Event Recording

Graham Williamson - Privacy in the Asia Pacific: CBPR vs. GDPR


Session at the Consumer Identity World 2017 APAC in Singapore

Now for something completely different. I'm going to be talking about one of APAC's best kept secrets, and you all came to KuppingerCole to hear about this sort of stuff, so I'm very pleased to be here. Actually, can I just say one thing: I'm very pleased that we've got this event happening. This is the first KuppingerCole APAC event, in fact, and I'm very pleased to be part of that. I guess everybody has noticed KuppingerCole, but I just want to emphasize that there are three legs to the stool, not just events. There's a large research repository you need to look at, and there are also analyst services, if you'd like to take advantage of that. Now I'd like to start with a quick agenda. We're going to talk about privacy.
We're going to go into cross-border privacy rules and then some next steps of what you can do about that. But I'd like to start with this. It's a Martin Kuppinger slide that basically says, whatever we're talking about here, let's keep in mind that we're talking about people. When it comes to privacy, we are talking about the people that are a part of your organization, and these people could be employees, could be contractors, could be partners, could be your customers, but they're all people. And they all want to work with devices, and they need to connect to you with devices, and you've got to support a lot of devices. And, as you know, increasingly it's things, and you're going to need to make sure that you accommodate what people want to do with things, that is, protect their access to those things that turn things on and off.
And it's protecting access to the data that these sensors are collecting. So keep in mind that at the center of all of this is things. When it comes to consumer IAM, by the way, KuppingerCole does take a little bit of a different approach than some of the other analyst organizations. We don't see that hard and fast division between CIAM and the identity data management you do within your organization. Granted, they're probably going to be instantiated with different products, but in terms of thinking through what you need to do about identifying people, regardless of whether they're a staff member in your company or a customer that's buying things from you, they are people. And, at least from a strategic point of view, think through the fact that we are dealing with people that have identities, we're dealing with people that have different roles in dealing with us, and we need to accommodate all of that.
So, suffice for the introduction. What now do we need to grapple with when it comes to privacy? Well, there are the citizen concerns, or customer concerns, and then there are the company concerns. And what CBPR, the Cross-Border Privacy Rules in APAC, does is try and balance those two together. So, rather than GDPR, which is very much coming from the point of view of what do I, as an individual, want to do to protect my privacy, CBPR says, well, that's fine, but what do we need to do in terms of the companies that want to actually do some business here, and we try and make a balance between them. So the citizens, obviously, have concerns about where our information is being kept, and this point has been made several times here. In Australia, we don't want to give the government any more than we have to.
And we would prefer that the information we give to the tax department is kept very separate from the information that we give to the health department, which is kept very separate from the information that we give to immigration. So we like to keep that separate, and we'd like to manage that. We want to make sure that our information is being kept private, obviously, and treated properly. And that's a big concern when it comes to AI. I think, actually, men have more of a concern than women. I don't know, this could just be my very small sphere, but I see my wife: she doesn't mind giving information to Woolworths. She's got an Everyday Rewards card with Woolworths that says, all of this information I've got on you allows us to provide you better services.
So Woolworths know that we like our coffee, so my wife will often get an email saying coffee's on special at Woolworths and here's a coupon for you to get it cheaper, because they know when she turns up to buy coffee, that's not all that she's going to buy. So she's quite happy doing all of that. I think men are a little bit more cautious and say, hmm, there's a lot of information that these companies are collecting on us, and is it all being used properly? When it comes to the company concerns, the issues there are: how does Woolworths make sure that they don't treat the information they're getting badly? How do they make sure that they keep, in my situation, the Australian government happy? Because Australia does have some pretty stringent privacy regulation that was brought in in 2014.
And so organizations that transgress that privacy are open to problems. But now what about the company that must deal across borders? And in APAC, we've got that problem, haven't we? There are many companies in Singapore that sell outside of Singapore. They're selling into the Philippines, into Indonesia, into Thailand, into Australia. How does that poor company know what's happening in the regulatory sphere within these other jurisdictions? Well, quite frankly, they don't. They're relying on the fact that there's nothing really in place for a customer in Thailand to come and say, you transgressed my privacy. They're relying on the fact that that is unlikely to happen, but as we shall see, that's changing.
So we've now got these Cross-Border Privacy Rules, and I'm going to tell you a little bit more about that in a minute, but I wanted to compare it with GDPR. And I must admit, I'm a bit of a voice in the wilderness when it comes to KuppingerCole, because GDPR looms so large within the organization. But I say, Martin, don't forget CBPR. And in fact, the first advisory note on this topic is about to come out, and there's an early version of it there, if you would like to pick it up on your way out. GDPR, as everybody knows, relies upon a very tight coupling between the member states in Europe. The member states in Europe have come together and said, this is how we are going to manage privacy across the whole jurisdiction.
Well, fat chance of doing that in APAC. We have to grapple with the fact that we've got all of these different sovereign states that have all got different privacy regulation, and we needed a mechanism to bring that together. In terms of the GDPR, as we've heard, it's pretty stringent, right? It's the strong punitive elements behind GDPR that make companies want to comply. We don't have that with CBPR. We are relying more on the negotiation and relationships between the enforcement agencies within countries. So that's just sort of a comparison between the two, because that was required by the title of this presentation. So what's the objective here? Cross-Border Privacy Rules basically say, what we want to do is provide more frictionless trade between our countries within APAC, but at the same time make sure that the individual's privacy is maintained.
So the trick is to say, okay, Singapore company, you can ship your product into all of these other countries. How do we make sure that you are protected in terms of the privacy regulation? And more importantly, how do we make sure that the people you're dealing with, your customers, have their PII protected? If I've got certain rights within my own country, how do I know that when I'm dealing with this foreign company, my privacy rights are protected? History: this started a long time ago. It's through APEC, the Asia-Pacific Economic Cooperation, where this started back in 2004. And then there was this common, or I shouldn't say common, it's called the privacy framework. The APEC Privacy Framework that came out in 2007 is an opportunity for companies to normalize their privacy details against a common set of privacy regulations.
