Privacy professionals compare how shifting data protection laws are addressed

In a world of endless biometric data, what can a data commissioner do? A virtual panel convened for the 2023 edition of PrivacyNama, a conference focused on rulemaking around India’s new Digital Personal Data Protection Act, offers insights into some of the key concerns facing data privacy officials around the globe.

“It’s a very exciting and dynamic time to be having this conversation,” says Malavika Raghavan, a senior fellow at the Future of Privacy Forum, who hosts co-panelists Junichi Ishii of Japan’s Personal Information Protection Commission and Valborg Steingrímsdóttir from Persónuvernd, the Icelandic Data Protection Authority. Raghavan points to the long-awaited passage of the Digital Personal Data Protection Act in September 2023 as a turning point in digital governance for India, where questions around data security have nagged at the Aadhaar national ID program. (Parallel questions have arisen around the data protection law.)

Valborg Steingrímsdóttir identifies the duties of Persónuvernd as being twofold: “On the one hand, we have to carry out supervision – or surveillance,” she says. “We resolve disputes regarding data protection, and we also examine, for instance, data breach notifications. On the other hand, we have a supporting role: we must provide other government entities with guidance, education, opinions, and so forth.”

Junichi Ishii says Japan’s Personal Information Protection Commission (PPC) was established in 2016 as a way to centralize the previous system of multiple supervisory schemes, which he calls “overcomplicated.” The commission covers both private and public sector entities in monitoring and handling personal information, and enforcing the law.

He notes a key difference between Japan’s system and the EU: the PPC has an additional office that is focused on policy making and reform, rather than strict regulation. In other words, they can make rules as well as enforce them, as long as they follow established law. Raghavan points out that India’s scheme is limited to enforcement and compliance, with policy and rules set by central government ministries.

Regulators say independence is a key piece

In response to a question about the best advice for regulators and rulemakers navigating a new law, Steingrímsdóttir again underlined the importance of being an independent supervising authority, not subject to the orders of external ministries.

“I think it’s very important that the data protection authorities are independent, even if it’s within the government.” She also mentions enhanced cooperation with other European countries since the implementation of the EU General Data Protection Regulation (GDPR), the benefit of shared knowledge in addressing domestic issues, and how Iceland’s centralized data model plays a role in effective regulation.

Ishii agrees that independent oversight is important, as is simplicity. “The rules and regulations should be as simple as possible, for the sake of compliance,” he says, pointing out that the dual regulatory-legislative model means there can be a lot for people and businesses to take in.

The issue of cross-border data transfer is also salient to the discussion, as a factor that brings additional layers of requirements in terms of safeguarding personal data. Iceland is bound by the European Commission as to which countries are considered safe for data transfer, and has a seat in the European privacy and data protection council, which advises on the matter.  Steingrímsdóttir, however, acknowledges the wisdom of establishing broad principles and guidelines, to make different scenarios of international data transfer less complex, which can then be broken down domestically into more nuanced regulations based on context.

Ishii also says cooperation with foreign counterparts, to understand other legislative systems and philosophies, is essential.

Focus areas include youth, healthcare, social media

Children’s data, health data and social media regulation around the issue of election advertising are on the radar in each nation represented on the panel. Steingrímsdóttir explains that the Data Protection Authority of Iceland monitors alerts and complaints and data breach notifications to prioritize issues that need attention, and seeks to accumulate a certain threshold of data on which to base its decisions. In Japan, by contrast, priorities are coded in law, but also take formal inquiries into account.

In much the same way that the values established for digital ID frameworks vary from region to region, data privacy regulation has no standard approach. Managing it from a global perspective remains an ongoing conversation.

Article Topics

biometric data  |  biometrics  |  data privacy  |  data protection  |  digital ID  |  India  |  regulation