Entries submitted

D1: Office of the Privacy Commissioner of Canada
D2: PCPD, Hong Kong
D3: PIPC, Korea
D4: Office of the Privacy Commissioner, New Zealand 
D5: Federal Trade Commission, US

D1 – Entry by: Office of the Privacy Commissioner of Canada

Description of the initiative:

On September 7, 2017, Equifax Inc. announced that an attacker had accessed the personal information of over 143 million individuals, including 19,000 Canadians.

The OPC carried out a complex investigation into the breach, which involved site visits in both Canada and the United States. The investigation concluded as well-founded and conditionally/partially resolved, significantly raising safeguard standards for this key industry player. These commitments were backstopped by the successful negotiation of a compliance agreement.

Why the initiative deserves to be recognised by an award?

1. Impact on market best practices

Equifax, as a key global player in the concentrated credit-monitoring industry, occupies a critical role in the collection, use and disclosure of highly sensitive personal and financial information. The OPC’s Equifax investigation led to safeguard improvements and commitments that are already elevating best practices and shaping behaviours in the financial sector. For instance, our Office took the stance that organizations such as Equifax should offer lasting protections to mitigate against enduring privacy risks. As a result, the standards for the protection of those affected by data breaches have increased.

An illustration of the aforementioned is reflected in a large-scale data breach announced by a leading Canadian financial institution that, subsequent to our findings, offered five years of credit monitoring to affected individuals (as opposed to one or two years), and is currently contemplating offering lifetime monitoring.

2. Transborder implications

The investigation highlighted the complexity of dealing with extraterritorial organizations. This included asserting our Office’s jurisdiction over the personal information of Canadians while dealing with Equifax Inc. in the US. It also reinforced the benefits of leveraging strong, collaborative relationships with international partners in the ever-evolving globalization of privacy risks.

Complete entry available here

D2 – Entry by: The Privacy Commissioner for Personal Data, Hong Kong (PCPD)

Description of the initiative:

Since June 2019, in light of the recent anti-extradition bill protests in Hong Kong, PCPD has received hundreds of cyberbullying reports on disclosure of personal data of government officials, police officers and their family members at online discussion forums and instant messaging platforms.

PCPD has taken a cross-disciplinary approach and engaged cross-border collaboration to tackle the incident in a timely and effective manner.

Why the initiative deserves to be recognised by an award?

As there is no specific law in Hong Kong on cyberbullying, the issues could be addressed by relying on different branches of the law, e.g. privacy violation, defamation and criminal intimidation. Acknowledging its lack of prosecution power, PCPD joined hands with the Police and set up a mutual notification and referral system to exchange intelligence and case-handling experience.

Since the control and use of personal data has become borderless, personal data protection could not be effected through the efforts of a single jurisdiction. Only cross-border collaboration could curb the spread of illegal posts in a timely manner and stop netizens from posting such content.

PCPD foresees the trend of international cooperation in combating cyberbullying-related crimes. PCPD’s initiative in handling such a large-scale cyberbullying incident could be a useful reference, if not an example to be followed, for its counterparts worldwide. In a nutshell, this initiative demonstrates the importance of cross-discipline and cross-border cooperation amidst legislative fragmentation in anti-cyberbullying laws.

Complete entry available here

D3 – Entry by: Personal Information Protection Commission of Korea

Description of the initiative:

The PIPC is responsible for mediating disputes. To that end, the Personal Information Dispute Mediation Committee (“Committee”) is established as a quasi-judicial body under Article 40 of the Personal Information Protection Act (“PIPA”) to mediate disputes with regard to personal data. It is a unique system in Korea, aimed at expeditiously providing redress for damages caused by personal data breaches.

Why the initiative deserves to be recognised by an award?

Personal data breaches or misuse/abuse of personal data have been raised as a social issue as rapidly growing ICT industries inevitably entail large-scale personal data processing. However, a number of data subjects lacking expertise in data protection do not have knowledge of how to access individual redress for data breaches or such information as laws and cases to refer to. In that regard, dispute mediation cases handled by the Committee and made public on its website will help them to understand and exercise their rights to data protection. Mediating disputes regarding personal data is significant in the sense that it makes it easier for data subjects to access redress and to mediate a dispute with the counterparty in an amicable way, without having to initiate legal proceedings that would cost them more time and money. It is also effective in arousing data controllers’ attention to data protection to eventually rectify bad practices in personal data processing in a timely manner. The cases upon which the Committee has made its final decision are made public on its website, which receives positive feedback from both data subjects and data controllers who can refer to such cases and reach a mutual agreement in advance.

Complete entry available here

D4 – Entry by: Office of the Privacy Commissioner New Zealand

Description of the initiative:

The Office of the Privacy Commissioner (OPC) launched an own-motion inquiry into the Ministry of Social Development’s (MSD) use of its information compulsion powers. OPC found that MSD had been misusing its powers and unjustifiably intruding on the privacy of thousands of New Zealanders.

OPC’s inquiry resulted in widespread public reporting. MSD also agreed to change their practice to comply with their legal obligations and undertake a review of their legislation to ensure consistency with recent privacy and other human rights jurisprudence.

Why the initiative deserves to be recognised by an award?

MSD’s failure to act consistently with their legal requirements affected vulnerable members of New Zealand society – those reliant on the state for support and assistance. OPC’s inquiry gave a voice to those affected by MSD’s failures and effected positive change for them.

OPC successfully brought about this change despite only having recommendatory powers, demonstrating OPC’s ability to successfully influence government through persuasive reporting.

Complete entry available here

D5 – Entry by: U.S. Federal Trade Commission

Description of the initiative:

In a historic settlement, the FTC imposed upon Facebook an unprecedented $5 billion fine, a new privacy structure for accountability at Facebook, and new tools for FTC monitoring of Facebook. The order requires Facebook to restructure its approach to privacy from the corporate board-level down, and establishes strong new mechanisms to ensure that Facebook executives are accountable for the decisions they make about privacy, and that those decisions are subject to meaningful oversight.

Why the initiative deserves to be recognised by an award?

The $5 billion penalty against Facebook is the largest ever imposed on any company for violating consumers’ privacy and almost 20 times greater than the largest privacy or data security penalty ever imposed worldwide. It is one of the largest penalties ever assessed by the U.S. government for any violation.

The settlement order also imposes unprecedented new restrictions on Facebook’s business operations and creates multiple channels of compliance.

“Despite repeated promises to its billions of users worldwide that they could control how their personal information is shared, Facebook undermined consumers’ choices,” said FTC Chairman Joe Simons. “The magnitude of the $5 billion penalty and sweeping conduct relief are unprecedented in the history of the FTC. The relief is designed not only to punish future violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations.”

Complete entry available here