So, within the APEC countries, within this privacy framework that's been put up, there are nine principles, and they're in the report if you want to have a look at that, but nine principles behind privacy. And so if a country now wants to join the CBPR, they take their privacy principles and map them against the privacy principles that are in the framework and determine how they're going to deal with any anomalies there. So, for instance, in Australia, we've got 13 privacy principles. So the Australian government is mapping those 13 against the nine within the framework and determining how they're going to deal with anomalies. So that's up to the country to do that. There are already some that have signed up as part of it, and we've got seven committees. So what we can see is there's a critical mass; I would say by the end of 2018 we'll have a critical mass here.
From that point on, it's going to be something that people are going to really be wanting to see. In terms of the nine, by the way, you can see how they're covering basic issues when it comes to principles, and you need to make sure that your activity within your country can be mapped. So, for instance, the PII data collection: it's generally accepted now in virtually all countries that have privacy legislation, and that's actually a prerequisite. There are some countries in APAC that don't have privacy regulation in place yet; they can't participate in CBPR. But provided you've got that data collection, we've got to make sure, like within Australia, that you cannot collect any more information than you need for a particular transaction.
I've got to tell you a story. I took my wife to a theatre visit a couple of years ago, and it doesn't happen very often, but anyway, it was quite a good experience. I went onto the website and they show you the layout of the theatre, and for your particular show, it shows you what's available and you choose the seats you want. And that all worked very well. Then the next screen said, well, what's your name and address? I thought, they don't need my name and address to sell me a seat. So I put in Mickey Mouse, 123 Anywhere Street, Anywhere USA, and went to the next screen, and that collected my money: it put me through to the payment service and they collected the payment for it. And that worked very well. Then the next screen, when it came back from the payment service, said, okay, we'll mail you the tickets.
So I quickly tried to go back, back, back to actually put in my address, and the session crashed. So I had to call them Monday morning and say, hi, this is Mickey Mouse. So they did actually send me the tickets out to Mickey Mouse at the post box I gave. But you're not allowed to collect more information than you need. And that point was made actually by Matthias, what he tried to do, or did actually, at the hotel where they wanted to see your passport. They didn't need all of the information in Matthias's passport to give him a key to the room. And we, as the people who understand this sort of stuff, have got to be much better at saying, you can't do that. So you mustn't collect any more information than you absolutely have to have. You've got to give the individual the ability, and this is where consent comes in.
You've got to allow them to say that they are agreeing to this particular transaction that they're going to go through. You need to make sure that that information's protected. It's not satisfactory to have a situation where your information gets stolen. As soon as that's happened, the company has not complied with privacy laws and they could be penalized for that. So you can map all of your particular principles in your own country to these nine and see where they fit, and the trick is for the enforcement agencies to determine how that's going to happen. So what happens within a particular country is the country regulator, and in Singapore it's the, oh, what's the government body called in Singapore that does the data protection?
Data Protection. That's the one. They're the enforcement agency for Singapore, or will be. Singapore gave their intent in September, so by next year they'll be part of CBPR. And so they'll be responsible for the enforcement within Singapore. In Australia, it is the Australian Office of the Information Commissioner. They'll be the body that does the enforcement there. And then within each country there needs to be at least one accountability agent. An accountability agent is the person or entity that's responsible for certifying companies to the mechanism. So there's a certification that allows the companies to say, look, you come in and you audit my business processes that collect or use PII, and you make sure that it complies with the security regulation in our country. And once they've done that, they get to say that they're CBPR certified, and then any citizen within a CBPR country can deal with that company and can know that.
Should there be any problem, they can go to the enforcement agency in their country, and that enforcement agency will take up that issue and will investigate and will take action if action is needed. Okay, so that's where it is at the moment. I'm imagining Singapore is setting that up. Australia agreed at the APEC meeting in Vietnam in November, last month. Australia's agreed to it, so they're going through that activity now. And it is publicly available: how the enforcement happens, how the audit happens is publicized, and how the enforcement happens is all publicized too. So you can get all of the information on the program; it's all transparent. So right now, North America is well represented in CBPR, as well as Japan. Japan is fully signed up to CBPR. In terms of where we're going, those ones that are shown there have all indicated that they are going to be standing up to CBPR.
So one of the next steps, if you're a multinational company, or if you're advising a multinational company, do encourage them to do their audit now. As I mentioned earlier today, there has been some pushback, with companies saying, well, why should I put all of this money into an audit? Well, there are two reasons. Number one, it's going to make sure that you improve your processes, because you're not going to go and get audited until you've done it yourself and done an internal audit, and fixed up the processes, and done all of the things that GDPR wants, which is make sure that you've got somebody that's looking after PII data in your company. If you don't have a data controller in your company in Europe, you are silly, because if your enforcement agency comes to you and says, who is your data controller?
And you say, no, that's not a good look. So, you know, as we move into CBPR, it's going to require companies to be much better at saying, okay, we are a company that looks after people's privacy. So, employees, make sure you do that properly. And by the way, we've got somebody that's looking after our PII. It's going to raise the, what do they say, a rising tide lifts all boats. That's what we're going to be doing by following CBPR within our company. So do encourage your company to do that, because they've got to map PII against the framework, and they've got to make sure that there's an accountability agent that you can go to, to get certified. And indeed you might know some organizations that might want to put up their hand to provide that service. If you are working in a country that doesn't have that, you know, I think multinational companies tend to have some clout, and they need to go to their country regulators and say, look, CBPR would allow me in the longer term to reduce friction within trade. It will relieve me of having to worry about privacy regulation in the countries with which we're dealing. And it also gives you, I think, a promotional benefit. If you've got that CBPR certified mark, I think citizens are probably going to feel a little bit more comfortable entering their personal information into your website when they're doing business with you. So that could be the promotional capability. So what do we think? Do we think that this is a good idea or not a good idea? We have one: good idea. Fact of life.
Excellent. Let's say good idea.

