In this piece, TrustArc's K Royal, CIPP/E, CIPP/US, CIPM, FIP, Paul Breitbarth and Annelies Moens, CIPP/E, CIPT, FIP, discuss the latest on privacy in the Asia-Pacific region. The following is an excerpt from TrustArc's "Serious Privacy" podcast, which can be found here.

K Royal: Tell me how you got into privacy as a career?

Annelies Moens: Well, 20 years ago, there was no such thing as a privacy career in the Asia-Pacific. I had finished a computer science, IT degree and a law degree. And, I'd studied cool things like artificial intelligence and machine learning in the mid-'90s in the U.S. and Australia.

I was very clear about what I was not going to do. I was not going to follow a traditional legal career path. So here I was looking for alternative options, and I come across an advertisement from what was then called the Office of the Federal Privacy Commissioner, which is now known as the Office of the Australian Information Commissioner.

It was at the time when the Australian privacy legislation was being expanded to not only cover the federal public sector, but also the private sector, so it had a number of roles being advertised. I joined as a complaints investigator and auditor. On my first day, I remember being given 40 complaint cases and being told, "Annelies, now you've got to resolve these." So I just jumped into the deep end and ended up being deputy director of compliance and took it from there.

Paul Breitbarth: You did try to get out of privacy, though. What did you try?

Moens: So, back when I was working at the regulator, I'd been there for about five years, and it was starting to go through a lengthy law reform process, which led to amendments that actually only came into effect in 2014. And I thought, "This is going to take a long time."

I wanted to see what else was out there. So I took that as an opportunity to do an MBA at Vlerick in Belgium, which was a fantastic school. Then I took on roles as a group manager and external relations manager, but I never really moved out of privacy because that was around the time the International Association of Privacy Professionals was being set up in Australia and New Zealand. So I was actually part of the group of founding directors who launched the IAPP in Australia and New Zealand in 2008. I stayed on that board for the first six years and was its president between 2011 and 2012.

Then from 2012, I started consulting in privacy. I manage my own privacy consulting company called Privcore. So I do a lot of privacy consulting for government and private sector organizations here and overseas.

Breitbarth: Also, to clarify, you are one of our consultants.

Moens: Absolutely. So it's really interesting how I came across TrustArc. I'm the senior privacy consultant for the Asia-Pacific region, as well, for TrustArc. I came across TrustArc when I was working on the APEC Cross-Border Privacy Rules System. I was looking at, "What are the benefits of the system? Could Australia join?"

And I came across TrustArc through that work, because TrustArc was one of the first accountability agents for the APEC CBPR System. So for those people who are listening who don't know the CBPR System, it's a framework that enables safe data flows between companies operating in the Asia-Pacific region because in Asia-Pacific, there are diverse data protection and privacy laws and some economies don't have privacy laws.

So the mechanism was established to enable those safe data flows. That's how I came across TrustArc, which has been working in privacy for a very long time. It has the depth of expertise and consultants that are operating globally. So that complemented my privacy consulting business.

Breitbarth: Wonderful. You already mentioned that the rules in Asia-Pacific are quite different and that some countries have legislation, some don’t have legislation. You have boots on the ground. We don't. So what can you tell us?

Moens: It's very difficult, firstly, to have boots on the ground in all places in the Asia-Pacific, because it is just huge. So let me give you a bit of context. It's culturally and economically diverse. When you look at, for example, the statistics from the World Bank, and you look at all the major regional blocks in the world, you look at North America, it has about $22 trillion of gross domestic product and about 364 million people. You look at the EU, it's got a GDP of around $19 trillion with a population of about 513 million. You look at Latin America, Caribbean, Middle East and Africa, and you're looking at a GDP of around $11 trillion with a population of 2.1 billion.

But then when you look at the Asia-Pacific region, South and East Asia and Pacific on their own, so that's excluding the U.S., you've got a GDP of around $30 trillion and a population of about 4.1 billion. So that just blows North America, the EU, Latin America, Caribbean, Middle East and Africa out of the water from a population and GDP perspective.

Royal: Absolutely. I think we often forget that. You were going to speak at the IAPP Global Privacy Summit about this.

Moens: So, yes, I was going to speak at the IAPP Summit this year, until it was canceled. I was doing some research on the Asia-Pacific laws, and in particular, I was going to be on a panel looking at whether (the EU General Data Protection Regulation) will effectively conquer the world. And, what was my Asia-Pacific perspective? I came across some interesting points, which I thought I'd share on our podcast today. So the first question that arises is: Are the Asia-Pacific data protection and privacy laws based on the GDPR?

Most of those laws are not based on the GDPR. There is some alignment with the Philippines Data Privacy Act and the GDPR and also some of the provisions in the Indian Personal Data Protection Bill. So it's important to be across the Asia-Pacific data protection and privacy laws because most of them have extraterritorial application.

If you're a business outside of that region wanting to engage with the citizens and, might I add, that's 4 billion citizens in the Asia-Pacific region, you've got to be aware that those data protection laws have extraterritorial application in most situations. There are two key exceptions, and only one of them is going to be an exception for a very short time.

Hong Kong generally doesn't have extraterritorial application, nor does New Zealand until Dec. 1, 2020, when the amendments to its Privacy Act become operational, which I can talk about later.

And there's another thing that I think a lot of listeners might find unusual or not realize: Some of the key concepts in the GDPR actually come from the Asia-Pacific region.

Breitbarth: That's interesting. Tell me more.

Moens: So our listeners are probably aware that the GDPR has these provisions around accountability, and that's actually a concept that originally came out of APEC. APEC had a privacy framework that was developed in 2004, and there are 21 economies in APEC. And so that concept was developed there and there's a very good practical example, an application of it in the Australian Privacy Act in Australian Privacy Principle 8 that I can share, because I think it demonstrates it very well.

Photo by NOAA on Unsplash