“Our Commission, [is] composed of one chairperson and eight commissioners, [who] are set to act by their own will,” explained Junichi Ishii, Director for International Affairs at Japan’s Personal Information Protection Commission, at PrivacyNama 2023′s Data Protection Commissioners Roundtable. “They should not be affected by any other powers, including the prime minister of Japan. So, as such, the independence of the Personal Information Protection Commission is ensured.”
The roundtable, moderated by Malavika Raghavan (Senior Fellow, Future of Privacy Forum), also featured Valborg Steingrimsdottir, Head of Data Security and Auditing at the Icelandic Data Protection Authority. The two regulators shared their experiences of enforcing and refining data protection laws in their home countries. These edited excerpts highlight how they identify data protection issues and address areas for reform, all while working within the ambits of their respective data protection laws.
The discussion comes against the backdrop of India’s recently passed data protection law, which also sets up a regulator to ensure compliance with the law, the Data Protection Board of India. While questioning the Board’s limited remit, commentators have also remained concerned that the Indian government will appoint its members, which could impact its ability to adjudicate fairly on privacy matters.
This discussion was organised with support from Meta, PhonePe, Google, and Salesforce, and in partnership with CUTS and the Centre for Communication Governance.
Malavika Raghavan, Senior Fellow, Future of Privacy Forum: How are your authorities located under your parent legislations in your jurisdictions?
Valborg Steingrimsdottir, Data Protection Authority, Iceland: The Icelandic Data Protection Authority is an independent authority, which means that it doesn’t take orders from other authorities, such as the Ministries. The law that provides for our duties is mainly the Icelandic Data Protection Act, but also various other acts, such as the Act on Scientific Research [which deals with] the use of health data…Our Data Protection Act incorporates the European Union’s General Data Protection Regulation, on the basis of the legal framework for the European Economic Area.
I consider our duties mainly two-fold. On the one hand, we have to carry out supervision, or surveillance. Also, we resolve disputes regarding data protection, and we also examine, for example, data breach notifications and sometimes have to act on them. On the other hand, we have a supporting role, and we must provide especially other government entities with guidance, education, opinions and so forth. The Icelandic Data Protection Act also provides that our surveillance authority issue rules on electronic monitoring, appropriate security measures, specific rights of the data subjects, retention time, deletion and so forth. The Act also stipulates that we issue credit score agencies with a permit, and based on that, the surveillance authority issues permits with specific provisions for the processing of personal data that occurs for this purpose.
In issuing both rules and permits, we have to stay within the framework of the law, because according to Icelandic constitutional law and the principles of administrative law, we cannot issue rules that are not directly based on the Data Protection Act. However, as with the European General Data Protection Regulation, the Act contains a lot of discretionary principles, so we can use these principles to set a clearer and more transparent framework with the rules and the permits that we issue.
Junichi Ishii, Personal Information Protection Commission, Japan: The Personal Information Protection Commission is also an independent data protection authority in Japan, established based on our data protection law called APPI, the Act on the Protection of Personal Information.
The Commission was established in 2016, while our data protection law was enacted in 2003, and took full effect in 2005. So, we had 11 years where we did not have any independent supervisory authority for personal information protection. In that time, we had a multilayered supervisory regime—16 government authorities had the competency to supervise the handling of [specific] personal information. For example, the Ministry of Economy, Trade and Industry supervised businesses in general, the Ministry of Internal Affairs and Communications supervised communications network businesses, and the Ministry of Finance supervised financial institutions, and so on. But, such a supervisory scheme was very complicated, and we decided to establish a single independent authority to supervise the handling of personal information.
[Going back to its founding] our Commission was started more precisely through an amendment of the APPI…it was [originally] established in 2014 to monitor the handling of a kind of national identification number called ‘my number’. The specific commission [for My Number] was reorganized to cover personal information in general. When the Personal Information Protection Commission was established in 2016, it was only handling the personal information [collected] by private sector entities. Our Commission and the APPI have now committed to [regulating] both private sector and public sector entities, including national government agencies, as well as local governments.
Our Commission has several missions, including monitoring and handling personal information and enforcement of the law. We also have the face of a policymaker, so we are entitled to administer the law. For example, we conduct a review of the law every three years, which is very important, and if necessary, draft possible amendments to the law.
