Postcards from Hong Kong

你好 Hello from Hong Kong!

The second installment of our “Postcards from…” series comes from the other side of the world at the Shangri-La Kowloon in Hong Kong where I was privileged to represent NAI member companies during the 39th Annual International Conference of Data Protection and Privacy Commissioners on September 25-29, 2017.  The event was hosted by the Honorable Stephen Wong, Hong Kong’s Privacy Commissioner for Personal Data.

The conference theme, “Connecting West with East in Protecting and Respecting Data Privacy,” was echoed throughout the event and my time in Hong Kong.  Southeast Asia is a place steeped in tradition.  Conference participants enjoyed regular welcome teas and showed respect by presenting business cards to our colleagues with two hands.  Nightly light displays showcased Hong Kong’s amazingly colorful skyscrapers along Victoria Harbour.

Hong Kong was an apropos venue for the conference.  Commissioner Wong noted that its “one country, two systems” principle makes it uniquely qualified to bridge Eastern and Western data cultures; perhaps that’s one of the reasons Hong Kong boasts one of the largest concentration of data centers in Asia.  The conference was a great opportunity to talk with privacy commissioners and their staff from all over the world. Together, we considered the great opportunities, and great challenges, posed by our increasingly global, data-driven society.

Here are a few highlights from our discussions:

• Data drives the day: In his opening remarks, Commissioner Wong noted that the age-old saying of industrialization – “He who controls petroleum, controls the world” – has changed.  In today’s technologically advanced world, the saying should be, “He who controls data, controls the world.” Wong stressed that laws and policies need to balance two necessities: the free flow of data for commerce and the protection of data for privacy.  He explained that a successful data economy depends on transparency and control, and noted that ethical and responsible data use is paramount.
   
• Beating breaches: In today’s online marketplace, data breaches happen globally and frequently. Hong Kong, Japan, Korea, and the Philippines have all experienced individual consumer data breaches at a similar scale to the many well-known U.S. data breaches. Security is an increasingly important aspect of consumer privacy. In fact, the Honorable Raymund Liboro, Privacy Commissioner and Chairman of the National Privacy Commission for the Philippines, had a remarkably straightforward recommendation – “If you can’t protect it, don’t collect it.”
   
• Self-regulation for success: Participants in a panel hosted and moderated by Bojana Bellamy, President of the Center for Information Policy Leadership, argued that corporate responsibility and best practices are essential to a successful data-driven economy. They explained that the law simply isn’t sufficient to protect data, and that accountability and enforcement must embrace a value system that is designed to produce good outcomes. While deterrent sanctions may have a limited effect on future behavior, they advocated a system of motivated voluntary compliance, such as self-regulation, for constructive engagement and effectiveness.
   
• Responsible robots: Artificial intelligence and machine learning pose special challenges for data use and ethics. One conference panelist described these technologies as creating a “dilemma” at the intersection of ethics, privacy, artificial intelligence, machine learning, and public policy and regulation. Some conference participants argued for a new approach to data in an AI world, for example, privacy protection, accountability, individual empowerment, and a weighing of societal benefits by a “data steward.”  But others urged caution in such an approach and suggested that existing cultural values, privacy by design frameworks, and risk factors can span cultural differences and build effective ethics structures.  This conversation was a great segue to next year’s 40^th ICDPPC themed, Ethics and Dignity.  The 2018 conference will be held jointly in Brussels and Sofia, Bulgaria.

Our next postcard will be mailed from the land of waffles, chocolate, and beer…Brussels!  Our new Vice President for Public Policy, Will Carty, and I will attend the IAPP Data Protection Congress and some key GDPR readiness meetings with our colleagues from the IAB Europe.  Stay tuned!