Public consultation on the Privacy Act – Submission – Graham Greenleaf

Cette soumission n’est disponible qu’en anglais.

Graham Greenleaf, Professor of Law & Information Systems, UNSW Sydney

The University of New South Wales | UNSW Sydney NSW 2052 Australia
T: +61(2) 9385 2485 | F: +61 (2) 9385 1245 | ABN 57 195 873 179 | CRICOS Provider Code 00098G
Sydney | Canberra | Australia

This invited submissionFootnote * responds to the Discussion PaperFootnote 1 issued by the Canadian Department of Justice concerning reform of the Privacy Act, which regulates data privacy issues in Canada’s federal public sector. No draft Bill is provided with the Discussion Paper.

Contemporaneous with the reform of the public sector law, the Minister for Innovation, Science and Industry introduced a Bill for the Consumer Privacy Protection ActFootnote 2 (known as Bill C-11), which (if enacted) will replace Canada’s private sector legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA) which also dates, largely unchanged, from the late 1990s. Bill C-11 is described by Canadian commentators as ‘Canada’s GDPR moment …[the] biggest privacy overhaul in decades’Footnote 3 However, questions remain concerning whether its provisions are strong enough to ensure that Canada’s positive ‘EU adequacy’ status is renewed, because of its lack of specific provisions concerning data exports, among other reasons.Footnote 4

Canada therefore has the opportunity to update both of its rather antiquated public and private sector laws, and to do so in a way which maximises consistency. It is unfortunate that the Discussion Paper refers only to aspects of PIPEDA, rather than exploring the possibilities for innovation and consistency found in the terms of Bill C-11. The opportunity to guarantee consistency by enacting one comprehensive national law has not been taken, but Canadians can still obtain the benefits of modern innovative and consistent data privacy laws if the two Ministries and the Parliament aim to ensure that this happens.

Executive summary

The principal recommendations made in this submission are as follows:

  • The Discussion Paper is structured around an out-of-date (1980’s) OECD model of data privacy law. A new Privacy Act should instead focus on current international privacy standards exemplified by the EU GDPR and Convention 108+. To the extent that Canada’s private sector laws including Bill C-11) meet these international standards, consistency is desirable.
  • Definitions require modernisation. ‘Personal information’ must be as broad as in the GDPR, and should include inferred (derived) or created information. ‘Administrative purposes’ have no useful role in limiting the scope of the Act and should be scrapped. ‘Federal public bodies’ should be defined to ensure that nothing ‘falls through the cracks’ between this Act and the private sector laws. ‘Sensitive information’ needs to be recognised and defined.
  • New rights are needed. Protections proposed for automated decision-making systems are not strong enough, needing a right to a ‘human in the loop’, a right to challenge any such decisions, to obtain a human-understandable explanation. Rights to reasonable security safeguards, and mandatory data breach notification are obviously essential.
  • Allowing personal data to be used and disclosed wherever reasonably required for any and every function or activity of a federal public body, not only the activity or function for which it is collected, is unjustifiable and ignores international standards of data minimisation.
  • De-identification proposals have fundamental flaws because they are based on deeming a particular technical process to be effective, irrespective of the reality of re-identification. Making re-identification research a criminal offence is a case of ‘shoot the messenger’.
  • Failure to define when personal data exports are allowed is dangerous and not sustainable.
  • The Privacy Commission needs powers to issue orders in relation to any breach of the Act, not just in relation to access questions. To give the Commissioner discretion to decline/discontinue complaint investigations is easily open to abuse.
  • To allow direct complaints to the Courts, and allow appropriate NGOs to act for complainants, would help give the Act effective teeth.

‘Third generation’ principles for reform are needed

Canada’s Privacy Act dates largely from the early 1990s, when fewer than twenty countries globally had data privacy laws, and it reflects the ‘first generation’ of international data privacy principles, particularly the OECD privacy Guidelines of 1980, and some parts of Convention 108 of 1981 (but omitting other principles). These principles were superseded by the much stronger protections found in the ‘second generation’ of data privacy principles embodied in the European Union’s data protection Directive of 1995 (and corresponding 2001 amendments to Convention 108). By 2011 most data privacy laws outside Europe had already adopted principles based on the majority of the stronger principles found in the EU Directive,Footnote 5 The OECD Guidelines remained largely unchanged in substance in their 2013 revision, and have not been a significant fact of global data privacy developments since the end of the1980s.

