The International Association of Privacy Professionals (IAPP) Global Privacy Summit in Washington DC is probably the biggest event on the annual privacy calendar.
When I last came to the summit in 2015, there were more than 3,000 delegates attending out of 20,000 IAPP members - and the numbers just keep growing. This year, the summit was attended by 3,500 of 29,000 members.
It’s a big investment to come all the way to the United States, so we try and take the opportunity to schedule side meetings, and take advantage of the fact that so many of our international colleagues are here, including privacy commissioners and data protection authorities, government and industry representatives, and civil society organisations.
It’s also important to report back to you, so here goes.
9am-3pm, Monday 17 April - United Nations Headquarters, New York
The UN Global Pulse is an initiative driven from the UN Secretary-General’s office and is committed to using data to help with the UN’s humanitarian and development programmes. This can include partnering with telecommunications companies to track the movements of populations fleeing crises, or monitoring radio broadcasts with voice recognition software to get real time information about what’s happening in remote communities.
Global Pulse is very conscious of the need to have privacy practices that ensure the data is protected and used appropriately. It has established a Privacy Advisory Group to assist and New Zealand Assistant Privacy Commissioner Blair Stewart is a member of the group.
The meeting was to discuss updating the privacy principles under which the UN has been operating since 1991. I was invited to make some introductory remarks and to observe and participate in the experts’ group.
3pm - Meeting with Andrew Gilmour, UN Assistant Secretary-General for Human Rights
As chair of the executive committee of the International Conference of Data Protection and Privacy Commissioners, I sought a meeting with Mr Gilmour as part of my mandate is to make connections between our conference and other international organisations.
With so many human rights crises around the world and the fact that dedicated privacy functions are looked after in Geneva, privacy is not part of the New York office’s dedicated responsibilities. But Mr Gilmour is conscious of the importance of privacy as a precondition to the enjoyment of a number of other human rights, such as freedom of association and expression, and the relevance of privacy in work being carried out on human rights and counter-terrorism.
We discussed these connections, the different roles of privacy commissioners around the world, and the March report of the UN Special Rapporteur on the right to privacy.
We had a very useful discussion, and committed to an ongoing relationship between our organisations.
4.30pm - Meeting with Jens Wandel, Assistant Administrator and Director of the Bureau of Management at the UN Development Programme (UNDP)
Like Global Pulse, UNDP needs to collect and use personal information in the delivery of its development goals. That has not always gone as well as it would have hoped, and issues with access to data impeded the UN response to the recent Ebola outbreaks. The UNDP last month developed and issued a guidance note entitled Big Data for Achievement of the 2030 Agenda: Data Privacy Ethics and Protection.
As we talked, it struck me how familiar the conversation was to many I have had in New Zealand with government ministers, officials, the Data Futures Partnership and others about the need to use data to improve the delivery of services and the importance to maintaining trust and building a social licence.
Phrase of the day: Data philanthropy
Many of the organisations we heard from depended on companies lending their commercial and customer datasets to humanitarian and development agencies for philanthropic purposes, hence the phrase “data philanthropy”.
9am-11am, Tuesday 18 April, Washington DC
One of the great things about IAPP is the way they accommodate different interest groups, particularly data protection authorities (DPAs). Tuesday was designated DPA day with IAPP opening doors and organising meetings with a number of government and civil society groups.
First up was a briefing on privacy research funded by the Networking and Information Technology Research and Development Program (NITRD).
NITRD administers a US$4.5 billion US federal research fund, of which US$30 million is directly related to privacy-related research.
We heard from the aptly named Centre for Disclosure Avoidance Research (part of the US Census Bureau) and the Defense Advanced Research Projects Agency (DARPA) which was conceived in response to the Soviet era Sputnik launch and has since been engaged in research as diverse as stealth bomber technology, the Internet, and privacy technologies.
Most of us know the Department of Homeland Security from its border security work when we cross into the US but it also has an extensive research programme. The department partners with New Zealand agencies in relation to matters such as identity verification and authentication. One of the projects is about meeting the need of “addressing privacy concerns with big data and algorithms” and is very relevant to many programmes back home.
The National Institute of Standards and Technology (NIST) presented on privacy engineering, and the Federal Trade Commission described how it had uncovered a TV manufacturer which had been harvesting and selling viewers’ viewing history.
2pm-3.30pm - Meeting with civil society groups at Georgetown Law School
The US has a proliferation of non-governmental organisations and civil society groups focused on privacy, data protection, and the ethics of digital technologies. There’s the Electronic Privacy Information Centre, the Centre for Democracy and Technology, AccessNow and others linked to academic faculties.
These organisations make a hugely important and informed contribution to the discourse on privacy in public policy. Data protection authorities are often constrained by their empowering statutes, and may be limited in their ability to advocate for particular positions. In short, they welcome the opportunity to exchange views with independent community and academic tech spokespeople.
Among other topics, we had a stimulating conversation about privacy security, encryption and surveillance.
4pm-6pm - Meeting with the acting chairman and staff at Federal Trade Commission (FTC)
In Europe, it is a common complaint that “the US doesn’t have comprehensive privacy regulation”. In fact, the US has many different privacy protections at state and federal level, but they just don’t have a single regulation that looks like the European model. Several state and federal agencies have different roles in administering and enforcing privacy statutes and values.
The FTC has emerged as one of the most influential for consumers. It has jurisdiction to police “unfair” trade practices (which is a bucket large enough to contain many privacy sins) and it has shown that it is willing to be very active in ensuring corporates do not abuse customer data or trust. The FTC is a member of our international conference and a key international partner in privacy enforcement cooperation.
6pm - Brookings Institute Dinner
Two years ago when I attended a dinner at the Brookings, I made the observation that a conversation about international privacy was entirely focused on Transatlantic (i.e. US/Europe) preoccupations, and overlooked a very significant proportion of the world’s population.
To balance the conversation, a Brookings Distinguished Visiting Fellow, Cameron Kerry, invited me to kick off a dinner conversation about privacy and the rest of the world. With several representatives of the intelligence and security community present, the focus of the discussion drifted toward the desirability and feasibility of some kind of international treaty or instrument covering intelligence (particularly signals intelligence) activities.
Phrase of the day: Synthetic data
During the research presentation, several references were made to this concept, which refers to a type of anonymised data. In other words, it is a dataset that can be used by researchers but has been processed in a way that it no longer refers to real, and identifiable individuals.
To be continued.
Image credit: Fearless Girl statue photographed by Anthony Quintano.