Global Privacy Enforcement Network
2016 Global Privacy Enforcement Network (GPEN)
Annual Report
Table of Contents
Introduction
About the Network
GPEN Committee
GPEN Website
GPEN Activities in 2016
The Network of Networks
Pacific and Atlantic Teleconferences
Face to Face Meetings
Annual Privacy Sweep
Enforcement Survey
2017 Work Plan Highlights
2016: Launching New Tools for Cooperation
The GPEN Committee is pleased to issue the third GPEN annual report. The
Committee issues our annual reports to promote a better understanding of the
network and to explain the Committee’s work.
In the year 2016, GPEN focused on creating the Network of Networks in order to
strengthen GPEN’s ties with other networks to promote and support enforcement
of privacy laws.
A few highlights:
● We further developed the Network of Networks.
● We gathered for face-to-face meetings in Manchester and in Marrakesh to
discuss enforcement cooperation experience and practices.
● Our network’s fourth annual Privacy Sweep spotlighted the Internet of Things.
● We undertook a Member Enforcement Survey to promote collaboration and
cross-border enforcement actions.
The GPEN Committee looks forward to working with the membership and to
continuing to leverage our resources in 2017 to promote global data protection.
Introduction
About the Global Privacy Enforcement Network (GPEN)
In 2007, OECD adopted a recommendation on Cross-border Cooperation in the Enforcement of Laws Protecting Privacy. The recommendation called for member countries to foster the establishment of an informal network of Privacy Enforcement Authorities.
The Global Privacy Enforcement Network was established in 2010 by 13 privacy enforcement authorities. The informal network has grown by the end of 2016 to comprise 64 privacy enforcement authorities in 47 jurisdictions around the world, and the number of privacy enforcement professionals with GPEN website user accounts is 329. GPEN’s aim is to foster cross-border cooperation among privacy authorities in an increasingly global market in which commerce and consumer activity relies on the seamless flow of personal information across borders. Its members seek to work together to strengthen personal privacy protections in this global context.
GPEN connects privacy enforcement authorities from around the world to promote and support cooperation in cross-border enforcement of laws protecting privacy. It primarily seeks to promote cooperation by:
● exchanging information about relevant issues, trends and experiences;
● encouraging training opportunities and sharing of enforcement knowhow, expertise and good practice;
● promoting dialogue with organizations having a role in privacy enforcement;
● creating, maintaining and supporting processes or mechanisms useful to bilateral or multilateral cooperation; and
● undertaking or supporting various specific activities as outlined in the GPEN Action Plan.
GPEN is an inclusive cooperation network, open to any public privacy enforcement authority that:
(1) is responsible for enforcing laws or regulations the enforcement of which has the effect of protecting personal data; and
(2) has powers to conduct investigations or pursue enforcement proceedings.
GPEN is also outward looking. For example, through the Network of Networks, GPEN is now able to provide its members with insights beyond the privacy community which assist members in understanding and exchanging know-how with authorities from other sectors, such as the consumer protection sector.
GPEN has an increasingly strong activity/project base that we are confident will continue to attract members to the network and provide a valuable resource for existing members in 2017.
GPEN Committee
The Committee comprises 5 members from the Office of the Privacy Commissioner of Canada; the Israeli Law, Information and Technology Authority; United Kingdom Information Commissioner’s Office (ICO); US Federal Trade Commission (FTC); and Office of the Privacy Commissioner for Personal Data, Hong Kong, China (PCPD).
The committee provides leadership for the network and performs various tasks such as:
● Processing applications from authorities wishing to participate in GPEN and making recommendations for membership to participating authorities.
● Activating user accounts for access to GPEN website.
● Facilitating arrangements for GPEN teleconferences and meetings.
● Maintaining the GPEN website.
The GPEN Committee may perform other functions that support GPEN’s mission like conducting surveys, releasing media statements, participating in meetings with other networks and stakeholders, etc.
GPEN Committee Members are:

Michael Maguire
Manager, Investigations
Office of the Privacy Commissioner of Canada (OPC Canada)

Guilherme Roschke
Counsel for International Consumer Protection, Office of International Affairs
U.S. Federal Trade Commission (FTC)

Sharon Azarya
Israeli Law, Information and Technology Authority (ILITA)
Head of International Relations

Hannah McCausland
Senior Policy Officer (International)
Information Commissioner’s Office (ICO)
United Kingdom