However, PIPEDA’s ten privacy principles were comprised by the Canadian Standards Association (CSA) Model Code of 1996,Footnote 6 which in turn was based on the OECD Guidelines of 1980. These ten 1980-vintage headings now form the structure around which this Discussion Paper for revision of the Privacy Act is based, even though they are not the basis of PIPEDA’s successor, Bill C-11. Nostalgia is a poor basis for public policy.

Modern reality is that there are now 145 countries with data privacy laws, and in recent years most new laws, and reforms of existing laws, have been influenced very strongly by the EU’s General Data Protection Regulation (GDPR) of 2016,Footnote 7 most of the significant principles of which are also found in the ‘modernised’ Convention 108 of 2018 (‘Convention 108+’), which together constitute a ‘third generation’ of international data privacy principles.

Canada’s 1985 public sector law is therefore something of a relic, and its revision gives Canada the opportunity to raise its standards to those of a modern ‘third generation’ data privacy law. As well as providing significantly stronger protections for individual Canadians, such a modernisation would benefit Canada as a country, and Canadian businesses, by strengthening Canada’s case for renewal of its ‘adequacy status’ by strengthening the protections of personal data when it comes into the hands of Canadian government agencies.

Such a public sector modernisation would also mean that Canada would have a much stronger case for being able to accede to Convention 108+, which would have many significant long-term advantages for the free-flow of personal data between Canada and other Parties to this increasingly global data protection treaty.Footnote 8

Such an approach would be completely consistent with the ‘three supporting pillars’ proposed for the reforms – respect for individuals ‘fit for the digital age’; accountability ‘that is meaningful and transparent’, or in others words ‘demonstrable’; and adaptability through being principles-based rather than unnecessarily prescriptive. But it calls for a ‘fourth pillar’, consistency with current international standards, as the Discussion Paper suggests (p. 4). However, this is not assisted by treating all such standards as though they are of equal value. The OECD Guidelines and the APEC Privacy Framework reflect the past history of data privacy, whereas the GDPR and Convention 108+ reflect the future.

‘Consistency’ between Canada’s public sector and privacy sector principles and legislation is also necessary, as the Discussion Paper acknowledges (p. 4), but this now means that references to PIPEDA in the Discussion Paper need to be superseded by consideration of Bill C-11, in whatever form that Bill emerges from the legislative process. Basing such consistency around a set of principles largely derived from the 1980s-vintage OECD Guidelines does not seem a sensible starting point.

Canada is one of the few jurisdictions in the world to treat the OECD Guidelines as having such a high degree of significance in the development of data privacy laws, but this perhaps reflects the key roles that Canadians have had, and continue to have, in their development (or lack of such).Footnote 9

Despite the above references to Bill C-11, the valuable and modern aspects of that Bill are merely one example of the legislation which is being enacted world-wide that reflects the latest international standards for data privacy represented by the GDPR and Convention 108+. Irrespective of Bill C-11, it is these international ‘gold standards’ to which Canada’s public sector law should aspire.

Structure of this submission

The rest of this submission follows the numbering of issues adopted by the Discussion Paper, and adopts a similar point-form presentation. At various points important details (sometimes whole principles) have been relegated to four Annexes, making it difficult to ascertain whether the Discussion Paper heads, or the Annexes, are more important. The Annexes are also discussed. Until an exposure draft Bill is available for comment, the proposals will remain unclear.

  1. Changing the title of the Act

The Discussion Paper does not suggest an improved English title. Perhaps ‘Federal Public Sector Data Privacy Act’ would have the virtue of being descriptive.

  1. Modernizing the purpose clause to better reflect the Act’s broader objectives

The proposed objectives of the Act could usefully include the objective of consistency with modern international data privacy standards.

It would also be valuable for the Act to explicitly state that it aims to include dissuasive sanctions against breach of its provisions, and appropriate and accessible compensation for those harmed by such breaches.

  1. Incorporating personal information protection principles from international models in the Privacy Act

As discussed above, the proposed starting point (see Annex 1, 1.2) is fundamentally misguided because it regards a set of principles ultimately derived from the OECD Guidelines of 1980 as its starting point. ‘Interoperability’ must be selective. For example, ‘interoperability’ with APEC Cross-border Privacy Rules (APEC-CBPR), by allowing data exports to US companies merely because are certified as CBPRs-compliant, is sufficient to disqualifies a country obtaining positive EU adequacy status.

