The 43rd edition of the Global Privacy Assembly, GPA Mexico 2021 co-sponsored by Baker McKenzie, kicked off Monday with a full slate of virtual presentations and discussions. The program included speakers from regulators and data protection authorities, the private sector, think tanks and advocacy groups, NGOs, and academia—and covered topics ranging from facial recognition to the impact of data protection on marginalized communities.

In case you weren't able to catch the proceedings we've compiled some of the key takeaways from Day 2.



KEYNOTE SPEECH (III): DATA FLOWS WITH TRUST 

  • Mieko Tanno, Chairperson, Personal Information Protection Comission
  • Bruno Gencarelli, Head Data Flows and Protection, European Commission
  • Jonathan Mendoza Iserte, Personal Data Protection Secretary at INAI

The importance of data flows: Trends observed at EU commission:

  • International transfer is becoming more global and diverse than a few years ago. LatAm and Asia Pacific are the new laboratories of new data protection. More diversity in actors: no longer a state to state discussion, new players like international organizations: G7, G20, regional networks of DPA, the private sector in developing standards. Diversity of new solutions: developing new practical tools to facilitate data flows.
  • The shift from bilateral to multilateral of data flows. Legislation developed on common grounds. That convergence offers new possibilities to facilitate data flows, like "adequacy decisions". We will see more of these agreements. New opportunities have emerged from regional networks or organizations, like ASEAN model clauses. Building bridges between model clauses. EU has adopted model clauses. They do not need to be identical but are based on common principles. Building on that convergence can facilitate the data flows.
  • The importance of enforcement. There are no cooperation agreements to enforce privacy. Data breaches affect multiple jurisdictions at the same time, authorities should be able to share and cooperate. We need binding rules.
  • Synergies could be created with Trade and Data Protection instruments. Breaking down silos is very important.

Need to focus on practical solutions.


PANEL III: THE FUTURE OF PRIVACY AND TECHNOLOGY: CHALLENGES AND POSSIBLE SOLUTIONS 

  • Wojciech Wiewiorowski, European Data Protection Supervisor, European Union
  • Jane Horvath, Apple Chief Privacy Officer
  • Keith Enright, Google Chief Privacy Officer
  • Damien Kieran, Twitter's Chief Privacy Officer
  • Andrew Clearwater, Chief Trust Officer at One Trust
  • Erin Eagan, Facebook VP Public & Chief Privacy Officer

Private companies discussed how they view privacy and how they work to face the challenges.

Apple: privacy is a human right, a core value; it's not a marketing gimmick. Privacy is built from the beginning. We have teams on privacy from PR to engineering's to lawyers. When the iWatch was developed, the engineers wanted to have the privacy legal team included from the start. GDPR is critical and privacy laws but we have main pillars:

  • Minimum data collection, (i.e. maps, a new random identifier is created by the phone, in a long trip it will reset from time to time, they don't store or collect the location).
  • Sensitive data: it is kept on the device itself, like Siri audio, you have to opt in to share it with Apple. All audio processing is done on the device.
  • Transparency and choice: what happens to data, and giving the user a choice. Privacy nutrition label on privacy to facilitate privacy comparison between apps. App tracking choice to the user: linking to third party data or for advertising purposes with data brokers. That prompt will come up.
  • Security and encryption

Facebook: technology helps to access information and data has helped in the response to the pandemic. Changes present challenges. Privacy is a business priority and competitive advantage. If people do not trust us, we won't be in business. We built a data governance program. Privacy built on our products: improve how people control the products and services, archive, send a message encrypted and disappears automatically. It is important that the services work together across platforms and that is should be a joint venture. In addition, there is a need for collaboration between members of society, companies and, authorities to innovate responsibly.

Google: blocks phishing attacks, security scans on app, check daily for password breaches. Treating user data with privacy by design. Data minimization: Google can auto delete activity data after 18 months.  Federated learning: avoids centralized data by using devices. Open database of privacy algorithms. Meaningful control to users. Privacy checkup. Data portability.

Twitter: focused to using respectful products and services to enable the public healthy conversations: it is more than privacy and data protection. It is how information and data will interact with different systems internally and externally at the company. Therefore, robust and reasonable regulation is needed, as well as working standards to comply with people expectations.

Summary: There has to be a discussion: we are not protecting data; we are protecting human beings, human dignity. There has to be joint action that the business, the society, the representatives and the regulators. We will also see interconnected devices, criminal attacks and hacking. Disruption of services and part of that is a challenge of cybersecurity. We are not against innovation or companies. Solidarity should be the focus, not sovereignty.


