Musings from Marrakech

I had the pleasure of attending the 38th International Conference of Data Protection and Privacy Commissioners in Marrakech. Although, for the first time, I wasn’t eligible to take part in the first day and a half of the conference, which is a closed session for accredited data protection authorities, I was able to participate in the open sessions and in the many side events. It’s the first time that the conference has been held in mainland Africa (two years ago it was in Mauritius) which, coupled with the first time accreditation of the Mali data protection authority and the telecommunications regulator from Cote d’Ivoire to attend the closed session, illustrates how data protection law is spreading within Africa. Indeed we were told that around 70 data protection authorities were present in Marrakech and that more than 110 countries around the world now have a data protection or privacy law.

It was good to see the ICO continuing to field a strong team at the conference lead by its new Commissioner, Elizabeth Denham. Of course Elizabeth was on familiar territory having attended the conference previously on many occasions, albeit representing Canada rather than the UK. This gave her a welcome foot in the door with, amongst other things, the ICO being the driving force behind a resolution, adopted by the closed session, committing the authorities to several concrete measures for strengthening international cooperation and effectiveness in enforcement.

The open sessions were interesting although there wasn’t too much said that was genuinely new and, as is often the case with conferences like this, there was too little time left for discussion and questions from the floor. The main topics and a few points of interest were:

• Data Protection and Privacy Law as a Driver in Sustainable Development – there was an interesting comment about how data protection, through its requirements for processes, transparency and accountability acts can act as a driver against fraud and corruption.
• Adequacy, Localisation, and Cultural Determinism – Bruno Gencarelli, Head of the Data Protection Unit in the European Commission said, perhaps encouragingly, that “adequacy” is not about looking for a carbon copy of EU law but is about finding a system which delivers what is essentially an equivalent level of protection to that delivered by the EU regime. Other comments were made about how data localisation is problematic but is about much more that data protection, particularly in financial services where it extends to banking confidentiality, security etc.
• Oversight and Accountability Principles for Government Access to Data – included a presentation from Joe Cannataci, UN Special Rapporteur on the right to privacy. He used UK examples for some of his critical comments about government surveillance, albeit that he did acknowledge that one of the reasons why he had chosen the UK  was because there is more openness about the system of surveillance here than in many other places.
• Technology and Science Trends: What Impact on Privacy? – much emphasis on the development of artificial intelligence and machine learning. How can “algorithmic transparency” and other meaningful information on the basis of decision making be provided to individuals?
• Digital Education – welcome work is being done by the OECD to try to gather an evidence base for government policy making on this and other aspects of data protection and privacy.

As is often the case some of the side events were rather more practically focussed than the main conference sessions. These events included one organised by the US Department of Commerce on the Privacy Shield and several around accountability focussing on demonstrating compliance to regulators, the challenges technology poses for effective governance and the role of risk assessment in accountability. There was also an event on Privacy Bridges. This had been the theme of the 2016 conference but had been somewhat undermined when the CJEU blew up one of the most significant, existing bridges, the Safe Harbor, shortly before the start of the conference. After a pause for reflection the architects of the various Privacy Bridges were keen to take work forward and will do so in the coming year, concentrating on the bridges concerned with transparency, and user control and not just on building bridges across the Atlantic.

So where now? Well it’s back from the souks, tagines and sunny weather of Morocco to the reality of the autumn chill of a UK heading for Brexit. The main themes emerging from the conference which were around the impact of robotics/artificial intelligence and around putting accountability into practice, will undoubtedly feature prominently again at next year’s conference. This will be in Hong Kong and promises to be bigger and better than ever, reflecting not just the commitment of the Hong Kong Commissioner, Stephen Wong, but also the ever growing significance of data protection and privacy law in the Asia Pacific Region.