  1. Clarifying concepts

Comments on some definition proposals:

  • Changing ‘government institutions’ to ‘federal public bodies’ may make sense. Surely the test should be whether any bodies/controllers not covered by a provincial Act are covered by either PIPEDA (or now Bill C-III) or this Act, unless there is an explicit statutory exemption from any coverage (eg individuals for household affairs). Preventing bodies from falling between the cracks and becoming ‘privacy free zones’ is a recurrent problem in jurisdictions with split legislation such as Canada.
  • For international and domestic consistency, the definition of ‘personal information’ should be at least as broad as that contained in the GDPR, otherwise adequacy issues are likely to arise, and the international relevance (‘interoperability’?) of case law will decrease. There is considerable current discussion of this issue in relation to reform of Australia’s Privacy Act 1988.Footnote 10
  • Limiting protections so that they only apply when personal information is used for ‘administrative purposes’ directly affecting the individual concerned, is a very unusual restriction, unknown in other jurisdictions. The Discussion Paper is correct that it would not cover some types of AI processing. Merely to broaden the definition to include ‘any practice involving personal information that could directly affect the individual, whether or not a decision-making process was involved’ will not solve the problem, because it does not answer why any uses of personal information should be allowed unless they comply with normal principles. This would in fact result in a de facto version of the proposed ‘de-identified’ uses exemption (but without de-identification). The best solution is simply to abolish the ‘administrative purposes’ requirement.
  • A few countries such as Singapore and New Zealand do not create any special rules for ‘sensitive information’ but (as Japan found) this is likely to cause problems with EU adequacy assessments.
  1. Updating rights and obligations, and introducing new ones

Some proposed new rights deserve strong support:

  • To ‘extend the right to access one’s personal information’ to foreign nationals who are not present in Canada’ is an obviously desirable reform, and one which may be necessary for Canada to have its adequacy status confirmed, because of the greater emphasis now placed by the EU (including the CJEU) on rights of EU residents in relation to data accessed by foreign governments.
  • Automated decision-making systems (such as artificial intelligence tools): have been recognized since the 1995 EU Directive as requiring special protections, and this has been reinforced by the GDPR, although it is often perceived to be a GDPR innovation. The Discussion Paper recognizes the importance of this topic, but is anemic in suggesting only measures for ‘enhanced public awareness’. It is now generally recognized that there should be a right to insist on a ‘human in the loop’ (GDPR art. 22). In some jurisdictions there is also a right to challenge any such decisions, and/or to obtain a human-understandable explanation of the automated processes involved. The GDPR also forbids any such automated processing of sensitive data, with limited exceptions (GDPR art. 22). Similarly, Bill C-11 provides that ‘If the organization has used an automated decision system to make a prediction, recommendation or decision about the individual, the organization must, on request by the individual, provide them with an explanation of the prediction, recommendation or decision and of how the personal information that was used to make the prediction, recommendation or decision was obtained.’ The Privacy Act should do the same, and both Canadian Acts should give a right to human intervention in such decisions, as GDPR article 22 requires.
  • All data privacy laws include a specific obligation to (at the least) provide reasonable security safeguards, often supplemented by specific regulations. This Act is a complete outlier in not including such requirements.
  • Since the first draft GDPR (2011), the 2013 OECD Guidelines revision, many US state laws, and some Canadian provincial laws, the requirement of mandatory data breach notification (MDBN) have become commonplace in data privacy laws around the world. It is time for this law to do likewise.

Other proposed new principles are discussed in Annexure 1 (pgs 25-27):

