a notifiable breach), in ways that foster and 2020) reforms gave the but the reforms have given us maintain trust, and that Commissioner, for the an opportunity to reconsider our value and preserve first time, powers to operating model, and approach individual autonomy?’” to enforcement and compliance. actually enforce the law, We’ve borrowed from the best of by issuing compliance you to develop our Compliance think in a kind of binary way about notices, and access and Regulatory Action Framework. being in public spaces. If you are determinations.” It will guide our decision making out there in the street, capable of to direct our scarce resources to being observed, you don’t have areas of greatest impact for New an expectation of privacy. But One of my proudest moments Zealanders. that approach is too blunt when was when we successfully My office, like data protection we think of the potential harms argued that our intelligence authorities around the world, from ubiquitous CCTV coverage, and security agencies (the New continually faces complex privacy combined with facial recognition Zealand Security and Intelligence issues associated with increasingly technology. Do we have a Service and Government Security pervasive digital technologies. right to go about our business Communications Bureau) should Putting to one side the role played unobserved? Without being be made more fully subject to by big tech companies, gobbling up collected, collated, and curated? the Privacy Act. We argued this ever more personal information, No authority can tackle these was necessary to give the public this past year in New Zealand, issues alone. We rely on our confidence that those important some of the issues my office has international colleagues to lead activities of the State were being dealt with are: and inform our approach to undertaken in accountable, lawful • Private and public sector COVID- emerging privacy issues that and transparent ways, especially 19-related technology including we share. We rely on the GPA to following the controversy testing and vaccine registers, bring us together and provide a unleashed by the Snowden and contact-tracing apps. forum. By working together and revelations. In my view, this reform • Public privacy concerns harnessing collective knowledge, made the New Zealand intelligence associated with the disclosure of each of us can be far more infrastructure one of the most people’s COVID-19 statuses. effective at delivering beneficial regulated and transparent in the • A probe into the collection, privacy outcomes for our world. retention, and disclosure communities. While I can’t claim credit for the of personal information passage of the law, I am also very by landlords and property proud of the work we have done managers in the rental to leverage what were essentially accommodation sector. relatively modest reforms in the • A joint inquiry into Police’s Privacy Act 2020, which came into unwarranted photography force on 1 December last year. of members of the public, While the Act stopped short of particularly young Māori. the benchmark for data protection set by the GDPR, it gave us an Internationally, privacy will opportunity to modernise our continue to face challenges and approach to regulating for privacy need to adapt to developments in
23 Observer on the Road Update from the GPA Observer at the Organisation for Economic Co-operation and Development (OECD) Marie-Laure Denis, President, Commission Nationale de l’Informatique et des Libertés (CNIL), France, reports as the GPA representative at the OECD
Work of the OECD Working Party the Council of Europe and APEC). • the review of the on Data Governance and Privacy It meets twice a year in Paris implementation of the OECD The Global Privacy Assembly and organises workshops and Privacy Guidelines; (GPA), as part of its work with conferences. • the promotion of comparability international fora, is an observer in personal data breach at the Organisation for Economic “The WP DGP is a notification; Co-operation and Development platform where policy • reporting data governance (OECD) Working Party on Data makers monitor trends, and privacy implications of the Governance and Privacy (WP DGP). COVID-19 pandemic; as well as share experience, and The OECD has played an important • data ethics. role in promoting respect for analyse the impact privacy as a fundamental value of technology on As part of its Strategic Direction and a condition for the free flow of information security and Plan 2020-2021, the GPA has also personal data across borders. The privacy policy making.” initiated work on the question of GPA’s presence in OECD meetings government access to personal is therefore essential and is data held by the private sector strengthened with its key objective WP DGP delegates come from with the preparation of a of reinforcing relationships with various government bodies with questionnaire circulated among international bodies and networks an interest in the economic and members as a first step. advancing data protection and social aspects of information On data breach notifications, the privacy issues as a key priority and security and privacy. Non- GPA has also gathered important as part of its 2019-2021 Strategic governmental stakeholders information on the matter and is Plan. participate actively in the dialogue actively cooperating with the OECD The WP DGP is a platform where through the Business and Industry to share this information. policy makers monitor trends, Advisory Committee to the Finally, regarding the COVID-19 share experience, and analyse OECD (BIAC), the Civil Society pandemic, the GPA and the OECD the impact of technology on Information Society Advisory have been in close collaboration information security and privacy Council (CSISAC) and the Internet to provide a response to this policy making. It develops and Technical Advisory Committee important and urgent matter. monitors the implementation (ITAC). The working party has also The GPA has set up a temporary of several non-binding legal established relationships with working group on COVID-19 related instruments (soft law) adopted by other international and regional privacy and data protection issues the OECD Council and maintains organisations, such as Council and the OECD as a GPA observer an active network of experts of Europe, Asia-Pacific Economic is collaborating in the activities of from government, business, civil Co-operation (APEC TEL and the working group. This Working society and the Internet technical APEC ECSG), ENISA, the GPA and Group put forward a proposal community. the Global Privacy Enforcement which resulted in the publication This group serves as a Network (GPEN). of the recent GPA Executive foundation for developing national Committee Joint Statement on 31 co-ordinated policies and benefits Current work of the WP DGP and March 2021, on the use of health for the broader international the GPA data for domestic or international community through OECD’s co- The WP DGP currently works on travel purposes, in particular the operation with non-members and several topics with a focus on: importance of privacy by design in other international and regional • government access to personal the sharing of this data during the organisations (such as the GPA, data held by the private sector; COVID-19 pandemic. 