Observations from Albania: the 41st Annual International Conference of Data Protection and Privacy Commissioners (October 23-24, 2019)

UK ICO Commissioner Liz Denham, who serves as Conference Chair, welcomed attendees at the public session and provided a brief summary of what transpired at the Commissioners’ closed door sessions. She noted that “privacy” has gone “mainstream.” People around the world expect more information about how their data is used. She stressed the importance of future international collaboration and regulatory cooperation to develop shared strategies and tactics “to protect people from big companies.”

Commissioner Denham also highlighted the increased focus on the role of data protection as a relevant consideration in competition analysis by international regulators. She noted that the International Privacy Commissioners’ Conference, and the ongoing assembly of global regulators, resolved to be more transparent in the future with respect to the regulated community and other interested parties. Finally, she hinted that a new name for the group would be announced before the 2019 conference concludes.

Before proceeding to other substantive discussions, Commissioner Denham introduced a film tribute to the late Giovanni Buttarelli, who passed away in August. Giovanni served as European Data Protection Supervisor, host for the 2018 Privacy Commissioners’ Conference, and was widely recognized as a thought leader in the field — especially on the subject of data protection and ethics. He was a great friend and inspiration to many in the privacy community, including the author here.

In a panel on international data protection regulatory convergence, Bruno Gencarelli, Head of International Data Flows and Protection at the EU Commission, said that such convergence was already a reality. There was also general discussion around the fact that the Council of Europe’s Convention 108+ was already a leading international data protection pact that has been agreed to by 26 COE member states and one non-member.

Hong Kong Privacy Commissioner Stephen Wong described the differences between Hong Kong and Mainland China privacy regimes and cybersecurity laws. He noted that Mainland China observed a “sectoral” approach to privacy, while Hong Kong adopts a comprehensive approach more like the EU. While Hong Kong does not have data localization requirements, Mainland China assuredly does. Using one highly detailed slide, he explained the (complicated) status of the various Mainland China privacy and cybersecurity laws and regulations.

Marc Rotenberg, CEO of EPIC, stressed the importance of enforcement as the necessary next step in order to globalize GDPR. He asked rhetorically, “will we stop technologies of mass surveillance, or simply rationalize their use?” and also whether “we will allow surveillance capitalism to capture ever more data.” He advocated for a moratorium on facial recognition technology pending democratic debate, and for a moratorium on mass surveillance, as well as for study of the embedded biases in the use of facial recognition technology.

Brad Smith, President and Chief Legal Officer of Microsoft, provided an impassioned keynote address in support of a “third wave” of privacy protection going beyond earlier waves based on notice/choice and access/control. He explained how the third wave of privacy should be predicated on specified baseline rules, specific rules for certain new technologies, and integration with other laws, and should be embodied in a new global pact. He also called for new industry initiatives to ensure privacy for new technologies such as IoT devices.

In a panel addressing “the global privacy challenge of data driven business models,” the journalist and civil society panel members and one privacy commissioner essentially leveled one-sided criticism on US tech companies. The panel ignored the fact that, as the Court of Justice stated just last month, data protection is of course not an absolute right and must be balanced against the rights of expression and to receive information, as well as the right to conduct a business. In addressing the pernicious problem of political and electoral manipulation, the speakers failed entirely to mention the intricately documented interference by Russia and other nation state actors in US, UK and other elections, including their use of extreme disinformation tactics and active measures. Instead, the speakers only addressed micro-targeting by commercial actors.

On the antitrust panel, FTC Commissioner Rohit Chopra addressed the intersection of data protection and competition. He noted that the FTC was a unique privacy agency that has jurisdiction over both data protection and competition as part of its consumer protection responsibilities. He explained that his focus on these topics concerned the use and abuse of power over data. He noted that he hoped to see companies compete on privacy, and opposed “take it or leave it” contracts. He is acutely focused on the remedies available for privacy violations. He also talked about his recent dissent in a case that involved by far the largest privacy financial penalty ever imposed—reiterating his belief that the outcome was still not punitive enough. He did not note that the settlement in that case amounted to 9% of the respondent’s global revenues as compared to the GDPR’s maximum of 4%. Interestingly, he touted the crucial role State Attorneys General play in the United States in protecting consumers on privacy issues, and he indicated that he stays in close touch with them.

On October 24, the final day of the conference, Peter Hustinx, co-chair of the Programme Advisory Committee, introduced the final day’s activities and described the purpose of the gathering as raising global privacy standards and promoting global convergence.

Christopher Docksey, Hon. Director General, European Data Protection Supervisor and Data Protection Authority of Guernsey, delivered a keynote focused on the “Accountability” principle. He suggested this was a somewhat new concept in data protection regulation (in Article 24 of GDPR). He did not mention or draw upon the long experience of U.S. companies with legal compliance programs under the Caremark standard for corporate fiduciary duty as well as the DOJ’s organizational sentencing guidelines.

Docksey described “accountability” as companies implementing necessary internal mechanisms to achieve and demonstrate compliance. Abrams later distinguished “accountability” from compliance on the basis that the former seeks to achieve justice and fairness in addition to legal compliance. It was noted that COE Convention 108+ also incorporated the accountability principle.

The “accountability” discussion was elaborated in a panel moderated by Andrea Jelinek, Chair of the EDPB and Austria’s DPA. She explained that an “accountable” organization needs to put in place policies, procedures and technical measures to achieve compliance, and be able to demonstrate compliance. Caroline Louveaux, CPO of MasterCard, announced her company’s Corporate Data Responsibility initiative.

Daniel Therrien, Privacy Commissioner of Canada, spoke of his agency’s investigations of Equifax and Facebook regarding the alleged inadequacy of their accountability programs, including alleged failures of internal monitoring.

Trevor Hughes, CEO of IAPP, moderated a panel about operationalizing privacy. Julie Brill, SVP and Deputy General Counsel of Microsoft, spoke of the operational imperatives of data protection, including the likely lack of sufficient resources. She noted that companies need the right technological tools to implement privacy at scale. She also recommended that DPAs establish mediation services to address complaints.

Julie noted that Microsoft relies on internal ethics boards with respect to AI and facial recognition technologies. These boards comprise engineers, lawyers, and senior executives responsible for business and trust. They look at individual proposals and projects, and use of the company’s APIs for data access.

Kalinda Raina of LinkedIn stressed the importance of corporate privacy culture. She highlighted the value of deputizing non-privacy colleagues as privacy champions in their business units.

In closing, Liz Denham announced the new name for the ICDPPC as the “Global Privacy Assembly”. Next year’s conference will be in Mexico City. Hasta pronto!