It's true. There are privacy laws around the world that emanate from places other than the European Union. Yesterday, those Global Privacy Summit attendees who took in "The World Beyond: Global Privacy Priorities Outside the GDPR" heard from regulators from Israel, Japan and Canada as they outlined the nuances of their respective privacy regimes, all undergoing changes of some sort and all aiming to keep pace with the legal requirements of the GDPR in order to keep "adequacy" front and center.
Israel received its adequacy designation in 2011, and its Privacy Act of 1981 was one of the first in the world. But as settled as it is, the coming years will be times of change for the country's data protection regime, including binding legislation and strategic change at the authority itself. Last year, the Israeli Law, Information and Technology Authority (ILITA) saw a 100 percent increase in its budget. ILITA's head, Alon Bachar, said the data protection authority has also been successful at convincing policymakers that privacy is crucial for customer trust, which led to changes in legislation as well as in how its DPA is resourced. Legislatively, a draft bill that increases its enforcement power just survived a first reading in Parliament, and legislation that passed in 2017 and comes into force this month allows it to issue fines of up to 3.2 million Israeli dollars per case, "an enormous increase that will surely increase compliance," said Bachar.
The authority also possesses the "power and the know-how to conduct forensics investigations," which Bachar said has given his office a higher profile. The office is also very active in assisting the government with digital projects, including the new Israel Smart ID and a digital health project.
Similarly, Japan recently amended its data protection law. Japan's Personal Information Protection Commission (PPC) was established in 2016 as an independent organization, and in 2017 regulatory authorities were centralized from ministers to the PPC, which is the sole privacy enforcement authority. It plans and drafts legislation, supervises and monitors personal information, provides the necessary mediation for filed complaints, and offers cooperation to businesses.
The APPI, Japan's privacy bill, was passed in 2003. It aims to find the balance between individual rights and interests and the utility of personal information. Amended in 2017, the APPI now aggregates the supervising authorities of the PPC, responds to globalization's changes, like cross-border transfer, clarifies the definition of personal information, establishes a legal framework for the active use of personal information, and mandates that a business operator handling the personal information of 5,000 or fewer individuals is subject to the act. Previously, such a business would have been exempted.
Japan is seeking mutual verification with the EU, hopes to keep personal data flows running with the U.K. post-Brexit, and, in the U.S., aims to improve cross-border data sharing.
Fumio Shimpo, commissioner for International Academic Exchange at the PPC, said AI is a major issue for the commission to contend with. "AI is rapidly advancing, automated decision making is a key issue," he said. "AI is a most critical issue."
Israel's Privacy Protection Regulations have been a major shift for companies, said Bachar. "The new regulation requires all citizens in Israel to adjust their businesses in order to comply, and this means a big technological change in most Israeli institutions and companies."
The Israeli DPA is investing a lot in education, writing guidelines so companies understand their obligations. In the upcoming year the agency will focus on smart cities, "which in Israel is very trendy," digital health initiatives within the nation, and AI.
"Digital health in Israel is a unique issue because in Israel we have a very concentrated field of health databases on Israelis. We have a lot of data for a lot of years on most of the Israeli population, and this goes to many initiatives, governmental and other, using this data for commercial purposes. So this will be the most bothering and interesting thing we'll do this year, technologically speaking," Bachar said.
For Commissioner Daniel Therrien in Canada, the priority is proving that Canada is still adequate for data transfers given the GDPR, and also lobbying for the power to fine companies that misbehave, a power he currently doesn't have.
"While I can investigate complaints and I can even lodge certain complaints on my own volition, the outcome is recommendations as opposed to orders and fines," Therrien said. It's a model that's worked well in many cases, and most recommendations made by the commission are implemented by organizations that are investigating. "But it does not always work, and though many companies do the right thing to protect privacy, if we're frank, there are a few others who are not so interested." That said, while he does "need to have a big stick in the toolbox, the ultimate objective is compliance." And that means engaging with companies to get them there.
Israel does not have Therrien's problem, as its DPA can take criminal enforcement action, but most investigations are not criminal. In 2017, it investigated five criminal cases. That's decided by a variety of factors, Bachar said: the severity of the conduct, the duration or frequency of the conduct, and its level of sophistication, among other factors. "It's a very big stick that we have, and we try to use it wisely and proportionately, but we definitely use it."
For now, looking forward, Japan awaits its answers from the EU on adequacy, as does Canada. "I've had to answer certain questions as to the oversight that my office provides," Therrien said. The decision ultimately has to be made, under GDPR rules, by April 2020 at the latest. So, "there's still time for these discussions to unfold. My hope is there will be some amendments to Canadian law which will make it easy for European authorities."