The annual conference will be held in Tirana, Albania on 21-24 October 2019, and this year’s theme is: ‘Convergence and connectivity: raising global data protection standards in the digital age.’
We continue our ongoing interview series ‘Commissioners Around the World’ with a conversation with Angelene Falk, the
Australian Information Commissioner and Privacy Commissioner and Executive Committee member of the International
Conference of Data Protection and Privacy Commissioners (ICDPPC). As we count down to the next annual ICDPPC meeting in
Tirana this October, the Executive Editor of the European Data Protection Law Review (EDPL), Nelly Stratieva, is speaking to
national data protection regulators about the latest from their part of the world and their expectations about international
cooperation.
In this interview, Australian Commissioner Falk discusses her country’s new Consumer Data Right and Digital Platforms
Inquiry, as well as the recently introduced mandatory notification of data breaches. Commissioner Falk points out the need
for greater interoperability between regional frameworks in light of their growing number across the globe. She proposes a
concrete step in that direction – the adoption of a resolution at the upcoming 41st ICDPPC for a global policy on mandatory
notification of data breaches.
NS: Could you tell our readers more about the current privacy and data protection issues and initiatives in Australia?
AF: As Australia’s national privacy regulator, I am involved in a number of initiatives aimed at effectively regulating privacy
in the digital age. One of the key regulatory themes we are pursuing is how to get the right balance between privacy selfmanagement and organisational accountability. We are holding organisations to account and working to support consumers
in making informed decisions about their personal information.
One of the major changes over the coming months will be the new Australian Consumer Data Right, or CDR. This is a data
portability measure intended to create more competition and choice in the market by giving consumers control over how
their data is used and disclosed.
It will allow consumers to access particular data in a readily usable form and direct a business to securely transfer it to
another accredited business. My role is to ensure that strong privacy safeguards are built into the system, so consumers can
benefit from being able to switch service providers while their personal information is protected. We will also resolve
consumer complaints from individuals and small businesses, once the system is operational in February 2020.
Another important area of focus is the way digital platforms are handling personal information. Our competition regulator in
Australia, the Australian Competition and Consumer Commission (ACCC), has just completed an inquiry into the effect that
digital search engines, social media platforms and other digital content aggregation platforms are having on competition in
media and advertising service markets.
The inquiry has also looked at whether existing regulatory frameworks for the collection and use of data remain effective in
addressing the challenges of digitisation and the world of targeted advertising. We have been collaborating with the ACCC to
consider ways to strengthen data protection outcomes for Australians, and this process has recommended reforms to our
privacy laws to ensure that our framework is meeting the evolving challenges we face in this digital environment.
In both these areas — the Consumer Data Right and the Digital Platforms Inquiry — we have been working closely with the
Australian competition regulator. This collaboration between data protection and consumer protection authorities is an
essential part of protecting consumers in the digital age. This was also recognised by the ICDPPC’s 39th conference, in Hong
Kong in 2017, when it adopted a resolution on collaboration between data protection authorities and consumer protection
authorities for better protection of citizens and consumers in the digital economy.
In 2018, Australia introduced mandatory notification of data breaches to affected consumers and the privacy regulator. This
means that where someone’s privacy has been breached, and they are at risk of serious harm, they are informed of that
breach and are able to take the necessary steps to protect their personal information. Our regulatory focus during the first
year of the Notifiable Data Breaches scheme has been on driving awareness of entities’ obligations and of the causes of
data breaches to support better practices. Many entities have taken a proactive approach to engaging with us, allowing us
to work constructively with them to ensure an effective response. To date, we have clearly seen how the scheme is
increasing transparency and accountability for personal information handling practices.
Mandatory notification of data breaches is a feature of many data protection frameworks around the globe, and I will be
presenting a proposed resolution in Tirana that contributes to a global ICDPPC policy on this issue, with the goal of
preventing personal data breaches through security safeguards that target the ‘human factor’.