Keynote Speech (IV): Artificial Intelligence and Democratic Values: The Role of Data Protection

  • Marc Rotenberg - President and Founder at Center for AI and Digital Policy

In the book Computer Power and Human Reason written by Joseph Weizenbaum it is said that we should never allow computer to make important decisions because they lack human like wisdom, but it is our reality that they take decisions for us. Including, if we receive public benefits, if are to go to jail they decide for us.

Data protection is at its core with the fairness, justice and transparency rights. The real privacy paradox requires transparency since individuals have the right to know about how the processing of their personal data takes place. We need to see the code in order to see the outcome. 

The focus of the democratic values is purposeful we can see two AI futures; one that protects human right or another that centralizes control. AI helps fuel innovations and progress even as it is subject to regulations. AI remains accountable but there is a different future driven by machines used by governments to deprive consent. Those in charge may not fully understand how AI works but how it can be used to control people.

The Center issued a report that provides a basis to compare countries and to follow particular countries in order to check if they are making progress to democratic values. To assess subjective values, the Center looked closely at the history and data protection law of each country. It also reviewed if the regulations and law had implemented the rights fairness, accuracy and transparency.

Words alone are not sufficient there must be investigation into implementation and enforcement. It is because implementation is so critical that the Center asks if countries have implemented and enforced OECD guidelines and the Universal Declaration of Human Rights.

The Center review AI practices of certain countries. The clear distinction on democratic and autocratic governments is the use of facial recognition for surveillance of their citizens since it coerce social behaviour and limit their freedom; used against religious minorities and other vulnerable populations. It's use will continue unless regulations are established. How we choose to control AI is the most important question facing humanity.

IoT creating autonomous automatic devices leads open fundamental questions on liability we must establish clear rules in order that these remain under human control.

Isaac Asimov's rules are not enforced today. We will lose control and put the people at risk and we will face new schemes of destruction unless regulations are established.

With a proper use of AI we may begin to find solutions to disparities of society instead of bias technology.

When it comes to privacy protection, we need to pass from words to actions; self-audits, third party audits and enforcement are all necessary actions to ensure we are passing from words to actions

The are no reason why technology cannot be used to enforce human rights.

We have two futures ahead let choose that in which the technology reflect our values


 PANEL IV: THE CHALLENGE OF COMPLIANCE: THE PERSPECTIVE OF DATA PROTECTION OFFICERS 

  • John Edwards, Privacy Commissioner NZ
  • Lara Kehoe Hoffman, Global Director Data Privacy and Security, Netflix
  • Barbara Cosgrove, Vice president and Chief Privacy Officer, Workday
  • Anna Zeiter, Associate General Counsel and Chief Privacy Officer, eBay
  • Takeshige Sugimoto, Managing Director, S&K Brussels

The Panel focused on what are the main challenges for the DPO and what it takes to be a successful DPO. Many topics have been analysed:

  • Participants outlined the main challenges they face in their role. The DPO must be a figure that helps the business to comply with the law, but there are also additional expectations. Indeed the DPO is challenged to help define the company's core values.
  • Another key challenge is how to translate the information to the consumers. The more a company invests in privacy, the more customers will trust the company. Thus, it is critical to provide consumers with tangible proof that the organization keeps their data safe.
  • Another challenge for the DPO is definitely to be able to perform his or her duty in an independent manner.
  • Moreover, the DPO must be a good communicator and have a strong character to be able to draw red lines.
  • The discussion then shifted to the advantages and disadvantages of having an external DPO, and what is the best alternative, whether to opt for an internal or external DPO. Surely an internal DPO has a better knowledge of the organization, its decision-making processes and the technologies used. It is indeed fundamental that the DPO is well connected with the decision-making process.
  • However, the best option may vary from case to case; for example, in a small company it may be preferable to opt for an external DPO who has a background of knowledge to ensure compliance with the law.
  • Another topic was about how the DPO recommendations are accepted by the various companies. What has emerged is that, even though it is not always easy, the organizations recognise that it is crucial to gain the consumers trust, and users are very well educated around the globe, especially after the GDPR came into force, and they know their rights.
  • Moreover, it’s fundamental to have a very good privacy by design process, in order to deal with the issues before resources and money are spent.
  • A big challenge for the DPO is to deal with a company operating in multiple jurisdictions, and an issue about this aspect was whether there may be any disadvantages in applying the higher standard even in less regulated jurisdictions. Again, this depends on the business model of each specific company. Often the approach used is to provide all the subjects with a core set of rights. A recurring pattern for dealing with this problem is to ensure compliance with the GDPR everywhere and monitor the new rules implemented across the globe. If the new regulations are stricter than the GDPR, the stricter requirement is applied. To provide an example, it is not convenient to have different tools for subjects' access request; it is easier to apply the most severe requirement because it is more efficient.
  • The last topic was the communication between the DPO and the Data Protection Authorities. The communication is essential and helps both to be more efficient. The Data Protection Authorities and the DPO are, and must be, collaborators.