The Commission is composed of one chairperson and eight commissioners. The Secretariat, from which I join today, exists to support the Commission. The Secretariat is composed of about 200 officials. Out of 200 officials, about 20 are officials for international affairs, which is the team I represent.
Malavika Raghavan, Senior Fellow, Future of Privacy Forum: What are the top three pieces of advice for rule makers at the start of [implementing] a brand new law?
Valborg Steingrimsdottir, Data Protection Authority, Iceland: For us, what has been probably most important is our independence. I think it’s very important that the data protection authorities are independent units within the government. What we have also found very important is enhanced cooperation with other European countries since the data protection regulation was implemented. This gives us both a wider knowledge of what is going on everywhere else and how they are resolving their issues. It also helps us in arguing our cases here, [so] that we are not alone in regulating in the way that we are. The third piece of advice would be to have good human resources and efficient procedures.
Junichi Ishii, Personal Information Protection Commission, Japan: Well, I read a news article recently reporting that the Minister of State [for Information and Technology] in India said that several regulatory authorities other than the Data Protection Board could establish their own rules on cross-border transfer of personal data.
But if I may, my advice is that the rules and regulations should be as simple as possible for the sake of compliance by the entities that are bound by such rules and regulations.
Malavika Raghavan, Senior Fellow, Future of Privacy Forum: I think the departure point for India here is that in our final data protection act, we have a Data Protection Board, but this is very much an enforcement and complaints kind of body, and it doesn’t actually have rule-making authority. The other thing then is that the rule-making and regulation-making under the Act really goes back to the Central government ministries…I suppose my first big question then is, what would you do differently if you thought that this was the Ministry making the rules?…Given our situation in India, does that actually substantively change the prioritization of rule-making?…Does it have an impact?
Valborg Steingrimsdottir, Data Protection Authority, Iceland: I’m not sure I have an answer to your question, because as I mentioned earlier, the rule-making [in Iceland] is according to our constitutional and administrative law…And that applies also to the ministries, they also have to act within the law. So, if we are talking about issuing rules based on law, it’s always congressional legislation that has the final say.
Junichi Ishii, Personal Information Protection Commission, Japan: In general, under the Japanese legal system, we as a government agency could establish rules and regulations delegated by law within the scope of [parent] law. We cannot establish any new obligations or rights by rules or regulations, other than [those] originally prescribed in law.
Speaking of our personal information protection legal system, we have only one law, the APPI. It delegates several elements to rules and regulations. For example, the APPI delegates the details of [prescribing] the personal identification ‘code’ to cabinet orders first. The cabinet order then further delegates [outlining] more details of the personal identification code to rules established by the Commission. In Japan, we have a multi-layered regulatory and legislative structure with regard to personal information protection. That might be a cause for complaints from businesses, that it’s very difficult to understand the whole regulatory framework for personal information.
Malavika Raghavan, Senior Fellow, Future of Privacy Forum: If we can go into the substance of the kinds of areas as well that are to be prioritized, one area that has already come up in both of your comments is this idea of the international transfers and cross-border [data transfer] rules. What would be your advice for rulemaking in that area, given that clearly it is also influenced by the background of several geopolitical negotiations that go on? Just to frame where we are coming from, in the Indian legislation itself, there are no restrictions on data transfers unless notified by the Central government. The rulemaking authority will come [from the Centre] for notification on restrictions, or blacklisting, as we call it. Interestingly, there’s no objective criterion to guide the [government’s] discretion.
Junichi Ishii, Personal Information Protection Commission, Japan: Our personal information protection law, APPI, has regulations on the cross-border transfer of personal data, they were introduced by the first amendment [to the law] made in 2015. I’m not sure if I could say this, but I heard that the main reason to introduce them was to obtain the adequacy decision from the European Union [under its General Data Protection Regulation]. And as you may know, after three years of negotiation, we at last achieved the mutual adequacy decisions between Japan and the European Union.
The APPI recognizes three main tools [for regulating transfers]. One, is the designation of foreign countries. The APPI has a scheme to designate foreign countries to which the personal data can be transferred, in a manner that is the same as domestic transfers of personal data. The second is the safeguarding of personal data by arrangements between data exporters located in Japan, business operators that the APPI applies to, and data importers in foreign countries. The third tool is explicit consent by individuals.
