ADPPA Would Surpass California’s Laws, but Improvements Remain
The American Data Privacy and Protection Act (ADPPA) was passed through the House Energy and Commerce Committee on July 20, a proposal which experts and advocates agree is long overdue. However, objections from California leaders may threaten the bill’s passage.
Stacey Gray, the FPF’s Director of Legislative Research & Analysis, argues otherwise in a new editorial for Lawfare. Gray explains how the ADPPA compares to – and surpasses – state privacy protections established by California’s Privacy Protection Agency (CPPA) and Privacy Rights Act (CPRA).
In substance and privacy protections, the current version of the ADDPA addresses and is “significantly stronger” than both the CPPA and CPRA “in nearly every way,” Gray argues. The ADPPA incorporates “substantive rights,” establishes groundbreaking new national civil rights protections, and preserves current state administrative enforcement powers.
“Any successful federal privacy law in the United States must be at least as protective as California’s current data protection framework for reasons that are both political and substantive,” said Stacey. “Congress can continue to strengthen and clarify the law to ensure that it exceeds the CPRA’s substantive provisions; preserves the CPPA’s existing enforcement powers; and establishes a single, strong comprehensive national privacy standard.”
ADPPA Helps Protect Civil Rights for All Americans
Today, The Hillpublished an op-ed from the Future of Privacy Forum’s (FPF) Senior Policy Counsel for Data, Decision Making, and Artificial Intelligence Bertram Lee. The piece highlighted that privacy, particularly in the context of digital services, electronic data flows, and personal data, is a civil right.
Yesterday, the House Energy and Commerce Committee voted to advance the American Data Privacy and Protection Act (ADPPA). If passed, the bill would enact the first national standard for privacy. In its current form, ADPPA would modernize civil rights for the digital age and update existing civil rights protections.
“What is at stake is bigger than the interests of individual states: it affects the lives of a majority of Americans,” Lee said in the piece. “State laws, including the California Privacy Rights Act and laws passed in Colorado, Utah, Connecticut, and Virginia, typically codify existing civil rights laws, but to date have not extended civil rights protections. The U.S. needs a law that will implement clear and meaningful civil rights safeguards.”
FPF Announces new APAC Director, Hosts Panel for Singapore Personal Data Protection Week 2022
As part of this year’sPersonal Data Protection Week in Singapore, the Future of Privacy Forum (FPF) — a global non-profit focused on data privacy, data protection and emerging technology policy — will host “Data Sovereignty, Data Transfers and Data Protection – Impact on AI and Immersive Tech” on July 21, 2022, from 9:30 a.m. to 12:30 p.m. GMT+8.
The panel will feature FPF’s recently appointed Managing Director for the Asia-Pacific (APAC) region, Josh Lee Kok Thong, who will discuss principles, practices, and policies to help businesses elevate their data governance practices and build trust in the use of advanced technologies such as artificial intelligence.
Lee joins FPF after working at the Personal Data Protection Commission Singapore (PDPC) for three years, where he helped draft Singapore’s Model AI Governance Framework and worked on the country’s strategy in AI governance. He is an Advocate and Solicitor of the Singapore Bar, a former international arbitration practitioner, and a former Assistant Director for Legal Policy in Singapore’s Ministry of Law.
Additionally, Lee co-founded LawTech.Asia, Singapore’s foremost publication on legal technology, as well as the Asia-Pacific Legal Innovation and Technology Association (ALITA). Lee is also a Research Affiliate in the Singapore Management University’s Centre for AI and Data Governance and a Voting Member of the IEEE Standards Association. For his work, he was identified as one of Asia’s Top 30 Persons to Watch in the business of law (Asia Law Portal, 2019).
As Managing Director for APAC, he and his team will drive FPF’s agenda in the region, particularly focusing on AI governance, cross-border data flows, and emerging realms like immersive technologies.
“We’re excited to welcome an experienced data protection expert and innovative thinker to our Asia Pacific team,” said Jules Polonetsky, FPF’s CEO. “FPF Asia-Pacific aims to serve in the wider Asia region as a cooperative and trusted platform of reference to advance principled privacy and data protection practices and policies supporting emerging technologies. Josh Lee and the FPF Singapore team will work closely with local stakeholders to develop these conversations within the Asia-Pacific but also will operate as a trusted communication hub between APAC and the other regions of the world.
