global privacy enforcement network gpen · global privacy enforcement network 3 2016: launching new...

Global Privacy Enforcement Network Annual Report

Upload: ngonga

Post on 26-Aug-2018


2016 Global Privacy Enforcement Network (GPEN) Annual Report


Table of Contents

Introduction
About the Network
GPEN Committee
GPEN Website
GPEN Activities in 2016
    The Network of Networks
    Pacific and Atlantic Teleconferences
    Face to Face Meetings
    Annual Privacy Sweep
    Enforcement Survey
2017 Work Plan Highlights


2016: Launching New Tools for Cooperation

The GPEN Committee is pleased to issue the third GPEN annual report. The Committee issues our annual reports to promote a better understanding of the network and to explain the Committee’s work.

In the year 2016, GPEN focused on creating the Network of Networks in order to strengthen GPEN’s ties with other networks to promote and support enforcement of privacy laws.

A few highlights:

● We further developed the Network of Networks.

● We gathered for face-to-face meetings in Manchester and in Marrakesh to discuss enforcement cooperation experience and practices.

● Our network’s fourth annual Privacy Sweep spotlighted the Internet of Things.

● We undertook a Member Enforcement Survey to promote collaboration and cross-border enforcement actions.

The GPEN Committee looks forward to working with the membership and to continuing to leverage our resources in 2017 to promote global data protection.


Introduction

About the Global Privacy Enforcement Network (GPEN)

In 2007, OECD adopted a recommendation on Cross-border Cooperation in the Enforcement of Laws Protecting Privacy. The recommendation called for member countries to foster the establishment of an informal network of Privacy Enforcement Authorities.

The Global Privacy Enforcement Network was established in 2010 by 13 privacy enforcement authorities. By the end of 2016, the informal network had grown to comprise 64 privacy enforcement authorities in 47 jurisdictions around the world, and the number of privacy enforcement professionals with GPEN website user accounts is 329. GPEN’s aim is to foster cross-border cooperation among privacy authorities in an increasingly global market in which commerce and consumer activity rely on the seamless flow of personal information across borders. Its members seek to work together to strengthen personal privacy protections in this global context.

GPEN connects privacy enforcement authorities from around the world to promote and support cooperation in cross-border enforcement of laws protecting privacy. It primarily seeks to promote cooperation by:

● exchanging information about relevant issues, trends and experiences;

● encouraging training opportunities and sharing of enforcement knowhow, expertise and good practice;

● promoting dialogue with organizations having a role in privacy enforcement;

● creating, maintaining and supporting processes or mechanisms useful to bilateral or multilateral cooperation; and

● undertaking or supporting various specific activities as outlined in the GPEN Action Plan.

GPEN is an inclusive cooperation network, open to any public privacy enforcement authority that:

(1) is responsible for enforcing laws or regulations the enforcement of which has the effect of protecting personal data; and

(2) has powers to conduct investigations or pursue enforcement proceedings.

GPEN is also outward looking. For example, through the Network of Networks, GPEN is now able to provide its members with insights beyond the privacy community which assist members in understanding and exchanging know-how with authorities from other sectors, such as the consumer protection sector.

GPEN has an increasingly strong activity/project base that we are confident will continue to attract members to the network and provide a valuable resource for existing members in 2017.


GPEN Committee

The Committee comprises 5 members from the Office of the Privacy Commissioner of Canada; the Israeli Law, Information and Technology Authority; United Kingdom Information Commissioner’s Office (ICO); US Federal Trade Commission (FTC); and Office of the Privacy Commissioner for Personal Data, Hong Kong, China (PCPD).

The committee provides leadership for the network and performs various tasks such as:

● Processing applications from authorities wishing to participate in GPEN and making recommendations for membership to participating authorities.

● Activating user accounts for access to GPEN website.

● Facilitating arrangements for GPEN teleconferences and meetings.

● Maintaining the GPEN website.

The GPEN Committee may perform other functions that support GPEN’s mission like conducting surveys, releasing media statements, participating in meetings with other networks and stakeholders, etc.

GPEN Committee Members are:

Michael Maguire
Manager, Investigations
Office of the Privacy Commissioner of Canada (OPC Canada)

Guilherme Roschke
Counsel for International Consumer Protection, Office of International Affairs
U.S. Federal Trade Commission (FTC)

Sharon Azarya
Israeli Law, Information and Technology Authority (ILITA)
Head of International Relations

Hannah McCausland
Senior Policy Officer (International)
Information Commissioner’s Office (ICO)
United Kingdom

Aki Cheung
Head of Policy and Research Division
Office of the Privacy Commissioner for Personal Data, Hong Kong, China (PCPD)


GPEN WEBSITE

Our website serves as a support platform for GPEN activities, enabling participating authorities to share information, materials, and documents relevant to GPEN’s mission. Non-public documents, and materials associated with specific bilateral cross-border investigations or enforcement matters, are not intended to be shared or posted on this website, except pursuant to further agreement of the participants.