We had to elaborate on how the Personal Information Protection Commission designates foreign countries as doors through which personal data can be transferred. We also had to clarify what kind of instruments business operators could use to transfer personal data, and to safeguard personal data [exchanges] between the data exporter and data importer. These elements were delegated to Commission rules and we elaborated requirements. Of course, business operators can rely on contracts between entities relevant to the cross border transfer of personal data. But, there is another element which is certification. Internationally recognized certification can be used as an instrument to safeguard personal data transfers.
[Also] if I remember correctly, we have five requirements for [country-specific APPI] designation. One is, of course, equivalent protection of personal data. But, interestingly, we had other requirements such as the possibility of mutual cross border transfer flows of personal data. For example, the country to be designated does not have a policy of so-called data localization. Another important thing is that the foreign country to be designated should have an independent supervisory authority for personal data protection, similar to Japan’s. Actually, we have only designated the European Union and the United Kingdom [under the APPI].
Valborg Steingrimsdottir, Data Protection Authority, Iceland: For international transfers, we are entirely bound by the decisions of the European Commission as to which countries are considered safe third countries. Further than that, we have the European Data Protection Board’s guidance regarding which measures are sufficient when transferring data to unsafe third countries. We have a seat in the European Data Protection Council, which advises on the matter. So, we are taking part in the conversation.
But, we have found that it is very complicated to deal with, especially when we look at the cloud-based services, which are our main concern, because of strict requirements on encryption, for example. So, it becomes very technically complicated. This, as you mentioned, might be a reason for us to consider setting out some broader guidelines. But, of course, we are bound by our European framework.
[But, in general] our legislation, as it sounds like your legislation as well, is based on some broad principles, which we have to interpret in each case. The requirements we make for data processing depend on the nature of the data, as well as who the data subjects are, and the nature of the processing. That also could be the grounds for setting out some rules that apply in different fields, because then you can have more transparency in what requirements we are making regarding each category of data.
Malavika Raghavan, Senior Fellow, Future of Privacy Forum: Could you tell us a little bit more about the process of rulemaking itself? So when you pick up a particular area for rulemaking, how do you approach it? What are the generalized kinds of rulemaking processes and requirements that you put in place around transparency and accountability? And also the process of rulemaking, both externally, in terms of consultation, and internally: is there a kind of broad framework or anything that you follow?
Valborg Steingrimsdottir, Data Protection Authority, Iceland: We do make our own policies when it comes to our surveillance. Each year we issue a policy where we state what will be our priorities in the next year. This is the policy we always look to when we are making decisions on where we are going to put out our resources.
In recent years, we have prioritized the protection of children’s data, as well as the protection of health data. First, the children’s data is specifically protected under the GDPR. And as to the health data, in Iceland, we have extensive centralised collection of health data by the government, which is categorized as sensitive data. And we have also done [or issued notices on] how political parties use social platforms to target advertising to potential voters based on profiling. That was due to the British Information Commissioner’s Office’s investigation of similar matters, as well as we also became aware that the Icelandic political parties are using these social platforms to a great extent. So, all this has resulted in our surveillance being focused a bit too much perhaps on public entities. So, now for the next year, I think we are going to try to focus a little bit more on private entities.
[On the question of identifying problem areas for regulatory attention] we don’t issue any specific rules regarding this specific data processing, but we conduct our surveillance. We audit and investigate. Where we decide to audit and investigate usually depends on the information that we are receiving anonymously or by, for example, a complaint, or if we get a lot of data breach notifications regarding a specific processor. Unfortunately, we have been a little bit understaffed or underfunded in recent years, so we haven’t been able to do as much as we would like.
But, based on the cases that we are getting notifications about, we have, for example, been looking at cloud-based services in the health sector, and we have been looking at cloud-based services in the elementary schools, for example, [those] using Google.
Junichi Ishii, Personal Information Protection Commission, Japan: In Japan, we have an Administrative Procedure Act that generally prescribes the procedures to establish a final cabinet order, or enforcement rules, including the Commission’s rules under the APPI. The Act prescribes that we have to go through public consultation if we establish any rules or regulations that affect the rights and interests of individuals. Commission rules delegated by the APPI certainly affect the rights and interests of individuals. So, we have to go through the public consultation with our draft of the cabinet order, as well as Commission rules. We also go through another consultation process with stakeholders before we go into public consultation procedures. Then we prepare the draft, and go through the public consultation, and then establish rules and regulations.