At the upcoming panel discussion during Personal Data Protection Week in Singapore, Lee, and others, will explore the foundational differences between data localization requirements, international data transfer frameworks in data protection law, and data sovereignty. Attendees will learn about the latest APAC and global regulatory and policy developments and how businesses can better safeguard data against potential risks.
“I am excited to join the renowned team at the Future of Privacy Forum’s APAC office in Singapore and represent them at this year’s Personal Data Protection Week,” said Lee. “In my new role, I hope to work with like-minded partners to continue fostering data best practices in the APAC region as we prepare for the new opportunities and challenges in technology.”
FPF launched the Asia-Pacific office based in Singapore in August 2021. The office expands FPF’s international reach in Asia and complements FPF’s offices in the U.S., Europe, and Israel, as well as partnerships around the globe.
To see all the events FPF will support during PDPC’s Personal Data Protection Week, visit FPF.org. Follow the FPF APAC team’s activities here and sign up for the FPF APAC email list to stay in touch.
FPF Files Comments on White House Office of Science and Technology Policy Actions to Advance Privacy-Enhancing Technologies
FPF Files Comments on White House Office of Science and Technology Policy Actions to Advance Privacy-Enhancing Technologies
On July 8, 2022, FPF filed comments with the White House Office of Science and Technology Policy (OSTP) regarding specific actions that would advance the adoption of privacy-enhancing technologies (PETs).
As emerging technologies continue to offer increased speed, efficiency, productivity, commercial output, and connectivity, they rely more on the extensive collection and processing of personal data. This processing can result in data protection and security challenges. The Future of Privacy Forum (FPF) has long supported the development of PETs that can help mitigate data protection risks posed by emerging technologies.
In response to the Office’s invitation for comments and concerning the particular categories of information requested, FPF provided the following recommendations to the OSTP for the development of a national strategy on privacy-enhancing technologies:
1. Support the growing discipline of privacy engineering aimed at bridging the gap between technologies and policies through direct funding of academic research, building expertise within government, encouraging business-academia dialogues, and directing agencies to require federal contractors to incorporate PETs as appropriate to promote common standards in the discipline;
2. Recommend the establishment of a trusted inter-agency and multi-stakeholder body, including the FTC, NIST, HHS, NSF, and experts from the private sector, civil society, and academia, to provide guidance and standards-setting for de-identification and the role of PETs, with particular regard to their utility for compliance with state and federal legislation; and
3. Encourage the establishment of Administrative Data Research Networks (ADRNs) that offer de-identification tools to facilitate researcher access to data in a secure manner.
Meet Josh Lee Kok Thong, FPF Asia Pacific’s Managing Director
The Future of Privacy Forum (FPF) is thrilled to announce Josh Lee Kok Thong, FPF Asia Pacific’s new managing director. Lee is deeply passionate about the issues at the intersection of law, policy, and technology, and is a changemaker in the spheres of the law of tech, and the tech of law.
As a legal architect that hopes to re-shape relationships disrupted by technology, Josh will lead a team furthering FPF’s mission of advancing data protection best practices and the trusted development and use of emerging technologies in the region.
Learn more about Josh in the Q&A below.
Tell us about yourself. How did you come to be at FPF as the new Managing Director of our Asia-Pacific office?
It all happened rather serendipitously. While pursuing my postgraduate law degree at Berkeley, I was asked to be interviewed for an article by the Singapore Global Network (a global networking community for Singaporeans set up by Singapore’s Economic Development Board). It wasn’t anything fancy–they had just wanted to feature Singaporeans in the Bay Area. After sharing the article on LinkedIn, Dr. Clarisse Girot (whom I had previously worked with while in the Singapore Government) reached out and put me in touch with FPF CEO Jules Polonetsky; after our conversation, Jules said, “actually, we’re looking to have you in as someone more senior.”
The next thing I knew, I was connected to senior members of the team in FPF, and FPF offered me this role–which I was delighted but also very humbled to receive. It also came at a time when another global tech company had also provided an offer. All things considered, joining FPF was the right choice, as it offered me the opportunity and chance to build something unique and shape it based on my vision.
TL, DR: I’m grateful for the connections and coincidences that came together that made this role possible, and I am excited to help the wonderful team at FPF take the office–and its mission–forward!