Since 2013, OPC Canada has been administering the GPEN website, originally with assistance from the OECD, which graciously hosted the site since the Network’s inception in 2010. In this capacity, OPC Canada has implemented all changes and enhancements to the website, with strategic direction and approval from the GPEN Committee.

At the GPEN Members’ Meeting in October 2015 in Amsterdam, the GPEN Committee announced that OPC Canada was offering to take over hosting of the GPEN website, while continuing to manage the site as it has for the past three years. OPC Canada took over hosting of the GPEN website from the OECD, as planned, in the first quarter of 2016. Our focus in 2016 was on ensuring a smooth migration of the site to OPC Canada, and ongoing maintenance of existing functionality. Now that the site has been successfully migrated, the Committee will focus its efforts on the development of several new website initiatives, as outlined in our 2017 Annual plan, and on streamlining the GPEN interface to enhance the user experience.

GPEN 2016 Activities

Network of Networks

The Network of Networks initiative of GPEN, launched in 2015 and fully rolled out this year, is already proving that dialogue between networks, in the privacy enforcement global community, and with other sectors/networks interested in privacy enforcement related issues improves international enforcement cooperation.

The current Network of Network participants are: Asia Pacific Privacy Authorities (APPA); Common Thread Network (representing Data Protection Authorities in Commonwealth nations and territories); International Conference of Data Protection and Privacy Commissioners (ICDPPC); International Consumer Protection Enforcement Network (ICPEN); and Unsolicited Communications Enforcement Network (UCENet, formerly London Action Plan – or LAP).


In 2016, these participants exchanged news and ideas about their events and activities – via the GPEN website and, more recently, new Network of Network conference calls. Collaboration between Network of Networks partners in 2016 included GPEN participation in ICPEN conferences; UCENet and GPEN inviting privacy authorities to participate in their upcoming Sweeps; an invitation from the ICDPPC to have enforcement cooperation events recognized and promoted by the Conferences; and, generally, an increasing appreciation for the value of sharing expertise and experience in implementing new initiatives to meet common challenges confronting networks and members/authorities.

In 2017, GPEN aims to reinforce the existing partnerships and welcome new participants to the network.

Pacific and Atlantic Teleconferences

One of GPEN’s most successful activities is periodic conference calls and meetings to discuss enforcement issues, trends, and experiences with its members. There are usually two monthly conference calls. Though both are open to all, one series is scheduled for the Pacific group of members and one for the Atlantic group, organized by the OIPC - British Columbia and the US - FTC respectively, to allow all members to participate in at least one call during office hours.

In 2016 GPEN held 10 Atlantic teleconferences and 9 Pacific teleconferences.

The discussions included the following topics:

1. Is it Possible, Anonymous loyalty cards?

2. Enforcement Cooperation Handbook

3. Every Step You Fake: A Comparative Analysis of Fitness Tracker Privacy and Security

4. Genetics: The Ultimate Identifier

5. California Breach Reports and Reasonable Data Security

6. Networking the Networks: ICPEN’s econsumer.gov cross-border consumer complaint website

7. Commissioner Elizabeth Denham on Accountability

8. GPEN Sweep and Strategies for Releasing Results


9. How Commercial Utilization of Personal Data Challenges Privacy?

10. Uses and Abuses of Privacy Impact Assessment

11. GPEN Sweep: Reflections and Brainstorming for 2017 activities

12. Complaints Process Satisfaction Surveys

13. Handling Breach Notifications

14. Improving Consumer Awareness of Privacy and Security Settings When Purchasing Web-Enabled Devices

15. Jurisdictional Developments in De-Identification

16. Privacy as a Human Right in the Digital Age

17. Blockchain Technologies and Cryptocurrencies

18. Device Security Awareness for the Holiday Season

Face to Face Meetings

The GPEN Committee hosted GPEN Members’ Meetings in conjunction with two separate international events: the International Enforcement Cooperation Annual Event in Manchester (March 2016) and the International Conference of Data Protection and Privacy Commissioners in Marrakesh (October 2016).

These meetings offered an opportunity to: review new initiatives; obtain member feedback to inform future priorities; and build relationships critical to future cooperation.

In Manchester, GPEN members were provided with an update on:

● the GPEN Alert initiative and the Joint Oversight Panel set up to advance its use;

● a review of the Network of Networks pilot nearly one year after its launch;

● the GPEN Champions’ initiative aimed at promoting GPEN within authorities;

● the results from the 2015 GPEN Privacy Sweep and a look forward to the GPEN Privacy Sweep 2016; and

● the developments linked with the GPEN website (servers migration, creation of an enforcement contacts section).