Aki Cheung
Head of Policy and Research Division
Office of the Privacy Commissioner for Personal Data, Hong Kong, China (PCPD)
GPEN WEBSITE
Our website serves as a support platform for GPEN activities, enabling participating authorities to share information, materials, and documents relevant to GPEN’s mission. Non-public documents, and materials associated with specific bilateral cross-border investigations or enforcement matters, are not intended to be shared or posted on this website, except pursuant to further agreement of the participants.
Since 2013, OPC Canada has been administering the GPEN website, originally with assistance from the OECD, which graciously hosted the site since the Network’s inception in 2010. In this capacity, OPC Canada has implemented all changes and enhancements to the website, with strategic direction and approval from the GPEN Committee.
At the GPEN Members’ Meeting in October 2015 in Amsterdam, the GPEN Committee announced that OPC Canada was offering to take over hosting of the GPEN website, while continuing to manage the site as it has for the past three years. OPC Canada took over hosting of the GPEN website from the OECD, as planned, in the first quarter of 2016. Our focus in 2016 was on ensuring a smooth migration of the site to OPC Canada, and ongoing maintenance of existing functionality. Now that the site has been successfully migrated, the Committee will focus its efforts on the development of several new website initiatives, as outlined in our 2017 Annual plan, and on streamlining the GPEN interface to enhance the user experience.
GPEN 2016 Activities
Network of Networks
The Network of Networks initiative of GPEN, launched in 2015 and fully rolled out this year, is already proving that dialogue between networks, in the privacy enforcement global community, and with other sectors/networks interested in privacy enforcement related issues improves international enforcement cooperation.
The current Network of Network participants are: Asia Pacific Privacy Authorities (APPA); Common Thread Network (representing Data Protection Authorities in Commonwealth nations and territories); International Conference of Data Protection and Privacy Commissioners (ICDPPC); International Consumer Protection Enforcement Network (ICPEN); and Unsolicited Communications Enforcement Network (UCENet, formerly London Action Plan – or LAP).
In 2016, these participants exchanged news and ideas about their events and activities – via the GPEN website and, more recently, new Network of Network conference calls. Collaboration between Network of Networks partners in 2016 included GPEN participation in ICPEN conferences; UCENet and GPEN inviting privacy authorities to participate in their upcoming Sweeps; an invitation from the ICDPPC to have enforcement cooperation events recognized and promoted by the Conferences; and, generally, an increasing appreciation for the value of sharing expertise and experience in implementing new initiatives to meet common challenges confronting networks and members/authorities.
In 2017, GPEN aims to reinforce the existing partnerships and welcome new participants to the network.
Pacific and Atlantic Teleconferences
One of GPEN’s most successful activities is periodic conference calls and meetings
to discuss enforcement issues, trends, and experiences with its members. There are
usually two monthly conference calls. Though both are open to all, one series is
scheduled for the Pacific group of members and one for the Atlantic group, organized
by the OIPC - British Columbia and the US - FTC respectively, to allow all members to
participate in at least one call during office hours.
In 2016 GPEN held 10 Atlantic teleconferences and 9 Pacific teleconferences.
The discussions included the following topics:
1. Is it Possible, Anonymous loyalty cards?
2. Enforcement Cooperation Handbook
3. Every Step You Fake: A Comparative Analysis of Fitness Tracker Privacy and
Security
4. Genetics: The Ultimate Identifier
5. California Breach Reports and Reasonable Data Security
6. Networking the Networks: ICPEN’s econsumer.gov cross-border consumer
complaint website
7. Commissioner Elizabeth Denham on Accountability
8. GPEN Sweep and Strategies for Releasing Results
9. How Commercial Utilization of Personal Data Challenges Privacy?
10. Uses and Abuses of Privacy Impact Assessment
11. GPEN Sweep: Reflections and Brainstorming for 2017 activities
12. Complaints Process Satisfaction Surveys
13. Handling Breach Notifications
14. Improving Consumer Awareness of Privacy and Security Settings When
Purchasing Web-Enabled Devices.
15. Jurisdictional Developments in De-Identification
16. Privacy as a Human Right in the Digital Age
17. Blockchain Technologies and Cryptocurrencies
18. Device Security Awareness for the Holiday Season
Face to Face Meetings
The GPEN Committee hosted GPEN Members’ Meetings in conjunction with two
separate international events: the International Enforcement Cooperation Annual
Event in Manchester (March 2016) and the International Conference of Data
Protection and Privacy Commissioners in Marrakesh (October 2016).
These meetings offered an opportunity to: review new initiatives; obtain member
feedback to inform future priorities; and build relationships critical to future
cooperation.
In Manchester, GPEN members were provided with an update on:
● the GPEN Alert initiative and the Joint Oversight Panel set up to advance its use;
● a review of the Network of Networks pilot nearly one year after its launch;
● the GPEN Champions’ initiative aimed at promoting GPEN within authorities;
● the results from the 2015 GPEN Privacy Sweep and a look forward to the GPEN Privacy Sweep 2016; and
● the developments linked with the GPEN website (servers migration, creation of an enforcement contacts section).
