A look at personal information protection activities in 2020 by international organisations and consultative bodies such as the UN, OECD, APEC and APPA
21:36 GMT, Saturday, November 28, 2020
Overseas trends are also presented in the 2020 Annual Report on Personal Information Protection. This article looks at the activities of the United Nations (UN), the Organisation for Economic Co-operation and Development (OECD), Asia-Pacific Economic Cooperation (APEC), the Asia Pacific Privacy Authorities (APPA) Forum, the Global Privacy Assembly (GPA) and the Global Privacy Enforcement Network (GPEN).
Overseas trends: international organisations such as the UN and OECD
- United Nations (UN)
The United Nations (hereinafter the UN), established in 1946 to prevent war and maintain peace, operates the UN Human Rights Council (hereinafter the UNHRC), which regularly and systematically reviews the human rights situation in UN member states and works to improve it, and which has adopted a range of resolutions. Although these resolutions are not legally binding on member states, they play an important role alongside the law as a standard for the protection of human rights.
Since the UNHRC's resolution on 'The Right to Privacy in the Digital Age' was adopted at the UN General Assembly in December 2013, the UN has carried out personal information protection activities that call on countries to respect and protect the right to privacy in digital communications and to review their procedures, practices and laws relating to the interception and collection of personal information.
According to the annual report submitted to the UNHRC in 2020 by Joseph Cannataci, the UNHRC's Special Rapporteur on the right to privacy, the UN's work in 2020 focused on privacy and gender, health data, the use of personal data by corporations, and security and surveillance. The Task Force on Privacy and Gender deals with the link between personal data protection and gender equality, and the Special Rapporteur declared that for three years from 2020 he plans to pay closer attention to the links between privacy, gender autonomy and the male guardianship systems found in many countries. The draft recommendations released with the 2020 annual report also set out countermeasures and recommendations for the impact of the gender gap on personal information protection in the digital age. The draft is based on research findings that privacy is experienced differently by gender and that these differences are compounded by race, age, socio-economic independence and other factors.
On the topic of health data and privacy, international standards for the protection and safe use of health data were unveiled at the UN General Assembly in October 2020. The Recommendation on the Protection and Use of Health-related Data, submitted to the UN General Assembly, points out that health-related data is highly sensitive yet also highly valuable commercially, that businesses collecting, using and selling health data are already thriving, and that concern about infringement of personal information is therefore growing. It provides best practices for data management that address specific problems such as electronic medical records, mobile apps, marketing, and access to health-related data by employers and insurance companies, and recommends taking into account the data protection needs of data subjects in specific situations, such as indigenous peoples, people with disabilities, refugees and prisoners.
In addition, the Task Force on Health Data declared that it plans to examine the proportionality and necessity of collecting DNA data from the entire population in certain countries, and to engage with the countries taking such action. On the use of personal data by corporations, two task force meetings were held: the first in Malta in March 2020 and the second in Brussels in September 2020. The meetings, attended by major technology companies such as Huawei, Deutsche Telekom, Microsoft, Facebook, Apple and Google, as well as civic groups, discussed major issues and best practices relating to transparency, artificial intelligence and the protection of children's privacy.
Since March 2020 the task force has been investigating personal information protection problems arising from the spread of new technologies and carrying out a range of related activities. Related topics under continuing discussion include data sovereignty, databases for digital forensics, the transmission of health data collected by implantable health devices and prostheses, artificial intelligence, machine learning and automated data processing. On security and surveillance, the International Intelligence Oversight Forum (IIOF) was held in the UK in October 2020 to investigate and review best practices for improving privacy practices and cases relating to the surveillance of individuals.
Meanwhile, Joseph Cannataci, the UNHRC's Special Rapporteur on the right to privacy, made an official visit to Korea from July 15 to 26, 2020, meeting the Ministry of Public Administration and Security, the Korea Communications Commission and the Personal Information Protection Commission to discuss and assess the current state of privacy protection in Korea. A report on the state of personal information protection in Korea, with the recommendations identified during the visit, will be submitted to the UNHRC.
- Organisation for Economic Co-operation and Development (OECD)
The Organisation for Economic Co-operation and Development (OECD) has played an important role in creating an environment in which personal information can flow freely across borders while privacy is respected, beginning with the International Symposium on International Data Transfer and Privacy Protection held in Vienna, Austria in 1977. Although OECD guidelines and recommendations are not binding under international law, the OECD Privacy Guidelines, which limit the collection and use of personal information, are influential because they are reflected in personal information protection laws and institutions in the United States, Europe and Asia.