NS: The GDPR resounded around Europe and the world. In your opinion, what will be the next legislative frontier that
could have such disruptive power?
AF: The GDPR has had a big impact on information handling around the world, and it continues to influence data protection
legislation in other jurisdictions.
In today’s digital age we need our legal frameworks to reflect technological developments so they remain fit for purpose. I
expect we will continue to see legislative changes in the years to come. To succeed, they will need to provide for greater
interoperability between regional frameworks.
Interoperability doesn’t mean uniformity, but instead recognises the differences in our frameworks and provides a bridge to
ensure that personal information is protected no matter where it flows. As regulators, we can work towards this by
collaborating on developing policy positions, guidance, tools and enforcement.
These efforts are already reflected in the standards we are seeing emerge around the world: the GDPR, Convention 108, the
Ibero American Data Protection Standards, APEC Cross Border Privacy Rules (CBPR) and the OECD Privacy Guidelines.
International data transfers can also be facilitated through other regulatory tools such as certification and privacy seals,
codes of conduct, binding corporate rules and standard contractual clauses, to name a few.
Building on this, we are considering the role a certification scheme could play in Australia as a way for organisations to
demonstrate their accountability in personal information handling. We are looking at what’s been done on this already in
jurisdictions like the EU, Japan, and Singapore.
We are also implementing the APEC Cross Border Privacy Rules in Australia, which my office will enforce. In doing this we can
learn from others further down the CBPR road, like the US, Japan and Singapore, where this mechanism is in place to provide
accountable cross-border data transfers.
As a regulator, my ability to efficiently prevent, detect, deter and remedy relies on cooperation and collaboration, and a
framework that is interoperable with other regions.
NS: What major issues do you hope will be addressed at the 41st ICDPPC in Tirana? Which topics are of most
importance for you?
AF: The themes of this year’s conference — convergence and connectivity — could not be more relevant in 2019. Around the
world we are seeing data protection laws intersect with consumer protection, human rights and the digital economy.
This convergence underlines the importance of collaboration between privacy regulators. Collaboration between data
protection authorities and consumer protection authorities is also an essential part of protecting consumers in the digital
economy. In Australia, this is borne out in our work with the Australian Competition and Consumer Commission on a range of
initiatives including the Australian Consumer Data Right and an inquiry into digital platforms. My office also co-chairs the
ICDPPC’s Digital Citizen and Consumer Working Group with the Office of the Privacy Commissioner of Canada.
Accountability is the other important topic I see at this year’s conference. The interrelationship between privacy selfmanagement and organisational accountability is crucial to raising global data protection standards in the digital age. Done
well, privacy self-management allows individuals to exercise choice and control by understanding how their personal
information is being handled. But it’s reliant on organisations making this information accessible and understandable, and
we must continue our focus in this regard.
The 41st ICDPPC organization task force announced today that over 20 confirmed 41st ICDPPC official Side Events were published on the Conference website www.privacyconference2019.info. These are only the first complete side events applications that have been reviewed and approved, whereas the task force representative confirmed further that several other side events applications are yet to be reviewed.
Distinguished organizers as familiar to the ICDPPC community as the Council of Europe, the EDPS, the Information Commissioner’s Office (ICO), CIPL, IAF, or Vrije Universiteit Brussel can be, along with major global companies such as Microsoft, Google and Facebook, join other prominent names of the domain like DataGuidance, OneTrust, Huawei, and GSMA.
A complete list of the side events due to be held on the 22nd and 24th of October, 2019 is available at https://privacyconference2019.info/conference/side-events/.
In the run up to the 41st International Conference of Data Protection and Privacy Commissioners (ICDPPC) in Tirana, the European Data Protection Law Review (EDPL) is doing a series with interviews with commissioners from around the world. The first to answer questions by EDPL’s executive editor Nelly Stratieva is Dr Andrea Jelinek, EDPB Chair and Director of the Austrian Data Protection Authority.