Meeting highest standards is beneficial to the business as the same format or tool that allows for portability or access serves all jurisdictions.

Is more efficient to have one global program even if it implies having a shorter time to respond to access request.

DPA is the longer arm of the regulator inside the company. Help regulator to fulfill its duty and help internally to streamline and improve processes.

It is a burden to keep track of interpretations of GDPR in different jurisdictions.



PANEL V: THE STATUS OF COE 108+ AND THE PROSPECTS OF A COE TREATY ON AI - Convention 108 

  • Gonzalo Sosa Barreto, Data Protection Coordinator at the Regulatory and Control of Personal Data Unit (Uruguay)
  • Jean-Philippe Walter, Data Protection Commissioner, Council of Europe
  • Veronique Ciminà, Legal Officer at the European Data Protection Supervisor Office
  • Alessandro Mantelero, Professor of Private Law and Technology at University of Turin
  • Paul Breitbarth, Director, Global Policy & EU Strategy at Trust Arc

Summary points

  • Gonzalo said that the purpose of Convention 108+ is to protect everyone regardless of their place of residence and country. Based on that and on the values that Convention 108+ entails, it could be a considered as a global standard.
  • He also mentioned that the achieve synergic convergence between Convention 108+ with other international standards is important because various frameworks in Latin America are influenced by Convention 108 and Convention 108+ since they include the standards and principles of this Convention.
  • Jean-Philippe pointed out that the biggest challenge is to obtain a sufficient number of ratification of Convention 108+ so that it can go into force. This is important because the purpose of Convention 108+ is to implement evaluation and cooperation mechanisms because data protection authorities have to operate and act together in cross-border issues.
  • Alessandro said that Convention 108+ is a relevant instrument because is open for states that are not part of Europe.
  • He pointed out that the global standard is the GDPR but there are many countries that do not aligned with the GDPR. However, Convention 108+ can be a global standard and represents a first step to a adequacy towards a GDPR standard.
  • Paul mentioned that currently private companies are concerned with international data transfer. If more countries adopt and implement Convention 108+, it can contribute to international data flows.



VIII. ISSUES CONCERNING THE PROCESSING OF PERSONAL DATA IN THE ELECTORAL ARENA.

  • Colin Bennett, Professor at University of Victoria.
  • Michael McEvoy, Information and Privacy Commissioner for British Columbia
  • Tobias Judin, Head of International, Norwegian Data Protection Autorithy
  • James Dipple-Johnstone, Chief Regulatory Officer ICO

Both the rights to privacy and the right to hold free elections have a longstanding tradition. It is only until very recently that such rights appear to be colliding. We need to find a way to strike balance between privacy and electoral freedom. The Panel discussed the experience of the DPA of British Columbia, Norway and the United Kingdom. The DPAs shared their experience regarding recent audits practiced by the DPAs to political parties.

The ICO conducted rudling more than 3 years an audit of data processing practices of political parties (https://ico.org.uk/media/action-weve-taken/2618567/audits-of-data-protection-compliance-by-uk-political-parties-summary-report.pdf). The ICO considered that  technology is creating a greater risk when it comes to profiling by political parties, and that regulators need to enhance their capabilities to be able to catch up in the game.

In the case of the ICO hiring much more technology technical talent, and investing in software, prove to be a wise investment, as now the ICO can move faster when examining information. ICO concluded that cooperation among local departments among ICO, cooperation among local authorities, and cooperation among international authorities, prove to be useful for regulator to be able to follow each line of investigation that pop-up from the audit.

Collaboration mechanisms among local and international authorities should be stable (set forth by law, with clear authorities) rather than informal task-based coalitions, crated in connection with a particular event.

Norwegian authorities arrived to similar conclusions. They considered that in many cases, political parties still lack the awareness of what good processing practices are. They tend to believe that if technology providers have a commercial offering and allows for a certain profiling or communication to occur, then the practice should be legal.

Political parties fail in privacy practices not only in sophisticated matters like behavioral profiling, but in rather pedestrian issues like sharing information collected through cookies or sending unexpected SMS to citizens.

British Columbia authorities agreed that in many cases, the traditional data collection practices of political parties (such as door-to-door collection of data) were the ones that first called the attention for the DPAs. Political Parties fell short to comply with the law in such old and traditional practices. During the audits, the authorities were surprised about the amount of data collected by political parties. It was particularly concerning to find that political parties were using databases coming from "petitions lists" to extract from there information of individuals that may sympathizers or adversaries to a political party.  


Note: the views expressed by the speakers as reported in this post do not necessarily reflect those of Baker McKenzie or any of their clients.