How do you see the role of the FPF Asia-Pacific office in the essential debates in the region on protecting personal data and advancing principled data practices in support of emerging technologies?
I think the FPF Asia-Pacific office (or FPF APAC) will be able to play a key and essential role in these dialogues.
Regionally, I see three fundamental shifts impacting the emerging technology and data protection landscape—first, the demographic shift. Second, the technological shift. Third, the regulatory shift.
First, the sheer demographic gravity of the Asia-Pacific means that jurisdictions like China, India, Indonesia, and others – have not just the largest but also some of the youngest and fastest-growing populations globally.
With a young, highly digitally-savvy population that is more conscious and careful about how their information is being used and how technology impacts them, there will be a stronger impetus to implement or update data protection regimes across the region to adapt to the changing sensibilities of these constituents.
Second, there are many technological developments occurring in the region. China is a world leader in AI and blockchain technology. Jurisdictions like South Korea and Japan are investing heavily in the future of the Web and media. In Hong Kong and Southeast Asia, fintech is revolutionizing how financial services are provided. With COVID-19 still fresh in everyone’s minds, healthtech is also an area with rapid development and opportunities. These technological developments, all of which rely on vast amounts of data, mean that trust in the collection, use, processing, and transferring personal data is a critical need for regulators, industry, and civil society.
Third, regulators in the region are, one, increasingly aware of the benefits and risks of emerging technologies; two, increasingly concerned about striking a balance between data innovation and data protection and control; and three, increasingly confident of regulating in a unique way that works for them. This comes amidst a backdrop of increased geopolitical focus on Asia, greater industry competition, and heightened awareness of finding a balance between innovation and technological risk–all adding to greater regulatory uncertainty in data protection and technology regulation.
Therefore, there is a significant role for FPF– through its unique approach of listening to governments, industry, civil society, and academia–to help foster the connections and dialogues critical to building trust.
We also want to use our unique centrist position – of focusing not on what appears good or bad, but on what is objectively important – to help regulators make the most informed choices on why, how, and when to regulate data and technology. We, therefore, want to be the most effective conduit, convenor, and collaborator in the region in this space. In short, when one thinks of technology, data protection, and trust, we want FPF APAC to be top-of-mind in this region.
What are your top three priorities as you take the helm of the FPF Asia-Pacific office?
To advance FPF’s mission, the APAC office will focus on three themes: continuity, construction, and visibility.
First, continuity. Unlike other places where transitions spell sudden shocks to how things are done, the FPF APAC office will continue many of its key projects already embarked upon. These include continuing the office’s tremendous work on the 14 jurisdictional reports on consent regimes and monthly privacy landscape calls, among others. We also want to emphasize our desire to build upon and nurture relationships already built with existing stakeholders, even as we also foster new ones.
Second, construction. FPF APAC will seek to construct a regional ecosystem of members, partners, and friends that is able to share perspectives, intelligence, and insights. After all, in a huge region with a multitude of views and stakeholders, it takes more than just two hands to clap. This collaborative network of partnerships is ultimately how we can be of value to our members and stakeholders, and further FPF’s mission and vision in the region.
Third, visibility. To ensure that FPF becomes and remains top-of-mind in policy and regulatory discussions in the region, we want to be a lighthouse amidst the constant changes and shifts in this space. FPF APAC will focus on being the trusted partner and advisor in understanding regulatory and technology developments as they come, and understand how to convey this information across in the most digestible way possible–so that important insights reach members and stakeholders in the right place, at the right time, and in the right way.
What are you reading or what podcasts are you listening to these days in relation to data protection?
Interested in learning more about FPF APAC and the APAC Council? Contact [email protected] to connect with the FPF Membership Team to learn more.
New Report on Limits of “Consent” in Indonesia’s Data Protection Law
Introduction
Today, the Future of Privacy Forum (FPF) and Asian Business Law Institute (ABLI), as part of their ongoing joint research project: “From Consent-Centric Data Protection Frameworks to Responsible Data Practices and Privacy Accountability in Asia Pacific,” are publishing the seventh in a series of detailed jurisdiction reports on the status of “consent” and alternatives to consent as lawful bases for processing personal data in Asia Pacific (APAC).
This report provides a detailed overview of relevant laws and regulations in Indonesia, including:
notice and consent requirements for processing personal data;
the status of alternative legal bases for processing personal data which permit processing of personal data without consent if the data controller undertakes a risk impact assessment (e.g., legitimate interests); and
statutory bases for processing personal data without consent and exceptions or derogations from consent requirements in laws and regulations.