NS: A bit after the 1-year “birthday” of the GDPR, could you share your impressions? Where is the Regulation succeeding and where is there more work to be done? Have there been any surprises?
AJ: The first 15 months after the General Data Protection Regulation (GDPR) entered into application have been remarkably busy for data protection authorities and data protection professionals across the European Economic Area (EEA) and beyond. There has been an unprecedented growth of the global community of data protection professionals and public awareness is at an all-time high.
From the very first day, the first cross-border cases were logged in the European Data Protection Board’s (EDPB) crossborder case register, totaling 517 today, and queries started pouring in at the national supervisory authorities (SAs). 260 of the cross-border cases have led to one-stop-shop (OSS) procedures. So far, there have been 25 final OSS outcomes.
An important take-away from the first 15 months is that the resolution of cross-border cases, is time and resource intensive: SAs need to carry out investigations, observe different procedural rules and coordinate and share information with other supervisory authorities.
Many are eagerly awaiting the first major fines, but, while we see that SAs do not hesitate to impose fines when necessary, these are only part of the story. Compliance can only be achieved through an effective combination of guidance, stakeholder engagement, and, where necessary, enforcement by the national SAs.
The EDPB offers an interesting example of a more intensive form of cooperation between regulators. Our strength lies in that we combine the knowledge and expertise of 31 regulators and the European Data Protection Supervisor (EDPS) that are close to the situation on the ground in our respective countries, with a strong drive towards harmonisation and consistency. With this in mind, since its creation, the EDPB has endorsed the 16 GDPR related Working Party 29 (WP29) guidelines and adopted 7 guidelines and a recommendation of its own. In addition, the EDPB completed its first major consistency exercise, which resulted in the adoption of 31 opinions on national data protection impact assessment (DPIA) lists.
We do not do this work in a vacuum. To make sure that all upcoming guidance achieves the double goal of enabling compliant data processing and stronger rights for individuals, the EDPB regularly engages in stakeholder consultations. So far, the EDPB has organised 2 stakeholder events and 7 public consultations, of which 3 are still ongoing.
15 months in, there is no doubt that the GDPR has transformed the data protection landscape: citizens, businesses and legislators around the world are more aware than ever of the importance of data protection rights.
While we don’t need a single tech regulator, more cooperation between the competition and data protection regulators could sometimes be necessary.
NS: The GDPR transformed privacy and data protection not just in Europe, but around the world. In your opinion, what will be the next legislative frontier that could have such disruptive power? Would it come again from Europe or perhaps from another part of the world?
AJ: I see two important developments that in my view will gain importance in the coming years.
Firstly, data protection is here to stay. The GDPR set the ball rolling, but today new legislative initiatives are being taken in many places across the globe. While there is no such thing as ‘one size fits all’ for data protection, we should still aim for a degree of global convergence. Every nation has to conceive its own data protection laws, but some measure of compatibility will greatly facilitate economic exchange and help build trust among consumers.
Secondly, we see an increasing convergence between the work of competition regulators and data protection authorities. Data represents a new type of economic resource which is fast becoming the life force of the global economy. However, the accumulation of data by a few big players has the potential to threaten the level of data protection and freedom of choice enjoyed by consumers of digital services.
As a result, the work of competition and data protection regulators is becoming increasingly more intertwined. Data protection authorities can help assess the impact that market dominance may have in terms of privacy, freedom of expression and choice. While we don’t need a single tech regulator, more cooperation between the competition and data protection regulators could sometimes be necessary.
Data protection is here to stay.
NS: What major issues do you hope will be addressed at the next ICDPPC in Tirana?
AJ: I see international conferences such as the ICDPPC as a unique opportunity to meet and talk with other regional authorities. One of the issues I’m particularly interested in discussing with colleagues from across the globe is how to achieve a degree of convergence in data protection which would strengthen data subject rights everywhere.
