Opening the Asia Pacific Privacy Authorities Forum

It was a privilege to represent the Attorney-General, Senator the Hon. George Brandis QC in opening the 47th Asia Pacific Privacy Authorities Forum.

 

"As Geoffrey Blainey wrote in his seminal history of the continent over fifty years ago, this ‘tyranny of distance’ had a profound and enduring effect upon the shaping of Australia’s history.  However, in revising his work for the 21st century, Blainey was forced to acknowledge that while Australia’s geographic isolation remained, revolutionary developments in communications technology had, in the intervening half-century, reduced much of its tyranny.

As Blainey observed, ‘The timeless obstacles, imposed on the movements of people and goods by wide oceans and high mountains and long deserts, are being lowered’, and as a result, distance is fading, for both the message and the messenger.  And in concert with this revolution in communication has come an explosion in data, and the technologies we use to make sense of it.

These innovations now permeate nearly every aspect of our lives, from the way we interact with friends and family, to the provision of the essential services of government. 

Taken in full, these technologies have undoubtedly given the modern world innumerable social and economic benefits. But data is also vulnerable and not every use of it is to be welcomed.   And in an age where the use of data is growing exponentially, and advances in data analytics is transforming the way we use this wealth of information, data protection has emerged as a rapidly evolving regulatory and enforcement challenge."

 

 Check out my full speech below.

 OPENING SPEECH

47th ASIA PACIFIC PRIVACY AUTHORITIES FORUM

 

 

10 JULY – 09.00AM

Check against delivery…

 

Thank you very much, Timothy, and thank you distinguished guests.

Can I acknowledge: Mr John Edwards, New Zealand Privacy Commissioner, Dr Francisco Javier Acuña Llamas, Commissioner President of the National Institute for Transparency, Access to Information and Personal Data Protection, Mexico, Mr Leong Keng Thai, Executive Chairman of the Personal Data Protection Commission, Singapore, Mr Stephen Kai-yi Wong, Privacy Commissioner for Personal Data, Hong Kong Special Administrative Region of the People's Republic of China, and Mr Heng Lam Ho, Functional Head of the Office for Personal Data Protection, Macao Special Administrative Region of the People's Republic of China.

 Can I also acknowledge the delegates from the dozen privacy regulators in the APEC region that are present today, as well as the Queensland Privacy Commissioner, the Victorian Commissioner for Privacy and Data Protection, and the Northern Territory Information Commissioner and Commissioner for Public Interest Disclosures.

May I begin by saying what a pleasure it to be here, in the spectacular surrounds of Darling Harbour, to open this forum on behalf of my friend and colleague, the Commonwealth Attorney-General, Senator the Hon George Brandis QC. 

It is incredible to think that in 1790 Darling Harbour, or Long Harbour as it was then known, lay on the outskirts of the British colony at Sydney Cove. 227 years later, the same cove is framed by the Harbour Bridge and the Opera House and is arguably the centrepiece of one of the world’s great international cities.  However, in 1790, the fledgling colony it abutted was isolated, and impatient for news from Europe.

Watkin Tench, Captain of the Marines at Sydney Cove, wrote of the gloom and dejection present in the colony caused by being entirely cut-off from communications with England for the three years since the departure of the First Fleet from Portsmouth in May 1787.

The arrival of five British transport ships in June 1790 would dispel this gloom as well as the imminent threat of famine. 

However, the isolation from Britain quickly resumed, with no further ships, news or letters arriving for another year.

As Geoffrey Blainey wrote in his seminal history of the continent over fifty years ago, this ‘tyranny of distance’ had a profound and enduring effect upon the shaping of Australia’s history.

However, in revising his work for the 21st century, Blainey was forced to acknowledge that while Australia’s geographic isolation remained, revolutionary developments in communications technology had, in the intervening half-century, reduced much of its tyranny.

As Blainey observed, ‘The timeless obstacles, imposed on the movements of people and goods by wide oceans and high mountains and long deserts, are being lowered’, and as a result, distance is fading, for both the message and the messenger.

And in concert with this revolution in communication has come an explosion in data, and the technologies we use to make sense of it.

These innovations now permeate nearly every aspect of our lives, from the way we interact with friends and family, to the provision of the essential services of government. 

