Kia ora koutou,
I’m writing this from Ireland, sitting at a desk only a couple of metro stops away from some of the biggest big tech headquarters and one of Europe’s most active and vocal data protection authorities. It’s good to be back in my motherland and right in the middle of the EU’s myriad privacy issues. It does make me reflect, however, on the many ways we in the Asia-Pacific are fortunate. We have opportunities to learn so much from our EU colleagues, but we must also remember that we’ve done so many things simply and effectively for years and have made strides in the regulation, enforcement and practice of privacy that many in the EU could take a lead from.
That said, privacy breaches have dominated our regional news over the last week. The Philippines National Privacy Commission has just issued a sweeping "please explain" order to 67 online lenders who allegedly violated the Data Privacy Act. Complainants to the NPC alleged the lenders collected contact information from their mobile devices and made contact with these third parties without their consent. In some cases, lenders even posted to customer social media platforms making threats about borrowers and sharing their personal information to wider audiences. This is a great reminder that privacy breaches are not only caused by criminal hackers and that we need to be equally mindful of deliberately intrusive privacy practices by agencies entrusted to protect their customers’ data.
Criminal attacks are still a major risk, however. A major public health organization in NZ — Tu Ora Compass Health — experienced a cyberattack that exposed the personal information of up to 1 million patients who enrolled with the PHO between 2002 and 2019. The PHO has been unable to confirm the extent to which patient files had been accessed in the attack, although it is unlikely that detailed medical files were compromised. Interestingly, the attack occurred in August, but the PHO sought to manage and address the breach, including understanding its scope, before publicizing it. While the upcoming mandatory breach notification regime in NZ will likely require notification much sooner than this, these sorts of cases will assist agencies in NZ to understand the complexities of breaches and create effective management and notification processes.
The IAPP ANZ Summit 2019 is just weeks away. We have an exciting recent addition to an already comprehensive program — the U.K. ICO Deputy Commissioner of Operations James Dipple-Johnstone and Data Protection Deputy Director Kevin Adams will join Sage Artificial Intelligence Vice President Kriti Sharma to give us an overview of GDPR enforcement against non-EU agencies 18 months on. This will be an unmissable opportunity to get an understanding of how one of the EU’s most respected DPAs is managing enforcement against agencies in the Asia-Pacific region. If you haven’t already done so, register online to grab one of the few remaining spaces at this unique event.
Finally, the IAPP has issued a call for speakers for next year’s IAPP Asia Privacy Forum, which draws hundreds of privacy professionals from across the Asia-Pacific region. This is a great opportunity for Australian and NZ thought leaders to share their immense experience and insights with the wider region. I’d encourage you all to consider making a proposal to speak.
I hope to see many of you in Sydney at the end of the month. Until then, enjoy the digest, and kia kaha (keep up the good fight).
Nga mihi nui,