  • Accuracy – The ‘administrative purpose’ limitation is far too restrictive, has no equivalent in laws elsewhere, and serves to create ‘privacy free zones’ for some information. It should be abandoned.
  1. Updating rules on the collection, use, disclosure, and retention of personal information
  • Limiting collection to data ‘reasonably required’ (or, better, ‘necessary’) for the purpose of collection is part of data minimisation, an essential principle since 1995. The proposed limitation to ‘where it is reasonably required for the federal public body’s functions or activities’ may seem at first glance to be a moderate implementation of data minimisation, but this would be to ignore the vast range of ‘functions or activities’ that some public bodies now have. It would be wrong, and contrary to the principle of data minimisation to allow an agency to collect information it might ‘reasonably require’ for a vast range of functions, when it is in fact collecting personal data for a very narrow specific function. Collection should be limited to what is reasonably necessary for the purpose of collection. It is reasonable for that purpose to be able to be interpreted broadly enough to include ‘functions and activities’ which are normally associated with that purpose of collection, but not every function or activity that might be undertaken by the body.
  • The proposal that the factors that must be taken into account by federal bodies (and ultimately the courts), in order to determine what is ‘reasonably necessary’ should be spelled out in the legislation, is desirable. The four factors proposed to be included are useful but inadequate, because there is no reference to the reasonable expectations of the individuals from whom the information is collected.
  • The proposal that the Act should make if clear that ‘created or derived personal information is a “collection” ‘ is desirable, but must also be coupled with the inclusion of ‘created or derived personal information’ in the definition of ‘personal information’. Similar reforms are proposed for the revision of Australia’s Privacy Act.Footnote 11
  • Limiting subsequent use and disclosure is an essential aspect of data minimisation. The Discussion Paper proposes to continue to allow uses and disclosure that are ‘compatible’ with the original purpose of collection (possibly coupled with a definition of ‘compatible’ and examples). At the least, subsequent uses and disclosures should require that the reasonable expectations of the individual the information is about must be taken into account. The set of factors which it is proposed (above) should be taken into account in determining the limitations of collection could also be required to be taken into account here (as the Discussion Paper suggests, but in a more limited context, on p. 15).
  • At one point use and disclosure is proposed to be allowed where ‘reasonably required for a purpose in the public interest’ (Annexure 1 pgs 25-27), but it seems that this is to be limited to being a residual discretion held by the head of a public body, to be used when no other grounds for secondary use or disclosure are available (p. 15). The only proposed constraint on this dangerous open-ended power is ‘an associated record-keeping requirement for such decisions to allow review by the Privacy Commissioner’. This is not protective enough. There should also be a requirement that the data subject is informed that the use or disclosure has taken place, to enable them to pursue remedies if they consider this is in breach of the Act. If agency heads seeks an exemption on the grounds of national security or criminal investigation, they should be required to seek the advice of the Privacy Commissioner prior to the use or disclosure.
  • A separate principle requiring deletion (ie non-retention) is needed, and is proposed, where the purpose of collection has been completed. Specific provisions allowing for longer retention (eg for archives), as proposed, are common in other countries’ laws.
  • All of these matters should be dealt with in a consistent fashion in both the Privacy Act and Bill C-11.
  1. Allowing a greater role for ‘de-identified’ personal information

The Discussion Paper attempts to dismiss the significance of the dangers of re-identification of personal information, by prefacing its support ‘Despite some well-known anecdotes of de-identified personal information being subsequently re-identified…’. These ‘anecdotes’ are in fact well-documented accounts of horrendous data breaches through failed attempts at de-identification A particularly egregious data breach by the Australian government in relation to Medicare records led the Australian Privacy Commissioner to comment that ‘The first [lesson] is that the de-identification of large and rich datasets for publication to the world at large is extremely difficult’.Footnote 12

The proposals in the Discussion Paper have fundamental flaws because they are based on deeming a particular technical process (defined ‘de-identification’) to be effective, and then deeming other uses of this ‘de-identified’ information not to be in breach of the Act provided appropriate protections are taken. This will be so whether or not the information can, in fact, be re-identified. There needs to be provisions that allow de-identification schemes to be terminated whenever it is shown that re-identification is possible.

Bill C-11 also deals with de-identification, requiring that technical and administrative protections be proportional to the purpose of use of the de-identified data, and the sensitivity of the data.Footnote 13

The Discussion paper then proposes to ‘Create a specific offence for re-identifying personal information that has been de-identified, or for wilful attempts to do so’. In contrast, Bill C-11 creates an exception to any such an offence when re-identification is attempted ‘in order to conduct testing of security safeguards…’ (ie to show to the alleged de-identification is not in fact effective). Such as exception is also necessary in the Privacy Act, if de-identification is not to be based on the principle of ‘shoot the messenger’.

As Geist puts it: ‘De-identification has emerged as a major issue in the world of big data, with many organizations relying on de-identified data for a wide range of purposes. As the public battle over Sidewalk Labs in Toronto demonstrated, some object to any use of their data, even if de-identified’.Footnote 14 This issue deserves far more detailed consideration than it is given in the Discussion Paper, and failure to do so will inevitably result in major problems emerging.