But there's an issue: every time there's a new regulation like this, it makes life much more complex. So we talk about how even companies in Asia have to comply with GDPR, PDPA, and now practically actually do that.

Okay. Well, in fact, there's no new regulation here, so that makes it easy. What does that mean? Well, the privacy regulation already exists. The problem is, as a company dealing transnationally, I either have to understand the regulation in every country that I'm dealing with, or I just sign up to CBPR. It's the lowest, it's a normalization; I don't like the term lowest common denominator. It's a normalization of privacy within that. So, whether GDPR has been aligned with that, there has to be some talk of that. And I'm told that there has been some discussion with the APAC bodies as far as, is there something we can do with GDPR? So I have no idea how far along that is. Based on the slide on the differences, I do perceive that they're very different animals, and how they can be brought together, I'm not sure. I do think, though, one of the factors that has accelerated the interest in CBPR is the US issue with Safe Harbor, and the problem they have with that. Countries are not happy with just letting it happen anymore, and they want some framework through which they can do this properly. And the US is part of CBPR now. We had another question.

You had a wonderful slide of differences, right? Why is it so complicated? This is like a governmental issue, to find one common ground and say, this is the regulation.

I suggest that the big ones have no interest in that.

Oh, then absolutely. Okay. Coming back to the first bit of the first one, though, it all comes back to people; we are dealing with humans. And when it comes to CBPR, it does rely on one human being talking to another human being and saying, does it make sense? What happened to it? Has there been an infraction here? Do we agree there has been? Well, then let us do something about it. Whereas the GDPR itself, that's dictated. So there's a bit of a different nuance there between the two.
You said they are different; nonetheless, companies try to, or have to, comply with both CBPR and GDPR for different reasons. And if they follow an assess-once, comply-many approach, is there overlap when it comes to controls? How big is that overlap?
It's an interesting question. Yeah. I mean, if there is agreement between CBPR and GDPR, what at least that would mean is there's a common body that will actually investigate things, right? So GDPR, for instance, would rely on the Australian Information Commissioner's office picking up the phone when somebody from an enforcement agency in Europe calls, and they'll get involved. The CBPR formula makes that, you know, there's a process that they must follow in order to do that. And if GDPR taps into that, there's a potential for CBPR being used for GDPR enforcement.
I would argue for that, because the things that you are pointing at, where the differences are, are largely implementation kinds of things. And the basic principles that you put on the screen are identical; CBPR and GDPR are identical. It's only the underlying implementation of how the enforcement and things are going to happen. And so having a global agreement that this is the way that we want people to, seems like absolutely the right way to.