Malavika Raghavan, Senior Fellow, Future of Privacy Forum: One thing that has emerged from this conversation is that it’s not so linear. It’s very interesting for me to hear that rulemaking or regulation and the draft rules intersect with enforcement in some sense. You have your rules, and then you see through your surveillance and supervision that certain areas require more regulation or attention. So, given your vantage points as regulators, and also people with the responsibility of making regulation, how do you pick what needs your immediate attention and what does that timeline look like?
Valborg Steingrimsdottir, Data Protection Authority, Iceland: It’s better to have some data to base your decisions on. We try to use our complaints and data breach notifications [for this] and we get anonymous notifications too. We try to use it to build up some data to try to see some patterns.
But, other than that, we have also mapped out [risk areas]. For example, based on the GDPR, we look at which categories of data should have specific protection, which data subjects need specific protection, and whether there are great risks connected to this specific processing. These are the three basic criteria we look at.
For example, when we look at the data breach notifications, we don’t only look at where we get a lot of data breach notifications. We also look at where we are not getting data breach notifications. For example, we have three large banks in Iceland. We have a lot of data breach notifications from one bank. And then some from the second. And then, I think, none from the third. That also gives us a cause to look into what is happening there. Because I’m sure there are data breaches happening there, but why aren’t they notifying us? What is going on? So, gaps in data also give us clues.
Adding on to that, we know here in Iceland we have a lot of centralized data in the hands of the government, because we are a Scandinavian welfare state. That has led to our surveillance being aimed a lot at public entities. But, more and more private entities are collecting more and more data. And that’s what we would like to prioritize—[investigation into] where a lot of data is being collected, and looking at the three criteria I mentioned earlier.
Junichi Ishii, Personal Information Protection Commission, Japan: Speaking of cabinet orders and Commission rules, their contents are specifically prescribed in law. So, we have no choice over selecting what topics we prefer to prescribe rules on. We just do what the law delegates to us, what the law orders us.
[Just to add] we have another layer [of guidance], which is the guidelines under the Commission rules. Maybe this is unique to Japan, but our guidelines contain binding parts. I understand the guidelines based on the [EU’s] GDPR do not contain any binding parts. Mostly these binding provisions [in the Japanese context] are [on] changing the words of laws, or cabinet orders or Commission rules. But, other parts of the guidelines are not binding, like the reference for businesses to prepare their compliance with laws and regulations. So, our ability to select the focus area might be in the guidelines. That is a more flexible [way] for us to show the details or clarification on the regulation of personal information protection.
Maybe the first step [to developing rules and guidance] will be the inquiries made by businesses or individuals. At the Personal Information Protection Commission, we provide windows for such inquiries. As a policymaker, we regularly have communications or exchange of opinions with business, academia, or some other stakeholders. They bring us insight on what areas we should focus on next, and maybe whether we can amend guidelines as needed, or make clarifications.
Malavika Raghavan, Senior Fellow, Future of Privacy Forum: So, Valborg, you mentioned the centralized data within your government, a kind of Scandinavian welfare state. We also have a very data-fied welfare state in India. In fact, many would say that the right to privacy judgment, that really preceded and put the coals in the fire for our data protection act, came out of a constitutional case revolving [around] biometric data usage and storage under our biometric ID. So, in that sense, it’s also very connected to Japan’s ‘my number’ ID and its overlap with data protection issues. So, overall, how do you see your role when you are undertaking this kind of surveillance [of the government]? How do you negotiate that relationship?
Valborg Steingrimsdottir, Data Protection Authority, Iceland: So far, we have been focused on health data. We have genetic information that is all stored in a kind of private entity—but there is great cooperation between that private entity and our general public hospital system, especially connected to scientific research on health data. So, we have this law on scientific research based on health data. Based on that act, we have to monitor specific aspects of these research projects. But, we also have other public entities that are monitoring other aspects of research too. So, there has been a bit of collision there.
For example, we had several cases during COVID-19 where there was this collision between this specific private entity, which stores all our genetic information, and the public hospitals doing research on COVID-19 patients. We had three major decisions where we came to the conclusion that there was a breach of both the Data Protection Act, as well as this act on scientific research. We found [it] was a bit difficult to cooperate with the other surveillance authorities, because we were not in complete agreement on how to interpret these acts. But, this is something that we take very seriously, because especially these research projects, where you collide health data and genetic data, can have great consequences for people.