GPEN members also considered what other resources might assist in achieving effective enforcement cooperation. Participants discussed the existing multilateral “Global Cross Border Enforcement Cooperation Arrangement”, as well as potential additions or enhancements to the Enforcement Cooperation Handbook, and the prospect of an enforcement training and skills development workshop.

The second face-to-face meeting for GPEN members was held on the margin of the International Conference of Data Protection and Privacy Commissioners in Marrakesh, Morocco on 18 October 2016. Around 30 representatives from member authorities and non-member organisations participated in the meeting.

GPEN Committee presented the results of the GPEN Sweep 2016 during the meeting, and highlighted the emerging challenges to privacy of Internet of Things devices. Members also made suggestions for the theme of Sweep 2017.

The GPEN Committee also reported to members on the progress and accomplishments of various GPEN initiatives, such as GPEN Alert, the Enforcement Survey and Network of Networks. As GPEN would hold the first Enforcement Practitioners Workshop in 2017, suggestions were sought from members to shape the event. Ideas on the format and contents of the workshop were received (These have since been incorporated into planning for the event, now scheduled to occur 21-22 June 2017 in Manchester, UK).

The Office of the Privacy Commissioner of Canada gave a short presentation at the meeting, highlighting the outcomes of its joint investigation, with the Australian Privacy Commissioner, into the Ashley Madison data breach. Experience, benefits and lessons learnt from enforcement collaboration were shared with members.

Annual Privacy Sweep

“The Sweep” is a GPEN initiative whereby privacy enforcement authorities work together on a particular topic once every year, to protect the privacy rights of individuals around the world. The Sweep is aimed at encouraging organizations to comply with privacy legislation and enhancing co-operation between privacy enforcement authorities. Concerns identified during the Sweep will typically result in follow-up work such as outreach to organizations, deeper analysis of privacy provisions and/or enforcement action.


The 2016 GPEN Sweep focused on “Internet of Things” (IoT) and was led by the UK Information Commissioner’s Office (ICO). The study looked at devices like smart electricity meters, internet-connected thermostats and watches that monitor health, considering how well companies communicate privacy matters to their customers. IoT devices have the potential to collect a large amount of personal data from users, and it is important that users are fully informed about what is happening with their information.

25 authorities took part in the Sweep, and the practices of 314 devices/companies were examined.

The Sweep found that:

● 59 per cent of devices failed to adequately explain to customers how their personal information was collected, used and disclosed;

● 68 per cent failed to properly explain how information was stored;

● 72 per cent failed to explain how customers could delete their information off the device; and

● 38 per cent failed to include easily identifiable contact details whereby customers could express privacy concerns.

Privacy communications relating to IoT devices were generally poor and failed to inform users about exactly what personal information a device may collect from them and what subsequently happens to the information. Companies demonstrating good practice were in the minority and Sweepers generally felt that overall there is significant room for improvement of privacy communications.

Individual authorities followed up on their own results, and there were discussions taking place around potential bi-lateral initiatives. For the first time, individual authority press releases were collated on the GPEN website public page. This allowed press interest to better flourish across all the participants’ initiatives, encouraging greater public awareness of the collective action, and amplifying messaging regarding IoT sectoral shortcomings as a result.

Planning is underway for the 2017 Sweep, which will again be led by the UK ICO.


Enforcement Survey

Through the years GPEN members have made great strides toward laying the foundation for international enforcement cooperation. Along the way, there arose the need for easily accessible and comprehensive information about the regulatory frameworks and enforcement powers of the privacy authorities in GPEN’s global network. Such information would be very useful for identifying suitable partner authorities in case international cooperation is needed. Further, the information could assist GPEN members in staffing or even conducting legislative reviews. With that in mind, the GPEN Committee decided to conduct a survey about GPEN members’ enforcement powers.

The survey was led by the Israeli Law Information and Technology Authority (ILITA), and was launched in October 2016, at the GPEN Members’ Meeting in Marrakesh.

A report will be published and made available on the GPEN website after completion of the survey results. The report should provide useful insight to a variety of enforcement frameworks and assist data protection authorities in their mission to strengthen cross-border privacy protection and increase their powers with a view to monitoring, encouraging and enforcing compliance.


2017 Work Plan Highlights

● Hold an enforcement practitioners’ workshop on practical aspects of case handling and investigations;

● Complete the GPEN Champion project to increase participation rate of GPEN members in GPEN’s activities;

● Conduct our fifth annual Privacy Sweep;

● Continue our Pacific and Atlantic conference calls;

● Increase the number of participants in the Network of Networks and carry out at least one practical cooperation with each member;

● Publish the survey report about enforcement powers;

● Develop new GPEN website functionality with respect to sharing authorities’ powers, jurisdiction and ability to cooperate;

● Continue to increase and diversify membership.