The findings of this report and others in the series will inform a forthcoming comparative review paper which will make detailed recommendations for legal convergence in APAC.
Indonesia’s Data Protection Landscape
Currently, Indonesia has no comprehensive data protection law, though draft legislation in the form of a Personal Data Protection Bill (PDP Bill) was introduced in Indonesia’s Parliament in 2020. Under Indonesia’s existing law, provisions on personal data protection can be found in several different sectoral laws and regulations, including the digital, health, and finance sectors.
Role and Status of Consent as a Basis for Processing Personal Data in Indonesia
Indonesia’s existing laws rely heavily on consent as a mechanism for privacy self-management.
Consent serves as the primary or default justification for collecting, using, and disclosing personal data, subject to narrow exceptions and, at least in some sectors, other data protection principles, such as data minimization, purpose specification, and lawfulness and fairness of data collection.
It is also usually mandatory to obtain data subjects’ express consent as existing laws and regulations generally do not recognize implied or inferred forms of consent.
In the digital sector, operators of electronic systems must obtain consent in written form in the Indonesian language and provide information on the purpose and objective of data collection before collecting and processing personal data. It remains unclear whether laws and regulations provide alternative legal bases beyond consent for processing personal data.
In the health sector, consent is required to use personal data and/or medical records in health research and must generally be informed and recorded in written form. Data subjects must be provided with clear information on the purpose, method, and risks of the research, and the possible research outcomes, including any potential negative impact on them.
In the financial sector, banks, insurance providers, and peer-to-peer lenders must obtain written consent from consumers before providing or disclosing consumer information to any third party, unless applicable laws and regulations provide otherwise. Peer-to-peer lenders must also obtain consent to collect and process personal data and must ensure the confidentiality and integrity of the personal data, transactional data, and/or financial data from the time that such data is collected until it is erased.
Looking to the future: legal bases for processing in the PDP Bill
Compared with Indonesia’s existing laws, the current draft of the PDP Bill provides several legal bases for processing personal data.
One such basis is consent, which must be:
specific to one or more purposes communicated to the data subject; and
recorded (though consent may be given in writing or verbally).
Apart from consent, the current draft of the PDP Bill provides for other legal bases which apply where the processing of personal data is:
necessary:
for the performance of a contract to which the data subject is a party;
to fulfill a request of the data subject prior to entering into a contract; or
to comply with a statutory obligation that weighs on a data controller;
to protect the vital interests of the data subject;
in exercise of the data controller’s authority under applicable laws and regulations;
to fulfill the data controller’s obligation to provide services in the public interest;or
to fulfill other legitimate interests, after balancing the data controller’s and data subject’s respective interests.
However, note that since the PDP Bill has not yet been enacted, these provisions are still subject to change.
FPF Files Comments on Colorado Privacy Act Pre-Rulemaking Activity
Today, the Future of Privacy Forum (FPF) filed comments with the Colorado Department of Law regarding forthcoming rulemaking under the Colorado Privacy Act (CPA). The CPA, which goes into effect in July 2023, will establish important new data privacy rights, controls, and protections for individuals in Colorado.
FPF’s comments are directed toward ensuring that forthcoming regulations support the effective exercise of new privacy rights, maximize clarity for business and nonprofit compliance efforts, and promote interoperability with emerging U.S. and global privacy frameworks where appropriate, particularly where the CPA uses consistent language as other jurisdictions.
Specifically, FPF recommends that forthcoming CPA regulations should:
Clarify the approval and role of universal opt-out mechanisms in the context of today’s labyrinth of existing permission frameworks, including in non-authenticated interactions and their application to off-site data.
Ensure that the CPA’s high standard for obtaining valid consumer consent is realized in practice by providing that consent must be freely revocable and establishing limits on inappropriate “bundling” of consent for disparate processing purposes.
Provide appropriate guidance, flexibility, and interoperability for conducting meaningful data protection impact assessments, informed by best practices developed by regulators in both U.S. and global jurisdictions with comparable requirements.
Establish that a broad range of ‘profiling’ decisions are subject to consumer opt-out rights and follow best practices for automated decision-making transparency so that Coloradans are fully empowered to exercise their rights.