At the annual OECD Ministerial Council Meeting (MCM) held in May 2020, the Principles on Artificial Intelligence, a current issue in every country, were adopted unanimously. The recommendation presents a vision of AI technology that embodies values, including privacy, and Secretary-General Angel Gurría stressed that safety and privacy are paramount in AI systems. Its core content consists of the principles of inclusive growth and sustainable development, human-centred values and fairness, transparency, security and safety, and accountability. Korea's Second Vice Minister of Science and ICT took part as chair of the OECD AI Expert Group. As the first AI recommendation established by an international organisation, the declaration is expected to serve as a key guideline for the future development of AI and robotics technologies.
The OECD also works continuously to protect the rights and interests of children in the online environment. A study of the risks children face and of child protection policies began in 2011, and on that basis a policy decision on child protection and recommendations on strengthening domestic and international cooperation were presented in 2012. Since February 2020 the OECD has been working to update the existing recommendations to address the situation facing children in today's digital world, such as threats to personal information and the transformation of data, and through its policy note 'Growing Up Online: Addressing the Needs of Children in the Digital Environment' it is examining the importance of policy measures to respond to this situation.
- Asia-Pacific Economic Cooperation (APEC)
Asia-Pacific Economic Cooperation (APEC) has operated the Cross-Border Privacy Rules (CBPR) system, a global personal information protection certification scheme, since 2011. CBPR is a global certification system that evaluates the level of personal information protection at companies; it was introduced to facilitate e-commerce in the APEC region and to secure the mutual transfer of personal information between member economies. APEC regularly holds senior-official-level meetings, and through the Data Privacy Sub-group (DPS) of the Electronic Commerce Steering Group (ECSG) it analyses personal information protection trends in the APEC region and in major international organisations and monitors members' implementation and operation of the CBPR system.
At the ECSG DPS meeting in Santiago, Chile in February 2020, the revision of the APEC Privacy Framework was discussed. The discussion centred on the introduction of the right to move personal information (data portability), and the results of an analysis of the expected effects and side effects of introducing the right, together with examples of its introduction by individual members, were presented. Members agreed on the need for a cooperative framework for discussing the issues and will continue to discuss the matter.
By 2018, eight countries including Korea had joined the CBPR system, and in 2020 the Philippines submitted an application to become the ninth member. Six certification bodies (three in the US and one each in Japan, Singapore and Korea) operate in four of the eight countries, and about 20 companies, including Apple, HP and IBM, have obtained CBPR certification. Looking at the activities of countries with CBPR certification, the United States is researching ways to use technologies such as certification review tools, based on consultations among its three certification bodies, and is promoting the spread of the system through cooperation between certification bodies. As the number of certified companies grew, 23 CBPR and 6 Privacy Recognition for Processors (PRP) certifications had been obtained as of March 2020.
In addition, the United States-Mexico-Canada Agreement (USMCA), signed following the renegotiation of NAFTA with Canada and Mexico, provides an opportunity to expand the digital economy and promote CBPR. Japan hosted the 51st APPA Forum, where it shared the status of its CBPR promotion, and held CBPR promotion seminars at home and abroad. With Paidy, Inc. obtaining CBPR certification, the number of certified Japanese companies rose to three; last year CBPR sessions were held at the 40th ICDPPC side event and the 50th APPA Forum open conference, and Japan continues to promote the system by holding CBPR workshops for companies at home and abroad. In Singapore, the Info-communications Media Development Authority (IMDA) has been designated as the certification body, and in the first year a policy of reducing certification application fees was pursued to encourage SMEs to obtain certification; accordingly, two companies are considering applying.
Korea, for its part, is steadily promoting activities to spread the CBPR system domestically by analysing best practices in CBPR/PRP certification. Furthermore, by adding CBPR certification as a requirement for the overseas transfer of personal information alongside the existing Binding Corporate Rules (BCR), it is expected that certified companies will be guaranteed free cross-border transfer. Canada is looking for a certification body to operate the CBPR system and is considering designating overseas certification bodies; it is expected to lay the groundwork for operating CBPR after the October 2020 federal election, and TrustArc is considering applying to become a CBPR certification body. Australia, having expressed its intention to join in 2017, officially joined the CBPR system in December 2018 and is recruiting domestic certification bodies to operate the system. Taiwan has established a Personal Data Protection Office to oversee personal information protection policy and interpret related laws; its major tasks will include cooperation with the EU, such as responding to GDPR-related issues and analysing national laws for an adequacy assessment.