24 Meet Our Member Alexander White, Privacy Commissioner, Office of the Privacy Commissioner, Bermuda
Alexander White explains the Bermudian approach to data protection ‘Quo Data Ferunt’ – following wherever the data may lead and persevering in the protection of individuals’ rights and freedoms
Background viewed in different ways: with believe that the best strategy to a sense of joy for the endless encourage businesses to adopt The Office of the Privacy possibilities that could take shape data protection practices is by Commissioner for Bermuda was or with the heavy burden of infinite showing that they make sense, not established as an independent possible roads to go down… only morally, but also for society public office in accordance Bermuda sits at a physical, and even, yes, for the business’s with the Personal Information cultural, and economic crossroads. interests. Protection Act 2016 (PIPA), the first We are, legally speaking, a We aim to help organisations comprehensive data protection law European jurisdiction, with strong navigate towards finding win-win for the jurisdiction. North American business ties, and scenarios, towards developing The office holds the mandate cultural links to those places along privacy practices to protect rights to regulate the use of personal with the Caribbean and Africa. This and enable business operations, information by organisations in interconnectedness has long been and towards embracing challenges a manner which recognises both to the island’s benefit, claiming in order to find ways to innovate the need to protect the rights the best of multiple worlds to while protecting privacy. of individuals and the need for organisations to use personal information for legitimate “We aim to help organisations navigate towards purposes. The law currently stands in a transitional phase finding win-win scenarios, towards developing of being partially in effect, privacy practices to protect rights and enable with the country’s first Privacy business operations, and towards embracing Commissioner appointed in challenges in order to find ways to innovate January 2020. while protecting privacy.” Setting a course as a new data protection regulator create a prosperous and successful Here, again, we see the power It would be remiss not to take community. Fitting, then, to speak and the peril of the blank slate. this opportunity to express a about our work in this issue of the Our jurisdiction is, in some ways, deep gratitude to the many GPA GPA newsletter that focuses on the new to data protection and in need members who – in our office’s balancing of interests. of education regarding rights and early days – reached out, took We hold privacy as a responsibilities that must take the time for an introductory fundamental right, yet must shape. By the same token, that chat, or even supplied templates find a way to promote its use by lack of fixed legal precedent allows for policies, procedures, job businesses that may not have a us to approach our strategy with descriptions, and more. Building a strong tradition of incorporating fewer paths closed off. new office from scratch meant that these ideas. Instead of seeing We started filling in our slate there was quite a bit of blank slate this dichotomy as in conflict, we with the sorts of ideas that might to fill in! follow the Bermuda tradition guide a contemporary regulatory Such a blank slate could be of finding a middle way. We strategy, like the need to shift
25 business interests to focus more inspired William Shakespeare’s solutions and fora, like the GPA. on the community good, or the The Tempest, and I like to think We consider the role of the importance of interoperability of that Bermuda also inspired Donne. GPA to be critical in navigating law and technology, or how we In our workshops and discussion these new issues and developing may use incentives to proactively sessions with the public or aspiring consensus solutions to our shift behaviour. You can read more privacy officers, we have taken to universal problems. As a small than you might ever want to about adapting the phrase with an ironic jurisdiction, we will always focus these strategies in our office’sMid- bent to say that, paradoxically, on the ways we may work with Atlantic Privacy Compass. After “Bermuda is not an island”. our colleagues to enhance our all, what better tool for setting our As true as this philosophy voice and present a united front course than a Privacy Compass? was at the birth of the modern to businesses or organisations The first permanent residents world, thanks to our technological that may be exponentially better came to Bermuda in the early advances the idea has never resourced. Please know that our 1600s, around the same time been more relevant. We are all office stands ready to assist and that John Donne wrote, “No man interconnected, and we may only support our colleagues at any time is an island”. It is often said that solve the problems that arise from in our common, vital work. Bermuda’s founding shipwreck that fact by using interconnected
Did you know? Bermuda’s national motto, Quo Fata Ferunt, comes from the Aeneid. Like the first Bermudians, Virgil’s Trojans found themselves shipwrecked. Considering what to do next, they decided that wherever the Fates may take them, they will follow and persevere. With a cheeky, one-letter adjustment to “Quo Data Ferunt” the Office of the Privacy Commissioner commits to following wherever the data may lead and to persevering in the protection of individuals’ rights and freedoms.