Adopt a definition of “biometric data” that protects individual privacy interests by limiting invasive and non-consensual tracking and identification.
Future of Privacy Forum and Israel Tech Policy Institute Cyber Week Delegation, 2022
Last week, The Future of Privacy Forum’s (FPF) Israel Tech Policy Institute (ITPI) welcomed a delegation of trailblazing privacy professionals from around the world to participate in Tel Aviv University’s Cyber Week conference and to meet with start-ups, regulators, and academics.
The week started with an illuminating tour of the Peres Center for Peace & Innovation, followed by a trip to Team8 headquarters and a roundtable discussion with Duality, a leading developer of privacy protection homomorphic encryption technology.
Around the table sat government officials (from Europe and the U.S.) alongside chief privacy officers of leading fintech, education, and transportation companies, gathering to discuss the current and future landscape of privacy regulation and practice.
At night, the delegation gathered to celebrate Cyber Week at an FPF and Goodwin reception, providing an opportunity to socialize, eat, and network with leading attorneys in the privacy space from around the world.
For the next morning’s event, Stacey Gray, FPF’s Director of Legislative Research and Analysis, led an engaging discussion surrounding the rapidly changing landscape of U.S. Privacy Policy, featuring Chegg Sr. Assistant General Counsel Bekah Putz, Streetlight Data CPO Kara Selke, Plaid CPO Sheila Jambekar, and Gravy Analytics CPO Jason Sarfati.
Together, the group discussed the difficulties inherent in reconciling state laws and instability across sectorial regimes of enforcement, and assessed the uncertain path forward for federal legislation. Speakers flagged the need to establish shared definitions when drafting contracts, and the general practice of referring to California’s CCPA as a benchmark for compliance across the nation. An interesting discussion surrounding “Dark Patterns” – and how far symmetry in website design must truly go – ensued, with critiques on the concept of total symmetry. Amit, Pollack, Matalon & Co graciously hosted the FPF event, which included breakfast for participants to connect over before the event began.
Apple’s Jane Horvath, the Federal Trade Commission’s Noah Phillips, and the European Commission’s Karolina Mojzesowicz examined methods of ensuring competition and innovation while supporting consumer data protection. Consumer role inhabited much of the conversation, with Horvath advocating for the consumer to be at the center of the discussion regarding tensions between security and privacy; Mojzesowicz echoed this desire, hoping to place decision-making power – regarding what is done with data and who profits from it – at the hands of the individual. Mojzesowicz explained that “there is no privacy without security,” while FTC Commissioner Phillips elaborated that online security is a necessary prerequisite to people feeling protected in their privacy. Throughout the discussion, panelists examined how to navigate the technical and legal complexities of these tensions, their roles in the marketplace, and visions for their hopes in finding the right balance.
Panelists included FTC Commissioner Noah Phillips, eBay CPO Dr. Anna Zeiter, AppsFlyer Legal Counsel Leor Hurwitz, and Apple CPO Jane Horvath, who each commented on their optimism regarding advertising’s future. While Commissioner Phillips highlighted the importance of carefully balancing trade-offs in user experience and increased privacy, Zeiter discussed limiting 3rd party cookies and investigating uses of Privacy Enhancing Technologies. Horvath explained the appropriate uses and restrictions for the use of Apple’s technical identifiers, the importance of educating consumers on the implications of their consent, and the need for patience as companies adjust from opt-out to the newly implemented opt-in data access system. Hurwitz highlighted the value in developing new data technologies to improve the ecosystem as a whole, citing data clean rooms, scalable cryptographic solutions, aggregation, and conversion modeling as some potentially useful models of privacy by design. All panelists shared optimism about a future where privacy and advertising co-exist, leveraging technological innovation, careful regulation, and user experiences as key avenues to navigate the path forward.
Goodwin’s Lore Leitner then led a panel discussion entitled International Data Flows: From Legal Restrictions to Sufficient Safeguards. EU Commission’s Bruno Gencarelli, Google CPO Keith Enright, Duke University Professor David Hoffman, and TransUnion CPO Shoshana Gillers spoke on the varying international legal regimes, frustration over the lack of a Safe Harbor between the US & EU, and the complexity of the issue. Key comments included focusing on increased consumer demand and expectations of privacy, concerns about data localization, and insights on positive developments in technology coexisting with opportunities to improve regulation. Audience questions further sparked discussion on the complexity of regulating smaller entities within the space, and the importance of cost-benefit analysis regarding every contract, transaction, and international data transfer.