I’ll be moderating a panel on accountability, a concept which lies at the heart of the GDPR, but is also part of other privacy and data protection laws. The concept of accountability has shifted the burden of protecting individuals’ rights firmly to the organisations and individuals which are processing data. It is a powerful concept that can drive high standards of data protection. It can also help us bridge jurisdictional and legal differences by creating interoperability: accountability can facilitate operations in multiple jurisdictions based on mutually agreed or commonly accepted privacy and implementation standards.
Announcement of the ICDPPC Secretariat and the ICDPPC 2019 host:
The ICDPPC 2019 Open Session agenda has just gone live with the detailed speaker line-up! The Albanian Host Authority for ICDPPC 2019 has announced the excellent line-up on their website here: https://privacyconference2019.info/conference/conference-programme/
Register for the ICDPPC in Tirana today!
Many thanks again to the Programme Advisory Committee Members, co-chaired by Peter Hustinx, former European Data Protection Supervisor and current non-Executive Director to the ICO, and Besnik Dervishi and his Colleagues at the Albanian IDP Host Authority for their hard work on the Programme Advisory Committee so far.
On the occasion of the 41st ICDPPC, we are pleased to propose to all our attendees the tours that will make your stay memorable
The host of the 41st ICDPPC, i.e. the Information and Data Protection Commissioner of Albania would like to propose to all the participants to this year’s International Conference a special package of tours, negotiated and arranged with one of our leading market operators VAS Tours Albania, through Albtours D. This package includes some of the best touristic spots, cities and attractions of our country, starting from the capital Tirana, and the close-by cities of Durrës and Kruja, to end-up as far as Saranda, Berat and Gjirokastra, Albania’s gems.
These tours are available from 19 to 27 October, and the reservations are made online by clicking here. We recommend that you book your seat for your trip as early as possible as their number is limited.
We are delighted to announce now the Agenda and Keynote Speakers for the Open Session of the 41st ICDPPC 2019 in Tirana, Albania on the 23-24 October 2019.
Keynote Speakers in order of appearance:
Jamie Bartlett
From the UK’s Demos think tank, and BBC presenter of ‘The Secrets of Silicon Valley’
Brad Smith
President of Microsoft
Christopher Docksey
Honorary Director General of the EDPS
Preparations are in full swing for Tirana, registration is open, so please register now to take advantage of the early bird rate. Please be advised that Tirana is pretty busy with events in October, therefore it is wise to book your hotel as soon as possible.
The Office of the Information and Data Protection Commissioner of Albania (IDP) is delighted to announce that the European Data Protection Law Review (EDLP) is an official media partner of the 41st International Conference of Data Protection and Privacy Commissioners. The EDPL and the IDP have officially announced their partnership on 6 May 2019.
The 41st Edition of ICDPPC will be held in the capital of Albania, in the Western Balkans, from 21 to 24 October 2019. The Conference will be held at the historic Palace of Congresses located in the heart of Tirana. More information about ICDPPC can be found here: https://icdppc.org/.
https://www.linkedin.com/feed/update/urn:li:activity:6531128298448130048
https://twitter.com/lexxion/status/1125363739417559043
https://www.facebook.com/399358566883666/photos/a.400219440130912/1392957057523807/?type=3&theater
We are getting ready for the 41st International Conference of Data Protection and Privacy Commissioners, hosted this year by IDP, the ICDPPC’s member authority in Albania.
This year’s Conference will take place in Tirana, Albania on 21 – 24 October 2019.
Registrations will open soon! More details to follow.
View moreThe 2019 ICDPPC Open Session Programme Advisory Committee (PAC) has recently been established and has met to appoint the final speaker line-up and content of the Open Session agenda in Tirana this October. The ICDPPC is honoured that Peter Hustinx, former European Data Protection Supervisor, and currently non-Executive Director at the ICO has agreed to co-chair the PAC. We will provide further updates from the Co-chairs in due course.