- Asia Pacific Privacy Authorities (APPA) Forum
The Asia Pacific Privacy Authorities (APPA) Forum, established in 1992, is a forum for discussing legislative and new-technology issues in the field of personal information protection. At each forum, member supervisory bodies share domestic personal information protection trends and exchange views on cooperative measures such as joint investigations of personal information breaches. As of December 2020, the commissioners of 20 organisations (including state governments) from 12 countries, including Korea, the United States, Australia and Singapore, participate as member organisations.
At the 51st APPA Forum (May 2020, Tokyo, Japan), New Zealand, speaking on 'terrorism and social media', referred to the response to the Christchurch terrorist attacks led by the Prime Minister of New Zealand and the President of France immediately after the attacks, and urged governments and technology companies to act in a coordinated way to prevent social media use from leading to extreme violence and terrorism. On 'overseas data transfer', an official from the U.S. Department of Commerce explained regional trends, including the EU General Data Protection Regulation (hereinafter GDPR), which focuses on privacy and data protection, as well as China's strengthening of national security and cybersecurity requirements for foreign companies and its rising market entry barriers. He also pointed out that the compliance cost burden on multinational corporations is greatly increased by the existence of so many different regulations, and said that interoperability between regulatory systems needs to be established, taking into account each country's different legal system, economic strength and culture.
On the same topic, Korea's Personal Information Protection Commission introduced the relevant domestic laws, emphasised the need for consistent standards for interoperability between international agreements on overseas data transfer, and described the government's efforts, including ongoing discussions. On children's privacy, the UK announced that the GDPR's child privacy protection requirements were reflected in its revised data protection law in 2018 and that it is enacting the Age Appropriate Design Code to protect children as digital citizens. The code applies to services likely to be accessed by children and, in the best interests of the child, recommends that 'high privacy' be the default setting unless there is a compelling reason otherwise and that geolocation be set to 'off' by default. On the same topic, the U.S. Federal Trade Commission presented major sanctions, including those against online dating apps, imposed in enforcing the Children's Online Privacy Protection Act (COPPA), and emphasised the obligation to comply with the Act when processing children's personal information.
At the 52nd Forum (December 2020, Cebu, Philippines), Hong Kong and the UK presented their experiences with facial recognition technology in relation to personal information protection in the conduct of public affairs. As part of its smart city plan, Hong Kong had planned to install smart lampposts equipped with traffic volume detection, weather/air quality detection and panoramic cameras in four areas, but announced that the plan has been suspended due to concerns about personal information infringement; it emphasised that safe and desirable installation should be achieved through the use of privacy-friendly technology and greater transparency in personal information processing. The UK presented a case of police use of facial recognition technology in public places and explained the background and side effects of its use; in particular, it shared the findings, recommendations and future plans of the UK Information Commissioner's Office (ICO) regarding the use of facial recognition technology by the London police and South Wales Police.
On the topic of the right to data portability, Australia reported that it had introduced the right, in the form of the Consumer Data Right, by reflecting the relevant EU GDPR concept in an amendment to the Competition and Consumer Act. The right is intended to create a level playing field for competition by allowing consumers to give consent with a clear understanding of the products and services they will use. It will apply first to the financial sector, followed in turn by the energy and communications sectors. On the same topic, Singapore announced that it had gathered public opinion on the scope of data, data porting and the controllers subject to the obligation to guarantee data portability, that the key feedback concerned the need for the obligation and the resources required to comply with it, and that clear data types, formats and standards need to be established to reduce costs.
Meanwhile, the Korea Personal Information Protection Commission noted that SMEs need support to properly understand and comply with each country's data protection regulations in connection with trade negotiations, particularly in a digital economy where new technologies and digital commerce are developing rapidly and the need for cross-border data transfer is growing rapidly. To this end, it proposed opening an English-language 'Common Portal for Sharing Personal Information Legal Information of Member States' at the APPA level. Member supervisory bodies agreed on the need to share legal information through a common portal and agreed to open and operate it. The Macau Personal Information Committee, the current lead of the communication working group, plans to carry out further related projects in cooperation with working group members such as the Korea Personal Information Protection Commission.