Taken in full, these technologies have undoubtedly given the modern world innumerable social and economic benefits. But data is also vulnerable and not every use of it is to be welcomed.   And in an age where the use of data is growing exponentially, and advances in data analytics is transforming the way we use this wealth of information, data protection has emerged as a rapidly evolving regulatory and enforcement challenge.

Today’s forum is therefore a valuable opportunity for privacy authorities to share knowledge and strengthen data protection across the Asia-Pacific region.

 

For over 25 years, the Asia Pacific Privacy Authorities Forum, or APPA, has played a leading role in creating new opportunities for collaboration on privacy policy within our region.

It has offered a venue in which to explore how national legislative frameworks operate effectively in a regional context. And it is, I’m proud to say, something of an Australian invention.

Its origins can be traced back to 1992, when what was then known as the National Privacy Agencies Conference first convened. Membership of the conference consisted of a few Australian States and Territories engaging with one another under relatively informal arrangements.

Four years later, the National Privacy Agency network expanded its membership to include our good friends next door, creating the Privacy Agencies of New Zealand and Australia, or PANZA.

In 2003, PANZA membership expanded into the Asia Pacific to include Hong Kong, and by 2006 the APPA Forum, as we now know it, was born – with the agencies responsible for privacy regulation in Canada and the United States also joining the partnership.

Over the past 11 years, APPA has continued to grow, casting its collaborative reach across four continents to become a strong network of 20 members, including, the Privacy Enforcement Authorities recognised by APEC, participants in the Cross-border Privacy Enforcement Arrangement, as well as members of the Global Privacy Enforcement Network, or G‑PEN, an international privacy cooperation forum established in 2007.

From humble beginnings, APPA has emerged as the principal forum for privacy authorities in the Asia‑Pacific, and is supported by other international networks, such as G‑PEN and the Common Thread Network, which links Commonwealth data protection authorities.

Although each of these networks has similar objectives, each is distinguishable, with a particular point of focus.

For APPA, that focus is on building strong and enduring working relationships among countries facing similar challenges, and opportunities, due to the trans-national flow of data.

Because data knows no national borders, data protection is an increasingly complex and technologically integrated challenge. The potential benefits of data use and analytics make data a valuable asset — one that is increasingly sought after by governments and businesses alike.

However, these innovations must go hand in hand with the protection of individual rights.  And to this end, embracing best-practice data protection is essential to gaining the community and consumer trust that underpins economic certainty in the digital age.

It is therefore essential for regulators to meet the expectations of the community in data protection — through identifying and establishing processes that reduce the risk of its misuse.

For while the scale of big data may affect the complexity of the challenge policymakers face, it does not change the fundamental principles behind our response.

The great value of APPA is that it brings together regulators from across the region and facilitates a consistent, principles-based approach to tackling shared concerns — one that is focused on clear enforcement priorities for our region.

APPA’s focus on collaboration also recognises that national data regulations are most effective when they form part of a consistent international regulatory framework.

The consistent messaging about data regulation that results from such a framework also has a significant value in assuring markets and communities of a coordinated and stable governance response to data challenges.

This consistency is a crucial element in the prevention of data misuse, and underpins the contribution of APPA in our region.

 

It is essential to acknowledge the important role played by APEC in the promotion of privacy across the Asia-Pacific.

Australia has worked hard to drive the development of an APEC Privacy Framework, which now provides a basis on which to enable regional data transfers that benefit consumers and businesses in an environment supported by the governments of member economies.

APEC Ministers have endorsed the Framework, recognising the importance of effective privacy protections that avoid barriers to information flows and ensure continued trade and economic growth in the region.

The Framework recognises that businesses have a key interest in protecting the personal information of their customers and encourages a system in which personal information can be disclosed across borders with appropriate protections.

As Chair of the APEC Data Privacy Sub-Group, which oversees the operation and implantation of the Framework within and across APEC jurisdictions, Australia facilitated the framework’s update in 2016, to ensure that it adequately reflects changes to the privacy environment in the region since its original endorsement in 2004.

Another key initiative of the Sub-Group has been the development of the Cross Border Privacy Rules system.

This system provides a mechanism to facilitate the flow of personal information across international borders by businesses in their ordinary course of trading, and aims to ensure that effective protections are in place between member economies to protect personal information when it is transferred across borders, which is essential to consumer trust and confidence in the modern online marketplace.