GPA key upcoming dates 2021
10 May Launch of GPA Global Privacy 30 Jul Deadline: Submission of and Data Protection Awards Working Group Reports 2021
31 May Deadline: Inform GPA 30 Jul Deadline: To table all draft Secretariat of intention to table Resolutions Resolutions
14 Jun Deadline: Submissions for 22 Aug Accreditation: Observers GPA Global Privacy and Data application deadline Protection Awards 2021
21 Jun Deadline: To table draft 18-21 Oct GPA 2021 Mexico complex/technical Resolutions with the GPA Secretariat
18 Jul Accreditation: Membership application deadline
Check our website for more information: globalprivacyassembly.org
26 Your GPA News Highlights For each edition of the GPA Newsletter, this section features GPA News Highlights for your information and review
Welcome to our May 2021 edition mechanism as adopted at the 42nd consultation in May and submitted of the GPA Newsletter. We recently Global Privacy Assembly Closed for final adoption in the Closed reached the half-way point in the Session in October 2020. Session, October 2021. run-up to the next Global Privacy Assembly in October 2021, and The GPA Reference Panel Accreditation 2021 the GPA community has been Launched The Global Privacy Assembly’s intensively working together to The GPA Reference Panel is now (GPA) application process for help shape and influence the launched following the successful new members and observers global data protection and privacy completion of the work of a wide remains open for the 2021 cycle. agenda. The level of collaboration cross-section of GPA members Since its foundation in 1979, has been impressive as the world around the globe as part of the the GPA has been continually continues to attempt to emerge Assessment Group. Under the growing and now includes from the COVID-19 pandemic, chairmanship of Ulrich Kelber, more than 130 authorities from grappling with new ways of Federal Commissioner for Data across the globe. The GPA now working. The GPA Secretariat has Protection and Freedom of welcomes new applications from outlined recent GPA initiatives Information, Germany, the panel authorities who wish to become below for your information, held its inaugural meeting on 29 members and from public entities/ which report on GPA members’ April 2021. international organisations that valuable contribution to delivering Details of the Reference Panel wish to participate in the GPA as the Conference’s Strategic Plan and its 16 members can be found observers. priorities. on the GPA website. The GPA Reference Panel is a • Applications for membership will Publication of the first GPA contact group involving a variety remain open until end of day, Executive Committee Joint of external stakeholders to provide Sunday, 18 July 2021 Statement in 2021 expert knowledge and practical • Applications for those public On 31 March 2021, the GPA expertise on the basis of ad hoc entities or international Executive Committee issued requests by the GPA on specific organisations who wish to join as a Joint Statement on the use data protection and privacy related GPA observers will remain open of health data for domestic or issues and developments in until end of day, Sunday, 22 international travel purposes, information technology. August 2021 urging governments, public bodies Please contact the and commercial enterprises to pay Secretariat for further All information including due regard to common global data information at secretariat@ application forms can be found on protection and privacy principles, globalprivacyassembly.org. the GPA website. such as privacy by design and default, when considering these GPA Strategic Direction The GPA Global Privacy and Data proposals. Development Workshop 2021- Protection Awards launched This Statement provides 2023 We are pleased to announce the practical guidelines that will be On 17 March, the GPA Executive launch of the GPA Global Privacy essential to building trust and Committee held its Strategic and Data Protection Awards 2021 confidence in the way health data Direction Development Workshop on 10 May 2021. We invite GPA is processed for travel purposes, 2021-23, with the aim to shape the members to submit their award building on the principles of next chapter of the Global Privacy entries by end of the day 14 June effectiveness, necessity and Assembly over the next two years, 2021. proportionality, long-established in agreeing the overall approach and All information including entry data protection laws worldwide. policy priorities. forms can be found on the GPA This is the first Joint Statement The subsequent draft GPA website, if you have any queries, to be published under the new Strategic Plan 2021-2023 will be please contact secretariat@ Joint Statement on Emerging Issues circulated to GPA members for globalprivacyassembly.org. 27