33rd International DPA Conference in Mexico City

By EDRi · November 16, 2011

This article is also available in:
Deutsch: [33. Internationale Datenschutz Konferenz in Mexico City | https://www.unwatched.org/EDRigram_9.22_33_Internationale_Datenschutzkonferenz_in_Mexico_City?pk_campaign=edri&pk_kwd=20111116]

The 33rd International Conference of Data Protection and Privacy
Commissioners was held in Mexico City, on 2-3 November 2011, hosted by IFAI
(The Mexican Federal Institute for Access to Information and Data
Protection). This year theme, “Privacy, the Global Age”, showed the clear
willing of the organizers to make it a direct follow-up to the 31st
Conference held in Madrid and its adopted resolution on global standards. As
a matter of fact, Jacqueline Peschard, IFAI President, called in her opening
remarks for a plan of action to be proposed by this conference. This
commitment to take further steps was shared by most, though not all, of the
DPA (Data Protection Authorities) at the conference.

The two-days conference included four plenary sessions and four sets of four
parallel sessions. A useful innovation consisted in the presentation of
highlights from parallel sessions, to keep the audience updated of all
discussions. While the parallel sessions addressed a broad range of current
hot data protection issues, the plenary sessions focused on various aspects
of the “big and distributed data” challenge: “Observation, Analytics,
Innovation and Privacy”, “The Drivers for Data Protection Law in Latin
America, Asia, and Africa”, “Security in an Insecure World “and “One Data
Protection Community. Many Cultures, Threats and Risks”.

The “big data challenge” was rather overstressed in the first plenary
session, especially through the keynote presentation by Ken Cukier (The
Economist), followed by two panel sessions.

In the first panel session, Jacob Kohnstamm, Peter Schaar and Marie Shroff
(DP Commissioners of The Netherlands, Germany and New Zealand, respectively)
and David Vladeck (FTC, USA) were asked whether the growth of data, its
mining and application challenge the way privacy enforcement agencies
protect individuals. The two European DP Commissioners insisted on the need
for a strict application of the legislation and more independent control
powers given to DPA, while the New Zealand Commissioner rather took the view
that there is a need to move from a focus of compliance to rules towards
being more strategic, identifiy the big risks, strategizing, and move to a
leadership mode or, as she said, “move from a negative mode to a positive
mode”. The FTC representative insisted on the changing nature of big data
(collected from smartphones, sensors, social networks.), leading to the
importance of privacy by design. He acknowledged that “the burden has to be
on the company, not on the consumer, to protect the data”.

In the second part of this session, gathering a panel of other stakeholders,
Gus Hosein (Privacy International) and Joel Reidenberg (Fordham Law School)
reminded the audience that the basic DP principles still applies. The former
warned that it would be a mistake to only focus on the use of big data while
forgetting about their collection process. The latter insisted on the need
to consider the broader systemic risks arising with big data, as they create
an unprecedented level of transparency of the citizen, who loses any
anonymity and choice capabilities, with the consent model breaking down.

One very informative sessions on new legal developments was the one dealing
with “changing laws in the US and the States”.

Françoise Lebail (EC DG Justice) presented the main features of the deep
reform the EU has undertaken in terms of privacy legislation. She made clear
that the revised legislation, to be adopted at the beginning of next year,
will leave less room for intrepretation for Member States, as the
disparities are currently huge: “no longer legal fragmentation”, she said,
mentioning both the national legislations and the two sectors, public and
private, including sectors formerly falling under the 3rd pillar. Other
important new features include: data breach notification, better enforcement
of rights, harmonization and increase of DPAs resources and powers, stronger
cooperation between DPAs (a reflection on a cooperation mechanism is
ongoing). On International aspects, she mentioned the need for a
continuation of EU citizen protection, not only through the adequacy but
also through the interoperability of the different DP schemes.

Lawrence Strickling (NTIA, USA) also introduced the big changes undertaken
in the USA to strengthen the privacy regime towards a general regime of
consumer data privacy, with a large focus on the international
interoperability of DP systems. A white paper will be issued in the weeks to
come, valid for the entire Obama administration, developing a four-pillars
framework: (1) A consumer bill of rights, that should be enacted in
legislation; (2) Codes of conduct developed by stakeholders; (3) Enforcement
of these codes of conducts by FTC; and (4) International interoperability.
One probably needs to wait until this white paper will be made available to
understand the exact share of enforced legislation and of self-regulation
this framework will actually encompass, as well as to which extent industry
lobbies will impose their views in the so-called multi-stakeholder process
of codes of conduct development.

“International interoperability” seems thus to be the new buzzword, and the
most that would be conceded in international discussions on a global privacy
and data protection framework. Civil society, as well as many DPAs, expect
more, though. They expect global privacy and data protection standards, and
this was precisely the topic addressed at the session on “Global Standards
Linked to Global Value”, organized and moderated by Lillie Coney (Electronic
Privacy Information Center).

During this session, Jörg Polakiewicz (Council of Europe) introduced the
major features of the current revision of Convention 108 that will soon
been submitted to consultation, and insisted on the fact that this
Convention is and will still be open to signatures and ratifications by
third countries, being the ideal vehicle towards a global privacy and data
protection standard.

Rafel Garcia (Spanish DPA) reminded the main advances of the Madrid
Resolution on global standards, adopted at the 31st DPA two years ago, and
mentioned the progress, though slow, made since then.

Meryem Marzouki (EDRi) took as a starting point the Madrid Civil Society
Declaration on “Global Privacy Standards in a Global World” adopted at the
2009 Public Voice Civil Society Conference organized in Madrid, in liaison
with the DPA Conference. She identified 6 main steps for an urgent action
plan to implement the provisions of this Declaration. EDRi representative
also reacted to the way the “big data” issue (or rather propaganda, in view
of radical deregulation of privacy forced by technological determinism, as
many civil society representative analysed) was addressed during the
conference. Meryem Marzouki reminded that “privacy is a fundamental human
right, that shouldn’t be adapted to new technical developments or economic
models”. Asking to put this dialectic back on its feet, she added that “it
is rather the technical, economic and behavioral norms that should comply to
international human rights standards.”

The next International Conference of Data Protection and Privacy
Commissioners will certainly bring interesting follow-up to this year
conference, especially with the new EU and US legislative frameworks, as
well as the revised Council of Europe Convention 108 being discussed. The
34th Conference will be held again in Latin America (Uruguay).

33rd DPA Conference, Mexico City (2-3.11.2011)
http://www.privacyconference2011.org

31st DPA Conference, Madrid (4-6.11. 2009)
http://www.privacyconference2009.org

The Madrid Civil Society Declaration (3.11.2009)

Madrid Declaration

Meryem Marzouki (EDRi) Presentation (3.11.2011)
https://edri.org/files/Marzouki-DPA-talk.pdf

“Big data and Small Agencies” – Colin Bennet’s Reflections on the 33rd DPA
Conference (7.11.2011)

Big Data and Small Agencies: Reflections on the 33rd International Conference of Data Protection and Privacy Commissioners

(Contribution by Meryem Marzouki (EDRI member IRIS – France)