FPF’s Data Protection Conference at Cyber Week continued with a presentation of the Distinguished Public Service Award to Amit Ashkenazi, a leading public figure in Israeli privacy and security law. Goodwin’s Omer Tene provided an overview of how Ashkenazi helped set up the Israel Privacy Protection Authority–serving as its first Head of Legal Department–after spending a decade at the Ministry of Justice Legislation and Counseling Department. Ashkenazi reflected on his time in service after the award presentation, emphasizing the importance of creating agile regulations with sufficient resources for enforcement. Ashkenazi shared his excitement for bringing the GDPR’s abstract concepts to new, Israel-specific legal formulations, and demonstrated pride in the experiment of regulating technology through government action, displaying a clear enthusiasm that continuous innovations in law can protect, build, and empower both technology and privacy industries.
FPF’s delegation concluded their Cyber Week formal events by meeting with the Israel Privacy Protection Authority (IPPA) for a conversation about Privacy Enhancing Technologies (PETs). Gilad Semama, IPPA’s commissioner, highlighted that Israel serves as a world leader in the PET space, fostering Privacy by Design solutions alongside innovative technologies from start-up companies.
Commissioner Semama emphasized the importance of tailoring PETs to specific circumstances, data, and usage, and explained how certainty in legal standards could support broader uses of PETS by government and industry. In an animated roundtable discussion, the FPF delegates had an opportunity to comment on their company’s PET uses, potential new solutions, and the role of regulation. Many advocated for the creation of regulatory sandboxes, while others explained the tension between innovation and safety teetering with PETs, as regulatory uncertainty places a cooling effect on innovation. Placing privacy at the heart of responsible technologies can help balance human rights of all types with company interests, and PETs can serve as a potential solution; however, instilling a sense of urgency in understanding, building, scaling, and implementing these technologies may be key to their successes (or failures). FPF plans to work on efforts to collaborate globally with regulators interested in advancing PETS.
Later that evening, FPF’s Delegation reconvened to explore Tel Aviv’s Jaffa neighborhood through a guided walking (and eating) tour of the neighborhood, filled with historical information, Shakshuka, and rooftop sunset views. The next day, the group ventured to Jerusalem for a day of touring and activities.
The tour started at the Israel Museum, with an explanation of historic Jerusalem alongside mini modeling of the city, followed by a visit to the Mount of Olives, the Dead Sea Scrolls, and a guided tour of the Western Wall Tunnels and the Church of the Holy Sepulcher.
FPF and ITPI are proud to have hosted this incredible group of delegates in Israel for this year’s Cyber Week Conference, and confident that all who joined gained an in-depth awareness of the complexity surrounding many privacy debates, technologies, and regulations. Through social events, informal conversations, and informative programming, the delegation gathered insights to bring back to their companies while forming bonds, memories, and conversations with other privacy professionals.
To all who participated, thank you! FPF members or prospective members interested in participating in next year’s Israel delegation and future trips to the APAC region should contact Membership Director Judy Gawczynski at [email protected].
New Report on Limits of “Consent” in the Philippines’ Data Protection Law
Introduction
Today, the Future of Privacy Forum (FPF) and Asian Business Law Institute (ABLI), as part of their ongoing joint research project: “From Consent-Centric Data Protection Frameworks to Responsible Data Practices and Privacy Accountability in Asia Pacific,” are publishing the sixth in a series of detailed jurisdiction reports on the status of “consent” and alternatives to consent as lawful bases for processing personal data in Asia Pacific (APAC).
This report provides a detailed overview of relevant laws and regulations in the Philippines, including:
notice and consent requirements for processing personal data;
the status of alternative legal bases for processing personal data which permit processing of personal data without consent if the data controller undertakes a risk impact assessment (e.g., legitimate interests); and
statutory bases for processing personal data without consent and exceptions or derogations from consent requirements in laws and regulations,
The findings of this report and others in the series will inform a forthcoming comparative review paper which will make detailed recommendations for legal convergence in APAC.
The Philippines’ Data Protection Landscape
The main personal data protection legislation in the Philippines is Republic Act No. 10173, better known as the Data Privacy Act of 2012 (DPA), which was passed in 2012 but only fully took effect in September 2017.
