IIC Singapore - TRPC Forum: Privacy Rules Beyond Borders
The European Commission’s General Data Protection Regulation (GDPR), APEC Cross Border Privacy Rules (CBPR), and other privacy regulations have been hot topics of interest across a plethora of companies and organisations, most of whom have burning questions about compliance, the costs of compliance, and how and when these different privacy rules overlap. Four panellists representing different stakeholder groups addressed the audience on these issues in a compelling discussion on privacy rules.
There was general agreement that the conversation on protecting users' privacy has gone beyond compliance and has moved towards companies' accountability towards users. Users expect their personal data to be protected, and companies can demonstrate their commitment towards users by implementing consistent data policies across all jurisdictions they operate in. In fact, it may be advantageous to companies' business to have a personal data protection policy in place, increasing the users' trust in companies.
As countries increasingly appear to be taking the GDPR as ‘inspiration’ for local personal data protection laws, it is likely that there will be convergence in the basic elements such as the definition of data processors and data controllers. However, divergence is always likely to happen in the implementation and interpretation of local laws. Countries will adapt the GDPR to suit their needs, and implementation will nevertheless be dependent on the capability and capacity of local personal data protection agencies – a luxury most emerging economies do not have.
The role of a Data Protection Officer (DPO) is not an easy one. They often have to play multiple roles of privacy advocate, compliance officer and program manager. Yet DPOs are expected to be increasingly prominent features within a team's corporate structure. Their role would be to seek out continuous solutions to the challenge of finding a balance between ensuring data subjects’ privacy and keeping compliance costs down. The general consensus was that whilst the DPO's job might be a lonely one, it is important for his or her work to integrate seamlessly into the company's overall workflow. Their role would also require them to find a level of compliance with privacy rules that would not be overly restrictive for a company’s flow of information.
One of the distinct differences highlighted between the GDPR and the CBPR was the CBPR’s clear lack of protocol in the event of data breaches. With businesses not obliged to inform their data subjects of breaches, this could impact the reliability of the CBPR in the long run and its effectiveness in enhancing privacy frameworks.
There was an acknowledgement that institutions similar to the International Organisation for Standardization (ISO) might eventually end up as the ‘go-to certification body’ for smaller companies who may wish to bypass the difficulties of complying with every different privacy rule, or who may simply attain the certification to use it for more 'decorative purposes'.
Questions were raised on how to regulate artificial intelligence (AI), or if there was even an immediate and pressing need to regulate AI. Although AIs may process tremendous amounts of data, not all of it may be personal data – and even then much of the scope may already be covered under existing regulations. With AI being such a nascent technology, there is still a lot more that needs to be done to demystify what AI is and better understand the risks.
Perhaps ending with more questions and issues raised, one corollary that clearly emerged was the ongoing complexity of privacy rules, and how they continue to be an evolving challenge for everyone.
TRPC and IIC Singapore would like to express our appreciation to CMS Singapore for hosting the forum which featured a full house attendance of over 50 participants.
Event URL: http://trpc.biz/iic-singapore-trpc-forum-privacy-rules-beyond-borders/
- Angela Xu, Co Vice President, AsiaDPO; Senior Counsel Privacy, Uber
- Arianne Jimenez, Privacy & Public Policy Manager, APAC, Facebook
- Evelyn Goh, Director, Policy, Tech & Trustmark Personal Data Protection Commission, Singapore
- Associate Prof Hannah YeeFen Lim, College of Business (Nanyang Business School), NTU Singapore
Matt Pollins, Partner, CMS Singapore; Director, IIC Singapore