GPEN members also considered what other resources might assist in achieving effective enforcement cooperation. Participants discussed the existing multilateral “Global Cross Border Enforcement Cooperation Arrangement”, as well as potential additions or enhancements to the Enforcement Cooperation Handbook, and the prospect of an enforcement training and skills development workshop.
The second face-to-face meeting for GPEN members was held on the margin of the International Conference of Data Protection and Privacy Commissioners in Marrakesh, Morocco on 18 October 2016. Around 30 representatives from member authorities and non-member organisations participated in the meeting.
GPEN Committee presented the results of the GPEN Sweep 2016 during the meeting, and highlighted the emerging challenges to privacy of Internet of Things devices. Members also made suggestions for the theme of Sweep 2017.
The GPEN Committee also reported to members on the progress and accomplishments of various GPEN initiatives, such as GPEN Alert, the Enforcement Survey and Network of Networks. As GPEN would hold the first Enforcement Practitioners Workshop in 2017, suggestions were sought from members to shape the event. Ideas on the format and contents of the workshop were received (These have since been incorporated into planning for the event, now scheduled to occur 21-22 June 2017 in Manchester, UK).
The Office of the Privacy Commissioner of Canada gave a short presentation at the meeting, highlighting the outcomes of its joint investigation, with the Australian Privacy Commissioner, into the Ashley Madison data breach. Experience, benefits and lessons learnt from enforcement collaboration were shared with members.
Annual Privacy Sweep
“The Sweep” is a GPEN initiative whereby privacy enforcement authorities work together on a particular topic once every year, to protect the privacy rights of individuals around the world. The Sweep is aimed at encouraging organizations to comply with privacy legislation and enhancing co-operation between privacy enforcement authorities. Concerns identified during the Sweep will typically result in follow-up work such as outreach to organizations, deeper analysis of privacy provisions and/or enforcement action.
The 2016 GPEN Sweep focused on “Internet of Things” (IoT) and was led by the
UK Information Commissioner’s Office (ICO). The study looked at devices like
smart electricity meters, internet-connected thermostats and watches that monitor
health, considering how well companies communicate privacy matters to their
customers. IoT devices have the potential to collect a large amount of personal
data from users, and it is important that users are fully informed about what is
happening with their information.
25 authorities took part in the Sweep, and the practices of 314 devices/companies
were examined.
The Sweep found that:
● 59 per cent of devices failed to adequately explain to customers how their
personal information was collected, used and disclosed;
● 68 per cent failed to properly explain how information was stored;
● 72 per cent failed to explain how customers could delete their information off
the device, and
● 38 per cent failed to include easily identifiable contact details whereby customers
could express privacy concerns.
Privacy communications relating to IoT devices were generally poor and failed
to inform users about exactly what personal information a device may collect
from them and what subsequently happens to the information. Companies
demonstrating good practice were in the minority and Sweepers generally felt
that overall there is significant room for improvement of privacy communications.
Individual authorities followed up on their own results, and there were discussions
taking place around potential bi-lateral initiatives. For the first time, individual
authority press releases were collated on the GPEN website public page. This
allowed press interest to better flourish across all the participants’ initiatives,
encouraging greater public awareness of the collective action, and amplifying
messaging regarding IoT sectoral shortcomings as a result.
Planning is underway for the 2017 Sweep, which will again be led by the UK ICO.
Enforcement Survey
Through the years GPEN members have made great strides toward laying the
foundation for international enforcement cooperation. Along the way, there arose
the need for easily accessible and comprehensive information about the regulatory
frameworks and enforcement powers of the privacy authorities in GPEN’s global
network. Such information would be very useful for identifying suitable partner
authorities in case international cooperation is needed. Further, the information
could assist GPEN members in staffing or even conducting legislative reviews.
With that in mind, the GPEN Committee decided to conduct a survey about GPEN
members’ enforcement powers.
The survey was led by the Israeli Law, Information and Technology Authority
(ILITA), and was launched in October 2016, at the GPEN Members’ Meeting in
Marrakesh.
A report will be published and made available on the GPEN website after
completion of the survey results. The report should provide useful insight to a
variety of enforcement frameworks and assist data protection authorities in their
mission to strengthen cross-border privacy protection and increase their powers
with a view to monitoring, encouraging and enforcing compliance.
2017 Work Plan Highlights
● Hold an enforcement practitioners’ workshop on practical
aspects of case handling and investigations;
● Complete the GPEN Champion project to increase participation
rate of GPEN members in GPEN’s activities;
● Conduct our fifth annual Privacy Sweep;
● Continue our Pacific and Atlantic conference calls;
● Increase the number of participants in the Network of Networks
and carry out at least one practical cooperation with each
member;
● Publish the survey report about enforcement powers;
● Develop new GPEN website functionality with respect to sharing
authorities’ powers, jurisdiction and ability to cooperate;
● Continue to increase and diversify membership.