The DPA applies broadly to individuals and organizations that process the personal information of Philippine citizens, even if the individual or organization does not have a legal presence in the Philippines. For purposes of the DPA, “processing” refers to any operation(s) performed upon personal information and includes collection, use, and disclosure of personal information, among others. The DPA also provides a number of exceptions for the processing of personal information by public authorities for various purposes.
The stated policy aim of the DPA is to protect the fundamental human right to privacy of communication while ensuring the free flow of information to promote innovation and growth.
To that end, the DPA provides data subjects with a number of rights over their data, including rights to information about how their personal information is processed, correct personal information about them, and order the blocking, removal, or destruction of their personal information. Notably, the DPA was also the first data protection law in APAC to provide data subjects with an express right to data portability, which applies where personal information is processed by electronic means and in a structured and commonly used format.
The DPA also establishes the National Privacy Commission (NPC), an independent body that is responsible for administering and implementing the DPA. The NPC’s role as defined by the DPA is multifaceted and includes responsibilities to, among others: (1) advise the Government and the public and private sectors on personal data protection-related matters; (2) ensure that regulated entities comply with the DPA’s requirements, using enforcement measures if necessary; and (3) align the Philippine data protection framework with international standards and cooperate with peer regulators in other jurisdictions.
Since its establishment, NPC has been active in issuing guidance on the DPA. One of the NPC’s first acts was to issue the Implementing Rules and Regulations to the DPA, which took effect in September 2016 and provided clarification as to how the DPA’s requirements apply in practice. Since then, NPC has also provided further guidance in the form of circulars, advisories, and notably, 307 “advisory opinions” published on the NPC’s website, in which the Commissioner provides guidance on how the NPC would interpret and apply the DPA’s requirements in a wide range of situations, often in response to questions from businesses and members of the public.
Role and Status of Consent as a Basis for Processing Personal Data in the Philippines
Consent is one of several, equivalent legal bases for processing personal information and sensitive personal information under the DPA. Alternative legal bases are similar to those under the GDPR and cover a range of situations where the processing of personal information is necessary for:
preparatory steps for, or fulfillment of, a contract;
vital interests of the data subject;
compliance with a legal obligation;
response to a national emergency; or
pursuit of the “legitimate interests” of the data controller or a third party, subject to a balancing test.
Alternative legal bases for processing sensitive personal information are also premised on necessity but are much stricter and generally only apply in narrow circumstances where either the data subject is incapable of giving consent (e.g., medical treatment or a threat to life and health), or where specific provisions of law stipulate that consent is not required but provide other safeguards for the sensitive personal information.
For purposes of the DPA, consent must be freely given, specific, and informed and must indicate that the data subject agrees to collection or processing of his/her personal information. The NPC has also clarified through an Advisory Opinion that it would not recognize implied, implicit, or negative forms of consent.
If an individual or organization wishes to rely on consent to process personal information, it must obtain consent from the data subject (or the data subject’s lawful representative) prior to collecting the personal information or for non-sensitive personal information, either before or as soon as reasonably practicable after collection. Once obtained, the consent must also be recorded, whether by written, electronic, or other means.
Consent can also be withdrawn at any time, in which case processing of the personal information must cease unless the individual or organization can rely on an alternative legal basis for processing.
New Report on Limits of “Consent” in Australia’s Data Protection Law
Authors: Dominic Paulger and Elizabeth Santhosh
Elizabeth Santhosh is a current law student at Singapore Management University and an FPF Global Privacy intern.
Introduction
Today, the Future of Privacy Forum (FPF) and Asian Business Law Institute (ABLI), as part of their ongoing joint research project: “From Consent-Centric Data Protection Frameworks to Responsible Data Practices and Privacy Accountability in Asia Pacific,” are publishing the fifth in a series of detailed jurisdiction reports on the status of “consent” and alternatives to consent as lawful bases for processing personal data in Asia Pacific (APAC).
This report provides a detailed overview of relevant laws and regulations in Australia, including:
notice and consent requirements for processing personal data;
the status of alternative legal bases for processing personal data which permit processing of personal data without consent if the data controller undertakes a risk impact assessment (e.g., legitimate interests); and
statutory bases for processing personal data without consent and exceptions or derogations from consent requirements in laws and regulations,
The findings of this report and others in the series will inform a forthcoming comparative review paper which will make detailed recommendations for legal convergence in APAC.