  1. Introducing stronger accountability mechanisms in the Act

In relation to data exports, ‘stronger’ is only correct relative to a very low starting point:

  • The data export restrictions proposed are the weakest possible ‘trust us’ approach, requiring only that exports of personal data by Canadian agencies are ‘consistent with current Government policy’, and that there should be a ‘written agreement’ for such transfers. The Discussion Paper gives only a vague indication of what standards such agreements must meet. For example there is no requirement that the standards of protection in the foreign destination must meet or exceed Canadian standards of protection, and must be realistically enforceable by Canadian citizens.
  • Seen from the perspective of either a Canadian concerned about where their government will allow their personal information to be exported, or a third country questioning whether it is safe to allow their citizens data to come into the hands of a Canadian agency, these proposals offer no reassurance. Unfortunately, neither does Bill C-11 provide a model answer, as it has no clear provisions on trans-border data flows.Footnote 15 The Discussion Paper’s attempts to avoid this issue are not sustainable, as it will recur until a principled answer is developed and adopted.

Other proposals are much more positive:

  • The proposed obligations on federal agencies to implement privacy by design (PbD), privacy impact assessments (PIAs), and obligations to have a Privacy Management Program (PMP) are each desirable, and reflect ‘third generation’ data privacy principles. Unfortunately, PbD and PIAs are absent from Bill C-11, despite their strong antecedents in provincial Canadian laws.
  • The proposal to legislate a requirement to determine which federal public body (or bodies) is responsible under the Act for shared personal data resources is valuable.
  1. Modernizing transparency practices

Some of the proposals in this section are worthwhile, although the more significant aspects are relegated to Annexes.

  • Enhancing transparency around indirect collections and secondary uses’ involves publishing information on a website after personal information collected for one purpose has been used/disclosed (and thus collected) for another purpose. This approach is really a fig leaf which leaves individuals uninformed about how their personal information is used, and it must not become an excuse to loosen the requirements for justification of unanticipated secondary uses and disclosures. Japan had difficulty with the EU over a similar practice.
  • New proactive publication requirements’ are worthwhile, but it should not be regarded as surprising that PIA and PMPs should actually be published so that the public can consider their justifications. However, anything that removes opportunities for non-disclosure by agencies is worthwhile, if the experience of countries like Australia is any guide.

Other proposed new principles are discussed in Annex 1 (pgs 25-27) and Annex 3 (pgs 36-39), and it is difficult to see why they have been relegated to the Annexes:

  • Accountability requiring proactive demonstration along GDPR lines (better called ‘demonstrable accountability’ to distinguish it from the largely useless OECD version) is very valuable, and a significant ‘3rd generation’ principle.
  • Chief Privacy Officers are proposed to be required for federal agencies (Annex 3,2), to support an agency’s compliance with the Act, even though the head of the agency would ultimately be responsible. This is probably useful, but it is not comparable with the position, independence and responsibilities of a Data Protection Officer under the GDPR (GDPR, arts. 37-39).
  • ‘Enhanced transparency for complaint investigations and oversight powers’ (Annex 4.2) is perhaps the most important type of transparency that a data privacy regime can exhibit, the transparency of how the Commissioner applies the Act to resolve complaints, with details of the remedies that are provided when the Act is found to have been breached. The proposal for ‘a statutory direction to publish advance opinions, decisions around processing access requests, and complaint investigation outcomes, including decisions to decline to investigate, final reports and orders, and compliance agreements’ is a superb recommendation, and goes beyond what is found in the GDPR (and in fairness, is indirectly suggested by the 2013 revision of the OECD Guidelines).
  1. Fostering open dialogue and providing publicly accessible guidance

The proposals under this heading, and in Annex 4.2, are all desirable.

  • Caution is needed in relation to the ‘regulatory sandbox’ proposal, which suggests that it will only be used to allow the Privacy Commissioner to confirm whether agency procedures are in fact in compliance with the Act, where there is some doubt about this. Such an approach is quite different from a ‘sandbox’ which involves agencies (or companies) effectively having provisions of the Act suspended to allow them to test processing which is known to be in breach of the Act, but claimed to be ‘innovative’, with the hope that approval will subsequently be given for its continuance..
  1. Creating an enhanced compliance framework to address unresolved issues

The following proposals in section 11 (most of which are repeated in Annex 4.3) deserve support:

  • Giving the Privacy Commissioner the power to audit the personal information practices of federal public bodies’ Australian Commissioners have had such powers for most of this decade, and have made sparing use of them.
  • Giving the Privacy Commissioner the power to collaborate with regulatory counterparts in Canada’ – This is obviously needed, given Canada’s complex constitutional structure, but it is equally obvious that the limitation to ‘in Canada’ is unnecessary and undesirable, because Commissioners must be able to collaborate with their international counterparts, given how common it is for data breaches and the like to take on international dimensions.
  • Providing the Privacy Commissioner with the power to enter into binding compliance agreements with federal public bodies This is a valuable power, because financial penalties against public agencies have little effect. Binding agreements have been used in Australia for most of this decade, and they have had some use in PIPEDA.
  • Imposing clear statutory timelines for proceedings before the Privacy Commissioner’ – Delayed resolutions by DPAs are a widespread problem, so time limits would be useful, provided the Commissioner has enough resources to handle the volume of complaints. Otherwise it could create a temptation to refuse to investigate complaints (see below).

However, some of the proposals in section 11 must be approached with caution:

  • Giving the Privacy Commissioner the discretion to decline to investigate a complaint or to discontinue an active complaint investigation’ – Australian experience suggests that such discretions are dangerous to complainants, if they do not have either (i) any avenue of appeal against the Commissioner’s refusal to investigate; or (ii) an alternative ability to take their complaint directly to court. The result in Australia has been that the federal Commissioner, over 20 years operation of the comprehensive Privacy Act, has made on average less than two enforceable determinations (positive or negative) per year. Many more are dismissed with no determination, and thus no right of appeal. There is no separate right to go to court, so they are left without any remedy.Footnote 16
  • Providing the Privacy Commissioner with the power to issue orders…’ – The Commission needs powers to issue orders in relation to any breach of the Act, not just in relation to access questions. Australian federal Commissioners have had such powers since 1988. Canadian provincial Commissioners also have such powers, with a right of appeal to the courts, and it is not obvious why the federal Commissioner should be any different.Footnote 17
  • Expanding the Federal Court’s de novo review jurisdiction’ – For the same reason, this otherwise valuable proposal should be re-considered in light of the PIDPT,

Other aspects of enforcement have not been considered in the Discussion Paper, but should be considered:

  • Direct complaints to the Courts – All of these proposals assume that, in order to obtain any remedies, an individual must first make a complaint to the Privacy Commission (with the risk of it not being investigated). It is inadequate in a modern data privacy law to consider that making a complaint to a Privacy Commissioner is a sufficient avenue of redress for data privacy breaches, whether against government or the private sector. It can be a good avenue for those who cannot afford (or afford the risk) of taking direct legal action against a department in breach of the Act, but there is no justification for preventing those who wish to take direct legal action from doing so.Footnote 18 The EU Directive required direct access to the courts since 1995, and the GDPR is even more clear in doing so (GDPR art. 79).
  • Authorising appropriate NGOs to act for complainants – One of the main reasons that the GDPR has already had a major impact in Europe after less that three years in force, and far more impact than the 1995 Directive ever had, is that it expressly authorises non-profit NGOs that are active in data privacy to act on behalf of data subject in actions to enforce the GDPR (GDPR art. 80 ‘Representation of Data Subjects’). Such actions, particularly by NOYBFootnote 19 (headed by Max Schrems), have arguably been the most effective driving force in the enforcement of the GDPR to date. Canada should consider creating such an explicit mandate for NGO enforcement in both this Bill and in Bill C-11.

Acknowledgments: Colin Bennett, Michael Geist and Jill Matthews have provided valuable comments on drafts of this submission, but all responsibility for content remains with the author.

Author’s qualifications; Graham Greenleaf AM has been involved in data privacy law and policy since the mid-1970s. He has been a statutory member of a DPA, adviser to the Australian Privacy Commissioner, co-founder of the Australian Privacy Foundation (APF) and founder of the Asian Privacy Scholars Network (APSN). He is the author of Asian Data Privacy Laws (OUP 2014), and Asia-Pacific Editor of Privacy Laws & Business International Report (UK). In 2010 he was made a Member (AM) of the Order of Australia, for services to the protection of privacy and to free access to legal information. He has prepared reports on the adequacy of the data protection systems of seven Asia-Pacific countries for the European Commission, and was invited to speak in Brussels at the launch of the GDPR in 2018. He represents the APF as an Observer on the Consultative Committee of Convention 108/108+. Over 150 of his articles on data privacy are available at <https://papers.ssrn.com/sol3/cf_dev/AbsByAuth.cfm?per_id=57970>. More information is on his web pages at <http://www2.austlii.edu.au/~graham/>,