- Global Privacy Assembly (GPA)
The Global Privacy Assembly (GPA), whose predecessor was the International Conference of Data Protection and Privacy Commissioners (ICDPPC), adopted its new name at the 41st General Assembly (October 2020, Albania) and has continued its existing activities. Since its establishment in 1979 to promote personal information protection, dialogue and cooperation among member organisations, and information sharing, it has held a regular general assembly once a year to discuss major changes in personal information protection legislation and new technologies. It plays an important role as a global forum for personal information protection by adopting relevant resolutions and seeking joint responses to major global privacy issues through the formation and activities of working groups.
At the 41st General Assembly held in Tirana, Albania in October 2020, the supervisory bodies of Chile, Gabon, the OECD, San Marino, and Sao Tome and Principe were approved as full members. The reappointment of the chair, Elizabeth Denham of the UK ICO, was approved, and Burkina Faso's CIL and Argentina's APIA were elected as new executive committee members. The assembly agreed on six strategic priorities: ① developing global policies, standards and models for the future development of the conference and protecting human rights in the digital age; ② cooperation in regulatory action and sharing of best practices; ③ human rights and social protection; ④ economic governance and the digital economy; ⑤ democratic rights and political processes; and ⑥ data governance in the public sector.
In particular, as the general assembly is pursuing the elevation of the conference body to an international organisation with a permanent secretariat, the conference is expected to retain its functions and structures in the future. It was agreed to change the name of the conference body from the ICDPPC to the Global Privacy Assembly (GPA). The 41st General Assembly also adopted five resolutions: ① a plan for cooperation among supervisory bodies to strengthen effective cross-border enforcement; ② privacy as a fundamental human right and a prerequisite for other fundamental rights; ③ cooperation between personal information protection supervisory authorities and consumer protection organisations; ④ understanding the role of human error in personal information breaches; and ⑤ research on social media and online violent extremist content. At the side event 'Enhancing Personal Information Awareness and Capacity Building in Asian Countries', participants discussed the situation in Asian countries and measures for mutual cooperation in raising awareness and building capacity, and gathered opinions on the need to keep expanding international cooperation to create an environment for protecting and using personal information in a global digital setting. It was also observed that the participation and voice of Asian countries remain insufficient compared with the United States and Europe, and a consensus was formed that Asian countries should actively work to increase their participation and interest in the future.
- Global Privacy Enforcement Network (GPEN)
The Global Privacy Enforcement Network (GPEN) is an international network established in June 2007 in accordance with an OECD recommendation; through it, OECD member countries share personal information issues and experiences and promote cross-border cooperation in personal information protection. As of December 2020, 50 countries and 69 supervisory agencies participate. GPEN promotes information exchange and cooperation among member organisations through online or video conferences and offline meetings. Video conferences are usually held once every two months, at which one or two countries present and discuss major personal information protection trends, such as recent legislative developments and the status of GDPR responses. In addition, once a year the privacy enforcement agencies hold a GPEN-led initiative called the Sweep, an annual joint event in which member organisations cooperate to protect individuals' privacy rights.
The 2020 Sweep, conducted from the end of September to the beginning of October, covered the topic of data breach notification. Data protection authorities (DPAs) sent a pre-written questionnaire to organisations handling personal information, with indicators covering awareness of the data breach notification framework in the workplace, internal procedures for handling data breaches, the response system for data breaches, breach management, and prevention of future breaches, in order to understand the current state of data breach response at those organisations. Of the 1,145 organisations asked to respond, 258 submitted responses (a 21% response rate), and data breach notification was found to be mandatory in only 12 of the 16 countries where the supervisory bodies participating in the Sweep are located.
About 98% of respondents were aware of the relevant legal framework, and only five organisations had low awareness of it. In addition, 86% of respondents have internal guidelines to help employees recognise data breaches or potential breaches, and 84% of respondents across sectors and countries have designated a team or unit responsible for managing data breaches. Beyond internal reporting, 84% of respondents had policies or procedures in place to notify external parties (affected individuals or regulators) of a breach, but only 74% of respondents gave the affected parties an appropriate level of information. On breach management, 83% of respondents said they keep records of data breaches or potential breaches, while the rest were found to have no such program. On preventing future breaches, only 65% of respondents said they took measures to prevent recurrence after a data breach occurred. The organisations that took such measures said that the work of notifying breaches and keeping records allowed them to understand breach trends and so try to find the root causes of breaches.