Junichi Ishii, Personal Information Protection Commission, Japan: The My Number Act is administered by another government authority, not the Personal Information Protection Commission, which deals with the APPI. We are just an enforcer, regulator, and a supervisor of the handling of My Numbers by other ministries. So, in those terms, there is no room for conflict of interest between the Personal Information Protection Commission and other ministries.
But, as I said earlier, the Personal Information Protection Commission has the face of the policymaker administering the APPI itself. So, it is a challenge for us to avoid conflict of interest in terms of policymaking, regulating, enforcing, and supervising the law. If I understand correctly, we have a firewall between the team competent to enforce the law, or the monitoring and supervision divisions, against the policymaking division.
To add to that, our Commission, composed of one chairperson and eight commissioners, are set to act by their own will. They should not be affected by any other powers, including the prime minister of Japan. So, as such, the independence of the Personal Information Protection Commission is ensured.
Malavika Raghavan, Senior Fellow, Future of Privacy Forum: Could you share anything more about how you use guardrails or requirements [against the government] in those internal discussions?
Valborg Steingrimsdottir, Data Protection Authority, Iceland: We are an independent body, so we don’t have an obligation to negotiate [with the government]. But, of course, it’s better to be in some kind of understanding, especially with other surveillance authorities. It requires a conversation and an open dialogue. That’s the best way forward.
Malavika Raghavan, Senior Fellow, Future of Privacy Forum: Junichi, I wanted to come to you on this point on the question of children’s data, and whether you’re currently considering rules for that.
Junichi Ishii, Personal Information Protection Commission, Japan: My understanding is children online will certainly be one of the topics that will be addressed in the course of the next three-year review of the APPI. I’m not sure if those discussions will lead to any amendments to the law, Commission rules or guidelines. Considering that many, many data protection regulators all over the world are now focusing on children’s data protection issues, we at the Personal Information Protection Commission should also discuss and deliberate on what we could do too.
Malavika Raghavan, Senior Fellow, Future of Privacy Forum: In India, we have the option of exempting certain classes of data fiduciaries, certain state instrumentalities and state entities from the application of the act. Do you have any thoughts on that?
Valborg Steingrimsdottir, Data Protection Authority, Iceland: Regarding our exemptions, the courts in Iceland are exempt from the Data Protection Act when they are conducting [proceedings] in their judicial powers. Recently, I think it was in 2018, the European Court of Justice concluded that the courts’ conversations with journalists about what is going on within their courts are something that falls within the scope of when they are acting in their judicial power.
Therefore, we consider now that almost nothing that happens inside the courts is under the jurisdiction of the Data Protection Act. That is something that we would like to review when we are reviewing our legislation, because in Iceland, the courts publish almost all their decisions on their websites. It’s very extensive publishing, and there is a search engine. And of course, within the courts, there is a lot of sensitive data, there is a lot of health data and so forth. This is very intrusive processing for the individuals. So, this is something that we would like to review.
Perhaps, it’s not the solution that the Icelandic Data Protection Authority should have surveillance of the courts because they need to have their independence. But, we consider that it is important that they have to apply to the Data Protection Act, nonetheless.
Junichi Ishii, Personal Information Protection Commission, Japan: The APPI also has exemptions. They are applied to broadcasting institutions, news reporting institutions, professional writers or religious institutions. This may be different from the GDPR, but political parties are also exempted by the APPI. That’s because the APPI respects freedom of expression, freedom of religion, and freedom of political activities.
So, we at the Personal Information Protection Commission do not have any power to supervise and enforce the law on these exempted entities. That would be a point to be discussed in the course of review of the APPI in the future. But, amendments to the APPI are to be done by the National Diet, which is composed of political parties, so it might be difficult for us to achieve such amendments. That may be a headache, my personal headache [laughs].
Malavika Raghavan, Senior Fellow, Future of Privacy Forum: Do you have any other pieces of advice that you would like to end with knowing what you know now about our context?
Junichi Ishii, Personal Information Protection Commission, Japan: When the data protection authorities are established in India, the important thing [to keep in mind] is cooperation with foreign counterparts and authorities, and to understand other legislative bodies and other legal systems and philosophies. [It is important to remember that] the legal system has to make its own rules and regulations, and that [they also] are aligned as much as possible to international norms.
*This piece was updated at 1:39 p on 8/11/2023 to correct a typographical error.