Reflections on ICDPPC 2017 from a human rights defender

3 Oct 2017

By Sheetal Kumar

Last week, for the very first time, GPD attended the International Conference of Data Protection and Privacy Commissioners (ICDPPC), a global forum which brings together data protection authorities (DPAs) and other stakeholders to discuss trends in data protection and privacy, coordinate, and commit to tackling commonly identified challenges.

This year, the Conference was hosted by Hong Kong’s DPA, the Office of the Privacy Commissioner for Personal Data, with the theme “Connecting West with East in Protecting and Respecting Data Privacy” (the full programme is available here).

As we discuss in our ICDPPC navigation tool and introductory podcast, the ICDPPC has not historically been a very welcoming forum for human rights defenders, and engagement has so far been relatively limited.

This doesn’t, however, mean that it’s not an important forum. It’s the only place where DPAs from around the world meet – and these DPAs often have considerable influence over data protection at the national level, and, by extension, our human rights. Data protection is already central to human rights discussions, and will only become more so with an increasingly politicised cybersecurity debate, and the emergence of technologies like the internet of things (IoT) and biometric data.

And so, alongside other civil society groups – including Access Now, Internet Freedom Foundation, KICTANet, ICT Watch, and Privacy International, among others – GPD went to the Conference. Here are a few quick reflections on what we saw.


More needs to be done on inclusivity

The ICDPPC is not particularly known for its openness or inclusivity. It has high entry costs and limited opportunities for civil society participation. Knowing all this, it was still a surprise to find how clubby and insular the event seemed; even with over 700 delegates, from a fairly diverse range of stakeholder groups, it’s a place where everyone seems to know each other.

The Conference has made some steps in the right direction in the past few years by publishing the outcomes and minutes of the discussions on its website, livestreaming open sessions, and sometimes offering fee waivers to civil society groups. Much more remains to be done. This year, a global coalition of civil society groups, including GPD, published a statement and sent a letter to Conference members containing concrete recommendations on inclusivity.

They need us (even if they don’t know it)

One of the main arguments for civil society involvement in the ICDPPC is that we’re needed there as, essentially, watchdogs – to make sure that DPAs and industry stakeholders respect human rights. Having attending the event, the importance and necessity of this role is clearer than ever to us.

But it’s also clear that being a watchdog isn’t all that we’re needed for at the ICDPPC. DPAs and industry representatives don’t, alone, have the answers to the complex challenges within the ICDPPC’s remit; and so civil society’s constructive insight is just as necessary as our advocacy.  

Take the ICDPPC’s resolution on supporting human rights defenders, made at last year’s Conference. At the session discussing the resolution this year, it was striking both how little progress had been made on the commitments, and how few ideas there were for implementing them. The absence of civil society insight here is keenly felt. ICDPPC discussions on data localisation and its potential impacts on privacy were another area where the first-hand experience of civil society working with underrepresented groups (especially in the global South) would be of obvious benefit.

It has to be acknowledged that this perspective isn’t universally shared at the ICDPPC. While many DPAs were positive about the value of civil society input into discussions, one privacy consultant almost winced when informed of our efforts to open up the Conference. He seemed concerned about losing the trust between delegates, and that the ICDPPC’s “focused, expert” discussions would somehow become diluted. But as the discussions of the Conference progressed, this did not seem to be a legitimate concern. If anything, the tiredness of many of the debates (particularly on notice and consent, on which more below) points to a need for more voices and perspectives, rather than fewer.

The debate on cybersecurity and encryption might be maturing

The quality of debate at the Conference varied depending on the issue. Discussions on the principle of notice and consent, and its application in the digital age, were notably dated – fixating on a tired opposition of “big data vs. privacy” which is wholly inadequate to the emerging challenges posed by IoT and other technologies which will transform our relationship with the digital environment.

The session on the relationship between cybersecurity and data protection, on the other hand, was sophisticated and nuanced, and even concluded with a call to embed the right to privacy into cybersecurity policies. Similarly, at a session on encryption, all of the panellists – including the Director of the Council of Europe’s Crime Unit – acknowledged the importance of strong encryption not only for the protection of rights, but also for the security of the network, and users’ trust in it.

These are small steps for the Conference, and much more needs to be done (a formal resolution and declaration by Conference members on the importance of strong encryption would be a good start). But these may at least be hopeful signs that debates around cybersecurity and encryption are maturing, and that the damaging and hitherto dominant narrative of “security vs. privacy” may be starting to erode.

The GDPR looms large

There was one acronym on everyone’s lips at the Conference this year: GDPR, referring to the EU’s General Data Protection Regulation which will come into effect in May 2018. So frequently was it invoked that in one session, a panellist – when asked about the likely effect of the GDPR on digital identity schemes – begged leave to ignore the question, and exclaimed that he would be “happy if [he could] go just thirty minutes without talking about the GDPR”.

Ignoring the GDPR is not really an option for the ICDPPC, however. Considering the important role that EU legislation has historically played in data protection norms and standards, the GDPR will likely shape data protection and privacy policy across the world, with enormous ramifications for the global digital economy. DPAs are going to have a big role to play in managing the GDPR’s implementation and its subsequent reverberations – and civil society will need to be there as watchdogs, to make sure its provisions to empower and protect users are correctly enforced in the EU and beyond.

Next steps

The next Conference may be a year away, but there are two important things that we need to start doing now: first, suggesting agenda items to the incoming Executive Committee, to make sure our priorities and concerns are represented at next year’s Conference; and, second, putting pressure on the ICDPPC’s powerful Programme Committee to include a civil society representative.

If you’d like to be involved in this, get in touch with Sheetal at

Interested in seeing the resolutions from the 2017 ICDPPC? Read them here.

And don’t forget to sign the letter and statement calling on Conference members to promote more openness, inclusivity and transparency.