Australia’s Data Protection Landscape
The cornerstone of Australia’s federal data protection framework is the Privacy Act of 1988, which was passed in 1988, commenced in 1989, and gives effect to the Organisation for Economic Co-operation and Development’s (OECD) 1980 Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, as well as Australia’s obligations under international human rights law to protect privacy.
The Privacy Act originally only applied to the public sector, but subsequent amendments to the Privacy Act over its 33-year lifespan have extended the scope of the Act so that the Act now covers the public sector and organizations in the private sector that either have an annual turnover of over AU$3 million or fall within certain prescribed industries.
Amendments made in 2010 to the Privacy Act established the Office of the Australian Privacy Commissioner (OAIC), which is responsible for, among others, issuing guidance on how organizations can comply with the Privacy Act. The Office also investigates and resolves complaints concerning organizations’ personal information practices, including, where necessary, issuing formal decisions known as determinations.
Major reforms to the Act’s privacy protections in 2014 introduced a unified set of Australian Privacy Principles (APPs) applying to both the public and private sectors. Any organization that is covered by the Privacy Act must comply with the 13 APPs, which broadly establish rights and obligations for:
collection, use, and disclosure of personal information;
anonymous and pseudonymous personal information;
use of personal information for direct marketing;
cross-border transfer of personal information;
quality and security of personal information; and
access and correction to personal information.
The latest amendments, in 2018, introduced a notifiable data breach scheme for organizations that are subject to security obligations under the Act.
In recent times, there has been significant discussion on the need to reform the Privacy Act, as well as Australia’s broader data protection framework, to respond to challenges to individuals’ privacy posed by the exponential growth in digital technologies, social media platforms, and the Internet of Things (IoT).
In 2019, the Australian Competition and Consumer Commission (ACCC) published its Digital Platforms Inquiry which highlighted risks from the business models of Big Tech companies and suggested the Australian government conduct a review. This eventually led the Attorney General’s Department (AGD) to release an issues paper in 2020 inviting public consultation on whether the Privacy Act and its enforcement mechanisms remain fit for purpose and possible avenues for reform, followed by a discussion paper with more detailed proposals one year later.
Alongside public consultation on reform to the Privacy Act, the AGD has also held consultation on a new bill, the “Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021” (Online Privacy Bill) which, if passed, would complement the Privacy Act by introducing a binding online privacy code with which social media and other online platforms would have to comply, or face legal penalties. The status of the Online Privacy Bill is currently uncertain following recent federal elections in Australia.
Role and status of consent in the jurisdiction
Consent plays an important role in the Privacy Act and is relevant to the operation of a number of APPs.
Though consent is not required for all collection of personal information under the APPs, consent is required for the collection of certain prescribed categories of “sensitive” personal information, unless an exception applies.
Consent also functions as an exception that permits certain acts in relation to personal information that would otherwise be prohibited under the APPs – namely:
collection of personal information from a source other than the data subject;
use or disclosure of personal information for a different purpose than the purpose for which the personal information was originally collected;
use of personal information for direct marketing purposes; and
cross-border transfer of personal information, without taking reasonable steps to ensure that the overseas recipient of personal information does not breach the APPs in relation to that information.
The APPs also impose detailed notification and notice requirements which operate independently of consent requirements. Organizations that are subject to the Privacy Act are generally required to maintain a privacy policy providing information about the organization’s activities in relation to personal information as well as how individuals may exercise their rights under the APPs in relation to their information. Additionally, organizations are required by default to notify individuals of certain prescribed matters when the individual’s personal information is collected or as soon as reasonably possible after collection.
These existing consent and notification requirements have been the subject of much discussion during consultation on reform to the Privacy Act as there is widespread recognition that organizations over-rely on consent. The general direction of reform proposals seems to be in favor of strengthening the legal test for what constitutes valid consent, while at the same time reducing the frequency with which, or circumstances under which, individuals are asked to provide consent. However, there are signs stemming from the consultations on the potential reform of the Privacy Act that Australia may ultimately move away from a “privacy self-management” approach and towards an approach that places greater accountability on organizations by requiring that collection, use, or disclosure of personal information must be fair and reasonable in the circumstances. It remains to be seen how these proposals will evolve in the future.
