Key Takeaways from the IAPP ANZ Summit

Simply Privacy was recently represented at the IAPP ANZ Summit in Sydney, a two-day privacy extravaganza attended by 450+ privacy professionals from across Australia and Aotearoa NZ. The weather was rubbish but the vibe was excellent, with some good inspiration to take into the holiday season and remind us that working in privacy is always fresh and interesting.

The Simply Privacy team was out in force at the Summit. Daimhin Warner kicked things off on day 1 by interviewing former senior NSW Government Minister Victor Dominello about government service delivery and digital identity. Emma Pond undertook MC duties for one of the streams and Frith Tweedie moderated a biometrics panel discussion and a keynote panel discussion on AI on day 2. In between, it was a great opportunity to connect with friends, colleagues and clients and nerd out on all things privacy.

In addition, we were fortunate enough to be invited to attend the Asia Pacific Privacy Authorities (APPA) forum side meeting, organised by the Centre for Information Policy Leadership (CIPL). Unsurprisingly, the focus of this session was AI, and in addition to hearing from the regulators, the big names in big tech – Meta, Microsoft, IBM, PayPal and others – were in the room to share insights and approaches.

Our key takeaways from the Summit:

AI is still the number one hot topic in privacy. While we are likely near the top of the hype cycle, this is a transformative technology that will significantly impact all of our lives. The explosion of generative AI in particular has propelled thinking about AI harms and how to prevent them to the forefront of many organisations, with the job of identifying and mitigating AI risks often landing on the desk of the Privacy Officer.

Despite this, much of the discussion on this topic was around how responsible AI governance required a collaborative effort across a number of disciplines within an organisation, not just privacy (with a hat tip to the emerging importance of the role of ‘privacy engineer’). Contrary to the ‘cult of personality’ approach that is currently affecting AI, there’s no ‘AI’ in ‘team’.

We also heard from representatives of some of the ‘hidden voices’ that aren’t being heard in the current AI discussions. While there is a need to consider the future harms of AI, there are significant harms being perpetuated now that need our urgent attention – we should worry less about Robocop, and more about Robodebt.

Another emerging issue around AI is the immense computing power it requires, and the environmental impact this has. As ESG reporting becomes more mainstream/mandatory, this AI risk will become more prominent.

Our Privacy Commissioner, Michael Webster, gave a ‘call to action’ keynote including a reminder of the important role of privacy in a free and democratic society, and the role of privacy professionals in protecting this. He also spoke of the need to strengthen our current laws, and said that he has recommended to our government that it introduce a civil penalties regime, provide individuals with more privacy rights, and require agencies to demonstrate accountability for privacy.

A recurring theme across the Summit was the need to ‘know your data’ in order to do privacy right. This isn’t a new or particularly sexy concept, but it had some renewed force behind it, following a year of big Aussie and NZ privacy breaches as well as in the context of AI’s endless thirst for data. So once more for those down the back: if you don’t know what personal information your organisation holds, where it is, what it is being used for and by whom, then any privacy risk assessments or controls will be incomplete and illusory.

And of course once you know your data, you need to govern your data. Hot on the heels of the OpenAI governance soap drama were many discussions and calls to action around making sure that agencies have robust and responsible privacy and AI governance structures and processes.

The regulatory landscape is shifting, with some significant proposals to amend Australia’s Privacy Act, including the agreement in principle to remove both the current small business and employee exemptions. These intended changes, coupled with the move late in 2022 to extend the territorial scope of the Act to any organisation ‘doing business in Australia’, will bring many NZ businesses into scope of this legislation and its $50 million fines regime.

On the biometrics front, Deputy Privacy Commissioner Liz MacPherson spoke about the OPC’s announcement that it will be publicly consulting on an exposure draft of a biometrics privacy code of practice in early 2024. Discussion centred around the importance of proportionality assessments and the need for care when using third-party biometric systems.

Other changes coming down the line that made the Summit line-up included the potential impact and influence of the EU AI Act – again, with extraterritorial application – and the Customer and Product Data Bill – coming for banking first, but not stopping there.

The overall message for privacy professionals was that there is a lot coming down the line, and the best thing to do is to start getting ready now.