The United States, Canada, Japan, South Korea and Mexico are all participating in the CBPR system while Singapore, the Philippines and Chinese Taipei have similarly announced their intention to participate.

The Australian Government is currently consulting with key business and privacy stakeholders to gain a better understanding of the implications for Australia of participating in the CBPR system.

Another important international implementation mechanism of the APEC Framework is the development of the Cross-border Privacy Enforcement Arrangement, which has created a network for regional cooperation among privacy regulators.

The CPEA facilitates information sharing, investigation and enforcement cooperation among privacy enforcement authorities among APEC nations, and is an essential mechanism in maintaining consumer trust in the effective protection of personal information by businesses in the region.

 

From recent experience, I know that Australia’s ability to cooperate rapidly with fellow APPA members in the instance of multi-national data breaches has been of great value in enforcing Australian consumer and privacy rights.

The joint investigation of Ashley Madison by the OAIC and the Office of the Privacy Commissioner of Canada was an excellent example of cooperation made possible by the CPEA, and I understand that Mr Brent Homan, the Director General at the Office of the Privacy Commissioner, is with us today.

Data breach notification is one area in which the Australian Government is working to strengthen data protection and bolster community trust.

Over the coming next year the reporting of data breaches will move from being voluntary to mandatory under the Government’s Notifiable Data Breaches scheme.

The scheme is a consumer protection measure that will improve the privacy of Australians, by enabling individuals caught up in a serious data breach to take steps to lessen the impact.

I note that the Office of the Australian Information Commissioner has published draft resources on the Notifiable Data Breaches Scheme well in advance of its commencement on 22 February 2018, and I commend the OAIC on its work, assisting organisations to understand their compliance obligations under the relevant legislation.

 

As will be clear from my comments so far, the Turnbull Government believes there is no need for Australia to choose between being a vibrant, open, innovative economy and providing adequate protection for the personal information of all Australians. In an interconnected world, the two cannot be disentangled.

To this end, the Open Government Partnership represents a significant commitment on the part of the Commonwealth. 

In December 2016 the Government released Australia’s first Open Government National Action Plan.

Amongst other things, the plan commits to better public access to government-held information and data, release of high value datasets and reforms to our information access laws.

This complements and builds upon the considerable action the Commonwealth has already undertaken in this field, particularly in promoting open data and the digital transformation of government.

The Open Government Partnership is, therefore, an opportunity for Australia to build on its long tradition of openness and transparency.

Australia’s public sector is no exception to the greater collection and use of data. 

The Turnbull Government has made it a focus of information policy to encourage the publication and use of ‘big data’ by Commonwealth public sector entities. 

With this new focus comes a reminder of the responsibility to the public that I spoke of earlier- to ensure that their privacy continues to be protected while allowing the benefits of big data to accrue to the broader Australian community.

The Government’s data agenda seeks to optimise the use and reuse of public data, to promote the release non-sensitive data as open by default, and to encourage collaboration with the private and research sectors to extend the value of public data for the Australian public.

 

The OAIC plays an important role in safeguarding individuals’ privacy interest as part of this process, providing guidance, both formal and informal, to public sector agencies on how to manage privacy issues arising from their increased use and storage of data. 

The Information Commissioner, Mr Pilgrim, has recently published a Public Service Privacy Code to support the Australian Government’s public data agenda. 

This code will apply to all Australian Government entities subject to the Privacy Act and will be implemented in 2018.

Central to the code is the recognition that strong personal data protection is vital to unlocking the potential of government-held information.

The code and its supporting resources will be developed by the OAIC and will see explicit standards put in place to make best practice the only practice for government management of personal data.

Commissioner Pilgrim and his team do indeed have a broad and busy remit — as Australia continues to be a leading jurisdiction in both open government and personal information protection.

Things have certainly come a long way from an informal meeting of pioneering state privacy commissioners 25 years ago,, and it is fair to say that those in attendance at that first meeting could barely have conceived of the challenges faced by those gathered here today.

However, I’m certain that what was understood, even then, and sought, was a collaborative and cooperative approach to an emerging cross-jurisdictional challenge, and I’m delighted that Australia continues to play a key role in that approach. 

I congratulate Timothy’s team for assembling this important gathering. 

And on that note, it is my honour to open the 47th Asia‑Pacific Privacy Authorities Forum and to wish you all a most productive meeting here in Sydney.