PHAEDRA - IMPROVING PRACTICAL AND HELPFUL CO-OPERATION BETWEEN DATA PROTECTION AUTHORITIES
http://www.phaedra-project.eu/
1 April 2014, revised 30 June 2014

PHAEDRA
Improving Practical and Helpful co-operAtion bEtween Data pRotection Authorities
http://www.phaedra-project.eu
Call: JUST/2011-2012/FRC/AG
Agreement number: JUST/2012/FRAC/AG/2761

Co-ordination and co-operation between Data Protection Authorities
Workstream 1 report

A report prepared for the European Commission’s Directorate-General for Justice (DG JUST).
The contents of this deliverable are the sole responsibility of the authors and can in no way be taken to reflect the views of the European Commission.
Authors
David Barnard-Wills, David Wright (Trilateral Research & Consulting, UK)

Contributors
Artemi Rallo, Rosario García (Universidad Jaume I, Spain): 2.1 (Google Buzz), 2.2 (Google Street View), 4.6 (Ibero-American Data Protection Network), 4.11 (TAIEX programme)
Paul de Hert, Gertjan Boulet, Dariusz Kloza (Vrije Universiteit Brussel, Belgium): 1.4 (Definitions and key terminology)
Paul de Hert, Gertjan Boulet (Vrije Universiteit Brussel, Belgium): 2.3 (CNIL’s investigation of Google’s privacy policy), 2.4 (CBP and OPC’s investigation of WhatsApp), 3.1.2 (Working Party on Police and Justice (WPPJ)), 3.9 (Other initiatives), 4.14.2 (Communication from the Commission on fighting spam, spyware and malicious software)
Beata Batorowicz (Inspector General for Personal Data Protection (GIODO), Poland): 3.6 (Central and Eastern Europe Data Protection Authorities), 3.7 (Conference of Balkan Data Protection Authorities), 4.1 (International Conference of Data Protection and Privacy Commissioners)

Internal review
Paul De Hert, Gertjan Boulet, Auke Willems (Vrije Universiteit Brussel, Belgium)
Artemi Rallo, Rosario García (Universidad Jaume I, Spain)
Piotr Drobek (Inspector General for Personal Data Protection (GIODO), Poland)
Contents
1 Introduction
  1.1 Need for improved co-operation and co-ordination
  1.2 The PHAEDRA project
  1.3 Project objectives
  1.4 Definitions and key terminology
    1.4.1 Co-operation
    1.4.2 Data protection authorities (DPAs)
      1.4.2.1 No set definition of DPA
      1.4.2.2 A functional approach: DPA as an umbrella for actors undertaking a range of activities
      1.4.2.3 Independence of DPAs
      1.4.2.4 Distinction with Data Protection Officer (DPO)
      1.4.2.5 A better term? ‘Data Privacy Agency’ (DPA) or ‘Privacy enforcement authority’ (PEA)
      1.4.2.6 The doctrine about functions performed by DPAs
      1.4.2.7 European legislation about functions performed by DPAs
2 11 case studies
  2.1 Google Buzz
    2.1.1 Overview
    2.1.2 Key events
    2.1.3 Forms of co-ordination
    2.1.4 Conclusions
  2.2 Google Street View
    2.2.1 Overview
    2.2.2 Sequence of key events
    2.2.3 Reasons for investigation
    2.2.4 Findings of investigation
    2.2.5 Forms of co-operation
    2.2.6 Conclusions
  2.3 CNIL’s investigation of Google’s privacy policy
    2.3.1 Overview
    2.3.2 Sequence of key events
    2.3.3 Reasons for investigation
    2.3.4 Findings of investigation
    2.3.5 Forms of co-operation
    2.3.6 Conclusions
  2.4 CBP and OPC’s investigation of WhatsApp
    2.4.1 Overview
    2.4.2 Sequence of key events
    2.4.3 Reasons for investigation
    2.4.4 Findings of investigation
    2.4.5 Forms of co-operation
    2.4.6 Conclusions
  2.5 Irish Office of the Data Protection Commissioner’s Audit of Facebook Ireland
    2.5.1 Overview
    2.5.2 Sequence of key events
    2.5.3 Reasons for the investigation
    2.5.4 Findings of the investigation
    2.5.5 Forms of co-operation
    2.5.6 Conclusions
  2.6 Sony PlayStation Network hacks
    2.6.1 Overview
    2.6.2 Sequence of key events
    2.6.3 Reasons for investigation
    2.6.4 Findings of investigation
    2.6.5 Forms of co-operation
    2.6.6 Conclusions
  2.7 SWIFT and US Treasury Terrorist Finance Tracking Program (TFTP)
    2.7.1 Overview
    2.7.2 Sequence of key events
    2.7.3 Reasons for investigation
    2.7.4 Findings of investigation
    2.7.5 Forms of co-operation
    2.7.6 Conclusions
  2.8 Telecommunications Data Retention
    2.8.1 Overview
    2.8.2 Sequence of key events
    2.8.3 Reasons for investigation
    2.8.4 Findings of investigation
    2.8.5 Forms of co-operation
    2.8.6 Conclusions
  2.9 World Anti-Doping Agency code and standard revisions
    2.9.1 Overview
    2.9.2 Sequence of key events
    2.9.3 Reasons for investigation
    2.9.4 Findings of investigation
    2.9.5 Forms of co-operation
    2.9.6 Conclusions
  2.10 Global Privacy Enforcement Network “Sweep”
    2.10.1 Overview
    2.10.2 Sequence of key events
    2.10.3 Reasons for investigation
    2.10.4 Findings of investigation
    2.10.5 Forms of co-operation
    2.10.6 Conclusions
  2.11 Google Glass
    2.11.1 Overview
    2.11.2 Reasons for investigation
    2.11.3 Findings of investigation
    2.11.4 Forms of co-operation
    2.11.5 Conclusions
  2.12 Horizontal analysis
3 Co-operation and co-ordination within Europe
  3.1 European Conference of Data Protection Commissioners ("Spring Conference")
    3.1.1 Case-Handling Workshop
    3.1.2 Working Party on Police and Justice (WPPJ)
  3.2 Article 29 Working Party
    3.2.1 Organisation
    3.2.2 Article 29 WP subgroups
    3.2.3 Initiatives to improve co-operation
      3.2.3.1 Binding Corporate Rules and mutual recognition
      3.2.3.2 Article 29 Working Party website
  3.3 Council of Europe T-PD
    3.3.1 Organisation
    3.3.2 Co-operation and co-ordination activities
  3.4 Working Party on Information Exchange and Data Protection (DAPIX)
  3.5 International Working Group on Data Protection in Telecommunications
  3.6 Central and Eastern Europe Data Protection Authorities
  3.7 Conference of Balkan Data Protection Authorities
  3.8 Former Third Pillar Supervisory Authorities
    3.8.1 Joint Supervisory Authority of the Schengen Information System
    3.8.2 Joint Supervisory Authority of the European Customs Information System
    3.8.3 Coordinated Data Protection Supervision Group of the European Visa Information System (VIS)
    3.8.4 Coordinated Data Protection Supervision Group of Eurodac
    3.8.5 Joint Supervisory Board Europol
    3.8.6 Joint Supervisory Body Eurojust
  3.9 Other initiatives
  3.10 Conclusions
4 Co-operation and co-ordination globally
  4.1 International Conference of Data Protection and Privacy Commissioners
    4.1.1 Organisation
    4.1.2 Co-operation and co-ordination activities
    4.1.3 ICDPPC Resolutions
    4.1.4 International Working Group on Coordination of Privacy Enforcement
  4.2 Organisation for Economic Co-operation and Development
    4.2.1 OECD Working Party on Security and Privacy in the Digital Economy (SPDE), formerly Working Party on Information Security and Privacy (WPISP)
    4.2.2 OECD Report on the Cross-border Enforcement of Privacy Laws (2006)
    4.2.3 OECD Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy, 2007
    4.2.4 Report on the Implementation of the OECD Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy, 2011
    4.2.5 Privacy enforcement authorities
  4.3 Global Privacy Enforcement Network (GPEN)
    4.3.1 Distinguishing between co-operation and co-ordination
  4.4 Asia-Pacific Economic Co-operation
    4.4.1 APEC Cross-border Privacy Enforcement Arrangement (CPEA)
    4.4.2 Data Privacy Subgroup of the APEC Electronic Commerce Steering Group
    4.4.3 APEC – Art 29 WP Promoting Co-operation on Data Transfer Systems
  4.5 Asia Pacific Privacy Authorities (APPA)
    4.5.1 Technology Working Group
    4.5.2 Communications Working Group
  4.6 Ibero-American Data Protection Network
    4.6.1 Spanish DPA’s other outreach efforts in Latin America and East European countries
  4.7 Association of Francophone Data Protection Authorities
    4.7.1 CNIL’s outreach efforts at co-operation
  4.8 British, Irish and the Islands DPAs
  4.9 EU-US ad hoc working group on data protection
  4.10 Memoranda of Understanding (MOUs)
  4.11 TAIEX programme
  4.12 Leonardo da Vinci (LDV) Programme
  4.13 Twinning
  4.14 Other initiatives
    4.14.1 New Zealand – Privacy (Cross-border Information) Amendment bill
    4.14.2 Communication from the Commission on fighting spam, spyware and malicious software
    4.14.3 ROSKOMNADZOR Conference
  4.15 Conclusions
5 PHAEDRA survey of DPAs on improved co-operation and co-ordination
  5.1 Results of the survey questionnaire
  5.2 Results of follow-on interviews
6 Benefits for Europe of international co-operation and co-ordination
  6.1 Prevent regulatory arbitrage
  6.2 Harmonisation of privacy enforcement
  6.3 Expand European model of privacy and data protection
  6.4 Protect Europeans in third countries
  6.5 Raise overall standard of privacy protection
7 Findings and recommendations
  7.1 Recommendations
1 INTRODUCTION

1.1 NEED FOR IMPROVED CO-OPERATION AND CO-ORDINATION
A principal challenge confronting data protection authorities (DPAs) and privacy commissioners is the enforcement of privacy and data protection legislation. DPAs are constrained by a shortage of resources to investigate and prosecute those who violate the legislation.1 Often, several of these resource-constrained DPAs investigate the same privacy issue, in effect a duplication of effort. For example, several DPAs investigated the hacking of the Sony PlayStation Network, Google Street View’s recording of WiFi addresses and Facebook’s collection of personal data for sale to third-party app developers and advertisers.

Given the constraints of most DPAs, it seems an inefficient use of resources to have several DPAs investigating the same issue. DPAs themselves have recognised the need to improve practical co-operation.

The Organisation for Economic Co-operation and Development (OECD) adopted a Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy in 2007. The OECD said member countries should foster the establishment of an informal network of privacy enforcement authorities (PEAs) and other stakeholders to discuss the practical aspects of privacy law enforcement co-operation, share best practices and support joint enforcement initiatives and awareness-raising campaigns. Such a network has been established: the Global Privacy Enforcement Network (GPEN).

As another follow-up to the OECD Recommendation, the 29th International Conference of Data Protection and Privacy Commissioners (ICDPPC) adopted a “Resolution on International Co-operation” at its meeting in Montreal in 2007. The 33rd ICDPPC, held in Mexico City in 2011, adopted an even more detailed Resolution, encouraging more effective co-ordination of cross-border investigation and enforcement.

The European Commission’s proposal for a new Data Protection Regulation explicitly mentions the OECD Recommendation of 2007. Articles 45 and 46 of the draft Regulation provide for international co-operation mechanisms. The principal element in the Commission’s conception of international co-operation in Article 45.1 relates to the enforcement of legislation for the protection of personal data. The Article 29 Working Party also has on its agenda enhancing enforcement and promoting international co-operation between privacy authorities.

Article 45, as set out in the proposed Regulation of January 2012, states the following:

International co-operation for the protection of personal data
1. In relation to third countries and international organisations, the Commission and supervisory authorities shall take appropriate steps to:
(a) develop effective international co-operation mechanisms to facilitate the enforcement of legislation for the protection of personal data;
(b) provide international mutual assistance in the enforcement of legislation for the protection of personal data, including through notification, complaint referral, investigative assistance and information exchange, subject to appropriate safeguards for the protection of personal data and other fundamental rights and freedoms;
(c) engage relevant stakeholders in discussion and activities aimed at furthering international co-operation in the enforcement of legislation for the protection of personal data;
(d) promote the exchange and documentation of personal data protection legislation and practice.
2. For the purposes of paragraph 1, the Commission shall take appropriate steps to advance the relationship with third countries or international organisations, and in particular their supervisory authorities, where the Commission has decided that they ensure an adequate level of protection within the meaning of Article 41(3).

1 One DPA commented to the authors that “There is a solid amount of non-used resources and opportunities to improve the international and domestic work of DPAs.”
1.2 THE PHAEDRA PROJECT

The PHAEDRA project, funded by the European Commission, aims to support improved co-operation. PHAEDRA stands for “Improving Practical and Helpful cooperAtion bEtween Data pRotection Authorities”. The consortium’s key objective is to add value to, complement and support the initiatives of DPAs. The consortium comprises Vrije Universiteit Brussel (Belgium), Trilateral Research & Consulting (UK), Universidad Jaume I (Spain) and the Inspector General for Personal Data Protection (GIODO), the Polish Data Protection Authority.

PHAEDRA is a two-year project which began in January 2013. This report is the deliverable of Work Stream 1 (WS1). It reviews and summarises efforts to improve practical co-operation by DPAs as well as international organisations. It includes case studies of where two or more DPAs have investigated the same privacy issue and analyses whether co-operation would have helped. It identifies and evaluates existing mechanisms for co-operation between DPAs. It specifies and characterises different forms of co-operation and co-ordination between DPAs. It includes the results of a survey of 79 DPAs and interviews with a subset of those.2

WS2 reviews the legislation establishing DPAs to identify whether there are provisions that act as barriers or that inhibit international co-operation and co-ordination, and what measures could be taken to reduce such barriers. DPAs may tackle privacy conflicts with a criminal law dimension via mutual legal assistance treaties (MLATs), and some criminal law instruments are therefore discussed in Deliverable 2.1 as an illustration and a point of reflection.

In WS3, the PHAEDRA consortium has been in contact with DPAs to determine how our project could reinforce their efforts. The consortium aims to hold three workshops for DPAs, one in Europe, one in Latin America and one in the Asia-Pacific region. The consortium will co-ordinate its workshops with the GPEN meetings and the International Conference of Data Protection and Privacy Commissioners. The first workshop was held in conjunction with the 35th ICDPPC in Warsaw.

In WS4, the consortium will prepare its findings and recommendations for improving co-operation and co-ordination.

In addition, there are two other WSs, one devoted to project management and the other to dissemination activities.

2 The survey was sent to all DPAs (or equivalent authorities) that the PHAEDRA team were able to identify. The follow-up interviews were conducted with those DPAs that had expressed a willingness to participate in their response to the survey.
1.3 PROJECT OBJECTIVES

The principal objective of the PHAEDRA project is to help improve practical co-operation and co-ordination between DPAs, privacy commissioners and privacy enforcement authorities, especially in regard to the enforcement of privacy laws.

The consortium recognises that many DPAs face constraints, by way of human and/or budgetary shortages, institutional and legislative rules and other factors. Thus, the project has several sub-objectives, including these:
• To build on recent efforts to improve co-operation and co-ordination in the enforcement of privacy laws;
• To offer our services in investigating two key issues of concern to DPAs as "real life" case studies in how co-operation and co-ordination works or could work, or two other initiatives (within the same budget frame) that GPEN and/or the working group of the ICDPPC might find more useful;
• To prepare a final report of our findings and recommendations and to present those at the third workshop and at the final conference.
1.4 DEFINITIONS AND KEY TERMINOLOGY

1.4.1 Co-operation

By co-operation, we understand a range of activities, in different forms, undertaken between DPAs for various aims pertaining to the functions distinguished by Bygrave, Raab and Bennett (see below: DPAs).

Part 4 of Deliverable 2.1 distinguishes two main types of co-operation. First, co-operation aimed at the enforcement of privacy and data protection laws in cross-border cases (the “hard” type of co-operation). Secondly, “soft” types of co-operation:
• The setting of standards in one or more of the following fields: mutual recognition of binding corporate rules; co-ordination of policies in the enforcement of privacy and data protection laws; co-ordination of enforcement methods; sanctions;
• Mutual assistance between DPAs for the purpose of the establishment of other DPAs, the institutional strengthening of other DPAs, or the support of other DPAs in the implementation of privacy and data protection laws;
• Awareness-raising activities, with the aim of informing the public about privacy and data protection laws.

Part 4 of Deliverable 2.1 also distinguishes the following forms of co-operation that could be undertaken for both types of co-operation:
• Monitoring privacy and data protection laws in other countries;
• Sharing of standards and information;
• Training and staff exchanges;
• Projects between DPAs.

As regards the specific aim of the enforcement of privacy and data protection laws, part 4 of Deliverable 2.1 distinguishes the following forms of co-operation:
• Mutual legal assistance;
• Parallel or joint investigations;
• Mutual recognition.

1.4.2 Data protection authorities (DPAs)
1.4.2.1 No set definition of DPA
During the first PHAEDRA workshop, held during the 35th International Conference of Data
Protection and Privacy Commissioners (ICDPPC), from 23 to 26 September 2013 in Warsaw,
Blair Stewart, assistant Privacy Commissioner at the Office of the Privacy Commissioner of
New Zealand, said that there is no set definition of a DPA, which is “generally a multifaceted
regulator with statutory independence and a range of functions including enforcement.”’3
Philip Schütz refers to DPAs as independent regulatory agencies (IRA),4 defined by Thatcher
as
“a body with its own powers and responsibilities given under public law which is
organisationally separated from ministries and is neither directly elected nor managed by
elected officials”.5
1.4.2.2 A functional approach: DPA as an umbrella for actors undertaking a wide range of activities
Bygrave recalls that
“sight should not be lost of the fact that data protection authorities are not alone in monitoring, encouraging and/or enforcing the implementation of data protection laws. A great number of other bodies are involved, to varying degrees, in one or more of the same tasks, even if their participation is not always formally provided for in data protection instruments.”6
“At a national level, obvious examples of bodies that play an instrumental role in monitoring or enforcing data privacy law are parliamentary committees, ombudsmen, national auditing offices, and regulatory authorities with consumer protection as part of their remit. The role that the latter may play is demonstrated by the former UK Financial Services Authority (now Financial Conduct Authority) in respect of data security breaches. It is further demonstrated by the US FTC in respect of regulating deceptive business practices involving processing of personal data, and in enforcing particular sets of data privacy rules. Indeed, the FTC is now regarded as the de facto federal DPA for the USA. Although its field of competence is more restricted than is typical for European DPAs, its data privacy remit has expanded considerably over the past 15 years. [...] Last but not least, account must be taken of the judiciary. [...] Yet a remarkable characteristic of the field of data privacy law is that many national courts’ involvement in interpreting and enforcing statutory rules has been minor if not marginal, relative to the role played by DPAs. The same may be said with respect to the development of non-statutory rules.”7
3 Stewart, Blair, “Cooperation beyond DPAs”, presentation at the 1st PHAEDRA Workshop, Warsaw, 24 September 2013, http://www.phaedra-project.eu/wp-content/uploads/Blair-Stewart_-PHAEDRA.pdf
4 Schütz, Philip, “The Set Up of Data Protection Authorities as a New Regulatory Approach”, in Serge Gutwirth, Ronald Leenes, Paul De Hert & Yves Poullet (eds.), European Data Protection: In Good Health?, Springer, 2012, p. 128.
5 Thatcher, Mark, “Regulation after delegation: Independent regulatory agencies in Europe”, Journal of European Public Policy 2002, Vol. 9, No. 6, p. 956.
6 Bygrave, Lee A., Data Protection Law. Approaching Its Rationale, Logic and Limits, Kluwer Law International, The Hague / London / New York, 2002, p. 73.
7 Bygrave, Lee A., Data Privacy Law. An International Perspective, Oxford, Oxford University Press, 2014, pp. 177-179.
Bennett and Raab discuss seven roles of DPAs (see below: The doctrine about functions performed by DPAs) but add that:
“Not every function is played with equal weight by every commissioner. Nor are these functions the exclusive responsibility of the data protection agency; other central coordinating ministries and departments have important responsibilities for data protection policy in different states.”8
Thus, the qualification of an authority as a DPA does not depend on its being called a DPA, but rather on its powers to perform the functions distinguished by Bygrave, Raab and Bennett.
1.4.2.3 Independence of DPAs
Recital 62 of Directive 95/46/EC reads as follows:
“Whereas the establishment in Member States of supervisory authorities, exercising their functions with complete independence, is an essential component of the protection of individuals with regard to the processing of personal data;”
Article 28(1), second subparagraph, of Directive 95/46/EC provides that the supervisory authorities “shall act with complete independence in exercising the functions entrusted to them.”
Schütz referred to the lack of independence of DPAs as one of the ‘most pressing topics for DPAs’, which has already been scrutinised by the European Court of Justice.9 The criterion of independence is indeed not always met by institutions such as the US Federal Trade Commission, or by ministries such as the ‘Ministry of Communications and Information Technology’ in India.10 The Indian government has, however, reportedly planned to set up a DPA.11
In Japan, various government ministries are responsible for the oversight of the ‘Protection of Personal Information Act’ in specific sectors, under the supervision of the Consumer Affairs Agency.12 A new ‘independent’ DPA is, however, to be established in Japan from January 2014.13
Bygrave notes that its remit will initially be restricted to
“oversight of the identity number scheme set up under the 2013 Act on Use of Numbers to Identify Specific Individuals in Administrative Procedures (‘My Number’ Act). The scope of the agency’s mandate is to be reconsidered within one year after the Act’s entry into force (24 May 2016).”14
8 Bennett, Colin J. and Charles D. Raab, The Governance of Privacy: Policy Instruments in Global Perspective, Ashgate, 2003, p. 109.
9 Schütz, Philip, “The Set Up of Data Protection Authorities as a New Regulatory Approach”, in Serge Gutwirth, Ronald Leenes, Paul De Hert & Yves Poullet (eds.), European Data Protection: In Good Health?, Springer, 2012, p. 140; see also Lee A. Bygrave, Data Privacy Law. An International Perspective, Oxford, Oxford University Press, 2014, pp. 170-172.
10 Linklaters, Data Protected, https://clientsites.linklaters.com/Clients/dataprotected/Pages/India.aspx
11 Aulakh, Gulveen, “Government to set up Data Protection Authority to safeguard privacy”, The Economic Times, 20 February 2014, http://articles.economictimes.indiatimes.com/2014-02-20/news/47527222_1_privacy-bill-privacy-invasion-data-protection-authority
12 Miyashita, Hiroshi, “The evolving concept of data privacy in Japanese law”, International Data Privacy Law 2011, Vol. 1, No. 4, p. 233; Privacy Laws & Business, “New Data Protection Authority for Japan”, International e-news, 7 October 2013, http://www.privacylaws.com/Publications/enews/International-E-news/Dates/2013/10/New-Data-Protection-Authority-for-Japan/
13 Horibe, Masao, “A New Data Protection Authority in Japan”, 2013, http://www.digitalenlightenment.org/sites/default/files/201312A%20New%20Data%20Protection%20Authority%20in%20Japan%20by%20Masao%20Horibe.pdf
1.4.2.4 Distinction with Data Protection Officer (DPO)
The term DPA should be distinguished from the term ‘Data Protection Officer’ (DPO). Article 18(2) of Directive 95/46/EC empowers the Member States to introduce into their national law the appointment by the controller of a personal data protection official. Article 35 of the proposed GDPR introduces a mandatory data protection officer, to be designated by the controller and the processor where (a) the “processing is carried out by a public authority or body”; (b) “the processing is carried out by an enterprise employing 250 persons or more”; or (c) “the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects.” The tasks of the DPO are set out in Article 37 of the proposed GDPR. Germany was the first state to introduce a DPO, in 1977.15
1.4.2.5 A better term? ‘Data Privacy Agency’ (DPA) or ‘Privacy Enforcement Authority’ (PEA)
Noteworthy is Bygrave’s change of terminology, from ‘Data Protection Authority’ (in 2002) to ‘Data Privacy Agency’ (in 2014).16
The OECD Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy (2007) uses the term ‘privacy enforcement authority’ (PEA), which “means any public body, as determined by each Member country, that is responsible for enforcing Laws Protecting Privacy, and that has powers to conduct investigations or pursue enforcement proceedings.”17
The APEC ‘Cooperation Arrangement Cross-border Privacy Enforcement’ (2010)18 and the OECD ‘Global Privacy Enforcement Network’ (GPEN)19 use the same term. During the first PHAEDRA workshop, Blair Stewart observed that this definition is “similar to the narrower enforcement oriented definition of supervisory authority in [...] [Convention 108] and [Directive] 95/46/EC”, and that “[i]n addition to specialist privacy authorities, a PEA may include a general enforcer of, say, consumer or broadcasting laws which includes a privacy law”.20
14 Bygrave, Lee A., Data Privacy Law. An International Perspective, Oxford, Oxford University Press, 2014, p. 178, referring for more information to Miyashita, Hiroshi, “Japan’s new ID Number Act (2013)”, Privacy Laws & Business International Report 2013, No. 124, p. 16.
15 The website of the CNIL provides an interactive map that shows which countries allow the appointment of Data Protection Officers and gives an overview of their status, duties and powers: http://www.cnil.fr/english/topics/dpo-in-europe/
16 Bygrave, Lee A., Data Privacy Law. An International Perspective, Oxford, Oxford University Press, 2014, p. 3; Bygrave, Lee A., Data Protection Law. Approaching Its Rationale, Logic and Limits, Kluwer Law International, The Hague / London / New York, 2002, pp. 70-71.
17 OECD, Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy, Paris, 2007, http://www.oecd.org/internet/interneteconomy/38770483.pdf
18 APEC, Cooperation Arrangement Cross-border Privacy Enforcement, 2010/SOM1/ECSG/DPS/013, Data Privacy Subgroup Meeting, Hiroshima, Japan, 28 February 2010, p. 1, http://aimp.apec.org/Documents/2010/ECSG/DPS1/10_ecsg_dps1_013.pdf
19 OECD, Global Privacy Enforcement Network, https://www.privacyenforcement.net/
20 Stewart, Blair, “Cooperation beyond DPAs”, presentation at the 1st PHAEDRA Workshop, Warsaw, 24 September 2013, http://www.phaedra-project.eu/wp-content/uploads/Blair-Stewart_-PHAEDRA.pdf
In its reply to the first question of the first PHAEDRA questionnaire for DPAs,21 as regards areas for improved co-operation and co-ordination with other privacy commissioners and DPAs, the US FTC recommends
“referring to cooperation between ‘Privacy Enforcement Authorities’ as defined in the OECD Recommendation on Cross-border Cooperation in the Enforcement of Laws Protecting Privacy [...] This definition is broader than the phrase ‘Data Protection Authorities and Privacy Commissioners’ as that phrase is commonly understood. The APEC Cross-border Privacy Enforcement Arrangement (CPEA) and the Global Privacy Enforcement Network (GPEN) follow the OECD definition to facilitate privacy enforcement cooperation among all authorities involved in the protection of privacy laws, rather than among only Data Protection Authorities and Privacy Commissioners. Accordingly, we recommend a global substitution of ‘Privacy Enforcement Authorities’ for ‘Privacy Commissioners and DPAs’ or ‘Data Protection Authorities and Privacy Commissioners’.”
1.4.2.6 The doctrine about functions performed by DPAs
Bygrave
Bygrave states that:
“DPAs’ oversight functions typically encompass the handling of complaints by members of the public over the processing of personal data. It can also involve the auditing of the legality of data-processing operations independent of complaints. Additionally, the agencies are frequently expected to orient and advise governments, parliaments, private organizations, and the general public about data protection matters. Some DPAs are also responsible for oversight of FOI [Freedom of Information] regimes. DPA powers are often broad and largely discretionary. In most cases, the agencies are empowered to issue legally binding (although appealable) orders. In some jurisdictions, however, the agencies do not have such competence, or they have not had it in relation to certain sectors”.22
In that regard, Bygrave points to the numerous differences between data protection laws
“in terms of the monitoring and supervisory regimes they establish. The basic differences here relate to the powers of data protection authorities (e.g., some function as ombudsmen, others are able to issue legally binding orders) and, accordingly, the nature of the legal preconditions for processing personal data (e.g., some require mere notification, others require licensing).”23
As regards ‘Notification and Licencing Schemes’, Bygrave states that
“Most data protection laws lay down special rules to enhance the ability of data protection authorities to monitor the practices of data controllers. There are two main categories of such rules. [...] One category requires data controllers simply to notify data protection authorities of certain planned processing of personal information. [...] The second category of control/oversight scheme requires that data controllers must apply for and receive specific authorisation (in the form of a licence) from the relevant data protection authority prior to establishing a personal data register or engaging in a particular data-processing activity.”24
21 The two questionnaires for DPAs were developed by the consortium of the PHAEDRA project, and are available here: http://www.phaedra-project.eu/?page_id=37
22 Bygrave, Lee A., Data Privacy Law. An International Perspective, Oxford, Oxford University Press, 2014, pp. 169-170.
23 Bygrave, Lee A., Data Protection Law. Approaching Its Rationale, Logic and Limits, Kluwer Law International, The Hague / London / New York, 2002, p. 78.
Next, Bygrave addresses ‘Sanctions and Remedies’, stating that
“All data protection Acts stipulate a variety of sanctions and remedies for breach of their provisions. Provision is usually made for a combination of penalties (fines and/or imprisonment), compensatory damages and, where applicable, revocation of licenses and deregistration. Sometimes, strict/objective liability for harm is stipulated. Sometimes too allowance is made for the imposition of ongoing enforcement damages during the time in which a data controller fails to comply with the orders of a data protection authority. In many cases, compensation may be awarded for non-economic/immaterial injury (emotional distress) as well as economic loss. In a very few cases, allowance is made for class actions to be brought.”25
Bennett and Raab
Bennett and Raab discuss seven roles of DPAs: ombudsmen, auditors, consultants, educators, policy advisers, negotiators and enforcers.26
“Data Protectors as Ombudsman” refers to their responsibility to receive, investigate and resolve complaints from data subjects.27
“Data Protectors as Auditors” refers to general audits of a particular organization or of a particular technology.28
“Data Protectors as Consultants” refers to their powers to “give advice to individual data users on how to comply with data protection norms”.29
“Data Protectors as Educators” refers to the “analysis of wider privacy and surveillance questions and the continuous education of data users and data subjects” in order to “anticipate problems and encourage citizens to protect their own privacy”.30 Bennett and Raab make the following distinctions:
“To an increasing extent, many regulatory agencies see their roles not only in relation to public policy, ‘big issues’ and ‘big events’, but also in encouraging a culture of privacy protection throughout society, the economy, and government in an era of widespread adoption of new and privacy-invasive technologies. [...]
Other regulatory authorities devote considerable resources to producing guidelines and advice on paper and in electronic form, from public platforms, and through the mass media. [...]
In addition, of course, commissioners are expected to give frequent speeches and presentations concerning the importance of privacy. Furthermore, some agencies commission special studies relating to special privacy problems; others produce shorter and more frequent research publications on new technologies [...]”.31
24 Ibid., p. 75. Bygrave also notes that ‘Only a minority of countries operate, or have operated, with comprehensive authorisation/licencing regimes’; and that ‘data protection regimes in which licensing is the rule rather than exception do not conform with the Directive’ (p. 76).
25 Ibid., p. 77.
26 Bennett, Colin J., and Charles D. Raab, The Governance of Privacy: Policy Instruments in Global Perspective, Ashgate, 2003, pp. 107-116.
27 Ibid., p. 109.
28 Ibid., p. 110.
29 Ibid., p. 110.
30 Ibid., p. 111.
“Data Protectors as Policy Advisers” refers to their responsibility “to comment on the privacy implications of proposed legislation or on new automated personal record systems. [...] Commissioners also frequently give testimony on issues at hearings of legislatures, and publish their responses to government policy documents where privacy interests are affected”.32
“Data Protectors as Negotiators” refers to the negotiation of codes to “enhance the understanding of the privacy problem within different sectors.”33
“Data Protectors as Enforcers” refers to their power
“to order compliance with the privacy protection principles. Here there is a clear distinction between those authorities whose powers are limited to those of investigation and recommendation, and those that can mandate changes in behaviour. [...] Ultimate redress in most countries is vested in the courts [...] some countries have established small tribunals, ad hoc groups of experts that perform a quasi-judicial function.”34
1.4.2.7 European legislation about functions performed by DPAs
Bygrave finds that Directive 95/46/EC provides the most detailed treatment of the competence and functions of DPAs.35 Article 28 of Directive 95/46/EC, on the ‘Supervisory authority’, reads as follows:
‘1. Each Member State shall provide that one or more public authorities are responsible for monitoring the application within its territory of the provisions adopted by the Member States pursuant to this Directive.
These authorities shall act with complete independence in exercising the functions entrusted to them.
2. Each Member State shall provide that the supervisory authorities are consulted when drawing up administrative measures or regulations relating to the protection of individuals' rights and freedoms with regard to the processing of personal data.
3. Each authority shall in particular be endowed with:
- investigative powers, such as powers of access to data forming the subject-matter of processing operations and powers to collect all the information necessary for the performance of its supervisory duties,
- effective powers of intervention, such as, for example, that of delivering opinions before processing operations are carried out, in accordance with Article 20, and ensuring appropriate publication of such opinions, of ordering the blocking, erasure or destruction of data, of imposing a temporary or definitive ban on processing, of warning or admonishing the controller, or that of referring the matter to national parliaments or other political institutions,
- the power to engage in legal proceedings where the national provisions adopted pursuant to this Directive have been violated or to bring these violations to the attention of the judicial authorities.
Decisions by the supervisory authority which give rise to complaints may be appealed against through the courts.
4. Each supervisory authority shall hear claims lodged by any person, or by an association representing that person, concerning the protection of his rights and freedoms in regard to the processing of personal data. The person concerned shall be informed of the outcome of the claim.
Each supervisory authority shall, in particular, hear claims for checks on the lawfulness of data processing lodged by any person when the national provisions adopted pursuant to Article 13 of this Directive apply. The person shall at any rate be informed that a check has taken place.
5. Each supervisory authority shall draw up a report on its activities at regular intervals. The report shall be made public.
6. Each supervisory authority is competent, whatever the national law applicable to the processing in question, to exercise, on the territory of its own Member State, the powers conferred on it in accordance with paragraph 3. Each authority may be requested to exercise its powers by an authority of another Member State.
The supervisory authorities shall cooperate with one another to the extent necessary for the performance of their duties, in particular by exchanging all useful information.
7. Member States shall provide that the members and staff of the supervisory authority, even after their employment has ended, are to be subject to a duty of professional secrecy with regard to confidential information to which they have access.’
31 Ibid., pp. 111-112.
32 Ibid., p. 112.
33 Ibid., p. 113.
34 Ibid., pp. 113-114.
35 Bygrave, Lee A., Data Protection Law. Approaching Its Rationale, Logic and Limits, Kluwer Law International, The Hague / London / New York, 2002, p. 71.
Article 46 of the proposed GDPR provides that supervisory authorities are “responsible for monitoring the application of this Regulation and for contributing to its consistent application throughout the Union, in order to protect the fundamental rights and freedoms of natural persons in relation to the processing of their personal data and to facilitate the free flow of personal data within the Union.” The competence, duties and powers of DPAs are provided in Articles 51 to 54 of the proposed GDPR.
Article 1(1) of the Additional Protocol to Convention 108 is on ‘Supervisory authorities’ and provides that “Each Party shall provide for one or more authorities to be responsible for ensuring compliance with the measures in its domestic law giving effect to the principles stated in Chapters II and III of the Convention and in this Protocol.”
Article 12(1) of the Modernisation Proposals of Convention 108 reflects Article 1(1) of the Additional Protocol to Convention 108, and provides that “Each Party shall provide for one or more authorities to be responsible for ensuring compliance with the measures in its domestic law giving effect to the principles of this Convention.”
2 11 CASE STUDIES
This chapter comprises a set of case studies in which two or more DPAs have investigated the same issue (e.g., the hacking of Sony PlayStation, Google Buzz, Google Street View vehicles gathering Wi-Fi network data, Facebook’s collection of personal data for sale to third-party app developers and advertisers). The case studies focus not only on how improved co-operation would have been beneficial had it occurred, but also on instances where there has been co-operation (e.g., CNIL’s investigation of Google’s amalgamation of its different privacy policies). The chapter highlights the success of the Article 29 Working Party as a model of co-operation between DPAs, at least in regard to some issues (there have, of course, been calls for changes even to the Article 29 Working Party, which has led to the Commission’s proposal, in the proposed new Regulation, for the Article 29 Working Party to be replaced by a European Data Protection Board). The case studies provide some contextual background in each case and some conclusions.
In addition to the analysis contained in this report, an interactive timeline of all these cases can be found on the PHAEDRA project website.36
2.1 GOOGLE BUZZ
2.1.1 Overview
On 20 April 2010, 10 data protection authorities from around the world (Canada, Spain, Ireland, UK, Italy, Germany, New Zealand, France, the Netherlands and Israel) signed a letter to the CEO of Google, Eric Schmidt, demanding respect for the rules of privacy and personal data protection when launching new products and services.
2.1.2 Key events
The letter was presented publicly, on behalf of the other signatories, by the authorities of Canada, Spain and Israel at a press conference held on 20 April 2010 at the International Press Center in Washington, DC. It expressed the supervisory authorities’ deep concern about the threats to users’ privacy posed by the launch of the Google Buzz social network on 9 February 2010.
2.1.3 Forms of co-ordination
Jennifer Stoddart, Privacy Commissioner of Canada, who led this initiative, pointed out that the letter was the result of an unprecedented collaboration, not of a group of authorities from one specific region but of 10 authorities from four continents with very different orientations on the protection of privacy. The agreement between them was easy to reach, even though so many countries were involved: it showed common convictions about the privacy problems raised by Google Buzz and was, without doubt, an irreversible sign of the willingness of data protection authorities around the world to strengthen their international co-operation.37
36 http://www.phaedra-project.eu/?page_id=136
37 Stoddart, Jennifer, “Enforcing Privacy in the Online World”, Remarks at the IAPP Canadian Privacy Summit 2010, International Association of Privacy Professionals, 27 May 2010, http://www.priv.gc.ca/media/sp-d/2010/sp-d_20100527_e.asp
This joint action by authorities served to remind Google and other transnational organisations operating in the field of technology, and particularly the Internet, of their obligation to comply with the relevant national data protection laws when deploying their online products and services.
Data protection and privacy authorities were shown to be particularly concerned that “too often, the privacy rights of the world’s citizens are being forgotten as Google rolls out new technological applications”. In particular, they said that the manner in which Google had carried out the deployment of Buzz “has led to a disappointing disregard for fundamental laws and regulations on privacy”.38
The data protection authorities recalled that Gmail, an individual and private web e-mail service used by 146 million users, had been merged with a new social network service (Google Buzz) that automatically assigned to each user a network of “followers” drawn from the people with whom they corresponded most often on Gmail. Gmail users were allocated to a network of followers without being properly informed about how the new service operated and without sufficient information to enable informed consent. This was a clear violation of the basic data protection principle that individuals retain control over their personal information.
The letter signed by the data protection authorities urged Google to set an example as a leader in the Internet industry and reiterated the authorities’ demands that the right to privacy be guaranteed in the design and launch of new products and services, according to the following rules39: (1) collect and process only the minimum amount of data necessary to achieve the specific objectives of the product or service; (2) provide users with clear and unambiguous information about how personal information will be used, so as to enable adequately informed consent; (3) design products with privacy-protective default settings; (4) ensure that privacy control tools are easy to use; (5) ensure adequate protection of personal data; and (6) provide users with simple procedures for responding to their requests and deleting their accounts.
On 30 March 2011, the US Federal Trade Commission announced that Google had agreed to settle FTC charges that it used deceptive tactics and violated its own privacy promises to consumers when it launched Google Buzz in 2010. The FTC alleged that Google’s practices had violated the FTC Act and proposed a settlement barring the company from future privacy misrepresentations, requiring it to implement a comprehensive privacy program, and calling for regular, independent privacy audits for the next 20 years. It was the first time an FTC settlement had ordered a company to implement a comprehensive privacy program to protect the privacy of consumers’ information.40
2.1.4 Conclusions
This case (and the similar case relating to Google Glass, see below) suggests that co-ordinated expressions of shared concern on the part of voluntary groups of DPAs are possible, but that such measures do not always involve all parties that may have concerns or the potential to bring enforcement processes (in this case the US FTC). A collectively signed letter is a relatively minor form of co-operation, with potentially limited impact; however, it does show some agreement on the key issues relating to a new service or technology.
38 http://www.priv.gc.ca/media/nr-c/2010/let_100420_e.asp
39 http://www.agpd.es/portalwebAGPD/revista_prensa/revista_prensa/2010/notas_prensa/common/abril/100420_Final_joint_letter_eng.pdf
40 http://www.ftc.gov/opa/2011/03/google.shtm. On 24 Oct 2011, following a public comment period, the FTC accepted as final the proposed settlement related to the Google Buzz case: http://ftc.gov/opa/2011/10/buzz.shtm
2.2 GOOGLE STREET VIEW
2.2.1 Overview
Street View41 is a Google service that provides panoramic images of public streets around the world, obtained by Google cars that have been photographing streets since 2008.
On 22 April 2010, the Hamburg Data Protection Authority found that, in addition to cameras and antennas, Google cars carried software that collected wireless network information from Wi-Fi routers.
Initially, Google said that it only collected publicly broadcast SSID information (the Wi-Fi network name) and MAC addresses (the unique number given to a device such as a Wi-Fi router), but not payload data (information sent over the network). Google eventually admitted that it was “clear that we have been mistakenly collecting samples of payload data from open (i.e., non-password-protected) WiFi networks”.
2.2.2 Sequence of key events
22 April 2010
27 April 2010
5 May 2010
14 May 2010
14­16 May 2010
19 May 2010
19 May 2010 –
21 Sept 2010
19 May 2010 –
17 June 2010
21 May 2010 –
10 Nov 2010
28 May 2010
3 June 2010
8 June 2010
9 June 2010
The Hamburg DPA discovers that Google Street View cars carried
software that collected wireless network information.
Google says that its cars only collected SSID data (i.e., the network
name) and MAC address (a unique number given to a device like a
WIFI router).42
The Hamburg DPA asks Google to audit the Wi­Fi data that Google
Street View cars collected
In its blog, Google admits that Street View cars had been collecting
samples of payload data from open (i.e., non­password­protected) Wi­Fi
networks.43
The Irish data protection authority asks Google to delete the collected
payload data in Ireland.
The Spanish data protection agency (AEPD) opens an inspection and
ordered Google to block payload data collected from Wi­Fi networks in
Spain.
The Italian DPA starts a prosecution against Google Street View and
orders Google to stop collecting Wi­Fi data.
CNIL starts an investigation of Google and announces that Google has
collected e­mails and passwords.
The Electronic Privacy Information Center (EPIC) asked the US Federal
Communications Commission (FCC) to launch an investigation on
Google and the FCC does so.
Austria starts an investigation and bans Street View cars.
The Hungarian DPA announces an investigation of Google Street View.
Google delivers a written undertaking to the Hong Kong DPA
announcing that Street View cars stopped activities.
Google made public a third­party report which confirms that it did
41
http://maps.google.es/intl/es/help/maps/streetview/
http://googlepolicyeurope.blogspot.com.es/2010/04/data­collected­by­google­cars.html
43
http://googleblog.blogspot.com.es/2010/05/wifi­data­collection­update.html
42
20
21 July 2010
11 Aug 2010
18 Oct 2010 ­
…
19 Oct 2010
27 Oct 2010
3 Nov 2010
13 Dec 2010
21 Mar 2011
21 Mar 2011
13 Apr 2012
12 June 2012
27 July 2012
23 January 2013
22 Apr 2013
indeed collect and store payload data from unencrypted Wi­Fi networks.
Attorneys General from 38 US states start an investigation into Google's
activities.44
The ICO reports that there is no evidence that Google caused any detriment
to any individual.45
The Spanish Data Protection Agency opens an infringement proceeding46
against Google.47
The Canadian Privacy Commissioner determines that Google Street View cars
breached Canadian privacy law and recommends stronger controls and privacy
training.48
The FTC ends its investigation of Google Street View.
The UK Information Commissioner's Office (ICO) concludes that Google
Street View cars breached the Data Protection Act 1998.49
The New Zealand Privacy Commissioner announces that Google breached NZ's
data protection law.50
The French data protection authority, CNIL, fines Google €100,000.51
The FCC fines Google $25,000 for lack of co-operation in the Street View
investigation.
The ICO reopens its investigation of the Google Street View case.
Google informs the ICO that it has retained payload data, and the ICO
decides to examine it.
Google agrees to pay $7 million, as a civil penalty and for other purposes,
to the Attorneys General of 38 US states and the District of Columbia for
its collection of personal data via Street View vehicles in the US.52
The Hungarian DPA delivers a final statement on Google Street View
activities in Hungary, outlining all the requirements to be fulfilled for
the data processing to be legitimate and acceptable.53
Hamburg's DPA fines Google €145,000 for the data it collected through
unencrypted Wi-Fi connections during Street View operations in 2008-2010.54
11 June 2013: The ICO serves Google with an enforcement notice requiring
the destruction of the payload data collected by Google's Street View cars
in the UK.55
44 http://www.ct.gov/ag/cwp/view.asp?A=2341&Q=463406
45 http://www.ico.org.uk/news/latest_news/2010
46 The opening of an infringement proceeding by the Spanish Data Protection Agency (AEPD) followed the
conclusion of the investigations carried out by the AEPD's inspection, which had revealed signs of the
commission of a total of five infringements – two serious and three very serious – of the Spanish Data
Protection Act. Two of them were attributable to Google Inc. in its capacity as the party responsible for
providing the service and designing the software that collects data for the Street View service. The other
three were attributable to Google Spain, in its role as the party responsible for collecting and storing data
in Spain and for transferring them to the United States, as well as for being the company's representative
in Spain.
http://www.agpd.es/portalwebAGPD/revista_prensa/revista_prensa/2010/notas_prensa/news/2010_10_18-ides-idphp.php
47 The AEPD transferred the final inspection report to Court of Instruction No. 45 of Madrid and, in
accordance with Spanish administrative procedure law, suspended the disciplinary proceedings pending the
decision of the Court.
http://www.agpd.es/portalwebAGPD/revista_prensa/revista_prensa/2010/notas_prensa/news/2010_10_18-ides-idphp.php
48 http://www.priv.gc.ca/media/nr-c/2010/nr-c_101019_e.asp
49 http://www.ico.org.uk/news/latest_news/2010
50 http://privacy.org.nz/news-and-publications/statements-media-releases/media-release-google-agrees-to-protect-privacy-better/
51 http://www.cnil.fr/english/news-and-events/news/article/google-street-view-cnil-pronounces-a-fine-of-100000-euros/
52 http://www.ct.gov/ag/lib/ag/press_releases/2013/20130312_google_avc.pdf
53 http://www.naih.hu/files/Adatvedelem-NAIH-5711-162012B-Google-SV.pdf
2.2.3 Reasons for investigation
DPAs around the world (Australia, Austria, Belgium, Canada, Czech Republic, France,
Germany, Greece, Hong Kong, Ireland, Italy, Netherlands, New Zealand, Spain, Switzerland,
UK, US, etc.) opened investigations into Google from 14 May 2010 onwards concerning the
collection and storage, without consent, of Wi-Fi networks' location data and of the payload
data associated with them by the vehicles used to photograph streets for the Street View
service.56
The main legal bases for opening inspections were the breach of the principles governing the
processing of personal data (processing without the consent of the data subject and not
authorised by law) and the absence of guarantees for the international transfer of the data to
the United States.
The opening of investigations in so large a number of countries, on almost every continent,
was driven by the following:
 The vast extension of the Street View service, to more than 30 countries, had earlier
required the presence of Street View cars photographing streets and potentially storing
personal information emitted by wireless networks.
 Google's explicit acknowledgement that it had collected and stored personal information
relating to Wi-Fi networks (from network identifiers to the content of network
communications) was an unavoidable invitation to inspect.
 Although Google claimed that the collection was an error, DPAs needed to establish
whether Google had actually intended to collect and store information from wireless
networks, and what the final use of that information was.
2.2.4 Findings of investigation
Investigations verified that Google's vehicles had collected and stored personal data of
diverse kinds transmitted over open Wi-Fi networks. Among the types of personal data
transmitted over these networks, it was established that Google had collected and stored
e-mail addresses, together with first names and surnames; addresses associated with e-mail
messages and instant messaging; and credentials for social network accounts and websites,
i.e., user names and passwords, with personal data identifying their owners and, in some
cases, giving access to sensitive data.
Furthermore, it was established that Google had collected the location and identification data
of the wireless networks: the SSID (the identifier or name of the Wi-Fi network), which in
some cases contained the real name of the subscriber; the MAC addresses identifying the
router and the connected devices; and the geographic position at which they were collected. In
addition, it was verified that Google had transferred the personal data to the United States
without demonstrating compliance with the guarantees required to obtain DPA authorisation
for such international transfers.
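The distinction at the heart of these findings, between the network identifiers Google initially admitted collecting (SSID and MAC address, which every access point broadcasts in its beacon frames) and the payload it later acknowledged (data frames on networks that use no encryption), is visible directly in raw IEEE 802.11 frames. The following is an added example and not code from the report or from Google's Street View software: a small Python parser, run over a constructed capture of four frames (not real traffic), that extracts SSID and BSSID from beacons, reads the beacon's Privacy capability bit to tell open from password-protected networks, and classifies data frames by the Protected Frame bit so that only frames from open networks yield readable payload. The frame builders, MAC addresses, SSIDs and payload strings are all assumptions made up for the example.

```python
import struct
from dataclasses import dataclass

# Frame Control byte 0: version(2 bits) | type(2) | subtype(4); byte 1: flags.
FC_TYPE_MGMT, FC_TYPE_DATA = 0, 2
SUBTYPE_BEACON = 8
FLAG_TO_DS, FLAG_FROM_DS, FLAG_PROTECTED = 0x01, 0x02, 0x40
CAP_PRIVACY = 0x0010   # beacon capability bit: network requires WEP/WPA encryption
MAC_HDR_LEN = 24       # FC(2) Duration(2) Addr1..3(18) SeqCtl(2)
IE_SSID = 0            # information element tag for the SSID

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

@dataclass
class Observation:
    kind: str                   # beacon | open_payload | protected_payload | other
    bssid: str
    ssid: str = ""
    open_network: bool = False  # beacons only: Privacy capability bit clear
    payload: bytes = b""        # filled only for data frames on open networks

def parse_frame(raw: bytes) -> Observation:
    """Classify one raw 802.11 MAC frame (no radiotap header, no FCS)."""
    if len(raw) < MAC_HDR_LEN:
        raise ValueError("frame shorter than 802.11 MAC header")
    fc0, fc1 = raw[0], raw[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    addr1, addr2, addr3 = raw[4:10], raw[10:16], raw[16:22]
    if ftype == FC_TYPE_MGMT and subtype == SUBTYPE_BEACON:
        # Fixed body: timestamp(8) beacon interval(2) capability(2), then IEs.
        cap = struct.unpack_from("<H", raw, MAC_HDR_LEN + 10)[0]
        ies, ssid, i = raw[MAC_HDR_LEN + 12:], "", 0
        while i + 2 <= len(ies):
            tag, ln = ies[i], ies[i + 1]
            val = ies[i + 2:i + 2 + ln]
            if len(val) < ln:
                break               # truncated IE: stop rather than misparse
            if tag == IE_SSID:
                ssid = val.decode("utf-8", "replace")
                break
            i += 2 + ln
        return Observation("beacon", mac_str(addr3), ssid, not (cap & CAP_PRIVACY))
    if ftype == FC_TYPE_DATA:
        ds, hdr = fc1 & (FLAG_TO_DS | FLAG_FROM_DS), MAC_HDR_LEN
        if ds == FLAG_TO_DS:        # station -> AP: Addr1 is the BSSID
            bssid = addr1
        elif ds == FLAG_FROM_DS:    # AP -> station: Addr2 is the BSSID
            bssid = addr2
        elif ds == 0:               # ad hoc (IBSS): Addr3 is the BSSID
            bssid = addr3
        else:                       # WDS: 4-address header; report the transmitter
            bssid, hdr = addr2, hdr + 6
        if subtype & 0x8:           # QoS Data subtypes add a 2-byte QoS Control field
            hdr += 2
        if fc1 & FLAG_PROTECTED:    # body is a WEP/TKIP/CCMP header plus ciphertext
            return Observation("protected_payload", mac_str(bssid))
        return Observation("open_payload", mac_str(bssid), payload=raw[hdr:])
    return Observation("other", mac_str(addr3))

def audit(frames) -> dict:
    """Summarise what a survey that kept whole frames would have retained."""
    obs = [parse_frame(f) for f in frames]
    networks = {o.bssid: {"ssid": o.ssid, "open": o.open_network}
                for o in obs if o.kind == "beacon"}
    open_payload = [o for o in obs if o.kind == "open_payload"]
    return {"networks": networks,
            "open_payload_frames": len(open_payload),
            "open_payload_bytes": sum(len(o.payload) for o in open_payload),
            "protected_frames": sum(o.kind == "protected_payload" for o in obs)}

# Constructed sample capture: assumed addresses and payloads, not real traffic.
def _beacon(bssid: bytes, ssid: str, privacy: bool) -> bytes:
    hdr = bytes([0x80, 0x00]) + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0001 | (CAP_PRIVACY if privacy else 0))
    return hdr + fixed + bytes([IE_SSID, len(ssid)]) + ssid.encode()

def _data(bssid: bytes, src: bytes, dst: bytes, payload: bytes, protected: bool) -> bytes:
    flags = FLAG_TO_DS | (FLAG_PROTECTED if protected else 0)
    hdr = bytes([0x08, flags]) + b"\x00\x00" + bssid + src + dst + b"\x00\x00"
    if protected:  # stand-in for a CCMP header plus ciphertext; not real encryption
        payload = bytes(8) + bytes(b ^ 0x5A for b in payload)
    return hdr + payload

AP_OPEN, AP_WPA = b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02"
STA, GATEWAY = b"\x02\x00\x00\x00\x00\x10", b"\x02\x00\x00\x00\x00\xfe"
SAMPLE_FRAMES = [
    _beacon(AP_OPEN, "Smith Family WiFi", privacy=False),  # SSID naming a person
    _beacon(AP_WPA, "cafe-secure", privacy=True),
    _data(AP_OPEN, STA, GATEWAY, b"POST /login user=alice&pass=hunter2", False),
    _data(AP_WPA, STA, GATEWAY, b"POST /login user=bob&pass=secret", True),
]

if __name__ == "__main__":
    print(audit(SAMPLE_FRAMES))
```

Running the module prints the audit summary for the constructed capture: two networks, one of them open with an SSID that names a person, one readable payload frame carrying what looks like a login form, and one protected frame whose body is ciphertext. The point an investigator would check is that a collector which keeps whole frames, rather than stripping each frame down to the addresses in its 802.11 header, retains the payload of every open network it drives past, and the Privacy bit in the beacon already tells it which networks those are before a single data frame is seen.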
54 http://www.datenschutz-hamburg.de/fileadmin/user_upload/documents/PressRelease_2013-04-22_Google-Wifi-Scanning.pdf
55 http://www.ico.org.uk/news/latest_news/2013/google-faces-further-action-from-ico-over-wi-fi-data-collection-21062013
56 An updated explanation can be found at http://epic.org/privacy/streetview/
2.2.5 Forms of co-operation
The Street View Wi-Fi case is the best example of a lack of co-operation or co-ordination
among DPAs, and it demonstrated a clear need to develop co-operation tools for investigating
breaches of data protection law caused by Internet companies.
All DPAs that opened investigations adopted their own strategies and resolutions, according
only to their own legal framework.
All DPAs that initiated investigations had to resolve, according to their own technical criteria,
similar issues, including the following:
1. ordering the deletion or blocking of the personal data stored by Google;
2. requiring Google to provide a copy of the data stored on its servers;
3. analysing the technical devices in the Street View cars that collected data from wireless
networks;
4. determining, from the software installed in the Street View cars, whether Google intended
to store the data.
Google facilitated the investigations initiated by DPAs by giving remote access to its servers
so that each DPA could analyse the personal data from its own country, but made it difficult
for each DPA to obtain copies of the data (although they finally received the copies they
requested). Each DPA had to conduct its own legal analysis to determine whether national data
protection law had been violated:
 determining whether the information stored by Google was personal data permitting the
identification of natural persons, particularly the SSID (the Wi-Fi network name) and MAC
addresses (the unique number given to a device such as a Wi-Fi router);
 determining the legal relevance of the wireless networks' lack of protection (the absence
of access passwords): whether that information should be considered public, and whether
that excludes Google's responsibility for collecting it;
 determining the respective responsibilities of Google and its subsidiaries in each country
that facilitated the Street View cars' activity;
 determining whether the legal guarantees protecting data transfers from each country to
Google's servers in the USA had been violated.
Co-operation between DPAs in the inspections was limited to informal and bilateral contacts
among some DPAs (Canada, Germany, France, Spain and the Netherlands) to share views on
purely technical aspects of the investigation. These exchanges had to respect the
confidentiality provisions of each national law. There were also informal discussions, outside
the Article 29 Working Party agenda, to determine the implications of the results of the
investigations in the framework of the European Directive.
The lack of formal co-operation mechanisms, and of any harmonisation of the investigations
and of the legal implications of their results, produced a clear divergence in the DPAs' actions
around the world, which can be categorised as follows:
 Inactivity on the part of most DPAs, which, even without starting any inspection activity,
ordered Google to delete all data collected in their country.
 Resolutions that adopted investigation procedures but concluded with agreements with
Google on improvements to its future activity, without imposing any sanction.
 Sanction procedures and fines.
2.2.6 Conclusions
From this case study, we draw the following conclusions:
 There is no global system of co-ordination among DPAs that enables them to co-ordinate
investigations of identical breaches in different countries.
 There is no global system of co-operation among DPAs for harmonising legal criteria and
adopting identical resolutions on identical facts.
 Even the current European system under the Data Protection Directive, which gives
interpretative functions to the Article 29 Working Party, does not prevent divergence among
national DPAs, which are able to adopt different resolutions on identical breaches: no
investigation at all, an agreement with the controller, or an effective economic sanction.
 Limitations set forth in national laws (e.g., confidentiality provisions) make effective
co-ordination of investigation procedures on identical breaches difficult or impossible.
 Google benefited from the absence of global co-ordination mechanisms to establish a
single, direct and bilateral relationship with each DPA. This generated confusion (about the
possibility of obtaining a copy of the data stored on Google's servers in the USA) and led
some DPAs to make rash decisions (such as ordering the immediate deletion of the stored
data).
 The plurality of enforcement bodies with investigating or sanctioning powers (DPAs,
prosecutors, judges, police, etc.) in the Street View Wi-Fi case weakens the credibility of an
effective guarantee of data protection, but it also shows that DPAs have a greater technical
capacity and are sometimes able to react quickly to privacy infringements.
2.3 CNIL'S INVESTIGATION OF GOOGLE'S PRIVACY POLICY
2.3.1 Overview
The case concerns an investigation led by the Commission nationale de l'informatique et des
libertés (CNIL), on behalf of the Art. 29 WP, into Google's new privacy policy, introduced in
2012 to merge and consolidate different privacy policies into a single document. The new
privacy policy would expand Google's data mining activities by allowing it to combine users'
personal data from different accounts and services, including Gmail, Google+ and YouTube,
with no possibility to opt out.57 The WP29 ended its investigation on 16 October 2012.
However, Google did not sufficiently comply with the WP29's recommendations. Therefore,
on 27 February 2013, the WP29 established a task force of six DPAs, led by CNIL. Following
unsuccessful meetings between Google and the task force, its members launched their own
investigations into the compliance of Google's privacy policy with national legislation.
2.3.2 Sequence of key events
24 January 2012: Google announces its new privacy policy to merge and consolidate
different privacy policies into a single document.
2 February 2012: WP29 informs Google that it is preparing an analysis of the new privacy
policy under European data protection legislation, notably the Data Protection Directive
95/46/EC and the ePrivacy Directive 2002/58/EC. The WP29 also asks Google to suspend
application of the new privacy policy and informs Google that CNIL will represent the WP29.
This choice can be explained by the fact that the headquarters of Google Europe are in
Paris.58
3 February 2012: Google replies to the letter of 2 February 2012, refusing to postpone the
posting of the new privacy policy, as DPAs have already been pre-briefed and Google account
holders have already been informed of its launch on 1 March 2012.59
27 February 2012: CNIL sends a letter to Google in which it shares the preliminary findings
of the investigation and reiterates its request to delay the implementation of the privacy
policy.60 The CNIL announces that it will send a questionnaire on the matter to Google
before mid-March 2012.
28 February 2012: - Google replies to the CNIL's letter of 27 February 2012 that it will
maintain the implementation of the privacy policy for the same reasons as explained in its
letter of 3 February 2012. Google also indicates that it would like to be heard by the
WP29.61
- The Asia Pacific Privacy Authorities (APPA) send their findings to Google.62
1 March 2012: Google's new privacy policy enters into force.
16 March 2012: CNIL sends a letter to Google with an attached questionnaire (69 questions),
prepared in collaboration with all European DPAs, to obtain clarifications on the privacy
policy.63 Google is asked to reply before 5 April 2012, with the promise that its responses
will be kept confidential unless Google explicitly authorises the CNIL to publish them.
5 April 2012: Google replies to questions 1 to 24 of the questionnaire sent by CNIL on
16 March 2012.64 Google also attaches an 'Appendix on Examples of contextual notices in
Google products',65 announces that it will publish its replies to the questionnaire, and
reiterates its wish to meet the CNIL and to be heard by the WP29.
20 April 2012: Google has now responded to all the questions of the questionnaire sent by
CNIL on 16 March 2012.66 Google asks again for a meeting with the CNIL and the WP29,
and questions the legal basis for the WP29 to act as a regulatory body, or to mandate the
CNIL to conduct a regulatory review on behalf of other DPAs. Google also questions the
applicable law, process and ultimate goal of the review.
22 May 2012: CNIL sends a letter to Google with, in annex, some questions that require more
precise and comprehensive answers.67 Google is asked to reply by 8 June 2012. CNIL also
says that it would be able to clarify its questions if needed during its meeting with Google on
23 May 2012.
21 June 2012: Google replies to the questions annexed to the CNIL's letter of 22 May 2012,
and questions once more the applicable law for the review, as well as the nature of the legal
basis for any possible recommendations or conclusions.68
19 September 2012: CNIL meets a representative of Google to present the evaluation of the
analysis of the WP29 and the recommendations that may ensue from it.
57 Cunningham, Bryan, "Google's collision course with member states", EU Observer, 8 April 2013,
http://euobserver.com/opinion/119727
58 Article 29 Data Protection Working Party, Letter to Google of 2 February 2012,
http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2012/20120202_letter_google_privacy_policy_en.pdf
59 Google, letter to CNIL of 3 February 2012,
https://docs.google.com/file/d/0B8syaai6SSfiMDEyM2Q3YmEtNWUxZi00Mzc2LTljMTktZmExYjc0M2IyZWVh/edit?hl=en_US
60 CNIL, Letter to Google of 27 February 2012,
http://www.cnil.fr/fileadmin/documents/en/Courrier_Google_CE121115_27-02-2012.pdf
61 Google, letter to CNIL of 28 February 2012,
https://docs.google.com/file/d/0Bw8Krj_Q8UaEczVuWGEwWFhTSkdZZ0MyU0NQRGptQQ/edit?pli=1
62 APPA, Changes to Google's Privacy Policy, Letter to Google of 28 February 2012,
https://www.privacy.vic.gov.au/privacy/web2.nsf/files/appa-technology-working-group-letter-to-google/$file/appa_letter_to_google_02_2012.pdf
63 CNIL, Letter to Google of 16 March 2012,
http://www.cnil.fr/fileadmin/documents/La_CNIL/actualite/questionnaire_to_Google-2012-03-16.pdf
64 Google, letter to CNIL of 5 April 2012, http://rms3647.typepad.com/files/france-google.-1.pdf
65 Google, Appendix 2, Examples of contextual notices in Google products, 5 April 2012,
https://docs.google.com/file/d/0B8syaai6SSfiVDNURHBqeG1TVUNzUzlBM1czSFJYUQ/edit
66 Google, letter to CNIL of 20 April 2012, p. 4,
https://docs.google.com/file/d/0B8syaai6SSfiSUhFMHVpMmhFUG8/edit
67 CNIL, letter to Google of 22 May 2012,
http://www.cnil.fr/fileadmin/documents/en/Letter_CNIL_to_Google_22_May_2012.pdf
68 Google, letter to CNIL of 21 June 2012, p. 1,
https://docs.google.com/file/d/0B8syaai6SSfiM2hmS2xjY2tzV0k/edit
12 October 2012: APPA supports the findings of the WP29.69
16 October 2012: - WP29 sends a letter to Google, signed by the 27 EU Member States, with
practical recommendations in an appendix, to bring Google into compliance with European
data protection legislation.70 WP29 also asks Google to send a response to the CNIL about
the planned timing and methods for implementing the recommendations.
- The Office of the Privacy Commissioner of Canada (OPC) sends a letter to CNIL in support
of the findings of the WP29.71
21 November 2012: CNIL reminds Google to comply with the recommendations in the letter
of 16 October 2012 by 15 February 2013.
13 December 2012: Google acknowledges receipt of the CNIL's letter of 21 November 2012.
8 January 2013: Google informs the WP29 of certain observations on the letter of
16 October 2012, and asks for a meeting with the WP29.
26 February 2013: At the plenary meeting of the WP29, it is decided to establish a task force
of six DPAs, led by CNIL and including Germany, Italy, Spain, the UK and the
Netherlands.72
28 February 2013: CNIL informs Google that it is still not complying, and that the task force
will meet on 19 March 2013.
6 March 2013: Google asks the CNIL for information about the organisation and legal
framework of the task force meeting of 19 March 2013.
8 March 2013: CNIL replies to Google's letter of 6 March 2013.
19 March 2013: The task force meets with representatives of Google. However, following the
meeting, Google does not implement any significant measures.73
26 March 2013: In a letter, Google announces the implementation of certain measures to
improve users' data protection.
29 March 2013: CNIL plans an audit of Google, asks the WP29 for all documents related to
Google's privacy policy, and seeks the co-operation of the task force, in particular through
exchanges of information under Article 28(6) of Directive 95/46/EC. Thus, CNIL plans an
investigation into the compliance of Google's privacy policy with national legislation, but as
"part of an international administrative cooperation".74
2 April 2013: - CNIL notifies Google that it is planning an audit of Google, and that CNIL's
powers of investigation might involve exchanges with other DPAs and the WP29.
- The five other members of the task force announce that they will conduct their own
investigations into the compliance of Google's privacy policy with national legislation.
9 April 2013: - WP29 sends all documents to CNIL, as requested by CNIL on 29 March 2013.
- Google asks the task force whether the task force will remain its point of contact.
17 April 2013: CNIL replies to Google, on behalf of the task force, that Google will also have
to reply to each of the task force members in relation to their own investigations; that
information might be shared between the DPAs; and that information addressed to the task
force will be distributed among all WP29 members.
10 June 2013: CNIL issues a formal notice against Google to bring its privacy policies into
compliance with the French Data Protection Act within three months, at risk of a fine.75
13 June 2013: The executive committee of the CNIL decides to make public the decision of
10 June 2013 to issue a formal notice against Google.76
20 June 2013: CNIL announces that "France, Spain, the U.K. at the start of next week and
Germany at the end of next week will all take a formal and official decision to start repressive
proceedings against Google, and a second salvo will come from Italy and the Netherlands by
the end of July."77
Google maintains that the French Data Protection Act "was not applicable to the data
processing in question and that the CNIL was therefore not competent to initiate punitive
action in this case".78
11 October 2013: The CNIL shares a report with Google in which the rapporteur of the CNIL
states that Google has not satisfied the terms of the formal notice of 10 June 2013; requests
the Sanctions Committee of the CNIL to impose a financial penalty of €150,000 on Google
and to make this decision public; and states that the Google case is on the agenda of the
Sanctions Committee for 19 December 2013.79
28 November 2013: The Dutch Data Protection Authority publishes the findings of its
investigation into the compliance of Google's privacy policy with Dutch data protection law.
It finds violations and plans a hearing with Google, following which it will decide on
enforcement actions, including the imposition of sanctions.80
29 November 2013: Google states to Bloomberg BNA that it has "engaged fully with the
Dutch DPA throughout this process and will continue to do so going forward."81
13 December 2013: Google supplies written comments on the report of the rapporteur of the
CNIL of 11 October 2013.82
19 December 2013: The Google case is on the agenda of the Sanctions Committee of the
CNIL.83 During the meeting, Google reiterates its comments of 13 December 2013 on the
report of the rapporteur of the CNIL of 11 October 2013. Google essentially contests the
applicability of the French Data Protection Act and the competence of the CNIL to issue a
formal notice and initiate sanctions procedures against Google.84
19 December 2013: The Spanish DPA finds three breaches of Spanish data protection law by
Google's privacy policy, and imposes a fine of €300,000 for each breach.85
3 January 2014: CNIL's Sanctions Committee imposes a fine of €150,000 on Google, rules that
the decision will be made public on the website of the CNIL, and orders Google to publish a
communiqué on this decision on the homepage www.google.fr for 48 hours, within 8 days of
its notification.86
69 APPA, Letter to WP29 of 12 October 2012,
http://www.cnil.fr/fileadmin/documents/en/APPA_SUPPORT_LETTER-Article_29_Letter.pdf
70 WP29, Letter to Google of 16 October 2012,
http://www.cnil.fr/fileadmin/documents/en/20121016-letter_google-article_29-FINAL.pdf ; Appendix, Google
privacy policy: main findings and recommendations, 16 October 2012,
http://www.cnil.fr/fileadmin/documents/en/GOOGLE_PRIVACY_POLICY-_RECOMMENDATIONS-FINAL-EN.pdf
71 OPC, Letter to the French Data Protection Authority Regarding its Review of Google's Privacy Policy,
16 October 2012, http://www.priv.gc.ca/media/nr-c/2012/an_121016_e.asp
72 WP29, Google's privacy policy: European data protection authorities are coordinating their enforcement
actions, press release, Brussels, 27 February 2013,
http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/20130227_pr_google_privacy_policy_en.pdf
73 CNIL, Google privacy policy: six European data protection authorities to launch coordinated and
simultaneous enforcement actions, 2 April 2013,
http://www.cnil.fr/english/news-and-events/news/article/google-privacy-policy-six-european-data-protection-authorities-to-launch-coordinated-and-simultaneo/
74 CNIL, CNIL orders Google to comply with the French Data Protection Act, within three months, 20 June
2013,
http://www.cnil.fr/english/news-and-events/news/article/cnil-orders-google-to-comply-with-the-french-data-protection-act-within-three-months/
75 CNIL, Decision of 10 June 2013,
http://www.cnil.fr/fileadmin/documents/en/D2013-025_10_Jun_2013_GOOGLE_INC_EN.pdf
76 CNIL, Deliberation No. 2013-420 of the Sanctions Committee of CNIL imposing a financial penalty against
Google Inc, 3 January 2014, p. 3, http://www.cnil.fr/fileadmin/documents/en/D2013-420_Google_Inc_EN.pdf
77 De Beaupuy, Francois, and Stephanie Bodoni, "Google gets 3 months to fix privacy or face French fines",
Bloomberg Law, 20 June 2013,
http://www.bloomberg.com/news/2013-06-20/google-to-get-3-months-to-fix-privacy-policy-or-face-french-fine.html
78 CNIL, Deliberation No. 2013-420 of the Sanctions Committee of CNIL imposing a financial penalty against
Google Inc, 3 January 2014, p. 3, http://www.cnil.fr/fileadmin/documents/en/D2013-420_Google_Inc_EN.pdf
79 Ibid., p. 4.
80 The Guardian, "Google privacy changes break Dutch data protection law, says regulator", 29 November 2013,
http://www.theguardian.com/technology/2013/nov/29/dutch-data-privacy-google-breaks-accused ; Gardner,
Stephen, "Dutch DPA Concludes That Google Is in Breach of Data Protection Act", Bloomberg BNA,
2 December 2013, http://www.bna.com/dutch-dpa-concludes-n17179880411/ ; Dutch DPA, Dutch DPA: privacy
policy Google in breach of data protection law, press release, 28 November 2013,
http://www.dutchdpa.nl/Pages/pb_20131128-google-privacypolicy.aspx ; The definitive findings of the Dutch
DPA are available at http://www.dutchdpa.nl/downloads_overig/en_rap_2013-google-privacypolicy.pdf ; The
annex (in Dutch) to the definitive findings of the Dutch DPA is available at
http://www.cbpweb.nl/downloads_rapporten/rap_2013-google-privacybeleid_bijlage.pdf ; An informal
translation of the findings of the Dutch DPA is available at
http://www.cbpweb.nl/downloads_rapporten/rap_2013-google-privacybeleid.pdf
81 Gardner, Stephen, "Dutch DPA Concludes That Google Is in Breach of Data Protection Act", Bloomberg BNA,
2 December 2013, http://www.bna.com/dutch-dpa-concludes-n17179880411/
82 CNIL, Deliberation No. 2013-420 of the Sanctions Committee of CNIL imposing a financial penalty against
Google Inc, 3 January 2014, pp. 3-4, http://www.cnil.fr/fileadmin/documents/en/D2013-420_Google_Inc_EN.pdf
83 Ibid., p. 4.
84 Ibid., p. 4.
85 El País, "Sanción a Google por vulnerar derechos del ciudadano", 19 December 2013,
http://tecnologia.elpais.com/tecnologia/2013/12/19/actualidad/1387450618_053467.html ; Agencia Española de
Protección de Datos, The AEPD sanctions Google for serious violation of the rights of the citizens, press
release, 19 December 2013,
http://www.agpd.es/portalwebAGPD/revista_prensa/revista_prensa/2013/notas_prensa/common/diciembre/131219_PR_AEPD_PRI_POL_GOOGLE.pdf
86 Gévaudan, Camille, "Données personnelles: 150 000 euros d'amende pour Google", Libération, 8 January
2014,
http://ecrans.liberation.fr/ecrans/2014/01/08/donnees-personnelles-150-000-euros-d-amende-pour-google_971443?xtor=rss-450 ;
For the French version of the press release of the CNIL, see CNIL, La formation restreinte de la CNIL
prononce une sanction pécuniaire de 150 000 € à l'encontre de la société GOOGLE Inc., 8 January 2014,
http://www.cnil.fr/linstitution/actualite/article/article/la-formation-restreinte-de-la-cnil-prononce-une-sanction-pecuniaire-de-150000-EUR-a-lencontre/ ;
For the English version of the press release of the CNIL, see CNIL, The CNIL's Sanctions Committee issues
a 150 000 € monetary penalty to GOOGLE Inc., 8 January 2014,
http://www.cnil.fr/english/news-and-events/news/article/the-cnils-sanctions-committee-issues-a-150-000-EUR-monetary-penalty-to-google-inc/ ;
For the French version of the Deliberation of the Sanctions Committee of the CNIL, see CNIL, Délibération
Nr. 2013-420 de la formation restreinte prononçant une sanction pécuniaire à l'encontre de la société
Google Inc., 3 January 2014,
http://www.cnil.fr/fileadmin/documents/approfondir/deliberations/Formation_contentieuse/D2013-420_Sanction_Google.pdf ;
For the English version of the Deliberation of the Sanctions Committee of the CNIL, see CNIL, Deliberation
No. 2013-420 of the Sanctions Committee of CNIL imposing a financial penalty against Google Inc, 3 January
2014, http://www.cnil.fr/fileadmin/documents/en/D2013-420_Google_Inc_EN.pdf
87 CNIL, The Conseil d'Etat rejected Google's request for a suspension of CNIL's publication order, press
release, 7 February 2014,
http://www.cnil.fr/english/news-and-events/news/article/the-conseil-detat-rejected-googles-request-for-a-suspension-of-cnils-publication-order/
88 WP29, Letter to Google of 16 October 2012,
http://www.cnil.fr/fileadmin/documents/en/20121016-letter_google-article_29-FINAL.pdf ; Appendix, Google
privacy policy: main findings and recommendations,
http://www.cnil.fr/fileadmin/documents/en/GOOGLE_PRIVACY_POLICY-_RECOMMENDATIONS-FINAL-EN.pdf
14 January 2014: Google requests the Conseil d'Etat to suspend the publication order issued
by the CNIL's Sanctions Committee on 3 January 2014.87
7 February 2014: In a preliminary ruling, the Conseil d'Etat rejects Google's request of
14 January 2014 to suspend the publication order issued by the CNIL's Sanctions Committee
on 3 January 2014.
2.3.3 Reasons for investigation
CNIL, on behalf of WP29, analysed Google's new privacy policy under European data
protection legislation, notably the Data Protection Directive 95/46/EC and the ePrivacy
Directive 2002/58/EC. The analysis focused more particularly on the compliance of Google's
privacy policy with the following data protection principles:
 purpose limitation;
 the right to information;
 the right to consent;
 data quality;
 data minimisation;
 proportionality;
 the right to object;
 data retention periods.
2.3.4 Findings of investigation
Since this case study aims to address co-operation between DPAs, the findings below do not
cover the findings of the investigations by individual DPAs into the compliance of Google's
privacy policy with their national data protection laws, but are limited to the findings of the
investigation by the CNIL on behalf of the WP29. As regards the compliance of Google's
privacy policy with the data protection principles mentioned above, the investigation by the
CNIL on behalf of the WP29 revealed that Google:88
 can combine almost any data from any of its services for any purpose;
 provides insufficient information to its users on the purposes and the categories of data
being processed;
 does not collect the unambiguous consent of the user for some of the purposes related
to the combination of data;
 did not set any limits to the combination of data;
 has not demonstrated that this collection was proportionate to the purposes for which
the data are processed;
 did not provide clear and comprehensive tools allowing its users to control it;
 failed to provide retention periods for the personal data it processes.
2.3.5 Forms of co-operation
The procedure for co-operation was entirely informal. The WP29 started the investigation on
its own motion. Google complied on the basis of mere goodwill. The means of co-operation
consisted of exchanges of letters and a questionnaire, as well as meetings between Google,
CNIL and the WP29.
2.3.6 Conclusions
 The CNIL started the investigation at the request and on behalf of the WP29, which
started the investigation on its own motion, without any complaint from anyone. The
investigation did not concern an individual case, but an issue of a general nature.
 The investigations were led by several parties. From 2 February 2012 until 16 October
2012, the investigation was led by the CNIL on behalf of the WP29. On 27 February 2013,
the WP29 established a task force, led by CNIL and including five other DPAs, from
Germany, Italy, Spain, the UK and the Netherlands. Following unsuccessful meetings
between Google and the task force, its members launched their own investigations into the
compliance of Google's privacy policy with national legislation, but as "part of an
international administrative cooperation".89 This situation confused Google: in a letter of
9 April 2013, Google asked the WP29 task force whether it would remain its point of
contact.
 Google's proposed privacy policy also got global attention. Different authorities around
the world worked on different legal bases, such as the Asia Pacific Privacy Authorities
(APPA), the Office of the Privacy Commissioner of Canada (OPC), the Information
Commissioner's Office (ICO) and the US authorities. This raises questions about duplication
of effort, and whether a single investigation would have been possible.
 The case shows that it is the Member States, not the WP29, that have the power to impose
sanctions for privacy violations. Enforcement powers and powers to impose sanctions vary
between Member States. For instance, the Belgian DPA has limited powers to impose fines;
the Spanish DPA has broader powers to impose fines, and in practice also issues substantial
fines. It referred to possible fines of between 40,000 and 300,000 euros.90 Germany and
France, on the other hand, use their substantial powers in widely divergent ways depending
on the particular case.91
 In a notice of 10 June 2013, the CNIL gave Google three months to change its privacy
policies or risk a fine of up to 150,000 euros, and of 300,000 euros in the case of a repeated
offence.92 The Information Commissioner's Office (ICO) said that, if Google fails to comply,
it would consider contempt of court, and accordingly, could issue an
89 CNIL, CNIL orders Google to comply with the French Data Protection Act, within three months, 20 June
2013,
http://www.cnil.fr/english/news-and-events/news/article/cnil-orders-google-to-comply-with-the-french-data-protection-act-within-three-months/
90 Huet, Natalie, and Clare Kane, "UPDATE 3-France, Spain take action against Google on privacy", Reuters,
20 June 2013, http://www.reuters.com/article/2013/06/20/google-privacy-idUSL5N0EW14X20130620
91 Cunningham, Bryan, "Google's collision course with member states", EU Observer, 8 April 2013,
http://euobserver.com/opinion/119727
enforcement notice through the courts. Moreover, in case of proven individual harm to
individuals caused by the privacy policy, Google could face a £500,000 fine.93
Thus, “[t]he types and severity of sanctions available to DPAs, depending upon
individual national laws, can include, in increasing severity: relatively informal
guidance; recommendations; investigations; formal warnings; administrative sanctions
(monetary fines); public admonishment; blocking of data processing or transfers; and,
finally, criminal sanctions. [...] It is at least possible that some member states will
attempt to make an example of Google, and deter other companies, by imposing
unusually high fines, and possibly impose injunctive remedies, such as legally
prohibiting processing of data found to violate EU privacy law. Given the EU member
states’ history, however, it seems highly unlikely that any Google officials will be
subjected to criminal process.”94
On 13 June 2013, the executive committee of the CNIL decided to make public its decision of 10 June 2013 to issue formal notice against Google to bring its privacy policies into compliance with the French Data Protection Act, “on the grounds of the seriousness of the violations observed and the corresponding harm to fundamental rights of the individuals concerned. It also took into account the status and size of the company, the world leader in the market of Internet search and the provision of related services, and, therefore, the number of persons affected by its processing (several million in France).”95 Google, on the other hand, “maintained that the French law, in this instance the Data Protection Act, was not applicable to the data processing in question and that the CNIL was therefore not competent to initiate punitive action in this case; it furthermore contested each of the violations cited against it.”96 During the meeting of the Sanctions Committee of the CNIL of 19 December, Google again contested the applicability of the French Data Protection Act, and the competence of the CNIL to issue formal notice and initiate sanctions procedures against Google.97
Furthermore, on 3 January 2014, CNIL not only imposed a fine of €150,000 on Google, but also ordered Google to publish a communiqué on this decision on the homepage www.google.fr for 48 hours, within 8 days of its notification. More concretely, the CNIL ordered Google to “publish at its expense, on its publicly available electronic communications service accessible at the address https://www.google.fr, the following statement:
‘Communiqué: the Sanctions Committee of the French Data Protection Authority (CNIL) has ordered the Google company to pay a fine of 150,000 euros for breaching the rules of personal data protection conferred by the Data Protection Act. The ruling may be read in full at the following address: http://www.cnil.fr/linstitution/missions/sanctionner/Google/.’”98
92
CNIL Decision of 10 June 2013, http://www.cnil.fr/fileadmin/documents/en/D2013-025_10_Jun_2013_GOOGLE_INC_EN.pdf ; De Beaupuy, Francois, and Stephanie Bodoni, “Google gets 3 months to fix privacy or face French fines”, Bloomberg Law, 20 June 2013, http://about.bloomberglaw.com/legal-news/google-gets-3-months-to-fix-privacy-or-face-french-fines/
93
Charles Arthur, “European watchdogs order Google to rewrite privacy policy or face legal action”, The Guardian, 5 July 2013, http://www.guardian.co.uk/technology/2013/jul/05/google-privacy-policy-legal-action
94
Cunningham, Bryan, “Google's collision course with member states”, EU Observer, 8 April 2013, http://euobserver.com/opinion/119727
95
CNIL, Deliberation No. 2013-420 of the Sanctions Committee of CNIL imposing a financial penalty against Google Inc, 3 January 2014, p. 3, http://www.cnil.fr/fileadmin/documents/en/D2013-420_Google_Inc_EN.pdf
96
Ibid., p. 3.
97
Ibid., p. 4.
The amount of the fine is said to be the highest ever issued by the Sanctions Committee of the CNIL, justified by the number and seriousness of the breaches. The publication of the decision of the CNIL on the website of Google was “justified by the extent of Google’s data collection, as well as by the necessity to inform the persons concerned who are not in a capacity to exercise their rights.”99
• In a decision of 28 November 2013, the Dutch Data Protection Authority found that Google’s privacy policy violated Dutch data protection law, and planned a hearing with Google, following which it would decide on enforcement actions, including the imposition of sanctions. A spokeswoman from the Dutch DPA told Bloomberg BNA that the Dutch DPA “does not have the power to fine Google but could potentially impose an order requiring the company to amend its privacy policy, with a financial penalty if the company does not comply with the order [...] The potential financial penalty ‘depends on the kind of breach and the circumstances,’ [...] A previous CBP order issued to Google over its alleged collection of wireless Internet data could have resulted in a penalty of 1 million euros ($1.36 million), but Google complied with the order, the spokeswoman added (78 PRA, 4/22/11).”100
• On 19 December 2013, the Spanish DPA found three breaches of the Spanish data protection law by Google’s privacy policy, and imposed a fine of €300,000 for each breach. The Spanish DPA stated that “This action is part of the coordinated effort carried out in collaboration with the authorities of data protection of Germany, France, Holland, Italy and United Kingdom, [...] [which] In April 2013 [...] launched parallel investigations and procedures pursuant to the provisions of their respective national laws, but acting in close coordination with the French CNIL acting again as leading authority. The resolution of the Agency inserts itself in the framework of this coordinated action”.101
• Although the results of the investigation were non-binding, the question arises whether they would influence any further cases on Google's privacy policy. In a letter of April 20, 2012, Google questioned the legal basis for the WP29 to act as a regulatory body, or to mandate the CNIL to conduct a regulatory review on behalf of other DPAs. Google also questioned the applicable law, the process followed and the ultimate goal of the review.102 Moreover, on May 22, 2012, CNIL sent Google some questions that required more precise and comprehensive answers.103 Although Google was asked to reply by June 8, 2012, it only replied in a letter of June 21, 2012, in which it also questioned the legal basis for any possible recommendations or conclusions.104
• The president of the Dutch DPA told Bloomberg BNA that “European DPAs had learned from previous investigations into Google Street View that a coordinated approach was more effective for looking at Google's privacy policy (189 PRA, 9/30/13).”105
98
Ibid., p. 28.
99
CNIL, The CNIL's Sanctions Committee issues a 150 000 € monetary penalty to GOOGLE Inc., 8 January 2014, http://www.cnil.fr/english/news-and-events/news/article/the-cnils-sanctions-committee-issues-a-150-000-EUR-monetary-penalty-to-google-inc/
100
Gardner, Stephen, “Dutch DPA Concludes That Google Is in Breach of Data Protection Act”, Bloomberg BNA, 2 December 2013, http://www.bna.com/dutch-dpa-concludes-n17179880411/
101
El País, “Sanción a Google por vulnerar derechos del ciudadano”, 19 December 2013, http://tecnologia.elpais.com/tecnologia/2013/12/19/actualidad/1387450618_053467.html ; Agencia Española de Protección de Datos, The AEPD sanctions Google for serious violation of the rights of the citizens, press release, 19 December 2013, http://www.agpd.es/portalwebAGPD/revista_prensa/revista_prensa/2013/notas_prensa/common/diciembre/131219_PR_AEPD_PRI_POL_GOOGLE.pdf
102
Google, letter to CNIL of 20 April 2012, p. 4, https://docs.google.com/file/d/0B8syaai6SSfiSUhFMHVpMmhFUG8/edit
103
CNIL, letter to Google of 22 May 2012, http://www.cnil.fr/fileadmin/documents/en/Letter_CNIL_to_Google_22_May_2012.pdf
104
Google, letter to CNIL of 21 June 2012, p. 1, https://docs.google.com/file/d/0B8syaai6SSfiM2hmS2xjY2tzV0k/edit
105
Gardner, Stephen, “Dutch DPA Concludes That Google Is in Breach of Data Protection Act”, Bloomberg BNA, 2 December 2013, http://www.bna.com/dutch-dpa-concludes-n17179880411/
2.4 CBP AND OPC’S INVESTIGATION OF WHATSAPP
2.4.1 Overview
The College Bescherming Persoonsgegevens (CBP; the Dutch Data Protection Authority) and the Office of the Privacy Commissioner of Canada (OPC) carried out a joint investigation into the processing of personal data by WhatsApp Inc., a California-based developer of the ‘whatsapp’ instant messaging application, which allows users to send and receive messages over the Internet.
2.4.2 Sequence of key events
Following is a timeline of the key events.106
16 January 2012
Entry into force of the MoU regarding the mutual exchange of investigation data, signed by CBP and OPC prior to their joint investigation into the processing of personal data by WhatsApp.
26 January 2012
OPC initiates a complaint against WhatsApp under the Personal Information Protection and Electronic Documents Act (PIPEDA).
16 February 2012
CBP notifies WhatsApp about the launch of the investigation.
22 March 2012
WhatsApp replies to the letter of CBP of February 16, 2012.
9 May 2012
CBP asks WhatsApp for more detailed information.
17 May 2012
WhatsApp supplies the information requested by CBP in its letter of May 9, 2012.
March & August 2012
CBP launches a digital investigation into the app.
September 2012
In partial response to CBP’s investigation, WhatsApp introduces encryption to its mobile messaging service.
15 October 2012
CBP sends its own preliminary findings report of October 2, 2012 as well as the preliminary findings of OPC to WhatsApp, with the possibility for WhatsApp to give its views.
30 October 2012
WhatsApp asks in an e-mail to postpone the deadline for giving its views on CBP’s preliminary findings report of October 15, 2012.
31 October 2012
CBP replies positively to WhatsApp’s e-mail of October 30, 2012, and allows WhatsApp to postpone its views on the CBP’s preliminary findings report of October 15, 2012 until November 30, 2012.
29 November 2012
In an e-mail, WhatsApp gives its views on CBP’s preliminary findings report of October 15, 2012.
December 2012
WhatsApp strengthens its authentication process with stronger password security in the latest version of the app.
4-5 December 2012
In consultation with the CBP, OPC contacts WhatsApp’s advocate delegate (by e-mail and by telephone) to get a reaction on a problem reported in the media.
7 December 2012
WhatsApp provides an explanation by e-mail as a reaction to CBP’s request of December 4-5, 2012.
10 December 2012
The OPC, in consultation with CBP, poses additional questions to WhatsApp by e-mail, and requests WhatsApp to take part, in the short term, in a video conference call.
17 December 2012
WhatsApp replies positively to OPC’s request of December 10, 2012.
18 December 2012
The OPC, in consultation with CBP, sends an e-mail to WhatsApp to explain in more detail the additional questions of December 10, 2012.
19 December 2012
By e-mail, WhatsApp sends two diagrams with detailed information.
20 December 2012
By e-mail, the OPC, in consultation with CBP, asks for an explanation of the diagrams sent by WhatsApp on December 19, 2012. WhatsApp replies on the same day.
December 2012 – January 2013
CBP conducts another digital investigation into the app.
4 January 2013
A conference call takes place between CBP, OPC, WhatsApp and its advocate delegate.
5 January 2013
The OPC, in consultation with CBP, sends an e-mail to WhatsApp for further information. WhatsApp replies on the same day.
15 January 2013
CBP approves the Definitive Findings report. OPC also launches its Report of Findings.107
106
Based on CBP’s Definitive Findings report: Dutch Data Protection Authority, Investigation into the processing of personal data for the ‘whatsapp’ mobile application by Whatsapp Inc., Z2011-00987, Report on the definitive findings, 15 January 2013, pp. 6-7, http://www.dutchdpa.nl/downloads_overig/rap_2013-whatsapp-dutchdpa-final-findings-en.pdf
2.4.3 Reasons for investigation
The joint investigation focused on the following issues:
• Access to the address book of WhatsApp users;
• Data retention periods;
• Technical and organizational measures;
• Status messages.
2.4.4 Findings of investigation
As regards access to the address book, the investigation revealed that, except in the latest app version on an iPhone with iOS 6, WhatsApp gets access to users’ entire address book, including phone numbers of non-WhatsApp users. The lack of choice for users as to whether or not to make their contacts available to WhatsApp was found to be in contravention of Dutch and Canadian privacy laws and certain international privacy principles.108
107
Office of the Privacy Commissioner of Canada, Report of Findings Investigation into the personal information handling practices of WhatsApp Inc., PIPEDA Report of Findings #2013-001, 15 January 2013, http://www.priv.gc.ca/cf-dc/2013/2013_001_0115_e.asp
As regards data retention periods, CBP found that WhatsApp stored the personal data of inactive users for an excessive period of one year. The OPC, on the other hand, found WhatsApp’s data retention periods to be satisfactory on the whole, but stated that users should be informed about the data retention policies in WhatsApp’s privacy policies or via other documentation.
As regards security measures, at the time the investigation began, WhatsApp messages were unencrypted, which facilitated eavesdropping or interception, especially over unprotected Wi-Fi networks. Moreover, WhatsApp used a weak authentication process, with weak password security, which created the risk of abuse by third parties.
As regards status messages, all WhatsApp users can read the status messages of other users. Although the CBP did not find a breach of the Dutch data protection law with respect to this point, it endorsed the recommendation of the OPC to provide real-time or active notification (e.g. pop-ups) about status messages whenever WhatsApp users change their status message.109
2.4.5 Forms of co-operation
Prior to the investigation, CBP and OPC signed an MoU regarding the mutual exchange of investigation data, which came into effect on January 16, 2012. During the investigation, consultations took place between CBP and OPC. Moreover, CBP and OPC exchanged many e-mails and even arranged a video conference call with WhatsApp.
2.4.6 Conclusions
• OPC and CBP issued separate reports, respecting each country’s data protection law. For instance, CBP and OPC reached different conclusions as regards retention periods;
• Unlike the CBP, the OPC does not have order-making powers. The CBP has the power to impose sanctions;
• On October 30, 2012, WhatsApp successfully asked to postpone the deadline for giving its views on the preliminary findings report of the CBP. This reveals the flexible nature of the investigation;
• WhatsApp took steps to implement many recommendations throughout the investigation:
o In September 2012, in partial response to CBP’s investigation, WhatsApp introduced encryption to its mobile messaging service, which aims to preclude eavesdropping or interception;
o Moreover, WhatsApp strengthened its authentication process with stronger password security in the latest version of the app, which lowered the risk of abuse by third parties;
o In response to the investigation by the OPC and CBP, WhatsApp supplemented the information for users about the distribution of status messages;
• In response to the investigation by the CBP and the OPC, WhatsApp announced the following priorities on its product development agenda:
o the manual addition of contacts;
o as regards retention periods, and following the OPC’s observations, an update and expansion of its Terms of Service and Privacy Policy by March 31, 2013;
o password security of inactive users;
o as regards status messages, the expansion of its Terms of Service and Privacy Policy, and the integration of real-time notification into future application releases beginning September 30, 2013.110
• Following the issuance of their respective reports, OPC and CBP will pursue outstanding matters independently. CBP provides for a second phase to examine whether the breaches of law continue and to decide on further enforcement actions. The OPC will monitor the company’s progress in meeting commitments made in the course of the investigation.111
• The case of WP29’s and CNIL’s investigation of Google’s privacy policy and the WhatsApp case show differences. In the first case, the WP29 started the investigation on its own motion, whereas in the second case, the CBP and OPC signed an MoU. Secondly, the Google case concerns an investigation led by CNIL, on behalf of WP29, into the compliance of Google’s privacy policy with European data protection legislation, whereas the WhatsApp case concerns a joint investigation by CBP and OPC into the compliance of WhatsApp Inc.’s processing of personal data with their respective data protection laws. It should be noted, however, that in the former case, following unsuccessful meetings with Google, the six DPAs of the WP29 task force also launched their own investigations, under an international administrative enforcement procedure, into the compliance of Google’s privacy policy with their national data protection laws. This uncovers a third difference: unlike the Google case, the WhatsApp case was finished after one year. Thus, the form of investigation seems to determine the compliance of the company being investigated: unlike Google during the investigation by the CNIL on behalf of the WP29, WhatsApp took steps to implement many recommendations throughout the investigation (see above). Furthermore, on 29 November 2013, following the investigation by the Dutch DPA of the compliance of Google’s privacy policy with Dutch data protection law, Google stated to Bloomberg BNA that during the investigation it had “engaged fully with the Dutch DPA throughout this process and will continue to do so going forward.”112
108
CBP & OPC, “Canadian and Dutch data privacy guardians release findings from investigation of popular mobile app”, Ottawa, Canada and The Hague, The Netherlands, 28 January 2013, http://www.dutchdpa.nl/Pages/en_pb_20130128-whatsapp.aspx ; http://www.priv.gc.ca/media/nr-c/2013/nr-c_130128_e.asp
109
Dutch Data Protection Authority, Investigation into the processing of personal data for the ‘whatsapp’ mobile application by Whatsapp Inc., Z2011-00987, Report on the definitive findings, 15 January 2013, p. 3, http://www.dutchdpa.nl/downloads_overig/rap_2013-whatsapp-dutchdpa-final-findings-en.pdf
110
Dutch Data Protection Authority, Investigation into the processing of personal data for the ‘whatsapp’ mobile application by Whatsapp Inc., Z2011-00987, Report on the definitive findings, 15 January 2013, p. 4, http://www.dutchdpa.nl/downloads_overig/rap_2013-whatsapp-dutchdpa-final-findings-en.pdf
111
CBP & OPC, “Canadian and Dutch data privacy guardians release findings from investigation of popular mobile app”, Ottawa, Canada and The Hague, The Netherlands, 28 January 2013, http://www.dutchdpa.nl/Pages/en_pb_20130128-whatsapp.aspx ; http://www.priv.gc.ca/media/nr-c/2013/nr-c_130128_e.asp
112
Gardner, Stephen, “Dutch DPA Concludes That Google Is in Breach of Data Protection Act”, Bloomberg BNA, 2 December 2013, http://www.bna.com/dutch-dpa-concludes-n17179880411/
2.5 IRISH OFFICE OF THE DATA PROTECTION COMMISSIONER’S AUDIT OF FACEBOOK IRELAND
2.5.1 Overview
In 2011, the Irish Office of the Data Protection Commissioner (ODPC) conducted an audit of Facebook Ireland Ltd. The case includes strong involvement by a pressure group (“europe-v-facebook.org”) putting forward complaints to a data protection authority outside its own country and then remaining involved in the process. The case highlights jurisdiction issues in relation to international websites, and the subsequent responsibility and leading role of the DPA of the country in which the company is legally based. Because Facebook’s international headquarters are in Dublin, Ireland, the changes made by Facebook in response to the Irish ODPC’s report will likely affect all (non-US and non-Canadian) Facebook users.
2.5.2 Sequence of key events
Early 2011
ODPC indicates to Facebook Ireland its intention to carry out a general audit of its data protection practices, under Section 10 (1A) of the Data Protection Act.
18 August 2011
europe-v-facebook.org files 16 complaints against Facebook Ireland Ltd with the Irish ODPC.
19 September 2011
europe-v-facebook.org files a further six complaints with ODPC.
25-26 October, 16-18 November and 14 December 2011
ODPC conducts an on-site audit of Facebook Ireland Ltd over six days.
21 December 2011
ODPC produces report113 and appendix.114
January 2012
europe-v-facebook.org responds to the ODPC report.115
6 February 2012
europe-v-facebook.org meets with Facebook in Vienna with the aim of finding an “amicable solution” as required under the Irish Data Protection Act.
May/June 2012
Facebook introduces a new privacy policy worldwide.
21 September 2012
ODPC publishes a review of Facebook’s compliance with the non-binding suggestions from the December 2011 report.116
4 December 2012
europe-v-facebook.org publishes its full response to the audit process as requested by the ODPC.117
2.5.3 Reasons for the investigation
Maximilian Schrems, representing the advocacy group europe-v-facebook.org, filed a bundle of 22 separate complaints against Facebook Ireland Ltd with the Irish Office of the Data Protection Commissioner (ODPC). The Commissioner has investigatory powers where an individual complains that there has been a contravention of the Data Protection Act 1988.118
113
Data Protection Commissioner, Facebook Ireland Ltd: Report of Audit, 21 December 2011, http://www.dataprotection.ie/documents/facebook%20report/final%20report/report.pdf
114
Data Protection Commissioner, Appendices to Facebook Ireland Audit Report, 21 December 2011, http://dataprotection.ie/documents/facebook%20report/final%20report/Appendices.pdf
115
http://www.europe-v-facebook.org/ODPC_JAN_pub.pdf
116
Data Protection Commissioner, Facebook Ireland Ltd: Report of Re-Audit, 21 September 2012, http://www.dataprotection.ie/documents/press/Facebook_Ireland_Audit_Review_Report_21_Sept_2012.pdf
117
europe-v-facebook.org, Response to “Audit” by the Irish Office of the Data Protection Commissioner on “Facebook Ireland Ltd”, Vienna, 4 December 2012, http://www.europe-v-facebook.org/report.pdf
The complaints included: “Pokes” being kept even after a user removes them; the collection of data about people without their knowledge and the creation of “shadow” profiles of non-users; tags being used without the consent of the subject and on an opt-out basis; gathering of data without consent through the iPhone app or “Friend Finder”; deleted postings present in data sets; users’ inability to see distribution settings for posts made on friends’ walls; messages being stored after user deletion; a vague, unclear and contradictory privacy policy; face recognition features as inappropriate violations of user privacy; subject access requests not being answered fully; tags “deleted” by the user instead being deactivated and stored; no guarantees of any level of data security; no guarantee that applications that do not meet European data protection standards cannot be added; deleted friends being stored by Facebook; Facebook’s processing of personal data as an example of excessive processing; Facebook as an opt-out system, rather than opt-in as required by European law; the “Like” button being used to track users outside of Facebook and on other websites; Facebook not meeting its obligations as a provider of cloud services; picture privacy settings being insufficient; deleting pictures only deleting links to the picture; users being able to be added to groups without their consent; and finally, privacy policies being changed too infrequently, with users being improperly informed and not asked for consent.119
This complaint, along with others by the Norwegian Consumer Council, and individual complaints arising from publicity around subject access requests, aligned with the ODPC’s existing intention to conduct an audit of Facebook Ireland Ltd. The Office conducted the audit and the investigation into the complaints in parallel.
2.5.4 Findings of the investigation
Investigations under the Data Protection Act take the form of a privacy audit, with the general aim of improving data protection practices. The findings of the audit did not constitute a formal decision on the complaints brought to the ODPC, and did not carry an implication that Facebook Ireland’s practices were not in compliance with Irish data protection law. The results of most audits by the ODPC are only made publicly available with the permission or the agreement of the organisation concerned. The publication of the audit of Facebook Ireland is, therefore, an exception to this practice.
The ODPC report produced recommendations for Facebook Ireland. These were framed in terms of “best practice” to which Facebook Ireland should adhere. The report made recommendations in the areas of privacy and data use policies, advertising use of user data, access requests, retention of data, cookies and social plug-ins, third party apps, disclosures to third parties, facial recognition and suggested tags, security, the deletion of accounts, the friend finder, tagging, posting on other profiles, Facebook credits, abuse reporting, and compliance management and governance.
The September 2012 re-review documents the changes that Facebook Ireland has put in place in response to the initial audit, and broadly concludes that the changes have, for the most part, been implemented to the ODPC’s full satisfaction. The report found that although the Facebook facial recognition feature was not necessarily in conflict with Irish law as interpreted by the Courts, the ODPC took account of the views of the Article 29 Working Party and of German colleagues and persuaded Facebook Ireland to terminate this feature for EU users and to delete the already-collected biometric templates of such users, an action that the ODPC subsequently verified. In some cases, Facebook Ireland went beyond the ODPC recommendations, but in the areas of new user education, deletion of social plug-in data, full verification of account deletion, and minimising the potential for the use of advertising that could potentially be considered sensitive, full implementation had not yet been achieved. The ODPC considers this process to be one of ongoing engagement with Facebook Ireland Ltd.120
The improvements implemented by Facebook, except in relation to facial recognition, were applied to all Facebook users, including those in the US and Canada, who formally come under the jurisdiction of Facebook Inc.
118
http://www.lawreform.ie/_fileupload/Restatement/First%20Programme%20of%20Restatement/EN_ACT_1988_0025.PDF
119
Europe Vs Facebook, “Legal Procedure against “Facebook Ireland Limited””, http://europe-v-facebook.org/EN/Complaints/complaints.html
The report was criticised by europe-v-facebook.org, which did not see the audit as producing a final decision. In a letter to the ODPC, Schrems raised the following criticisms:
• The report lists general suggestions rather than legal analysis;
• The legal analysis behind the outcome is not disclosed, and may not be in line with Directive 95/46/EC;
• Some of the issues raised as complaints are not addressed in the report;
• The “best practices” identified in the report do not meet the standards of Directive 95/46/EC;
• The audit is too reliant on claims made by Facebook, to which the complainant does not have access;
• There are contradictory findings in the report.
At the start of 2013, europe-v-facebook.org was considering requesting a formal binding decision on the complaints from the ODPC.121
2.5.5 Forms of co-operation
The audit of Facebook Ireland Ltd was primarily conducted by the ODPC alone, with pro bono assistance from Dave O’Reilly of University College Dublin, who assisted with technical issues that arose during the audit. The main 2011 report states that the audit “builds on work carried out by other regulators, notably the Canadian Privacy Commissioner, the US Federal Trade Commission and the Nordic and German Data Protection Authorities”. The report also acknowledges that it includes consideration of specific issues raised by europe-v-facebook.org, the Norwegian Consumer Council and individuals.122 The ODPC also acknowledges ongoing consultation with other data protection authorities and the Article 29 Working Party’s Technology sub-group in the course of its follow-up review,123 including an explicit reference to the Article 29 Working Party Opinion 02/2012 on facial recognition.124
120
Data Protection Commissioner, Facebook Ireland Ltd: Report of Re-Audit, 21 September 2012, p. 3, http://www.dataprotection.ie/documents/press/Facebook_Ireland_Audit_Review_Report_21_Sept_2012.pdf
121
europe-v-facebook.org, “Legal Procedure against “Facebook Ireland Limited””, http://europe-v-facebook.org/EN/Complaints/complaints.html
122
Data Protection Commissioner, Facebook Ireland Ltd: Report of Audit, 21 December 2011, p. 3, http://www.dataprotection.ie/documents/facebook%20report/final%20report/report.pdf
123
Data Protection Commissioner, Facebook Ireland Ltd: Report of Re-Audit, 21 September 2012, p. 3, http://www.dataprotection.ie/documents/press/Facebook_Ireland_Audit_Review_Report_21_Sept_2012.pdf
The ODPC argues that one of the strengths of an audit with recommendations expressed as "best practice" is that it allows them to go beyond strict compliance with Irish law and to take account of the views of other DPAs on such issues. The ODPC has used the same approach with their recently completed audit of LinkedIn-Ireland and intend to follow the same practice in their forthcoming audits of Apple-Ireland, Adobe-Ireland and Yahoo-Ireland.
The Office of the Privacy Commissioner of Canada (OPC) conducted a parallel investigation into two Facebook features, the “friend finder” and “people you may know”. The ODPC report states that in order to make the best use of limited resources, the ODPC discussed the likely findings of the OPC investigation in advance of its own audit. As the ODPC concurred with the likely findings of the OPC, it decided not to focus upon these features in its audit. However, the Irish audit was able to examine the use of “friend finder” technology within Facebook, something the Canadian investigation was unable to do given the lack of a Facebook corporate presence in Canada.125
The Federal Trade Commission had charged Facebook (in this case, the Palo Alto-based Facebook Inc) with deceiving customers by failing to keep privacy promises. This resulted in a settlement on 29 November 2009 in which Facebook agreed not to make misrepresentations about the privacy or security of consumers’ personal information, to obtain express affirmative consent before overriding privacy preferences, to prevent anyone accessing a user’s material 30 days after deleting his or her account, to maintain a comprehensive privacy programme, and to obtain independent, third-party audits of its privacy programme and of the security of consumer information.126 The ODPC considered that this settlement set high standards, and therefore considered what analogous steps were required from Facebook Ireland Ltd to comply with Irish data protection law.127
The Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) suspended its own investigation into the Tag Suggest function on Facebook (in which facial recognition technology is used to suggest people in uploaded photographs for a user to identify). This feature was included in the Irish audit, and the feature was suspended for European users from 1 July 2012. However, the ODPC re-opened its investigation in August 2012. HmbBfDI considered that the negotiated agreement between Facebook Ireland and ODPC, including Facebook’s concessions, did not comply with data protection standards, particularly in relation to consent.128 HmbBfDI then issued an administrative order against Facebook Inc., obliging the US-based parent company to change facial recognition methods to comply with European data protection law.129 Other German authorities have also issued similar procedures.
124 Article 29 Working Party, Opinion 02/2012 on facial recognition in online and mobile services, WP192, Brussels, 22 March 2012. http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp192_en.pdf
125 The Canadian investigation concluded that “friend finder” and invitation services which allowed a user to upload their e-mail address book and then use this to send invitations to non-users to join Facebook were not accessing the e-mail address books of complainants. However, Facebook Inc had failed to obtain consent for the use of non-users’ e-mail addresses for the purpose of generating friend suggestions, had failed to inform non-users of the proposed use of their e-mail address, and had failed to provide a convenient procedure for opting out prior to this use. Office of the Privacy Commissioner of Canada, “Report of Findings – Facebook didn’t get non-members’ consent to use email addresses to suggest friends, investigation finds”, 2012. http://www.priv.gc.ca/cf-dc/2012/2012_002_0208_e.asp
126 Federal Trade Commission, “Facebook Settles FTC charges that it deceived consumers by failing to keep privacy promises”, 29 November 2009. http://ftc.gov/opa/2011/11/privacysettlement.shtm
127 Data Protection Commissioner, Facebook Ireland Ltd: Report of Audit, 21 December 2011, p. 147. http://www.dataprotection.ie/documents/facebook%20report/final%20report/report.pdf
The ODPC received complaints from the Norwegian Consumer Council, regarding third party
applications, Facebook’s privacy policy, and questions of jurisdiction. The ODPC used these
complaints, which they regarded as well researched, as an evidence base and focus for their
audit.130 These complaints had initially been made to the Norwegian Data Protection Agency
(Datatilsynet) in May 2010, which concluded that Norwegian data protection law did not
apply in this case and that the matter should be addressed to the Irish authorities due to
Facebook Europe’s location in Dublin.131
europe-v-facebook.org has claimed that the ODPC stopped communicating with the group and the complainant in July 2012 after europe-v-facebook.org had requested access to files, evidence and arguments put forward by Facebook.132 European Commissioner Viviane Reding described this case as an example of how cross-national DPA investigations should not be conducted in future, because of the difficulty of interaction between the Austrian complainant and the Irish DPA.133 Under the data protection reform package, she envisages a counter-example where an Austrian citizen would be able to take their complaint to the Austrian DPA, who would then liaise with their Irish counterparts, and the same rules would be applicable across the EU. In his letter to the ODPC, Schrems raises a problem with the amicable agreement approach of the ODPC. He suggests that it is inadequate and unbalanced for an individual (in this case, a student) to be negotiating unsupported with a multinational company.134
The ODPC report on the audit states that Facebook Europe co-operated fully during the audit, and during the follow-up review.
128 Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit, “Proceedings against Facebook Resumed”, Press release, Hamburg, 15 August 2012. http://www.datenschutz-hamburg.de/fileadmin/user_upload/documents/PressRelease-2012-08-15-Facebook_Proceedings.pdf
129 Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit, “Administrative Decision against Facebook”, Press release, Hamburg, 21 September 2012. http://www.datenschutz-hamburg.de/fileadmin/user_upload/documents/PressRelease-2012-09-21-Facebook_AdministrativeDecision.pdf
130 Data Protection Commissioner, Facebook Ireland Ltd: Report of Audit, 21 December 2011, p. 22. http://www.dataprotection.ie/documents/facebook%20report/final%20report/report.pdf
131 Data Protection Commissioner, Appendices to Facebook Ireland Audit Report, 21 December 2011, p. 202. http://dataprotection.ie/documents/facebook%20report/final%20report/Appendices.pdf
132 europe-v-facebook.org, “Legal Procedure against ‘Facebook Ireland Limited’”, Press release, 30 July 2012. http://europe-v-facebook.org/EN/Complaints/complaints.html
133 Reding, Viviane, “The EU Data Protection Reform 2012: Making Europe the Standard Setter for Modern Data Protection Rules in the Digital Age”, Speech, Munich, 24 January 2012. http://europa.eu/rapid/press-release_SPEECH-12-26_en.htm
134 Schrems, Maximilian, “Recent report on ‘Facebook Ireland Ltd’”, Letter to Billy Hawkes, Data Protection Commissioner, 2 January 2012. http://www.europe-v-facebook.org/ODPC_JAN_pub.pdf
2.5.6 Conclusions
From this case study, we draw the following conclusions:
• Co-operation primarily took the form of building on previous investigations, audits and settlements, and of consultation with other European data protection agencies during the conduct of the audit by the single DPA with acknowledged jurisdiction over Facebook Ireland Ltd.
• There has been some criticism of the effectiveness of this process, in particular from the complainant and from subsequent investigations by other European DPAs that explicitly state that the ODPC audit is insufficient.
• A European data protection investigation led to changes for all users of Facebook outside of the US and Canada.
2.6 SONY PLAYSTATION NETWORK HACKS
2.6.1 Overview
What media reports often described as the Sony PlayStation Hack was actually a series of
hacks and problems with a set of related systems over several days. The main focus of
attention for data protection authorities was the potential theft of personal information of
more than 70 million users of the Sony PlayStation Network. The internal investigation of this
hack resulted in the PlayStation network platform being unavailable for several days.
PlayStation Network (PSN) is the network that provides the online component of the popular
PlayStation games console: it allows users to purchase and download games and additional
content, to communicate with friends and to host online multiplayer games.
Other related hacks were discovered during the investigation into the PlayStation Network hack. First, the website of Sony Online Entertainment (SOE) was compromised, with hackers potentially gaining access to personal information of 24.6 million customers.135 The SOE network was taken offline on 2 May 2011. Second, personal information on a Sony website was indexed by Google, leading to 2,500 names and partial addresses from a 2001 Sony sweepstake competition being discovered on a public-facing website on 7 May 2011.136 Third, the Sony Pictures Entertainment website was hacked between 27 May and 2 June 2011, with the hacking group LulzSec claiming responsibility,137 and for which several purported members of LulzSec were subsequently charged.138 This hack resulted in the theft of confidential data relating to 100,000 users of the Sony Pictures website. Several other hacks followed through May and June 2011.139
There were several investigations into the PlayStation Network data breaches, which for the
most part occurred independently of each other. Many data protection authorities rapidly
stated that they would look into the breaches to ascertain the applicability of their data
protection law to the case and any jurisdiction that their offices might have. The UK
Information Commissioner’s Office (ICO) conducted an investigation into the PlayStation
Network data breach and issued Sony with a monetary penalty of £250,000. There were also a
large number of separate investigations into this data loss by various actors in the United
States, including the Federal Trade Commission, the House of Representatives, numerous
Attorneys General, and the FBI.
2.6.2 Sequence of key events
17-19 April 2011: Sony learns that the PlayStation Network and Qriocity network had been hacked and begins an internal investigation.
20 April 2011: Sony PlayStation Network and Qriocity services are suspended.
22 April 2011: Sony confirms that the PlayStation Network suspension is due to external intrusion.
25 April 2011: Sony’s forensic teams confirm the scope of the personal data they believe taken, but cannot rule out credit card information.
26 April 2011: Sony informs its users and the authorities about the hack on the PlayStation Network, and that personal information on customers may have been stolen.140 Sony initially blames Anonymous, who deny responsibility.141
April 2011: The Office of the Australian Information Commissioner (OAIC) conducts an investigation into Sony Computer Entertainment Australia’s role in the PSN data loss.
2 May 2011: Sony confirms that 12,000 credit card numbers and 24.7 million customers’ account information may have been stolen. The credit card numbers are apparently encrypted and do not include expiry dates.
2 June 2011: Sony restores all PlayStation Network services in all areas other than Japan.
29 September 2011: The OAIC publishes results of investigation of Sony Computer Entertainment Australia.142
25 July 2012: The ICO serves a Notice of Intent on Sony.
12 October 2012: The ICO receives written representation from Sony.
19 October 2012: US Federal judge rules that plaintiffs could not claim that Sony violated US customer protection statutes because the PSN services were provided free of charge.
14 January 2013: The ICO issues a penalty of £250,000 against Sony Computer Entertainment Europe (SCEE) Limited.143
135 Sony Online Entertainment, “Dear Valued Sony Online Entertainment Customer”, Sony Online Entertainment, 2 May 2011. https://www.soe.com/securityupdate/
136 Wisniewski, Chester, “Sony succumbs to another hack leaking 2,500 ‘old records’”, Naked Security, 7 May 2011. http://nakedsecurity.sophos.com/2011/05/07/sony-succumbs-to-another-hack-leaking-2500-old-records/
137 FBI, “Member of hacking group LulzSec arrested for June 2011 intrusion of Sony Pictures computer systems”, press release, Los Angeles, 22 September 2011. http://www.fbi.gov/losangeles/press-releases/2011/member-of-hacking-group-lulzsec-arrested-for-june-2011-intrusion-of-sony-pictures-computer-systems
138 FBI, “Six hackers in the United States and abroad charged for crimes affecting over one million victims”, press release, New York, 6 March 2012. http://www.fbi.gov/newyork/press-releases/2012/six-hackers-in-the-united-states-and-abroad-charged-for-crimes-affecting-over-one-million-victims
139 Security Curmudgeon, “Absolute Sownage: a concise history of recent Sony hacks”, Attrition.org, 4 June 2011. http://attrition.org/security/rant/sony_aka_sownage.html
2.6.3 Reasons for investigation
Several data protection authorities undertook investigations to determine the applicability of local law to the hacks after they became public knowledge. The Office of the Australian Information Commissioner (OAIC) conducted its “own motion” investigation into the PlayStation Network hack in April 2011. This investigation was conducted because Australian citizens had been affected by the network hack. The OAIC investigation was limited to the activities and role of Sony Computer Entertainment Australia, a subsidiary of SCEE. Similarly, the Office of the Privacy Commissioner for Personal Data in Hong Kong also conducted enquiries into Sony Computer Entertainment Hong Kong. The Office of the Privacy Commissioner of Canada announced its intention to look into the PSN data loss in late April 2011, with particular attention to its effects on Canadians, and would determine its next move once it had a better understanding of events.144 The Office does not appear to have subsequently issued a report of findings on any such investigation. Other data protection authorities, such as the New Zealand Privacy Commissioner, maintained contact with their international equivalents without conducting their own investigation.145
140 Information stolen likely included: name, address (city, state, zip), country, e-mail address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that profile data, including purchase history and billing address (city, state, zip), and PlayStation Network/Qriocity password security answers may have been obtained. Seybold, Patrick, “Update on PlayStation Network and Qriocity”, PlayStation.Blog, 26 April 2011. http://blog.us.PlayStation.com/2011/04/26/update-on-PlayStation-network-and-qriocity/
141 Arthur, Charles, “Anonymous says Sony accusations over PlayStation Network hack are lies”, The Guardian, 5 May 2011. http://www.guardian.co.uk/technology/blog/2011/may/05/anonymous-accuses-sony-hack-PlayStation-network
142 Office of the Australian Information Commissioner, Sony PlayStation Network/Qriocity: Own Motion Investigative Report, 29 September 2011. http://www.oaic.gov.au/publications/reports/own_motion_sony_sep_2011.html
143 Information Commissioner’s Office, “Sony fined £250,000 after millions of UK gamers’ details compromised”, Press release, 24 January 2013. http://www.ico.org.uk/news/latest_news/2013/ico-news-release-2013
The PlayStation Network platform is operated by Sony Network Entertainment Europe Limited (SNEE), which is a wholly owned subsidiary of Sony Computer Entertainment Europe. SNEE is responsible for the network in Europe, the Middle East, Africa, Australia and New Zealand. The network platform, including the database of customer information, was maintained on behalf of SNEE by a US service provider, which is another part of the Sony group. SNEE is based in London and therefore comes under the purview of the ICO. The ICO described the loss of customer information by Sony as “the most serious breach reported to us”.146 The breach was self-reported to the ICO by SNEE, and the ICO subsequently undertook an investigation.
There were several overlapping investigations into the hack in the United States. Sony Computer Entertainment America (SCEA) is the US/North American equivalent to SNEE and both are part of the Sony Group, which in turn is headquartered in Japan. Sony Online Entertainment publishes online multiplayer games. The US headquarters of Sony Online Entertainment is in New York.147 The Federal Bureau of Investigation confirmed that it was investigating the hacks as a cybercrime, with the focus of its investigation being the hackers responsible, and not the involvement or conduct of Sony in regard to the breach of personal data. The FBI subsequently arrested and charged several people allegedly involved in perpetrating the hacks. The House of Representatives subcommittee on Commerce, Manufacturing and Trade conducted a hearing on the threat of data theft to American consumers, which produced a letter to the chairman of SCEA, asking several questions about the timing and extent of the breach, when Sony became aware of the incident, when it notified customers and the authorities, and the details of any data security and retention practices.148 Sony’s response to this letter provided details about its internal investigation, and cited the complexity of the investigation as the key reason for the delay in informing customers and the authorities.149 Twenty-two US state attorneys general also demanded answers to questions from SCEA.150 The Federal Trade Commission may also have had jurisdiction due to potential impacts on US consumers, but does not appear to have produced a report of any investigation.
144 Hartley, Matt, “Breach rattles watchdogs”, Financial Post, 27 April 2011. http://business.financialpost.com/2011/04/27/breach-rattles-watchdogs/?__lsa=0624-1046
145 Privacy Commissioner, “Media Release: PlayStation data breach”, Press release, 28 April 2011. http://privacy.org.nz/news-and-publications/statements-media-releases/media-release-PlayStation-data-breach/
146 BBC, “Sony fined over ‘preventable’ PlayStation data hack”, BBC News, 24 January 2013. http://www.bbc.co.uk/news/technology-21160818
147 https://www.soe.com/
148 House of Representatives, “The Threat of Data Theft to American Consumers: Hearing before the Subcommittee on Commerce, Manufacturing and Trade, of the Committee on Energy and Commerce, House of Representatives”, US Government Printing Office, Washington, DC, 4 May 2011. http://www.gpo.gov/fdsys/pkg/CHRG-112hhrg70740/pdf/CHRG-112hhrg70740.pdf
149 Hirai, Kazuo, “Letter to the Honorable Mary Bono Mack and Honorable G.K. Butterfield”, 3 May 2011. http://www.flickr.com/photos/PlayStationblog/5686965323/in/set-72157626521862165/
2.6.4 Findings of investigation
The Office of the Australian Information Commissioner (OAIC) investigation concluded that
as SCE Australia did not hold any personal information relating to the PlayStation Network
platform, it had therefore not breached Australia’s Privacy Act 1988. The OAIC report made
a distinction between information disclosed to the public and information accessed as a result
of “a sophisticated security cyber attack against the network platform”, and stated that a
targeted attack on an organisation did not necessarily signify that the organisation had failed
to take “reasonable steps” to secure personal data. 151 The Commissioner was, however,
concerned about the delay between SCE Europe becoming aware of the incident and notifying
both customers and the OAIC. The Privacy Commissioner for Personal Data, Hong Kong,
stated on 26 July 2012 that his office would not pursue any further investigation, on the
assumption that the cause of the intrusion had been identified, and that preventative measures
had been taken.152
The UK Information Commissioner’s Office disagreed with the Australian conclusion, stating that the PlayStation Network hack that resulted in the loss of customers’ personal data could have been avoided. That the database had been targeted in a deliberate criminal attack did not mitigate the finding that the security in place was not sufficient to protect the personal data being held. As a data controller under the Data Protection Act 1998, SCEE had failed to ensure that the service provider maintained adequate security standards. The ICO considered the contravention of Section 4(4) of the Data Protection Act 1998 to be serious, because the measures taken by the data controller did not ensure a level of security appropriate to the harm that might result from unauthorised or unlawful access and processing of the stored information. The monetary penalty of £250,000 was therefore reasonable and proportionate, but would not impose undue financial hardship upon the data controller. The ICO could potentially have issued a fine of up to £500,000.153 Aggravating factors included serious contravention due to the nature and volume of data; placing other accounts at risk; that the data controller should have been aware of the risk; that the data controller should have acted sooner; and that the data controller is part of a multinational group with resources and expertise. Mitigating factors included the focused and determined criminal attack; the complexity of the PSN system; the fact that some steps were taken to secure the network; that there had not been a previous similar breach; that the personal data lost is unlikely to be misused and that no misuse has yet been reported; that data subjects were informed and reparations offered; that the data controller fully co-operated with the commissioner; that substantial remedial action has been taken; and that the breach has had a significant effect on the data controller’s reputation.
150 As an example, see Jepsen, George, “Re: Sony PlayStation Breach”, letter, Hartford, Connecticut, 27 April 2011. http://www.ct.gov/ag/lib/ag/press_releases/2011/sonytrettonltr042711.pdf
151 Office of the Australian Information Commissioner, Sony PlayStation Network/Qriocity: Own Motion Investigative Report, 29 September 2011. http://www.oaic.gov.au/publications/reports/own_motion_sony_sep_2011.html
152 Office of the Privacy Commissioner for Personal Data, Hong Kong, “Privacy Commissioner completes enquiries with Sony on Resumption of PlayStation Network Service in Hong Kong”, press release, 26 July 2012. http://www.pcpd.org.hk/english/infocentre/press_20120726c.html
153 Information Commissioner’s Office, Data Protection Act 1998 Monetary Penalty Notice: Sony Computer Entertainment Europe, 14 January 2013. http://www.ico.org.uk/news/latest_news/2013/~/media/documents/library/Data_Protection/Notices/sony_monetary_penalty_notice.ashx
The lawsuits filed against Sony (SCEA) alleging that Sony knew that its security was
insufficient prior to the attack were dismissed by a judge in Southern California on the
grounds that the named plaintiffs were not subscribers to the premium features of PSN, and
therefore Sony had not breached California’s consumer protection laws. Judge Anthony
Battaglia also stated that Sony could not be held fully responsible for the loss as there was no
such thing as perfect security.154
2.6.5 Forms of co-operation
In general, there is little evidence of any significant or structured co-operation between data protection authorities in the investigation of the Sony PlayStation Network data breach or other associated hacks against Sony. Rather, investigations were primarily conducted by national data protection authorities where they believed it appropriate. Where it occurred, co-operation between data protection authorities was limited to ad hoc communication between the authorities and the sharing of any findings at the conclusion of individual investigations.
The OAIC investigation into SCE Australia was one of the earliest investigations. The OAIC states that it advised other privacy regulators about its findings, particularly the Asia Pacific Economic Cooperation (APEC) member countries. Many data protection authorities that issued press releases regarding the Sony PlayStation breach also noted that they would maintain communication with peers in other countries during their investigations. Details of this communication or co-operation are generally limited. The Australian Commissioner also stated that he did not intend to re-open this investigation following the ICO’s decision regarding SCE Europe.155 The OAIC did, however, note the complexity of the Sony case, and cited this as a driver towards increased international co-operation.
There is evidence of collaboration between the FBI and the Department of Justice in the investigation of the criminal side of the hacks.156 This presumably builds on regular co-operation between the FBI and its overseeing Department. It appears that the 22 different state Attorneys General each wrote their own investigative letters to Sony, rather than sharing a single inquiry.
Several parts of the Monetary Penalty Notice issued by the ICO have been redacted.157 It is uncertain if the redacted or un-redacted version of this Notice was shared with other data protection authorities. The Notice does not give details of any collaboration between the ICO and other data protection authorities.
154 Kerr, Dana, “Sony PSN Hacking lawsuit dismissed by judge”, CNET, 23 October 2012. http://news.cnet.com/8301-1023_3-57538716-93/sony-psn-hacking-lawsuit-dismissed-by-judge/
155 Office of the Australian Information Commissioner, “Sony PlayStation Network: Statement from the Australian Privacy Commissioner, Timothy Pilgrim”, press release, 25 January 2013. http://www.oaic.gov.au/news/statements/statement_130125-sony.html
156 Li, Shan, “Justice Department probes hacker attack at Sony’s PlayStation Network”, Los Angeles Times, 5 May 2011. http://articles.latimes.com/2011/may/05/business/la-fi-sony-probe-20110505
157 http://www.ico.org.uk/news/latest_news/2013/~/media/documents/library/Data_Protection/Notices/sony_monetary_penalty_notice.ashx
Notably, the respective Sony subsidiaries seem to have co-operated with the law enforcement and data protection authorities in each instance, and alongside the voluntary reporting of the breach to the UK commissioner, this co-operation was taken into account by the ICO as a mitigating factor in determining the appropriate monetary penalty.
2.6.6 Conclusions
From this case study, we draw the following conclusions:
• The corporate structure of Sony’s various divisions and the way that it operated services made issues of jurisdiction and responsibility potentially problematic.
• Most data protection authorities that investigated the PlayStation Network hacks examined the activities of the local subsidiary of the Sony Group within their jurisdiction (for example, SCE Australia and SCE Hong Kong). Several data protection authorities therefore concluded that because those subsidiaries were not directly involved in processing data in relation to the hacked network, there was no further need for investigation.
• The PlayStation breach appears to have been influential in increasing the perceived need for global co-operation between Data Protection Authorities, due to the inter-related nature of the Sony group, the complex flows of personal information involved, and the possibility of a single event affecting a large number of citizens.
2.7 SWIFT AND US TREASURY TERRORIST FINANCE TRACKING PROGRAM (TFTP)
2.7.1 Overview
The Society for Worldwide Interbank Financial Telecommunication (SWIFT) is a member-owned co-operative of financial organisations which is headquartered in Belgium. SWIFT processes and transmits financial communications globally.158 In 2006, The New York Times revealed that SWIFT had been co-operating with a US Treasury department surveillance programme, granting the Treasury, including the U.S. Secret Service, subpoenaed search access to SWIFT transactions globally.159 The programme is known as the Terrorist Finance Tracking Program (TFTP).
Subsequently, SWIFT was the subject of detailed investigations by the Belgian Commission for the Protection of Privacy160 (the Belgian data protection authority), as well as investigations by the Article 29 Data Protection Working Party, the European Data Protection Supervisor and several other national data protection authorities. There was a relatively high level of co-operation and co-ordination between European data protection authorities, through the Article 29 Working Party. The case also resulted in negotiations between the US Treasury and the EU on the continuation of the TFTP programme.
2.7.2
Sequence of key events
23 June 2006
27 June 2006
6 July 2006
17 July 2006
28 July 2006
26­27 Sept 2006
The New York Times, followed by The LA Times and The Washington
Post, reveals secret SWIFT surveillance and subpoena programme run
by United States Treasury.161
Privacy International files simultaneous complaints regarding SWIFT
with data protection and privacy regulators in 32 countries, requesting
investigations.162
European Parliament Resolution on the interception of bank transfer
data from the SWIFT system by the US secret services.163
European Commission writes to the Belgian DPA requesting
information on the case.
Chairman of the Article 29 Working Party announces intent of
European data protection authorities to co­ordinate activities in
investigating the SWIFT case.
WP29 holds plenary discussion, agrees to continue fact­finding.
158
SWIFT, “Company Information”.
http://www.swift.com/about_swift/company_information/company_information
159
Lichtblau, Eric, and James Risen, “Bank Data Is Sifted by U.S. in Secret to Block Terror”, The New York
Times, 23 June 2006. http://www.nytimes.com/2006/06/23/washington/23intel.html?pagewanted=all&_r=0
160
Commissie voor de bescherming von de persoonlijke levenssfeer (CBPL) in Dutch and Commission de la
protection de la vie privée (CPVP) in French. http://www.privacycommission.be/
161
Lichtblau and Risen, op. cit.; Meyer, Josh, and Greg Miller, “U.S. Secretly Tracks Global Bank Data”, The
Los Angeles Times, 23 June 2006, http://articles.latimes.com/2006/jun/23/nation/na­swift23; Simpson, Glenn R.,
“Treasury Tracks Financial Data in Secret Program”, The Washington Post, 23 June 2006.
162
Privacy International, “PI estimates over 4 million UK financial records sent each year to U.S”, press release,
6 July 2006. https://www.privacyinternational.org/press­releases/pi­estimates­over­4­million­uk­financial­
records­sent­each­year­to­us
163
European Parliament resolution on the interception of bank transfer data from the SWIFT system by the US
secret services (P6_TA­PROV(2006)0317).
http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/dv/res_060706/res_060706en.pdf
51
27 Sept 2006                   Report of the Belgian Commission for the Protection of Privacy.164
4 Oct 2006                     SWIFT financial officer appears before the European Parliament and strongly objects to the Belgian report.
5 Oct 2006                     European Data Protection Supervisor criticises the European Central Bank for not informing European authorities of the SWIFT transfers.165
22 Nov 2006                    Article 29 Data Protection Working Party produces Opinion 10/2006 on the processing of personal data by SWIFT.166
13 Dec 2006                    Belgian public prosecutor announces that no legal action will be taken against SWIFT.
2 April 2007                   The Privacy Commissioner of Canada concludes investigation into SWIFT.167
23 May 2007                    The Belgian Privacy Commission decides to initiate a recommendation procedure with respect to SWIFT.
24 May 2007 and 11 June 2007   SWIFT informed orally, then by letter, of the Privacy Commission's procedure.
27-28 June 2007                Agreement regarding the SWIFT surveillance programme reached between the US and the EU (Council and Commission) following negotiations.
4 Oct 2007                     SWIFT announces plans to create a "closed loop" European messaging processing zone by creating a new operations centre in Switzerland.
19 Dec 2007 to 26 Nov 2008     Privacy Commission conducts a series of hearings and requests for evidence from SWIFT.
26 Nov 2008                    Privacy Commission closes its deliberations.
9 Dec 2008                     Belgian Commission for the Protection of Privacy publishes findings of its full investigation into SWIFT.168
Feb 2010                       European Parliament rejects conclusion of agreement allowing US authorities access to European financial transactions data.
May 2010                       European Commission starts negotiating new agreement.
July 2010                      European Parliament approves conclusion of revised agreement.
2.7.3 Reasons for investigation
SWIFT previously operated two data centres, one in Belgium and the other in Cupertino, California. For data security reasons, transaction data for all international transactions made through SWIFT were mirrored across both data centres. All of the SWIFT data, comprising details of millions of financial transactions, was therefore also stored in a data centre under U.S. jurisdiction. Following the 11 September 2001 attacks, the U.S. Treasury Department began using broad administrative subpoenas to obtain large amounts of data from SWIFT as part of efforts to trace terrorist financing. Since SWIFT did not legally challenge these subpoenas, it was required to comply with this classified surveillance programme. The programme was not covered by US laws protecting private financial records, as SWIFT was considered a messaging service rather than a bank or financial institution.169 SWIFT did, however, negotiate a way of complying with the subpoenas whilst, in its own view, providing a level of data protection. This included the appointment of an auditor (Booz Allen Hamilton), a guarantee from the US Treasury of support in the event of censure by third-party authorities, and definitions of the purposes of the searches conducted.170

164 Commission de la protection de la vie privée, Avis relatif à la transmission de données à caractère personnel par la SCRL SWIFT suite aux sommations de l'UST (OFAC), Brussels, 27 Sept 2006. http://www.privacycommission.be/sites/privacycommission/files/documents/avis_37_2006_0.pdf
165 European Data Protection Supervisor, EDPS Opinion on the role of the European Central Bank in the SWIFT case, Brussels, 1 Feb 2007. http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Supervision/Inquiries/2007/07-02-01_Opinion_ECB_role_SWIFT_EN.pdf
166 Article 29 Data Protection Working Party, Opinion 10/2006 on the processing of personal data by the Society for Worldwide Interbank Financial Telecommunication (SWIFT), Brussels, 22 Nov 2006. http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2006/wp128_en.pdf
167 Office of the Privacy Commissioner of Canada, Report of Findings - Privacy Commissioner of Canada v. SWIFT, 2 April 2007. http://www.priv.gc.ca/cf-dc/2007/swift_rep_070402_e.asp
168 Commission de la protection de la vie privée, Control and recommendation procedure initiated with respect to the company SWIFT scrl, 9 Dec 2008. http://www.privacycommission.be/sites/privacycommission/files/documents/swift_decision_en_09_12_2008.pdf
Following the press revelation of the programme, the European Parliament expressed concern
about the transfer of data to the US Treasury, and any secret operations on EU territory
without EU citizens and their representatives being informed. The Parliament called on the
European Data Protection Supervisor to ascertain if the European Central Bank had met its
obligations under Regulation (EC) 45/2001,171 and demanded that Member States check for
legal lacunae at local levels, and ensure that data protection legislation covers central banks.
The Parliament also urged the Commission to take measures to ensure that cases like SWIFT
would not occur in the future.172 In turn, the Commission requested the Belgian authorities to
investigate.173 The Belgian College of Intelligence and Security174 requested an Opinion from
the Belgian Commission for the Protection of Privacy, which had already made the decision
to investigate the SWIFT case based on the press reporting and a complaint from Privacy
International.
The Article 29 Data Protection Working Party adopted an Opinion on the case on the basis of
Articles 29 and 30 of the EU Data Protection Directive (95/46/EC).
Other data protection authorities, including those of Australia, Canada, New Zealand, Switzerland and Iceland, also started their own investigations.
In May 2007, the Belgian Privacy Commissioner started a recommendation procedure into the
SWIFT case. This procedure, which can be initiated under the Commissioner’s own authority
and results in a set of recommendations to a data controller, included a more intensive
interaction with SWIFT. This was seen as necessary in order to follow up on SWIFT’s
responses to previous opinions, and to clarify the concepts of data controller and processor in
multiple, complex and interlocked processing systems transferring large volumes of data
internationally.
2.7.4 Findings of investigation
The 2006 report from the Belgian Privacy Commission found that SWIFT had broken Belgian law, and that there was a conflict between European and US law. This report suggested that SWIFT had made errors of judgement in responding to the subpoenas, resulting in a "hidden, systematic, massive, and long-term violation of the fundamental European principles as regards data protection".175 The Commission stated that SWIFT should have complied with Belgian law on the notification of processing and on transfers of data to countries outside the EU, and should have followed the principles of proportionality, limited retention periods and adequate protection levels. Whilst SWIFT had notified the G-10 central banks of the programme, the banks had not in turn notified privacy commissioners.

169 Lichtblau and Risen, op. cit., 2006.
170 Commission de la protection de la vie privée, 27 September 2006, pp. 6-7.
171 The ECB is a member of the Central Banks of the Group of Ten (G-10) countries, which conduct collective oversight of SWIFT.
172 European Parliament resolution on the interception of bank transfer data from the SWIFT system by the US secret services (P6_TA-PROV(2006)0317).
173 Ibid., p. 2.
174 A committee chaired by the Prime Minister, with representatives of the Belgian intelligence services, police, Ministry of Foreign Affairs, the College of Attorneys General and the National Security Authority.
Following the Belgian report, the European Data Protection Supervisor (EDPS), Peter
Hustinx, criticised the European Central Bank for failing to prevent the transfer of
information, or to notify other parties such as European governments and authorities about the
scheme.176 The ECB had been aware of the subpoena process since February 2002. The EDPS
also criticised the ECB’s continuing use of the SWIFT service after becoming aware of the
arrangement.177 The EDPS concurred with the Belgian Privacy Commissioner’s legal analysis
and conclusions.
The Article 29 Working Party Opinion 10/2006 concluded that Directive 95/46/EC was applicable to SWIFT through the national laws implementing it, and that SWIFT was required to comply with its obligations under the Directive, in particular providing information to the individuals whose data was being transferred, notifying the Belgian DPA and ensuring an adequate level of protection for international transfers of data. The Opinion also concluded that, as data controllers with joint responsibility, financial institutions in the EU had the obligation to ensure that SWIFT complied with data protection law. The Opinion called for SWIFT to take measures to remedy the illegal state of affairs and called for increased oversight of SWIFT.178
The Canadian investigation concluded that whilst SWIFT was subject to Canada’s Personal
Information Protection and Electronic Documents Act (PIPEDA), the organisation did not
contravene the law when it complied with lawful subpoenas served on it in the United States.
However, the Commissioner suggested that alternate information sharing approaches, with
built­in protections for privacy and mechanisms for accountability, would be more desirable
than the use of the subpoena route.179
The Belgian privacy commissioner continued with a longer investigation under the
recommendation procedure. In contrast to the 2006 investigation, this subsequent report
cleared SWIFT of breaching the Belgian Privacy Act.180 The report took into account actions
taken by SWIFT with the intent of compliance with European data protection legislation,
following the previous Opinion, and the Opinion of the Article 29 Working Party, in the light
of better knowledge of the situation and of subsequent developments. The report highlighted
SWIFT’s otherwise strong record on security and data protection and concluded that whilst
the protections that SWIFT negotiated with the US Treasury were imperfect, they were
perhaps better than what would have been achieved from radical opposition to legally binding
subpoenas.
175 Commission de la protection de la vie privée, 27 Sept 2006.
176 European Data Protection Supervisor, op. cit., 1 Feb 2007.
177 EDRI, "SWIFT Found In Breach of Belgian Privacy Laws", EDRI-gram, 4.19, 11 Oct 2006. http://www.edri.org/edrigram/number4.19/swift
178 Article 29 Data Protection Working Party, op. cit., 22 Nov 2006.
179 Office of the Privacy Commissioner of Canada, "Privacy Commissioner concludes investigation of SWIFT", press release, 2 April 2007. http://www.priv.gc.ca/media/nr-c/2007/nr-c_070402_e.asp
180 Commission de la protection de la vie privée, 9 Dec 2008, p. 74.
2.7.5 Forms of co-operation
There was broad agreement amongst European institutions mentioned above regarding the
appropriateness of delegating the initial investigation to the Belgian data protection authority,
given the legal location and identity of SWIFT as a Belgian co­operative. Whilst the Belgian
DPA investigated SWIFT, other national data protection authorities contacted their relevant
national banking organisations, and the European Data Protection Supervisor investigated the
European Central Bank. The investigation by the Office of the Privacy Commissioner of
Canada was independent of other investigations, and focused solely on the applicability of
PIPEDA in the Canadian context.
The Article 29 Working Party acted as a point of co-ordination. The initial 2006 report from the Belgian DPA was presented to the Article 29 Data Protection Working Party, and the Belgian DPA consulted with the Working Party during the preparation of its Opinion.181 The EDPS stated that it received answers to its questions from SWIFT both directly and indirectly, through the Working Party and through the Belgian Privacy Commission.182 The 2006 Article 29 Working Party Opinion stated that European DPAs "have joined forces in the investigation of the data flow and the analysis of its compliance with the European privacy principles, in particular with the Data Protection Directive".183 The Working Party held a plenary meeting on 26-27 September 2006, and the subsequent Opinion is a substantial analysis of the case from a combined European perspective. The Article 29 Working Party expressed regret that no prior consultation, formal or informal, was conducted by SWIFT or partner financial institutions with European data protection authorities regarding the processing or mirroring of personal data in the US.184
The 2006 Belgian report was a starting point for several other investigations. The EDPS Opinion drew upon (and concurred with) the first Belgian report. The EDPS stated in the conclusion of its 2007 Opinion that "the EDPS remains available to advise the ECB and other relevant institutions on all matters concerning the processing of personal data in the framework of payment systems."185 As a member of the Working Party, the EDPS contributed towards the drafting of its Opinion.
The investigation by the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland also built strongly on the foundations of the 2006 Belgian report. Disclosures revealed by the Belgian investigation were also seen as infringements of Swiss data protection law. The report of this investigation notes that whilst SWIFT is covered by Belgian data protection law (there was no processing of personal data by SWIFT in Switzerland), the finding of joint responsibility between SWIFT and financial institutions did provide grounds for the FDPIC's investigation of Swiss financial institutions. Additionally, the report identifies the importance of considering the broader international dimension whilst maintaining a focus on Switzerland.186

181 Commission de la protection de la vie privée, 27 Sept 2006, p. 3.
182 European Data Protection Supervisor, EDPS Opinion on the role of the European Central Bank in the SWIFT case, Brussels, 1 Feb 2007. http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Supervision/Inquiries/2007/07-02-01_Opinion_ECB_role_SWIFT_EN.pdf
183 Article 29 Data Protection Working Party, op. cit., 22 Nov 2006, p. 5.
184 Ibid., p. 20.
185 European Data Protection Supervisor, op. cit., 1 Feb 2007, p. 12.
Despite the findings of its initial report, the Belgian DPA lacked the power to fine or censure SWIFT; that would have been the responsibility of the Belgian public prosecutor. The public prosecutor took the decision not to pursue any legal action against SWIFT, despite the wishes of the Belgian DPA and the Opinion of the Article 29 Working Party. Belgian Prime Minister Guy Verhofstadt favoured negotiation between the EU and the US to achieve legal certainty for companies involved in international data transfers.
The SWIFT issue did result in negotiations between the EU and the US. The US Treasury made representations to the Council in which it committed to processing personal data originating in EU Member States in compliance with specific data protection principles. The Article 29 Working Party was kept informed of these discussions, but was not a participant in them. The resulting TFTP agreement between the US and the EU entailed that information would only be obtained from SWIFT for counter-terrorism purposes, and that the information would not be kept longer than necessary. The Commission, in consultation with the US Treasury, the President of the Permanent Representatives Committee and the President of the Committee on Civil Liberties, Justice and Home Affairs of the European Parliament, was to appoint an "eminent European" to independently monitor compliance with the agreement and report to the Commission, which would in turn inform the Council and Parliament.187
Following the changes in SWIFT's architecture to introduce the closed European processing loop, there was subsequent disagreement between the European Commission and Parliament over the details of the negotiated agreement with the US regarding access to European financial transaction data, on grounds of privacy, proportionality and reciprocity.188 The Commission envisaged an international agreement between the EU and the US which would require transfer to the US Treasury of the financial data necessary for the Treasury's Terrorist Finance Tracking Programme. The European Parliament gave its approval for a revised agreement in July 2010. The revised agreement gives Europol the "eminent European" role and the responsibility for determining whether requests from the US for SWIFT data comply with the terms of the agreement.189 The EDPS was invited to consult on the second draft agreement.190 The European Commission has produced two subsequent reports on the implementation of the agreement, in 2011 and 2012.191 The first report concluded that the agreement had been implemented in accordance with its provisions, but recommended greater public information about the functioning of the scheme. The second review looked in greater depth at the functioning of the agreement. The review team was satisfied that the recommendation in the first review had been carried out by the time of the second, and stated that the sensitive programme is well protected and scrupulously managed. Recently, the implications for the TFTP arising from the revelations of NSA spying were discussed in the European Parliament.

186 Federal Data Protection and Information Commissioner, Access to SWIFT Transaction Data – Opinion of the Federal Data Protection and Information Commissioner, Bern, 31 October 2006. http://www.edoeb.admin.ch/datenschutz/00626/00755/00972/index.html?lang=en
187 Council of the European Union, Processing and protection of personal data subpoenaed by the Treasury Department from the US based operation centre of the Society for Worldwide Interbank Financial Telecommunication (SWIFT), 11291/2/07 REV 2, Luxembourg, 28 June 2007.
188 European Parliament, "European Parliament votes down agreement with the US", Press Release, 11 Feb 2010. http://www.europarl.europa.eu/sides/getDoc.do?type=IM-PRESS&reference=20100209IPR68674&language=EN
189 Europol, "Europol JSB inspects for the second year the implementation of the TFTP agreement", press release, Brussels, 14 March 2012. http://www.privacycommission.be/sites/privacycommission/files/documents/tftp-public-statement_1.pdf
190 Council of the European Union, Note from European Data Protection Supervisor to delegations, 11580/10, Brussels, 28 June 2010. http://register.consilium.europa.eu/pdf/en/10/st11/st11580.en10.pdf
191 European Commission, Report on the joint review of the implementation of the Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging data from the European Union to the United States for the purposes of the Terrorist Finance Tracking Program, Brussels, 16 March 2011. http://ec.europa.eu/dgs/home-affairs/news/intro/docs/commission-report-on-the-joint-review-of-the-tftp.pdf; European Commission, Report on the second joint review of the implementation of the Agreement between the European Union and the United States of America on the processing and transfer of financial messaging data from the European Union to the United States for the purposes of the Terrorist Finance Tracking Program, SWD(2012) 454 final, Brussels, 14 Dec 2012. http://ec.europa.eu/dgs/home-affairs/pdf/20121214_joint_review_report_tftp_en.pdf

The 2008 report from the Belgian Privacy Commission highlighted the absence of a European assistance mechanism for organisations that find themselves in a position similar to that of SWIFT, having legal obligations in a third country but also a requirement to comply with EU data protection law. The report concluded that it was unreasonable to expect such organisations simply to report to the national data protection authority or to the Article 29 Working Party where local law requires secrecy or would criminally sanction any such disclosure. Those organisations should, however, be involved in regulation and guidance activity. The report identified a role in this for the EU-US Contact Group on the protection of personal data, which could examine problematic situations and assess any guarantees given to such organisations by the US.192

192 Commission de la protection de la vie privée, op. cit., 9 Dec 2008, p. 73.

2.7.6 Conclusions

From this case study, we draw the following conclusions:

• The case at first appears to demonstrate differences between US and European law. The subpoena programme was legal in the United States, and required SWIFT to comply. This meant that compliance was also lawful under Canadian law, since PIPEDA permitted compliance with lawful subpoenas served in the United States. Initial European responses were highly critical of the programme, and seemed to indicate different attitudes to this form of financial surveillance. However, later and more detailed investigations did not find a legal breach.
• It is possible that, even in the absence of a finding against SWIFT in the second Belgian investigation, the recommendation process itself put pressure on SWIFT to adjust its infrastructure and manner of operation, including opening a new data centre in Switzerland, so as to allow SWIFT to securely mirror transaction data without bringing that data under US jurisdiction.
• The case demonstrates fairly substantial co-operation and co-ordination between European data protection authorities, primarily in the form of a division of responsibility between national DPAs to investigate elements of the case within their jurisdictions, co-ordinated through the Article 29 Working Party.
• Data protection authorities were potentially sidelined during the later negotiations between the US and the EU over the continuation of the TFTP.
2.8 TELECOMMUNICATIONS DATA RETENTION

2.8.1 Overview
In 2010 the Article 29 Working Party co­ordinated a joint enforcement action into the traffic
data retention practices of major telecommunications and Internet service providers relating to
the Data Retention Directive 2006/24/EC. The Directive obliges telecommunications
providers to store traffic and location data for their customers’ communications for access by
law enforcement agencies. The Working Party concluded that the Directive had been
inconsistently implemented at the national level, with a “patchwork” of implementation
measures. The European Commission also conducted an evaluation of the implementation of
the Directive in 2011, and there are extant legal challenges to the Directive.
2.8.2 Sequence of key events

15 March 2006                  Directive 2006/24/EC of the European Parliament and of the Council, on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC, adopted.193
25 March 2006                  Article 29 Working Party publishes Opinion on the Directive (WP 119).194
20 June 2007                   Report of the Article 29 Working Party's first joint enforcement action.195
17 July 2008                   Enforcement Task Force (ETF) mandated by the Article 29 Working Party to plan and carry out enforcement action in accordance with WP152.196
14 May 2009                    Conference "Towards the evaluation of the Data Retention Directive" hosted by the Commission.
October 2009-March 2010        Commission meetings with representatives of Member States and EEA countries as part of the evaluation.
5 May 2010                     Irish High Court rules in favour of a request to challenge the Data Retention Directive at the EU Court of Justice.
22 June 2010                   Joint letter to Cecilia Malmström, European Commissioner for Home Affairs, calling for the repeal of the Directive.198
13 July 2010                   Article 29 Data Protection Working Party publishes Report on the second joint enforcement action.197
3 December 2010                Conference "Taking on the Data Retention Directive" hosted by the Commission.
17 April 2011                  European Digital Rights publishes "Shadow evaluation report" on the Data Retention Directive.199
18 April 2011                  European Commission publishes Evaluation report on the Data Retention Directive.200
18 December 2012               Austrian Constitutional Court submits questions to the EU Court of Justice on the interpretation of the Charter of Fundamental Rights in relation to the Data Retention Directive.

193 http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2006:105:0054:0063:EN:PDF
194 Article 29 Data Protection Working Party, Opinion 3/2006 on the Directive 2006/24/EC of the European Parliament and of the Council on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC, WP119, Brussels, 25 March 2006. http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2006/wp119_en.pdf
195 Article 29 Data Protection Working Party, Report 1/2007 on the first joint enforcement action: evaluation and future steps, WP137, Brussels, 20 June 2007. http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2007/wp137_en.pdf
196 Article 29 Data Protection Working Party, Mandate to the Enforcement Subgroup to proceed to the 2nd joint investigation action, WP152, 17 July 2008. http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2008/wp152_en.pdf

2.8.3 Reasons for investigation
The European Commission had requested the Article 29 Working Party to conduct sector-related investigations at EU level on the implementation of the Data Protection Directive 95/46/EC.201 The Working Party itself decided to conduct an inquiry into the conduct of national telecommunications providers and Internet service providers (ISPs). The aim was to assess the compliance of telecommunications providers and ISPs with the obligations imposed by national traffic data retention legislation, on the legal basis of Articles 6 and 9 of the e-Privacy Directive 2002/58/EC and the Data Retention Directive 2006/24/EC amending the e-Privacy Directive. Directive 2006/24/EC functions to harmonise the national retention obligations that apply to traffic data.

This selection was supported by the criteria in the Declaration of the Article 29 Working Party on Enforcement,202 and was based on the specific scope of Directive 2006/24/EC and the way that it derogates from the general principle of the e-Privacy Directive 2002/58/EC that traffic data must be erased or made anonymous when no longer required for the purposes of transmission. The Working Party was concerned about the vague definition of "serious crime" as the justification for communications traffic data retention, given the different interpretations of serious crime in national laws. The Working Party had also expressed reservations regarding the Directive in its Opinions on the draft directive and on the adopted Directive respectively (WP 113 and WP 119).

197 Article 29 Data Protection Working Party, Report 01/2010 on the second joint enforcement action: Compliance at a national level with the obligations required from national traffic data retention legislation on the legal basis of articles 6 and 9 of the e-Privacy Directive 2002/58/EC and the Data Retention Directive 2006/24/EC amending the e-Privacy Directive, WP172, 13 July 2010. http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp172_en.pdf
198 http://www.vorratsdatenspeicherung.de/images/DRletter_Malmstroem.pdf
199 European Digital Rights, Shadow evaluation report on the Data Retention Directive (2006/24/EC), Brussels, 17 April 2011.
200 European Commission, Report from the Commission to the Council and the European Parliament: Evaluation report on the Data Retention Directive (Directive 2006/24/EC), COM(2011) 225 final, Brussels, 18 April 2011. http://ec.europa.eu/commission_2010-2014/malmstrom/pdf/archives_2011/com2011_225_data_retention_evaluation_en.pdf
201 Commission of the European Communities, Report from the Commission: First report on the implementation of the Data Protection Directive (95/46/EC), COM(2003) 265 final, Brussels, 15 May 2003. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2003:0265:FIN:EN:PDF
202 Article 29 Data Protection Working Party, Declaration of the Article 29 Working Party on Enforcement, WP 101, Brussels, 25 November 2004. http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2004/wp101_en.pdf
The investigation was mandated to focus on the measures adopted by telecommunications and
Internet service providers for security and the prevention of abuse, their adherence to storage
limit obligations, and the type of data retained (traffic and/or content data).
The Data Retention Directive itself made provisions for the Commission to conduct an
evaluation of the application and the impact of the directive, and to submit the findings of this
to the European Parliament and the Council. The EDRi was not satisfied with the evaluation
processes being used by the Commission and therefore produced a shadow evaluation report
in parallel, under its own initiative.
Both the Irish High Court and the Austrian Constitutional Court had referred questions on the Directive's compatibility with the Charter of Fundamental Rights of the European Union to the Court of Justice of the European Union. The Court's decision on this matter is still pending.
2.8.4 Findings of investigation
The Working Party investigation involved a questionnaire and on­site inspections of the main
national telecommunications operators and of a significant market share of ISPs. The
questionnaire asked about the technological solutions implemented for retention purposes,
such as IT security, logical and physical protection, authentication/authorisation, logs,
encryption, protocols for disclosure and transmission, and back­up/disaster recovery
mechanisms.
The Working Party concluded that the Directive had been inconsistently implemented at the
national level, with a “patchwork” of implementation measures across Member States. The
retention of telephone traffic data is more homogeneous than that of Internet services. A press
release from the Working Party states that the current implementation of the data retention
directive was found to be illegal.203 It states that the obligation to retain telecommunications
and Internet traffic data has not been applied correctly in the Member States, and service
providers were found to both retain and hand over data to law enforcement in ways that
contradicted the Directive. Some providers were retaining content data as well as traffic data.
The Working Party called for the definition of minimum security standards to be applied by
providers. It also suggested that self­regulation was insufficient because of the uneven
balance of power between law enforcement authorities and service providers.
The Commission's evaluation of the Directive concluded that data retention was a valuable tool for criminal justice, that the harmonisation of data retention had been limited, and that the EU should use common rules to ensure that high standards for the storage, use and retrieval of traffic and communication data are maintained. The Commission stated its intention to amend the Directive, based on an impact assessment. The evaluation was based on stakeholder consultation and meetings with representatives of Member States and EEA countries, and a survey in September 2009.

203 Article 29 Data Protection Working Party, European Data Protection Authorities find current implementation of data retention directive unlawful, Press release, Brussels, 14 July 2010.
The Shadow evaluation report by EDRi was strongly critical of Directive 2006/24/EC, describing it as an unnecessary and unprecedented violation of fundamental rights.204 The report was also highly critical of the evaluation methods used by the Commission. Similarly, the European Data Protection Supervisor, Peter Hustinx, described the Directive as "the most privacy invasive instrument ever adopted by the EU in terms of scale and number of people it affects" and criticised its failure to harmonise national legislation.205
2.8.5 Forms of co-operation
The enforcement action drew on the experience of the first Joint Enforcement Action
conducted by the members of the Article 29 Working Party into the data protection practices
of private health insurance companies.
The investigation was co­ordinated by the Enforcement Sub­Group of the Working party and
carried out by the Data Protection Authorities of: Belgium, Bulgaria, Cyprus, Czech Republic,
Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia,
Liechtenstein, Luxembourg, Lithuania, Malta, Netherlands, Poland, Romania, Slovak
Republic, Slovenia, Spain, and the United Kingdom.
At the time of the Action, the Enforcement Sub-Group was composed of the DPAs of Austria, Belgium, Cyprus, Finland, France, Germany, Greece, Ireland, Italy, Lithuania, Netherlands, Poland, Romania, Spain, Sweden and the United Kingdom. Bulgaria, Czech Republic, Denmark, Estonia, Hungary, Latvia, Liechtenstein, Luxembourg, Malta, Slovak Republic and Slovenia participated, but were not on the Sub-Group. Sweden was on the Enforcement Sub-Group but does not appear to have participated in the joint action. Sweden had not at that time implemented the Data Retention Directive, although non-implementation did not prevent other countries (Germany and Poland) from participating in the joint investigation. The Sub-Group was to take into account previous Opinions from the Working Party on the Data Retention Directive, particularly the minimum standards proposed in Opinion 3/2006 (WP119).

The Working Party adopted a standard questionnaire. On-site inspections were conducted where the participating Data Protection Authorities determined they were required, on the basis of their inspection powers under national law (not all participants possessed such powers). Each participating DPA produced a national report, and these were summarised in the Working Party report of July 2010.
The Commission’s evaluation of the Data Retention Directive was intended to take account of the observations submitted by Member States and the Article 29 Working Party. The report on the second joint enforcement action should be considered the Article 29 Working Party’s contribution towards the Commission’s evaluation. The Commission was due to complete its evaluation of the Directive by September 2010. It instead published the evaluation report on 18 April 2011. The Report suggested that there were issues with the provision of statistical information on data retention. Under Article 10 of the Data Retention Directive, Member States are to provide the Commission with yearly statistics on the use of traffic data retained under the provisions of the Directive. These statistics should report the cases where information was transmitted to LEAs, the time elapsed between the date on which the information was retained and the date on which LEAs requested such information, and any cases where the data requests could not be complied with.
204 European Digital Rights,
205 https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/Publications/Speeches/2010/10-12-03_Data_retention_speech_PH_EN.pdf
This data is to inform any future revisions to the Directive. Only a few Member States provided this data, despite repeated requests from the Commission, and the Article 29 Working Party suggested that this might hinder the entire assessment exercise.206 The evaluation also drew on position papers produced by the Platform on Electronic Data Retention for the Investigation, Detection and Prosecution of Serious Crime, an expert group established under Commission Decision 2008/324/EC, containing representatives of Member States’ law enforcement, members of the European Parliament, associations of the electronic communications industry, representatives of DPAs, and the European Data Protection Supervisor.207
EDRi associates the seven-month delay with mistakes in the evaluation process. Its other criticisms of the evaluation process include the Commission limiting the scope of the evaluation by only asking questions about the assumed value of data retention to national governments, and not collecting information from Member States that had not implemented the Directive.208 It argues that the Commission has not commissioned independent research into whether such data retention as the Directive mandates is “necessary in a democratic society”, the minimum standard for a measure to be legal under the EU Charter of Fundamental Rights and the European Convention on Human Rights.209 Further, EDRi states that the Commission’s evaluation report does not demonstrate that any benefits for crime prosecution from blanket data retention may not also be achieved through alternative targeted data preservation schemes.210 The shadow evaluation draws on some of the evidence for differential retention periods and the inadequacy of security standards gathered by the Article 29 Working Party through its joint action, as well as on the decisions of the constitutional courts of Member States that had rejected the Directive (Romania) or its national implementation (Cyprus, Czech Republic, Belgium and Germany).
2.8.6 Conclusions
From this case study we draw the following conclusions:
• Relatively unproblematic co-operation and co-ordination between the data protection authorities themselves with regard to the initiation, organisation and enactment of the joint enforcement action.
    o This drew on the experience of the first joint action.
    o Absence of some members of the Enforcement Sub-Group from the joint action.
• Disagreement between the Working Party and the Commission regarding the direction of the Data Retention Directive.
• Strong opposition from various sources to the Data Retention Directive, including criticism of the evaluation process used by the Commission, and the data drawn upon in this process.
    o Statistics on effects of data retention not provided by Member States to either the Article 29 Working Party or to the Commission.
• Legal challenges to the legality of the Data Retention Directive are still outstanding.
206 p. 16. http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp172_en.pdf
207 Up to 25 members in total, with up to 10 representatives of law enforcement, up to two members of the European Parliament, up to eight representatives of associations of the electronic communications industry, and up to four representatives of DPAs. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2008:111:0011:0014:EN:PDF
208 EDRi, op. cit., 17 April 2010, p. 3.
209 Ibid., p. 4.
210 Ibid., p. 7.
2.9 WORLD ANTI-DOPING AGENCY CODE AND STANDARD REVISIONS
2.9.1 Overview
The World Anti-Doping Agency (WADA) is an independent foundation set up by the International Olympic Committee and headquartered in Montreal, Canada, to co-ordinate, promote and monitor efforts against doping in sport. Revisions to WADA’s World Anti-Doping Code and the newly created International Standard for the Protection of Privacy and Personal Information placed requirements upon athletes to regularly communicate data, including sensitive data, to anti-doping organisations (including a database hosted in Canada). The revisions also included provisions for publicly revealing the findings of doping tests in certain circumstances. The Article 29 Working Party considered that aspects of this code raised questions about their compatibility with European data protection standards. WADA reacted strongly to the Working Party’s Opinions.
The Anti-Doping Administration Management System (ADAMS) is a clearing house database for doping control data, located in Montreal, Canada. The database contains the personal information of athletes who are included in registered testing pools, including “whereabouts” information. Whereabouts information supports a requirement in the Code for professional athletes to provide information on where and when they will be available for no-notice drug testing by anti-doping officials. Athletes are required to specify one hour a day, between 6am and 11pm, 90 days in advance, when they are available for out-of-competition drug testing. Failure to be in this location at this time three times in an 18-month period can result in a doping offence and a related suspension from professional sport. This information may be stored in the ADAMS database and made available to relevant domestic anti-doping officials (the decision to use the database is made by national anti-doping organisations). The Code revision was intended to end inconsistencies between existing whereabouts regimes in different national anti-doping organisations.211
2.9.2 Sequence of key events
2006: World Anti-Doping Association opens consultation process on new Code and International Standard.
June to July 2007: 3rd phase of WADA consultation process.
15-17 November 2007: Adoption of amended World Anti-Doping Code.
April 2008: WADA met with representatives of the Commission’s data protection unit and the Spanish Data Protection Authority and revised the standard to fit European concerns, citing the benefits of collaboration rather than confrontation.
May 2008: WADA Executive Committee approves revised version on the basis of these discussions.
7 July 2008: Draft International Standard submitted to the Article 29 Working Party.
1 August 2008: Article 29 Working Party publishes Opinion 3/2008 on the World Anti-Doping Code Draft International Standard for the Protection of Privacy.212
1 January 2009: WADA Code and modified International Standard come into force.
January 2009: Legal challenge by the Belgian organisation Sporta and 65 Belgian athletes to the Flemish regional government on the compatibility of the Code with Article Eight of the European Convention on Human Rights.
21 February 2009: EU Sports Commissioner calls for WADA to suspend whereabouts rule until his ruling.
6 April 2009: Article 29 Working Party publishes Second Opinion 162 on the World Anti-Doping Agency (WADA) International Standard for the Protection of Privacy and Personal Information, on related provisions of the WADA Code and on other privacy issues in the context of the fight against doping in sport by WADA and (national) anti-doping organizations.213
9 May 2009: WADA Executive Committee adopts revised International Standard.
11 May 2009: European Commission greets the revised standard as the outcome of successful co-operation between the EU and WADA.214
16 June 2009: WADA meets with Article 29 Working Party at its 71st plenary session. Working Party calls for WADA to continue to amend the standard, as key issues highlighted in the Second Opinion have yet to be addressed.215
28 January 2010: Spanish court rules that implementation of whereabouts programme by International Cycling Union does not breach Spanish data protection law.
7 February 2012: Article 29 Working Party writes to Commissioner for Education, Culture, Multilingualism and Youth, in advance of meeting with WADA.
9 February 2012: WADA meets with European Commission.
211 Halt, James. “Where is the Privacy in WADA’s “Whereabouts” Rule?”, Marquette Sports Law Review, Vol. 20, Issue 1, 2009. http://scholarship.law.marquette.edu/cgi/viewcontent.cgi?article=1017&context=sportslaw
212 http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2008/wp156_en.pdf
213 http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2009/wp162_en.pdf
214 WADA, Annotated version of Second Opinion 4/2009 on the World Anti-Doping Agency (WADA) International Standard for the Protection of Privacy and Personal Information, p. 5. http://www.wada-ama.org/Documents/World_Anti-Doping_Program/WADP-IS-PPPI/WADA_Comments_WP29_FullVersion.pdf
215 Article 29 Data Protection Working Party, Press release, Brussels, 16 June 2009. http://ec.europa.eu/justice/policies/privacy/news/docs/pr_16_06_09_en.pdf
2.9.3 Reasons for investigation
The European Commission's Directorate for Education and Culture (DG EAC) requested an opinion from the Article 29 Working Party on the draft International Standard on the protection of privacy prepared by the World Anti-Doping Agency (WADA) in 2007.
After the revised WADA Code and International Standard came into force in 2009, their legality was challenged in several European jurisdictions. A group of 65 Belgian athletes raised a legal complaint with the Flemish regional government on the compatibility of the Code with Article Eight of the European Convention on Human Rights in 2009, and a group of Spanish professional cyclists raised a challenge to the implementation of the Code based upon its incompatibility with Spanish data protection law.
2.9.4 Findings of investigation
The Article 29 Working Party published two opinions, Opinion 156 and Second Opinion 162. Opinion 156 noted WADA’s initiative in seeking minimum standards of privacy and data protection for athletes and others involved in anti-doping practices, and acknowledged the role that such a standard could play outside the jurisdiction of European data protection law. However, the Working Party did not believe that the standard reached the minimum standards required by European data protection law. Opinion 156 stated that there was insufficient reference to the data processing that would be conducted in the ADAMS database, and recommended that greater detail be added or that WADA develop procedural policies for users of the database. It also highlighted the importance of EU law in relation to the transfer of data from the EU to Canada. Opinion 156 also raised the issue of freely given and informed consent. It considered that consent to the processing of data collected in the context of the execution of the obligations of the World Anti-Doping Code was neither freely given nor informed, due to the sanctions associated with non-compliance and the processes through which a data subject is informed of such processing. The Opinion requested that WADA consider the banning of automated individual decisions, independent control over implementation of the standard, a right of remedy and compensation for processing incompatible with the standard, and the applicability of national data protection laws to national anti-doping organisations.
Second Opinion 162 was published by the Article 29 Working Party after the revised Standard had come into force in 2009. It acknowledged that some of the Working Party’s previous remarks had been incorporated into the Standard, but maintained that there were still continuing concerns. The Opinion moved beyond commenting on the standard to include references to the Code and to the ADAMS database. The Working Party asserted the primacy of domestic law (in this case Directive 95/46/EC and Member State laws implementing it) over the international agreements providing the authority for the WADA Code and Standard, and that national data controllers must disregard the WADA Code and Standard to the extent to which they contradict domestic law. The Opinion also made further statements about data transfers to countries outside the EU (in particular to the ADAMS database), data retention periods, and sanctions (including public reports of doping violations).
2.9.5 Forms of co-operation
WADA was running a consultation exercise during the revision of the Code. WADA had approached the Article 29 Data Protection Working Party for comment on the draft International Standard. The Working Party reiterated at several points its support for WADA’s development of policies on data protection and privacy, but also interacted with WADA in several ways.
Several alterations were made to the draft International Standard for the Protection of Privacy and Personal Information by WADA on the basis of the Article 29 Working Party’s first Opinion and WADA’s meeting with representatives of the Commission's data protection unit and the Spanish Data Protection Authority in April 2008. WADA provided additional information in response to the Working Party's requests for clarification between the two Opinions, and revised the standard to fit European concerns, citing the benefits of collaboration rather than confrontation.
However, WADA was “deeply disappointed” with the tone of the Second Opinion, which it described as “overtly confrontational”. WADA stated that the Opinion made requirements upon the Standard that went beyond the requirements of EU law. WADA indicated that these opinions reflected an imperfect or incomplete understanding of anti-doping practices, contained various factual and legal errors and were having a negative impact upon anti-doping efforts, and disagreed with the opinions.216 WADA also expressed disapproval of the way in which the Article 29 Working Party used references in the Standard to the Code and the ADAMS database to go beyond the scope of WADA’s initial request for comment.217 WADA argued that the Standard was a minimal standard, and that rather than conflicting with European law, the data protection and privacy requirements in the standard could be built upon by stronger EU legislation. The same response accuses the Working Party of “legislative imperialism” and of lacking the legal competence to determine whether anti-doping efforts do or do not serve an important public interest. WADA states that its requests to meet with the Working Party sub-group, communicated in both February and March 2009, were denied by the Commission Secretariat.218
WADA provided a submission to the European Commission’s consultation on the legal
framework for the fundamental right of personal data and the effectiveness of EC Directive
95/46/EC. In this submission WADA states that it has regular interaction with various
European data protection bodies including the Council of Europe, the Article 29 Working
Party and the national data protection authorities. WADA expressed fears that “some
regulators are engaging in an overly restrictive interpretation and application of EU data
protection rules and thereby threatening to undermine the very anti­doping programs that
Europe, both at the community and local level has been promoting and supporting around the
world for many years.”219 This submission suggested amendments to the Directive to provide
an explicit legal basis for the processing of sensitive data by anti­doping organisations and to
allow anti­doping organisations to transfer personal data where necessary in connection with
their legitimate activities.
216 WADA, Annotated version of Second Opinion 4/2009 on the World Anti-Doping Agency (WADA) International Standard for the Protection of Privacy and Personal Information. http://www.wada-ama.org/Documents/World_Anti-Doping_Program/WADP-IS-PPPI/WADA_Comments_WP29_FullVersion.pdf
217 http://www.wada-ama.org/Documents/World_Anti-Doping_Program/WADP-IS-PPPI/WADA_Comments_WP29_FullVersion.pdf
218 WADA, Annotated version of Second Opinion 4/2009 on the World Anti-Doping Agency (WADA) International Standard for the Protection of Privacy and Personal Information, p. 5. http://www.wada-ama.org/Documents/World_Anti-Doping_Program/WADP-IS-PPPI/WADA_Comments_WP29_FullVersion.pdf
219 World Anti-Doping Agency, European Commission Consultation: the legal framework for the fundamental right of personal data, undated. http://ec.europa.eu/justice/news/consulting_public/0003/contributions/organisations_not_registered/wada_en.pdf
The EU Commission, the Council of Europe and WADA reached agreement on the International Standard in 2009, apparently including solutions to issues raised by the Article 29 Working Party. The Commission welcomed the adoption of the revised International Standard in May 2009, and stated that it looked forward to further co-operation on data protection matters which could not be addressed in the standard.220
The Article 29 Working Party hosted a hearing with WADA representatives at its plenary meeting in 2009, where it discussed the issues raised in the Second Opinion. Following the hearing the Working Party maintained that, whilst the Standard had been slightly amended, key issues still needed to be addressed.221 Additionally, in advance of a meeting between WADA and the European Commission in 2012, the Article 29 Working Party wrote to the Commission to reiterate that suggested modifications to the Standard from the Second Opinion had still not been implemented.222 The Working Party last discussed the WADA case at a meeting in February 2013223 and wrote to WADA in March 2013. Whilst this letter thanked WADA representatives who had attended a sub-group meeting and had contributed to a better understanding of the situation, it again reiterated that data protection is a fundamental right, and again called upon WADA to take the Article 29 Working Party’s previous comments into account.224 In addition to the two published Opinions previously mentioned, the Working Party also made a contribution to the public consultation.225
The Article 29 Working Party consulted the Canadian Privacy Commissioner, who provided information in a letter dated 10 November 2008 on the applicability of the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) to WADA and ADAMS. Similar information was also provided by the Montreal Privacy Commissioner.
Several sports-related bodies (Anti-Doping Denmark, Canadian Heritage, Anti-Doping Norway, Royal Ministry of Culture and Church Affairs (Norway), Federal Office of Sport FOSPO (Switzerland), Canadian Centre for Ethics in Sport, Danish sport community) also raised issues of data protection in their general submissions to the initial WADA consultation exercise (amongst other non-DP issues).226 Several more organisations raised data protection issues of various sorts in their specific submissions in relation to Article 14 of the Code.227
WADA had conducted an earlier consultation exercise on its standards in 2002, which had received little attention from data protection authorities, with the exception of the Privacy Commissioner of New Zealand. A proposed resolution on Data Protection and International Resolutions, which specifically mentions these WADA standards, was put before the 25th International Conference of Data Protection and Privacy Commissioners in 2003.228 Greater engagement at this point between DPAs and WADA might have avoided some of the more “confrontational” tone of later discussions.
220 European Commission, World Anti-Doping Agency adopts revised data protection standards and continues successful dialogue with the EU. Press Release IP/09/733, Brussels, 11 May 2009. http://europa.eu/rapid/press-release_IP-09-733_en.htm?locale=en
221 http://ec.europa.eu/justice/policies/privacy/news/docs/pr_16_06_09_en.pdf
222 http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2012/20120207_letter_to_comm_vassiliou_re_wada_en.pdf
223 Article 29 Data Protection Working Party, Draft Agenda, 26-27 February 2013. http://ec.europa.eu/justice/data-protection/article-29/press-material/agenda/files/public_agenda_20130226-27_en.pdf
224 Article 29 Data Protection Working Party, Letter to World Anti-Doping Agency, Brussels, 5 March 2013. http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2013/20130305_letter-to-wada_en.pdf
225 http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2013/20130305_letter-to-wada_annex_en.pdf
2.9.6 Conclusions
From this case study, we draw the following conclusions:
• The Article 29 Working Party adopted and consistently maintained the collective position that the draft and subsequently adopted WADA Code and International Standard did not comply with European privacy and data protection law.
• The interaction between the Article 29 Working Party and WADA is an ongoing process, which has remained relatively stable since 2009, with the Working Party still requesting that WADA revise its Code and Standard in line with European data protection law. Parts of this interaction have been conducted in a fairly intemperate manner. Since 2009 this position appears to have reached a stalemate.
• The European Commission and Council of Europe seem more satisfied with the existing revisions to the WADA Code and Standard than the Article 29 Working Party.
226 WADA, Feedback on Code 2007: Draft Version 2.0 - General, 01 October 2007. http://www.wada-ama.org/Documents/World_Anti-Doping_Program/WADP-The-Code/Code_Review/3rd_Consultation/WADA_Code_2007_V2.0_GeneralComments_EN.pdf
227 WADA, Feedback on Code 2007: Draft Version 2.0 – Article 14, 1 October 2007. http://www.wada-ama.org/Documents/World_Anti-Doping_Program/WADP-The-Code/Code_Review/3rd_Consultation/Part_I/3rd_Part_1_Article14.pdf
228 http://www.worldlii.org/int/other/ICDPPCRD/2003/2.html
2.10 GLOBAL PRIVACY ENFORCEMENT NETWORK “SWEEP”
2.10.1 Overview
Nineteen privacy regulatory authorities participated in the first annual “Privacy Sweep” of the Global Privacy Enforcement Network (GPEN) in 2013. The authorities designated representatives of their organisations to search the Internet and assess privacy issues on websites.
2.10.2 Sequence of key events
12 June 2007: OECD Recommendation on Cross-Border Cooperation in the Enforcement of the Laws Protecting Privacy.229
Summer 2008: Privacy regulatory authorities start exchanging information via a web utility.
March 2010: GPEN established by eleven privacy enforcement authorities.
15 June 2012: Action Plan for the Global Privacy Enforcement Network adopted.
6-12 May 2013: First annual privacy sweep.
6 May 2013: Office of the Privacy Commissioner of Canada and CNIL conduct sweep.
7 May 2013: Privacy Commissioner for Personal Data, Hong Kong, conducts sweep.
13 August 2013: Initial findings of sweep published by Privacy Commissioner of Canada.230
2.10.3 Reasons for investigation
The sweep was self-initiated by the GPEN. Stated goals of the sweep include increasing public and business awareness of privacy rights and responsibilities; encouraging compliance with privacy legislation; identifying concerns which may result in follow-up action (such as education or enforcement); and enhancing cooperation amongst privacy enforcement authorities. The theme of the 2013 sweep was privacy practice transparency.
The Office of the Privacy Commissioner of Canada stated that it would be examining websites for the presence of a privacy policy, the difficulty of finding information on a site’s privacy practices, the ready availability of contact information for privacy questions, and the readability of the information on privacy practices.231
The Commission Nationale de l’Informatique et des Libertés saw the purpose of the sweep as reviewing whether Internet users were properly informed of the types of personal data collected, the purposes of the collection, whether personal data are transferred to third parties, and whether web users can object to the transfer of their personal data to third parties.232
229 OECD, Recommendation on Cross-Border Co-operation in the Enforcement of Privacy Laws, 2007. http://www.oecd.org/internet/ieconomy/38770483.pdf
230 Office of the Privacy Commissioner of Canada, “Results of the 2013 Global Privacy Enforcement Network Internet Privacy Sweep”, Ottawa, 13 August 2012. http://www.priv.gc.ca/media/nr-c/2013/bg_130813_e.asp
231 Office of the Privacy Commissioner of Canada, “Privacy enforcement authorities launch first-ever international Internet privacy sweep”, Press Release, Ottawa, 6 May 2013. http://www.priv.gc.ca/media/nr-c/2013/nr-c_130506_e.asp
2.10.4 Findings of investigation
The sweep was not an in-depth investigation, but aimed to replicate the consumer experience by checking each site briefly against a set of common indicators. The sweep was intended to provide additional information on trends which might guide future education and outreach. The full collated findings of the sweep have not yet been made public, but will be published by the Office of the Privacy Commissioner of Canada, which intends to publish a report in Autumn 2013.233 Some participants released limited findings in press releases relating to the sweep. For example, the Office of the Privacy Commissioner of New Zealand stated that many New Zealand schools lacked a privacy policy, whilst the majority of games websites targeted at children did have detailed privacy policies, but that these were based upon U.S. or European law. The US Federal Trade Commission sent warning letters to ten data brokers immediately following its sweep.234 The Canadian OPC released some initial findings in August 2013. These suggested that participants found too many websites with no privacy policy available, that one third of policies raised concerns with respect to the information provided, that one third of policies raised concerns about readability, and that mobile app privacy policies lagged behind websites. The findings also included some of the best practices observed.235
2.10.5 Forms of co-operation
The sweep was an initiative of the Global Privacy Enforcement Network and was co-ordinated by the Canadian Privacy Commissioner. The Network is the result of a 2007 OECD Recommendation on Cross-Border Cooperation in the Enforcement of the Laws Protecting Privacy,236 and was launched at an OECD meeting. GPEN’s statement of mission mirrors the Recommendation and states that GPEN “connects privacy enforcement authorities from around the world to promote and support cooperation in cross-border enforcement of laws protecting privacy.”237 This is to be achieved through exchanging information, encouraging training opportunities and the sharing of enforcement expertise and good practice, promoting dialogue between organisations with privacy enforcement roles, and creating and maintaining processes that support co-operation. GPEN has 26 members, who are national Data Protection or Information Commissioners. GPEN collaboration builds upon a mechanism started in Summer 2008, via a web utility.238 The GPEN action plan is not legally binding, and co-operation is subject to applicable laws in the jurisdictions involved. New participants apply to the existing members, and are expected to endorse the Action Plan.239
232 Commission Nationale de l’Informatique et des Libertés, “Journée d'audit en ligne à la CNIL : les 250 principaux sites informent-ils suffisamment les internautes?”, Press release, 6 May 2013. http://www.cnil.fr/linstitution/actualite/article/article/journee-daudit-en-ligne-a-la-cnil-les-250-principaux-sites-informent-ils-suffisamment-les-inte/
233 Williams, Ian, “Blog: ICO joins global sweep to improve website privacy policies”, Information Commissioner’s Office, 10 May 2013. http://www.ico.org.uk/news/blog/2013/ico-joins-global-sweep-to-improve-website-privacy-policies
234 Federal Trade Commission, “FTC Warns Data Broker Operations of Possible Privacy Violations”, Press release, 7 May 2013. http://www.ftc.gov/opa/2013/05/databroker.shtm
235 Office of the Privacy Commissioner of Canada, “Results of the 2013 Global Privacy Enforcement Network Internet Privacy Sweep”, Ottawa, 13 August 2012. http://www.priv.gc.ca/media/nr-c/2013/bg_130813_e.asp
236 OECD, Recommendation on Cross-Border Co-operation in the Enforcement of Privacy Laws, 2007. http://www.oecd.org/internet/ieconomy/38770483.pdf
237 https://www.privacyenforcement.net/public/activities
238 https://www.privacyenforcement.net/
According to the OECD, and in line with the Recommendation, the focus of GPEN is primarily on facilitating co-operation in the enforcement of privacy laws governing the private sector. That, however, does not exclude co-operation on matters involving the processing of personal data in the public sector.240
The OECD also hosts www.privacyenforcement.net, a web platform for GPEN. This site
provides a restricted­access platform for sharing of documents and news. It also includes
collaboration tools such as discussion forums, an events calendar and other functionalities.
Each participating regulatory authority selected a specific day within the week of 6-12 May 2013. Participants included Australia (Office of the Australian Information Commissioner), Canada (both the Office of the Privacy Commissioner of Canada, and the Information and Privacy Commissioner of British Columbia), Estonia (Estonian Data Protection Inspectorate), Finland (Office of the Data Protection Ombudsman), France (Commission Nationale de l’Informatique et des Libertés), Germany (four regional data protection authorities and the Federal Data Protection Commission), Hong Kong (Office of the Privacy Commissioner for Personal Data), Ireland (Office of the Data Protection Commissioner), Macao (Office for Personal Data Protection, Government of Macao), Macedonia (Directorate for Personal Data Protection), New Zealand (Office of the Privacy Commissioner), Norway (Data Protection Authority), United Kingdom (Information Commissioner’s Office) and the United States (Federal Trade Commission).
The participating authorities used a common analytical framework to establish a global overview of the practices of major websites.241 GPEN agreed to focus upon key indicators of availability, find-ability, contact-ability, readability and relevance. However, the common theme (transparency of privacy practices) was chosen in order to allow individual participants to tailor their sweep to particular legislation or strategic priorities. Each individual participant also determined which websites it would investigate.242 As an example, the Privacy Commissioner for Personal Data of Hong Kong chose to focus upon the privacy statements and information of local smartphone applications.243 The numbers of sites also varied: the UK Information Commissioner’s Office examined 250 UK-based sites, whilst the US Federal Trade Commission acted as a test-shopper, contacting 45 US companies.
239 GPEN, Action Plan for the Global Privacy Enforcement Network, 15 June 2012. https://www.privacyenforcement.net/public/activities
240 OECD, “Report on the Implementation of the OECD Recommendations on the Cross-border Co-operation in the Enforcement of Laws Protecting Privacy”, OECD Digital Economy Papers, No. 178, 2011.
241 Commission Nationale de l’Informatique et des Libertés, “Journée d'audit en ligne à la CNIL : les 250 principaux sites informent-ils suffisamment les internautes?”, Press release, 6 May 2013. http://www.cnil.fr/linstitution/actualite/article/article/journee-daudit-en-ligne-a-la-cnil-les-250-principaux-sites-informent-ils-suffisamment-les-inte/
242 Office of the Privacy Commissioner of Canada, Global Privacy Enforcement Network Internet Privacy Sweep Questions and Answers, Ottawa, 6 May 2013. http://www.priv.gc.ca/media/nr-c/2013/nr-c_130506_qa_e.asp
243 Office of the Privacy Commissioner for Personal Data, Hong Kong, The PCPD Commences to Study Privacy Policies of Local Smartphone Apps, Press Release, 7 May 2013. https://www.pcpd.org.hk/english/infocentre/press_20130507.htm
2.10.6 Conclusions
From this case study, we draw the following conclusions:
• A large number of participating organisations across a diverse range of jurisdictions, with a relatively high public profile.
• Strong co-operation associated with a proactive mode, with time for planning and execution, rather than in response to a specific trigger event.
• Depth of co-operation may be limited, as there was significant local variation in what was “swept” for.
• High publicity value of global co-operation between regulatory authorities, with encouraging co-operation as a specific stated goal.
2.11 GOOGLE GLASS
2.11.1 Overview
In June 2013, Canadian Privacy Commissioner Jennifer Stoddart and 36 of her provincial and international counterparts collaborated in issuing a joint letter to Google Chief Executive Officer Larry Page seeking responses to questions and concerns related to Google Glass, the company’s new Internet-connected glasses.244 Commissioner Stoddart said, “Google Glass raises significant privacy issues and it is disappointing that Google has not engaged more meaningfully with data protection authorities about this technology.”
2.11.2 Reasons for investigation
The letter notes that Google Glass has been the subject of many articles that have raised
concerns about the privacy implications of a device that can be worn by an individual and
used to film and record audio of other people. Data protection authorities have emphasised the
need for organisations to build privacy into the development of products and services before
they are launched and to consult in a meaningful way with DPAs, which has not happened
regarding Google Glass.
Among the questions asked by the DPAs are the following:
• How does Google Glass comply with data protection laws?
• What are the privacy safeguards Google and application developers are putting in place?
• What information does Google collect via Glass and what information is shared with third parties, including application developers?
• How does Google intend to use this information?
• Although Google has decided not to include facial recognition in Glass, how does Google intend to address the specific issues around facial recognition in the future?
• Is Google doing anything about the broader social and ethical issues raised by such a product, for example, the surreptitious collection of information about other individuals?
• Has Google undertaken any privacy risk assessment the outcomes of which it would be willing to share?
• Would Google be willing to demonstrate the device to our offices and allow any interested data protection authorities to test it?
2.11.3 Findings of investigation
Google Inc. provided a letter in response to the inquiry from the data protection authorities on 27 June 2013.245 Google’s response, from Peter Fleischer, Google’s Global Privacy Counsel, focused upon the preliminary, exploratory nature of its initial release of Google Glass, and attempted to demonstrate that privacy was a concern for the company. The response highlighted the controls that the Google Glass user has over the technology in terms of activating functionality, installing and removing applications, deletion of content from the device, and the limitations placed upon application developers. The response letter did not appear to answer many of the questions that the DPAs had put forward in their initial letter. Additionally, the response identified local privacy, legal and policy experts who would “serve as your points of liaison going forward”, which may represent an effort on the part of Google not to engage with data protection authorities collectively, but rather through national channels. The Office of the Canadian Privacy Commissioner acknowledged the response from Google, but identified that the next step was to establish meaningful discussion with Google Canada.246
244 Office of the Privacy Commissioner of Canada, “Data protection authorities urge Google to address Google Glass concerns”, News release, 18 June 2013. http://www.priv.gc.ca/media/nr-c/2013/nr-c_130618_e.asp
245 Office of the Privacy Commissioner of Canada, “Response from Google to data protection authorities regarding Google Glass”, News release, 25 July 2013. https://www.priv.gc.ca/media/nr-c/2013/let_130627_google_e.asp
2.11.4 Forms of co-operation
This investigation was conducted through a co-ordinated letter co-signed by the DPAs involved. Signatories were:
• Jennifer Stoddart, Privacy Commissioner of Canada
• Jacob Kohnstamm, Chairman of the Article 29 Working Party, on behalf of the members of the Working Party247
• Timothy Pilgrim, Privacy Commissioner of Australia
• Marie Shroff, Privacy Commissioner, New Zealand
• Alfonso Oñate Laborde, Secretary for Data Protection, Federal Institute for Access to Information and Data Protection, Mexico
• Rivki Dvash, Head of the Israeli Law, Information and Technology Authority
• Hanspeter Thür, Swiss Federal Data Protection and Information Commissioner
• Jill Clayton, Information and Privacy Commissioner of Alberta
• Jean Chartier, President, Commission d’accès à l’information du Québec
• Elizabeth Denham, Information and Privacy Commissioner of British Columbia
This letter was independent of a similar letter sent to Google by the members of the US Congressional Bi-partisan Privacy Caucus on 16 May,248 although there was some overlap between the question sets. Congressman Joe Barton, a member of the Caucus, stated that he was disappointed with the responses received from Google.249
2.11.5 Conclusions
This comparatively small investigation, conducted on the basis of a letter inquiring about an area of potential concern, shows how investigative fact-finding at an early stage of a technology’s development can be co-ordinated between data protection authorities. The investigation itself is not rigorous (being based upon a set of questions and a voluntary response) and did not include any inspection or verification, but it did minimise the duplication of effort in an inquiry about a technology which was of potential concern to several DPAs. The difference between this case and the Google Buzz case is that in this case the co-ordinated letter was an investigative inquiry, whereas in the Google Buzz case the letter was more critical and normative, informing Google of the position of the co-signatories.
246 Taddese, Yamri, “Stoddart to meet Google officials about concerns with Glass product”, Legal Feeds, 2 August 2013. http://www.canadianlawyermag.com/legalfeeds/1607/stoddart-to-meet-google-officials-about-concerns-with-glass-product.html
247 The figure of 36 signatories is achieved by the inclusion of all European DPAs as part of the Article 29 Working Party.
248 EPIC.org, “Congress investigates Glass Privacy Risk”, undated. https://epic.org/privacy/google/glass/default.html
249 Collins, Katie, “Google tells Congress it won’t change privacy policy for Glass”, Wired, 2 July 2013. http://www.wired.co.uk/news/archive/2013-07/02/google-glass-privacy-policy-wont-change
2.12 HORIZONTAL ANALYSIS
Considering these eleven case studies together provides a range of insights. Over the time period analysed, we can identify an increasing number of mechanisms for international collaboration between data protection authorities (for example, the development of GPEN). There is also good evidence of, and a clear desire for, information sharing between DPAs, even on unrelated cases. DPAs generally appear interested in learning from the experiences of other DPAs and engage in informal ad-hoc consultation and “watching with interest”. Co-ordination appears to be easier and to occur more smoothly in active modes, when co-ordination has been planned and agreed upon in advance of an action, rather than in reactive modes, where DPAs attempt to co-ordinate in response to a complaint or an unanticipated issue.
The case studies demonstrate a strong central role of the Article 29 Data Protection Working Party in European collaboration. The SWIFT, data retention and WADA case studies suggest that the Working Party is not always supported by other European institutions, but that it can be quite influential when it is supported. Opinions from the Working Party are regularly cited in other European documents and texts. The Working Party has also engaged in some co-operation (information sharing and parallel investigations) outside Europe.
Several of the case studies demonstrated a perceived need among data protection authorities for collaboration, driven by international data-protection incidents and uneven responses to these. Decentralisation and co-ordination have arisen in response to an international data protection and privacy environment typified by different national jurisdictions, legal frameworks and particular contexts, and to data protection issues that are large and cross multiple jurisdictions. One of the most common reactive modes of co-ordination is the collective identification of the data protection authority that has local jurisdiction over an issue and then delegating to it, allowing it to have a strong role in any collective response. A second common mode of co-ordination is decentralised information gathering combined with centralised reporting or sharing of that information. This appears an effective response to multi-national issues (for example, national data protection authorities contacting national central banks for information in the SWIFT case). Problems potentially arise when individual DPAs do not have investigation or audit powers, or have weaker sanctions than other DPAs. They may therefore not be able to carry their weight in a delegated, multi-national investigation.
3 CO-OPERATION AND CO-ORDINATION WITHIN EUROPE
In this chapter and the following one, the PHAEDRA partners identify and evaluate existing mechanisms for co-operation and co-ordination in enforcement. Chapter three focuses upon co-operation and co-ordination within Europe, whilst Chapter four expands this perspective to examine co-operation and co-ordination internationally, including co-operation and co-ordination between the EU and third countries. This section includes the European Conference of Data Protection Commissioners (the “Spring Conference”), the Article 29 Data Protection Working Party, the Council of Europe T-PD, DAPIX, the International Working Group on Data Protection in Telecommunications, the Working Party on Police and Justice, the Central and Eastern Europe Data Protection Authorities, the Conference of Balkan Data Protection Authorities, the Coordinated Data Protection Supervision Groups of both Eurodac and the European Visa Information System, the Joint Supervisory Board Europol, the Joint Supervisory Authorities of the Schengen Information System and the European Customs Information System, and other initiatives.
3.1 EUROPEAN CONFERENCE OF DATA PROTECTION COMMISSIONERS (“SPRING CONFERENCE”)
The data protection authorities from Member States of the EU and of the Council of Europe meet annually for the European Conference of Data Protection Commissioners (also known as the “Spring Conference”250) to discuss matters of common interest and to exchange information and experiences on different topics. The European Data Protection Supervisor also actively contributes to the discussions. The one-and-a-half- to two-day conference usually ends with the adoption of a number of important documents.
Members include European national DPAs, European sub-national DPAs, European DPAs within an international or supranational body, and supranational or international bodies that play a role in the European data protection context (such as the European Commission and the Council of Europe). Participants should be European, have independent status, and have adequate functions and powers.251 Non-accredited data protection authorities that wish to join the conference have to be accredited by members of the conference by completing an application based upon guidelines for admission. The decision upon acceptance or refusal of accreditation is taken at the conference. Until the Seville conference in 2005, attendance was based upon invitation from the organising authority. The Guidelines for admission to the Conference of European Data Protection Authorities were adopted by the conference in Rotterdam in 2004, based upon a desire to formalise admission criteria.252 European data protection authorities that had already been accredited as DPAs for the International Conference of Data Protection and Privacy Commissioners did not have to apply, and could gain membership of the Conference upon request. Applicants complete a form which asks questions about the status of the applicant authority, its independence, legal basis, and appropriate functions.253
250 The Conference should not be confused with the Annual European Data Protection & Privacy Conference, organised by Forum Europe.
251 Conference of European Data Protection Authorities, “Guidelines for the admission to the Conference of European Data Protection Authorities”, Final, 25 March 2004. http://springconference2013.cnpd.pt/wp-content/uploads/Guidelines-for-admission-to-the-Spring-Conference.pdf
252 Conference of European Data Protection Authorities, “Guidelines for the admission to the Conference of European Data Protection Authorities”, Final, 25 March 2004. http://springconference2013.cnpd.pt/wp-content/uploads/Guidelines-for-admission-to-the-Spring-Conference.pdf
Inclusion of newly established data protection authorities as equals with more established authorities is seen by the conference as a positive way to integrate the newly established authorities into the European data protection community.254 However, the Conference members in 2004 determined that there was a need to retain coherence amongst the membership, in order to retain the ability to make clear statements. Sub-national DPAs are allowed to participate as full members of the conference; however, decision making operates on a “one-state, one-vote” system so as to avoid an unbalanced increase in the weight of some countries in the decision-making process. European DPAs within an international or supranational body have full voting rights, but DPAs within an international or supranational body that is composed of representatives of national DPAs only have voting rights on issues within their areas of competence. The European Commission and the Council of Europe have observer status at the Conference, and the possibility exists to exclude them from areas of discussion, to be notified in advance.
The following table shows the locations of the previous spring conferences.
Date             Location
December 1991    The Hague
December 1992    Dublin
February 1993    Boppard, Germany
April 1993       Paris
1994             Madrid
1995             Lisbon
1996             Manchester
1997             Vienna
1998             Dublin
1999             Helsinki
2000             Stockholm
2003             Athens
2004             Bonn
2005             Seville
2006             Budapest
2007             Larnaca, Cyprus
2008             Rome
2009             Edinburgh
2010             Prague
2011             Brussels
2012             Luxembourg
2013             Lisbon
253 Conference of European Data Protection Authorities, “Application form for accreditation as a member of the Conference of European Data Protection Authorities”, Lisbon, undated. http://springconference2013.cnpd.pt/wp-content/uploads/Application-form-for-accreditation-2013.pdf
254 Conference of European Data Protection Authorities, “Application form for accreditation as a member of the Conference of European Data Protection Authorities”, Lisbon, undated. http://springconference2013.cnpd.pt/wp-content/uploads/Application-form-for-accreditation-2013.pdf
The participants in the first conference were the Data Protection Commissioners from
Belgium, Denmark, France, Germany, Ireland, Luxembourg, the Netherlands and the United
Kingdom.
A certain amount of time at the conference is reserved by the organising DPA for a closed
session for the EU national DPAs to discuss specifically EU topics. Where meetings of
European Data Protection Authorities occur in the closed sessions of other international
conferences, these meetings are usually chaired by the host of the previous Spring
Conference.
Co-operation between data protection authorities has been a relatively frequent topic of discussion at recent Spring Conferences.255 Based upon the programmes for previous Conferences, the two-day event is based around a series of themed panel sessions with speakers. Participating data protection authorities tend to be represented by senior members of staff of their respective authorities. The final session is generally devoted to reports and resolutions. The 2013 conference, hosted by the Portuguese data protection authority (DPA), addressed issues related to the way DPAs are collaborating to ensure an efficient implementation of data protection rules against the background of rapidly developing technologies. The participants also discussed the modernisation of the Council of Europe data protection convention and the data protection reform package currently being discussed at EU level.
Each Conference produces Resolutions, issued with a collective voice on behalf of the Conference. Resolutions discussed at the 2013 Conference included a resolution on the future of data protection in Europe, a resolution to ensure data protection in a transatlantic free-trade area, a resolution on Europol, an accreditation resolution, and a resolution on procedural rules concerning draft resolutions. The 2012 Conference in Luxembourg produced a single resolution on European data protection reform. From 2013, the texts of draft resolutions are to be made available to members two weeks prior to the Conference.
The Conference previously had a working group on ex-“Third Pillar” policing issues. When the Article 29 Working Party decided to engage with ex-Third Pillar issues in 2011, the Spring Conference working group was dissolved. In comparing the Spring Conference with the Article 29 Working Party, Clara Guerra of the Comissão Nacional de Protecção de Dados, Portugal, suggested that the Conference pre-dated the Working Party, was a more expanded forum, and was more focused upon practical issues than the policy-focused Working Party.
The host DPA is responsible for creating and maintaining the website for that year’s
Conference. The Spring Conference also has access to an interest group contact list through
the CIRCA network provided by the European Commission.
3.1.1 Case-Handling Workshop
The Case-Handling Workshop, previously held twice a year in spring and autumn, but now held once yearly, is a series of events organised by a different data protection authority each time to help promote the exchange of information on case studies and practical issues at the operational level (“staff level”), as well as increasing general contacts between employees. The Workshop is a sub-grouping of the European Conference of Data Protection Commissioners, with overlapping participants drawn from the accredited membership of the Conference. It is not a policy-making workshop. Initially named the Complaints Handling Workshop, one of the aims of the Workshop was the use of a common procedure for handling international complaints. The initiative for the Workshop came from the Spring Conference held in Helsinki in 1999, in pursuit of Article 28(6) of Directive 95/46/EC requiring supervisory authorities to collaborate with each other. A revised Framework for activities document for the Workshop was adopted in 2005256 and a paper on the future of case handling workshops in 2009.257
255 Buttarelli, Giovanni, “How could DPAs better co-operate and provide leadership for the future”, Spring Conference, Data Protection, Lisbon, 17 May 2013. http://springconference2013.cnpd.pt/wp-content/uploads/Giovanni-Buttarelli-Assistant-EDPS-%E2%80%93-How-could-DPAs-better-co-operate-and-provide-leadership-for-the-future.pdf
The Workshop generally lasts two full days. The Conference suggests alternation between large and small authorities as hosts and supports the concept of joint hosting. It also suggests a “friends of the host” group comprising previous and future organisers to support the host. Topics for discussion are chosen in advance by the host DPA, although the Conference suggests a questionnaire for participants to advise this choice and to identify the topics of highest relevance. The Conference also suggests at least one session dedicated to the operational challenges of case handling. Case studies (potentially drawn from the experience of the hosting DPA) are seen by the Conference as a useful method for generating discussion and interaction.
The workshops are aimed mainly at data protection authority employees whose role is case handling and who deal with complaints. Staff from other parts of the office may attend depending on relevant agenda items. The 2005 Framework for activities suggests that one participant from each DPA should be a regular attendee in order to increase consistency. The workshops are not seen as appropriate for very senior staff and Commissioners, who have access to other discussion forums such as the Spring Conference. Papers from the previous two Workshops are occasionally discussed at the Spring Conference. The Workshop also reports to the Article 29 Data Protection Working Party. Decisions on the structure of the Workshop are made at the Conference.
A report on the Workshop presented to the Conference in 2004 stated that:
the Workshop has been a success in facilitating mutual day-to-day co-operation by the creation of a network of contacts between Data Protection Authorities at staff level. Also the website and related mailing list are regularly used for fast information requests to colleagues, information exchange and co-operation in the contexts of international complaints.258
256 European Privacy and Data Protection Commissioners’ Conference, “Case Handling Workshop – Framework of activities”, March 2005. www.giodo.gov.pl/data/filemanager_pl/665.pdf
257 European Privacy and Data Protection Commissioners’ Conference, “The future of the case handling workshops”, Edinburgh, 23-24 April 2009. https://secure.edps.europa.eu/EDPSWEB/webdav/shared/Documents/Cooperation/Conference_EU/09-04-23_Edinburgh_case_handling_wk_EN.pdf
258 The International Complaints Handling Workshop, “The International Complaints Handling Workshop: Evolution & Consolidation”, presented to the Spring Conference of European Data Protection Authorities, Rotterdam, 2004. http://www.giodo.gov.pl/data/filemanager_pl/667.pdf
3.1.2 Working Party on Police and Justice (WPPJ)
The Working Party on Police and Justice was set up as a working group of the Conference of the European Data Protection Authorities (“Spring Conference”) in 2007. It was mandated to monitor and examine developments in the area of police and law enforcement in order to face the growing challenges for the protection of individuals with regard to the processing of their personal data. The Working Party was a development of the Police Working Party (PWP), which had the task of preparing the introduction of the Schengen, Europol and Customs supervisory arrangements. The PWP was re-orientated to ensure greater continuity, with a permanent secretariat and a longer duration for the chair. The re-named WPPJ was granted the authority to represent the Spring Conference if a quick reaction was urgently needed in this area. Due to a lack of independent budget, meetings were often convened alongside meetings of the various supervisory authorities. The WPPJ had three sub-groups: one on technological development, a second on the Prüm Treaty and a third on supervisory policies.
The WPPJ focused on the following activities:
• monitoring the implementation of Framework Decision 2008/977/JHA on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters;
• developing new, more systematic measures for co-operation with the Article 29 Working Party and other entities dealing with personal data protection at supranational level, including ex-third pillar supervisory authorities (JSB Europol, JSA Schengen, etc.);
• monitoring the relevant developments in relation to Eurodac;
• issues concerning the transposition of the Prüm Treaty implementing decisions;
• issues related to cross-border flows of information for law enforcement purposes, in particular towards the USA;
• issues related to the SWIFT case and the transfer of bank transaction data from European countries to the USA for the purpose of countering terrorism and serious crime.259
The Foreword to the 2007-2008 Annual Activity Report of the WPPJ provides that:
“though acknowledging the significance of the instrument in question [the draft framework decision on data protection in the III pillar], which is expected to enhance data protection in an area where data are increasingly exchanged, we stressed that a major shortcoming of the draft decision consisted in its failure to envisage the co-ordination between national data protection authorities and joint supervisory authorities”, and refers to “the increasing trend to provide cross-border exchange of enforcement data under the availability principle, which undoubtedly creates an extra burden for the data subject in the exercise of his fundamental rights. The search for enhanced cooperation between national data protection authorities is, therefore, on the WPPJ's agenda. A questionnaire was developed to collect information concerning the competences of data protection authorities in their Member States concerning the supervision of law enforcement entities. Based on the answers, similarities and differences will be mapped and a common ground will be sought to arrive at a policy on supervising as a logical data protection answer to the increasing exchange of information within the EU. The answers will also help the WPPJ to develop rules for cooperation between authorities, helping data subjects to use their rights in case their data are processed in another European State” (italics added).260
The activity report also highlighted the issue that the WPPJ was set up on a voluntary basis, and that it was inadequately supported by European institutions.
259 Information Commissioner, Republic of Slovenia, “Working Party on Police and Justice (WPPJ)”, online, undated. https://www.ip-rs.si/index.php?id=601
In 2007, the WPPJ began to explore ways to increase the effectiveness of supervision (inspections and interventions) and to develop a common policy on supervision for European DPAs. The WPPJ saw enhanced co-operation between data protection authorities as important in the context of increased co-operation between law enforcement authorities and the extra burden this could place upon data subjects in the exercise of their fundamental rights. The WPPJ examined the mandates of national DPAs, finding that all European DPAs have competencies in this area, and that most had specific strategies for law enforcement supervision and inspection. Further, the WPPJ developed the basis for a common approach to risk assessment and an approach to harmonising inspection methods.261
In 2009 the WPPJ and the Article 29 Data Protection Working Party provided a joint response to the Commission’s consultation on the legal framework for the fundamental right to the protection of personal data. This response highlighted the unsatisfactory nature of personal data protection in relation to former third pillar operations, and the need for a comprehensive and consistent data protection framework.262
The role of the WPPJ has since been taken over by the Article 29 Data Protection Working
Party.
3.2 ARTICLE 29 WORKING PARTY
3.2.1 Organisation
The Article 29 Working Party was set up under Directive 95/46/EC and is composed of the representatives of the supervisory authorities of EU Member States, the supervisory authorities set up within the EU institutions and bodies, and a representative of the European Commission. Adopted in October 1995, the Directive established the requirement for the European data protection supervisory authorities, and at the same time established a co-ordination body, and the duty of the authorities to participate in it.263 The name “Article 29” derives from Article 29 of Directive 95/46/EC. Of particular interest in the current context are the elements of the Directive providing that authorities can be asked to exercise their powers by authorities in other EEA states, and the requirement that authorities shall co-operate with one another.
260 Pizzetti, Francesco, Foreword to the 2007-2008 Annual Activity Report of the Working Party on Police and Justice, Brussels, 16 December 2008, available at the website of the Belgian DPA, Category “About the CPP” > International > Working Party on Police and Justice, pp. 1 and 3. http://www.privacycommission.be/sites/privacycommission/files/documents/05.02.02%20wppj-activity-report-2007-2008.pdf
261 Working Party on Police and Justice, A Data Protection Catalogue on Cooperation and Supervision in the area of Law Enforcement in Europe, 24 March 2009. https://www.ada.lt/images/cms/File/Tarptautinis_bendradarbiavimas/Wppj_co-ordination_and_joint_activities_200904%20Edinburgas.pdf
262 Article 29 Data Protection Working Party & Working Party on Police and Justice, The Future of Privacy: joint contribution to the Consultation of the European Commission on the legal framework for the fundamental right to the protection of personal data, WP168, Brussels, 1 December 2009. http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2009/wp168_en.pdf
263 OECD, Report on the Cross-Border Enforcement of Privacy Laws, Paris, October 2006, p. 22.
The Opinions of the Working Party are not legally binding, and the Working Party has no independent enforcement powers. The role of the Working Party is largely to advise the European Commission, but it has become a principal means of establishing both common views between European data protection authorities and, more recently, joint enforcement operations.264 The primary objectives of the Working Party are:
• to provide expert opinion from Member State level to the Commission on questions of data protection;
• to promote the uniform application of the general principles of the Directives in all Member States through co-operation between data protection supervisory authorities;
• to advise the Commission on any Community measures affecting the rights and freedoms of natural persons with regard to the processing of personal data and privacy;
• to make recommendations to the public at large, and in particular to the Community institutions, on matters relating to the protection of persons with regard to the processing of personal data and privacy in the European Community.265
Part of the Working Party role is to provide the European Commission with an Opinion on the
level of data protection in the Community and Third Countries.
Article 15 of the Directive 2002/58/EC of the European Parliament and of the Council of 12
July 2002 concerning the processing of personal data and the protection of privacy in the
electronic communications sector (Directive on privacy and electronic communications) also
gives a role to the Working Party in performing its Directive 95/46/EC tasks in relation to the
protection of fundamental rights and freedoms and of legitimate interests in the electronic
communication sector.266
The Working Party’s secretariat is located in Brussels and is provided by the Commission.
The Working Party elects a chairman and two vice­chairmen from its members with a two­
year term. The Working Party can be convened at the initiative of the chair, on request of one­
third of its membership or at the request of the European Commission. The normal timeframe
for inviting participants to a meeting is three weeks, but can be two weeks in emergency
situations. Agendas for meetings of the Working Party are publicly available, whilst minutes
and draft documents are restricted.267
3.2.2 Article 29 WP subgroups
264
OECD, Report on the Cross-Border Enforcement of Privacy Laws, Paris, October 2006, p. 23.
265
Article 29 Working Party, “Tasks of the Article 29 Data Protection Working Party”, Undated. http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/tasks-art-29_en.pdf
266
European Parliament and the Council, Directive 2002/58/EC of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), OJ L 201, 31 July 2002. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:en:HTML
267
Article 29 Data Protection Working Party, Working Party on the protection of individuals with regard to the processing of personal data: Rules of procedure, Brussels, 15 February 2010. http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/rules-art-29_en.pdf
The Article 29 Working Party frequently delegates particular tasks to sub-groups. Sub-groups have included:
• Technology Subgroup
• Borders Travel Law Enforcement Subgroup
• WADA Subgroup
• SG Future of Privacy
• SG Key Provisions
• SG E-Government
• SG International Transfers
• SG Financial Matters
3.2.3 Initiatives to improve co-operation
The Article 29 Data Protection Working Party is a co­operative forum for European Data
Protection Authorities. As such, regular meetings between European DPAs under the context
of the Article 29 Working Party can create opportunities for formal and informal exchanges as
well as developing habits of co­operation and mutual understanding. 268 Participants at
meetings typically present a short overview of significant data protection events and issues in
their own countries.
Several of the case studies in Section 2 of this report reveal that the Article 29 Data Protection
Working Party has been involved in several key incidents of co­operation between European
Data Protection Authorities. The Working Party was involved in co-operative activities in the
Google privacy policy, SWIFT, telecommunications data­retention and WADA cases. CNIL
investigated Google’s new privacy policy on behalf of the Working Party, and the Working
Party hosted meetings and co­ordinated collective letter writing. In the investigation of
SWIFT, the Working Party co­ordinated the investigation by national DPAs of the related
activities and knowledge of their respective national banks, produced Opinion 10/2006 and
hosted a plenary meeting. The Telecommunications data retention investigation was co­
ordinated by the Working Party’s Enforcement sub­group, at the request of the Commission.
The participating DPAs used a co­ordinated questionnaire and conducted onsite inspections.
The Working Party was involved in a series of disagreements with the World Anti­Doping
Agency (WADA) over the revision of the WADA code. The Working Party contributed to
WADA’s consultation, published Opinion 3/2008, and hosted meetings with WADA. WADA
described the Working Party as “confrontational” and engaged in “legislative imperialism”.269
An analysis by Linklaters assessed the impact of the soft law Opinions of the Working Party.
It found that Working Party Opinions were only rarely referred to by the European Court of
Justice (but that this might be due to the limited number of ECJ decisions on data protection
issues). It found that the Opinions exercised a strong influence on the positions of
European Data Protection Authorities, but were only rarely referenced directly by European
268
Poullet, Yves, and Serge Gutwirth, “The contribution of the Article 29 Working Party to the construction of a
harmonised European Data Protection system: an illustration of “Reflexive Government”, in Maria Veronica
Perez Asinari and Pablo Palazzi (eds.), Challenges of Data Protection and Privacy Law, Brussels, Bruylant,
2008, p. 183.
269
WADA, Annotated version of Second Opinion 4/2009 on the World Anti­Doping Agency (WADA)
International Standard for the Protection of Privacy and Personal Information. Pg.5 http://www.wada­
ama.org/Documents/World_Anti­Doping_Program/WADP­IS­PPPI/WADA_Comments_WP29_FullVersion.pdf
courts. The analysis concluded that Working Party Opinions were a “classic example of soft
law” allowing flexibility, experimentation, adjustment and national variation on issues that
would otherwise block soft law, but drew attention to a potential lack of democratic
mandate.270 This analysis does not take into account that Working Party Opinions are directly
transmitted to the European Commission, Parliament and the Article 31 Committee, and that
the Directive obliges the Commission to inform the Working Party about any follow­up to its
Opinions.271
In their analysis of the Working Party’s contribution to the creation of a harmonised European
Data Protection system, Poullet and Gutwirth identify harmonisation as a major concern of
the Working Party.272 The Working Party is seen as a unique organisation with no European
parallel; a “privacy lobby group” within the European institutions.273 The authors see the
Working Party as having adopted a range of collaborative strategies including forming
alliance with other EU actors (including positive examples of co­operation with the
Commission, common positions adopted with the European Parliament, and a position of non­
competition with the European Data Protection Supervisor), enlarging its competences
(including co­operation with the Schengen Data Protection Joint Supervisory Authority on
data protection issues in the Third Pillar) and increasing its own visibility (transparency, a
detailed website, and consultation activities). They identify a limited engagement by the
Working Party with other stakeholders as the result of limited organisational resources. Their
concluding analysis is broadly supportive of the co­operative nature of the Working Party:
Our analysis of the work, working methods, strategies and achievements of the Working Party
do effectively show a continuous, pragmatic and constructivist learning process by all the
protagonists involved. It is by learning from the others, both externally and internally, by
taking into account inputs from key players (such as European Commission and Parliament,
the European Court of Human Rights, etc.), that questions are framed and answered in such
way that they fit in the very complex cobweb that makes data protection exist as a dynamic
fundamental right. This is no minor task since the Art. 29 W.P. has a double role to play as a
‘watchdog’ denunciating privacy threats and having a non neutral position in favour of
privacy and data protection interests, and simultaneously, as independent authority in charge
of administrative tasks and searching for compromises and consensus. Such a double role can
only be successfully played through a precautious step by step and case by case approach, in
which listening to concerns and carefully articulating them is quintessential.274
3.2.3.1 Binding Corporate Rules and mutual recognition
The Working Party has been involved in the establishment of the Binding Corporate Rules
system (BCR). This allows multi­national corporations to legally transfer personal data from
the EEA to group members or affiliates outside the EEA. Applicants adopt a draft set of
BCRs, and select a Data Protection Authority to act as lead authority. This choice is
dependent upon the location of the corporate headquarters, or the location of the branch of the
corporation responsible for data protection oversight. If the lead authority is satisfied that the
adopted BCRs provide adequate safeguards, then it circulates the draft BCRs to the DPAs of
270
Church, Peter, “Should you care what the Article 29 Working Party says?” Linklaters, Technology, Media
and Telecommunications News, 20 September 2011.
http://www.linklaters.com/Publications/Publication1403Newsletter/TMT­newsletter­September­
2011/Pages/Article29­working­party.aspx
271
Poullet, Yves and Serge Gutwirth, op. cit., p. 577.
272
Poullet and Gutwirth, op. cit., p.575
273
Ibid, p. 572.
274
Ibid., p. 597
the other countries where the company collects or processes personal data. The lead authority collates feedback and co-ordinates the response to the applicant, and any changes the applicant needs to make. The processes for BCR were first set out in 2003 in WP74 275 and the co-operation procedure for issuing common opinions was set out in 2005 in WP107.276 The Working Party has also produced a number of sample forms, checklists and FAQs in relation to BCRs.277 The Linklaters analysis describes the Working Party as having been responsible
for creating a “detailed framework including criteria for determining a lead regulator, standard
application forms, and a summary of national filing requirements for binding corporate rules”
and that this has had “real practical effect”.278
Currently, 21 countries participate in the mutual recognition procedure in relation to BCR:
Austria, Belgium, Bulgaria, Cyprus, Czech Republic, France, Germany, Iceland, Ireland,
Italy, Latvia, Liechtenstein, Luxembourg, Malta, the Netherlands, Norway, Slovakia,
Slovenia, Spain, and the United Kingdom.279 Mutual recognition means that if a lead authority
is satisfied with a BCR application, other involved authorities should follow the lead authority
and accept its findings without further scrutiny.
3.2.3.2 Article 29 Working Party website
The Article 29 Data Protection Working Party maintains a website280 with the support of the
European Commission Directorate General Justice. Located under the broader heading of
Data Protection on the DG website, the Article 29 pages contain opinions, working
documents, recommendations, letters, and other material produced by the Working Party as
well as administrative material such as meeting agendas, and correspondence received by the
Working Party. The website also provides information on the structure of the Working Party
and also allows users to register for a mailing list.
3.3 COUNCIL OF EUROPE T-PD
The Council of Europe Consultative Committee on the protection of personal data (the T­PD,
which stands for traité protection de données) acts as a forum for exchanges on privacy
challenges and developments. It was established in Chapter V of the Council of Europe
Convention 108 on the protection of personal data.
275
Article 29 Data Protection Working Party, Working Document: Transfers of personal data to third countries:
Applying article 26 (2) of the EU Data Protection Directive to Binding Corporate Rules for International Data
Transfers, WP74, 3 June 2003. http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2003/wp74_en.pdf
276
Article 29 Data Protection Working Party, Working Document Setting Forth a Co­Operation Procedure for
Issuing Common Opinions on Adequate Safeguards Resulting from “Binding Corporate Rules”, WP107, 14
April 2005. http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2005/wp107_en.pdf
277
See Article 29 Data Protection Working Party, Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules, WP153, 24 June 2008.
http://www.ico.org.uk/for_organisations/data_protection/overseas/~/media/documents/library/Data_Protection/D
etailed_specialist_guides/BCR_TABLE_WP153.ashx; Article 29 Data Protection Working Party, Working
Document setting up a framework for the structure of Binding Corporate Rules, WP154, 24 June 2008.
http://www.ico.org.uk/for_organisations/data_protection/overseas/~/media/documents/library/Data_Protection/D
etailed_specialist_guides/BCR_FRAMEWORK_WP154.ashx; Article 29 Data Protection Working Party,
Working Document on Frequently Asked Questions (FAQs) related to Binding Corporate Rules, WP155 rev.04,
24 June 2008. http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2008/wp155_rev.04_en.pdf
278
Church, op. cit.
279
European Commission, “What is mutual recognition?” 16 July 2013. http://ec.europa.eu/justice/data­
protection/document/international­transfers/binding­corporate­rules/mutual_recognition/index_en.htm
280
http://ec.europa.eu/justice/data­protection/article­29/index_en.htm
In January 1981, the Council of Europe opened for signature its Convention 108 on the
protection of personal data. The Convention proved to be the principal international driving
force for data protection in Europe throughout the 1980s and early 90s.281 The convention was
the first legally binding international instrument with worldwide significance on data
protection. It currently applies to 46 State parties, with the recent accession of Uruguay, and
has been ratified by 45 of the 47 members of the Council. There is also an Additional Protocol
to the Convention regarding supervisory authorities and transborder data flows.282
3.3.1 Organisation
The Consultative Committee is composed of representatives of the contracting parties, as
notified to the Secretary General of the Council of Europe, observers from Council of Europe
member states who are not party to the Convention, delegates from Council of Europe bodies
and invited experts or representatives of international institutions and organisations. The
Committee meets at least every two years; meetings are generally held in Strasbourg or Paris. After
each meeting the Committee is to submit a report on its work and the functioning of the
convention to the Council of Ministers of the Council of Europe. The work of the Committee
between meetings is co­ordinated by a Bureau composed of the Chair, two Vice­Chairs of the
Committee, four elected members (on two-year terms), and (de jure) the outgoing Chair.283
The functions of the Committee are set out in Articles 19 and 20 of the Convention. Article 19
states that the Consultative Committee:
a. may make proposals with a view to facilitating or improving the application of the convention;
b. may make proposals for amendment of this convention in accordance with Article 21;
c. shall formulate its opinion on any proposal for amendment of this convention which is
referred to it in accordance with Article 21, paragraph 3;
d. may, at the request of a Party, express an opinion on any question concerning the application
of this convention.284
3.3.2 Co-operation and co-ordination activities
The Chair of the Committee has stated that:
This committee has been instrumental in the development of the Council of Europe’s data
protection standards and has offered since its creation a unique forum of discussion for its
members. It currently enables over 60 specialists (members and observers participating in
discussions in a spirit of equality) from over the world to meet on a regular basis to address
common data protection challenges, provide regulatory guidance as well technical expertise
281
OECD, Report on the Cross-Border Enforcement of Privacy Laws, Paris, October 2006, p. 22.
282
Council of Europe, Additional Protocol to the Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data, regarding supervisory authorities and transborder data flows, Strasbourg, 8 November 2001. http://conventions.coe.int/Treaty/en/Treaties/Html/181.htm
283
Council of Europe Consultative Committee on the Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data.
284
Council of Europe, Convention on the Protection of Individuals with regard to Automatic Processing of Personal Data, Strasbourg, 28 January 1981. http://conventions.coe.int/Treaty/en/Treaties/Html/108.htm
on some particular aspects of a domestic system and discuss means to tackle differences in
countries.285
Chapter IV of Convention 108 includes extensive provisions on Mutual Assistance and for
ease of reference they are set out in Annex D. Article 13 contains the general duty to render
mutual assistance including the requirement to nominate at least one authority for these co­
operative purposes. It need not be a special data protection authority. The primary duty is to
provide information on law and administrative practice in the field of data protection. Article
14 requires the provision of assistance to foreign data subjects. Article 15 imposes
restrictions on the use to be made of information obtained in the course of rendering
assistance (that the authority will not use the information received for purposes other than the
assistance request, that the persons handling the request will be bound by appropriate
obligations of secrecy and confidentiality, and that requests for assistance on behalf of a data
subject can only be made with the consent of the person concerned286) and Article 16 provides
an exhaustive set of grounds on which assistance can be refused (the request is not compatible
with the powers of agency to which it is made, that it does not comply with the Convention,
or that it is incompatible with sovereignty, security or public policy of the requested party, or
with the fundamental rights and freedoms of persons under the jurisdiction of that party).
Article 17 makes provision for the costs and procedures of rendering assistance. In addition,
although not well recorded in public documents, the experience of regulators is that these
provisions have been used, perhaps not extensively and frequently, but regularly over the
years. 287
Chapter V of the Convention was the basis for co­operation between many European States
until the adoption of Directive 95/46/EC by the European Union. It still provides for co­
operation in areas outside the scope of the Directive, such as policing, and in cases where one
country is outside the European Economic Area (EEA), but has ratified the Convention.288
The Additional Protocol also acknowledges the central role of Data Protection Authorities in
international co­operation. 289 Parties to the protocol shall provide independent authorities
responsible for ensuring compliance with domestic law giving effect to the principles in
Chapters II and III of the Convention, and that these authorities will have powers of
investigation and intervention, and that they will co­operate with one another, in particular by
sharing information.
The Council of Europe has taken up since 2010 the double challenge of modernising and
strengthening Convention 108, as well as promoting its implementation worldwide. The
Consultative Committee worked intensively on the modernisation of Convention 108 and
reached consensus on the modernisation proposals which were adopted at its 29th plenary in
November 2012. The T-PD identified key objectives in the modernisation effort: that the convention’s provisions must remain technologically neutral, that coherence with other legal frameworks (in particular the EU data protection framework) must be maintained, and that the Convention must retain its open character. Part of the proposed modernisation effort is an
285
Walter, Jean­Phillipe., “The role of Convention 108 in the international co­operation” PHAEDRA workshop,
Warsaw, 24 September 2013.
http://www.coe.int/t/dghl/standardsetting/DataProtection/Articles/Phaedra%20workshop%20varsovie,%20J­
Ph%20W.pdf
286
Ibid.
287
OECD, Report on the Cross­Border Enforcement of Privacy Laws, Paris, October 2006, p. 22.
288
Ibid.
289
Walter, op. cit.
attempt to encourage international co­operation, to strengthen the competence and
independence of DPAs and strengthen the functions and powers of the Consultative
Committee. The draft proposes a conference or network of supervisory authorities to organise
their co­operation on the exchange of information, co­ordination of investigations,
interventions and actions, and provision of information on law and practice. 290
The Council of Europe Committee of Ministers decided on 10 July 2013 to set up an ad hoc
Committee on data protection (CAHDATA), bringing together representatives of all Council
of Europe member States, other Parties to the Convention as well as other non­European
States and entrusted with the task of finalising the modernisation work started by the T­PD by
formally negotiating an Amending Protocol to Convention 108. 291
The Committee has also recommended that its delegates join the list of enforcement contact
points maintained by the Global Privacy Enforcement Network (GPEN, see section 4.3). In
2010 it requested that the secretariat set up a collaborative space within an updated website on
data protection that was being developed.292 It is unclear if this has been developed, and if it
has some DPAs are unaware of it.
3.4 WORKING PARTY ON INFORMATION EXCHANGE AND DATA PROTECTION (DAPIX)
The DAPIX working party is one of more than 150 working parties and committees
supporting the EU Council of Ministers. It comprises officials from the 28 Member States.
DAPIX addresses issues relating to information exchange and data protection. On the
information exchange side, this working party draws up EU strategies for ensuring the
exchange of information between the law enforcement authorities of the Member States. In
the area of data protection, the working party helps to ensure that data are exchanged in
compliance with current principles and rules on personal data protection.
The DAPIX working party discussed and produced a revised version of the draft General Data
Protection Regulation under the Lithuanian Presidency.293
3.5 INTERNATIONAL WORKING GROUP ON DATA PROTECTION IN TELECOMMUNICATIONS
The International Working Group on Data Protection in Telecommunications has been called
the Berlin Group, as it has been chaired by the Berlin Data Protection and Freedom of
Information Commissioner since its creation in 1983. The Group is composed of experts in
290
The consultative committee of the Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data [ETS No.108], Propositions of Modernisation, T-PD 2012 04Rev4, Strasbourg, 18 December 2012. http://www.coe.int/t/dghl/standardsetting/dataprotection/TPD_documents/T-PD%282012%2904Rev4_E_Convention%20108%20modernised%20version.pdf
291
Council of Europe Ad Hoc Committee on Data Protection (CAHDATA), Information Document, CAHDATA(2013)Inf, Strasbourg, 17 September 2013. http://www.coe.int/t/dghl/standardsetting/dataprotection/CAHDATA/CAHDATA%282013%2901_En_Information%20document.pdf
292
Consultative Committee of the Convention for the Protection of individuals with regard to automatic processing of personal data (T-PD), 26th Plenary Meeting, Strasbourg, 4 June 2010. http://www.coe.int/t/dghl/standardsetting/dataprotection/T-PD%20_2010_%20RAP%2026%20Abr_eng.pdf
293
The DAPIX version is dated 16 Dec 2013. See http://register.consilium.europa.eu/doc/srv?l=EN&t=PDF&gc=true&sc=false&f=ST%2017831%202013%20INIT
communication and information technologies and in personal data protection. It was formed
on the initiative of national data protection authorities, under the framework of the
International Conference of Data Protection and Privacy Commissioners, but its membership
is not restricted to data protection authorities, also including representatives of private sector
and NGO organisations. Secretariat services and a web page for the group are provided by the
data protection authority of Berlin. Since the mid­1990s its work has focused upon data
protection and privacy matters on the Internet. The IWGDPT meets biannually.
The Group’s work results in common positions and working papers on requirements and
conditions which should be met both by products created by technology providers and by the
entities using these products, e.g., telecommunications operators, web services and end users
of the products294, in order to improve the protection of privacy. Recent Working Papers have
included web tracking and privacy; cloud computing; privacy by design and smart metering;
privacy and electronic micropayments; event data recorders on vehicles; and mobile
processing of personal data. Working papers are available in both English and German.295
The 51st meeting of the International Working Group on Data Protection in
Telecommunications, was held on 23­24 April 2012 in Sopot, Poland. It concentrated on data
processing in cloud computing solutions, execution of the right to be forgotten and profiling
of the Internet users by marketing companies using special analysis tools. The meeting saw
the adoption of a working document comprising the common position of the Group on the
principles of privacy protection in data processing with the use of cloud computing, called the
Sopot Memorandum.296
There were two meetings of the group in 2013. The 53rd meeting in Prague in April 2013
produced working papers on the publication of personal data on the web and on web tracking
and privacy. The 54th meeting in Berlin in September produced working papers on privacy
and aerial surveillance, and the human right to telecommunications secrecy.
3.6 CENTRAL AND EASTERN EUROPE DATA PROTECTION AUTHORITIES
The first Meeting of Central and Eastern European Data Protection Commissioners took place
in Warsaw on 17 December 2001. Since then, the group has met 14 times. In a declaration on
new members emanating from its 14th Meeting held in Kiev on 21­22 May 2012, the group
expressed “the need to continue our cooperation and exchange of experiences in the field of
personal data and privacy protection”. 297 It confirmed the provisions contained in the
Declaration on future co­operation adopted in Smolenice on 24 May 2005 and further
specified in the Declaration on co­operation adopted in Kazimierz Dolny on 3 June 2008. It
acknowledged “that in the age of global economy and development of IT technologies, the
cooperation between data protection commissioners from various countries plays an essential
role in ensuring the efficiency of data protection systems”. It also said that “the unique
experiences of the members of the group of Central and Eastern European Data Protection
294
GIODO, “Meeting of the Berlin Group, 23-24 April 2012” http://www.giodo.gov.pl/259/id_art/736/j/en/
295
The archive of working papers is available at: http://www.datenschutz-berlin.de/content/europa-international/international-working-group-on-data-protection-in-telecommunications-iwgdpt/working-papers-and-common-positions-adopted-by-the-working-group
296
International Working Group on Data Protection in Telecommunications, Working Paper on Cloud Computing – Privacy and Data protection issues - “Sopot Memorandum”, Sopot, 24 April 2012. http://www.giodo.gov.pl/data/filemanager_pl/dif/Sopot_Memorandum.pdf
297
A copy of the Declaration can be found here: http://www.giodo.gov.pl/259/id_art/741/j/en/
Commissioners in the field of implementation of data protection legislation… may be useful
to the countries where data protection legislation has recently been adopted”.
The host of the Meeting in Kiev in May 2012 was the State Service of Ukraine on Personal
Data Protection. The meeting was attended by representatives of Data Protection Authorities
from Poland, Ukraine, Czech Republic, Serbia, Macedonia, Slovenia, Estonia, Montenegro,
Russia, Hungary, Moldova, Bulgaria and Albania. 298 Two declarations were adopted by
CEEDPA members. The first one was the Declaration on the new members of the group of
Central and Eastern European Data Protection Commissioners under which the data
protection commissioners of Bosnia and Herzegovina as well as Montenegro were accepted as
members of CEEDPA. In the second declaration, proposed by the Polish DPA and not
formally discussed in the official conference, the Central and Eastern Europe Data Protection
Commissioners (with the exception of Estonia) declared their support for the European data
protection reform.
The 15th CEEDPA meeting was held on the 10­12 June 2013 in Serbia. Participants from 14
DPAs discussed issues relating to data safety, data processing in the field of employment, and
the independence of data protection authorities. The meeting identified similarities in personal
data breaches across Eastern Europe. The third session focused upon the challenges that
DPAs face, including to their independence. Other challenges discussed included transborder
transfers of data, video surveillance of public areas and hate speech. 299 The Russian
Federation, which previously held observer status, was admitted to full membership at this
meeting.
The 16th meeting will be organised in 2014 in Macedonia. Both the representatives of the
data protection authorities of Hungary, and of Bosnia and Herzegovina have expressed their
willingness to host the 17th meeting in 2015.
More information on CEEDPA is available at http://www.giodo.gov.pl/272/j/en/ as well as at
http://www.ceecprivacy.org.
3.7 CONFERENCE OF BALKAN DATA PROTECTION AUTHORITIES
The first Balkan Conference of personal data protection authorities was held on 17­18
December 2012 in Skopje by the Directorate for Personal Data Protection, Republic of
Macedonia in co­operation with TAIEX (the Technical Assistance and Information Exchange
instrument managed by the Directorate­General Enlargement of the European
Commission300). The conference resulted from the meeting of personal data protection
regulatory authorities as part of the Conference on the Modernization of EU legislation on the
protection of personal data, also held by the Directorate, in May 2012. The intent was to start
a series of conferences to support information and experience exchange between Western
Balkan data protection authorities and co­operation with European data protection authorities.
Participants have signed a Declaration of Co­operation. Participating countries included the
298
The information in this section comes from GIODO’s website: http://www.giodo.gov.pl/259/id_art/741/j/en/
299
Central and Eastern Europe Data Protection Authorities, “15th Meeting of the Central and Eastern European Data Protection Authorities”, CEEDPA News and Events, 10-12 June 2013. http://www.ceecprivacy.org/main.php?s=5
300
TAIEX supports partner countries with regard to the approximation, application and enforcement of EU legislation. It is largely demand driven and facilitates the delivery of appropriate tailor-made expertise to address issues at short notice. See TAIEX, “What is TAIEX?”, 1 July 2013. http://ec.europa.eu/enlargement/taiex/what-is-taiex/index_en.htm
92
Czech Republic, Slovenia, Albania, Bosnia and Herzegovina, Croatia, Kosovo, Montenegro
and the former Yugoslav Republic of Macedonia.
The 2012 conference was sub-titled "Joint aspirations and co-operation", and focused upon the transfer of personal data to third countries, supervision of transmission, co-operation with Eurojust, the balance between the right to protection of personal data and the right of free access to public information, and ISO standardisation of employees in privacy protection organisations. The conference also involved work on the joint application by the Balkan data protection authorities for support from the EU's Instrument for Pre-Accession Assistance (IPA) funds.301
There are also a number of bilateral collaboration agreements between Balkan countries. For example, the National Agency for Personal Data Protection of Kosovo has signed Declarations on further collaboration with the Agency for Personal Data Protection, Republic of Montenegro, the Directorate for Personal Data Protection, Republic of Macedonia, and the Information Commissioner, Republic of Slovenia.302
3.8 FORMER THIRD PILLAR SUPERVISORY AUTHORITIES
3.8.1 Joint Supervisory Authority of the Schengen Information System
The Schengen Agreement, signed in 1985 and supplemented by the Schengen Convention in 1990, created the Schengen area in Europe in 1995. The Schengen area abolishes internal border controls and implements a common visa policy. The Schengen Information System (SIS) is a database which allows the participating states to share information for border control, national security and law enforcement purposes. The data protection elements of the SIS were supervised by the Schengen Joint Supervisory Authority (JSA). With the shift to the expanded SIS II system, the JSA was dissolved as of April 2013 and replaced by co-ordinated supervision between national data protection authorities and the European Data Protection Supervisor. The JSA was the first EU supervisory authority to promote joint co-ordinated supervisory activities in the law enforcement area as regards the inspection of large-scale databases. This approach to the supervisory role appears to have been successful, and it influenced later co-ordinated supervision arrangements such as the Eurodac, VIS and Customs supervisory bodies.303
The Schengen Convention304 established the Joint Supervisory Authority. Article 115(3) of the Schengen Convention stipulates that the JSA was responsible for:
• checking the implementation of the provisions of the Schengen Convention, as regards the technical support function of the Schengen Information System,
• examining any difficulties of application or interpretation that may arise during the operation of the Schengen Information System,
• studying any problems that may occur with the exercise of independent supervision by the national supervisory authorities of the Contracting Parties or in the exercise of the right of access to the system,
• drawing up harmonised proposals for joint solutions to existing problems.
301 Directorate for Personal Data Protection, Personal Data Protection Directorate 2012 Annual Report, Skopje, March 2013, pp. 43-44. http://www.dzlp.mk/sites/default/files/DPDP_%20Annual_Report_2012.pdf
302 National Agency for Protection of Personal Data, Republic of Kosovo, "International Agreements", undated. http://www.amdp-rks.org/web/?page=2,53
303 Schengen Joint Supervisory Authority, Activity Report – December 2005 - December 2008, 2008, p. 11. http://www.llv.li/pdf-llv-dss-jsa_sch.act.rep.en.pdf
304 Governments of the States of the Benelux Economic Union, the Federal Republic of Germany and the French Republic, The Schengen acquis - Convention implementing the Schengen Agreement of 14 June 1985 between the Governments of the States of the Benelux Economic Union, the Federal Republic of Germany and the French Republic on the gradual abolition of checks at their common borders. Official Journal L 239, 22 Sept 2000, pp. 19-62. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:42000A0922%2802%29:en:HTML
In implementing the Convention, the JSA conducted inspections at national level, with the intent of understanding how the Schengen States were implementing and using the Articles of the Schengen Convention, and of gaining an overview of practical problems that may occur with implementation. The JSA conducted its task through regular plenary meetings in Brussels, issuing opinions, conducting surveys and inspections at national level, inspections at central level and monitoring technical and legal developments. The Authority could intervene on its own initiative or at the request of the national supervisory authority of a Schengen Member State, a Contracting Party or a body of the Schengen System, in compliance with the provisions of the Convention.
The Schengen JSA was composed of national data protection authorities from the contracting parties to the Schengen Convention. Each authority had one vote. The meetings were not public, and the JSA itself decided which of its acts and reports were to be made public. The JSA could appoint working groups as it required and could invite external experts. The authority could designate one or more members to conduct on-site verifications. The JSA budget came from the wider Schengen budget. The membership of the Schengen JSA strongly overlapped with the membership of the Europol JSB. The rules of procedure were approved by the JSA on 2 February 1996 and amended on 4 July 1997 and 27 April 1998.305 The enlargement of the Schengen area on 21 December 2007 with the addition of nine new members also saw the enlargement of the JSA. The new members had previously been participating as observers. The JSA believes that this observer status was useful for both old and new members.306
Several Member States did not attend JSA meetings, citing financial difficulties. In 2010, the JSA wrote to the relevant government departments of the Slovak Republic to highlight the fact that Member States are legally obliged to carry out their supervisory responsibilities with regard to the SIS, including regular attendance at JSA meetings.307 SIS includes some members that are not Member States of the EU; therefore the requirement for adequate safeguards for the transmission of personal data applies.
In the period December 2005 to December 2008, the Schengen JSA focused upon the correct interpretation of the Schengen Convention and on assessing whether Schengen member states had implemented the legal framework in a harmonised and appropriate manner.308 From 2004 the JSA was also involved in the development of the second generation of the Schengen Information System (SIS II). This involved providing advice and assistance to the EU institutions involved. It issued an Opinion on the legal basis for SIS II in September 2006.
305 Joint Supervisory Authority, Rules of Procedure of the Joint Supervisory Authority, 27 April 1998. http://schengen.consilium.europa.eu/media/158305/schaut-cont%20%2895%29%2025%20rev.%205%20schengen%20jsa%20rules%20of%20procedure,%20with%20amendment.pdf
306 Schengen Joint Supervisory Authority, Activity Report – December 2005 - December 2008 [undated, no location], p. 10. http://www.llv.li/pdf-llv-dss-jsa_sch.act.rep.en.pdf
307 Schengen Joint Supervisory Authority, Ninth Activity Report: January 2009 – April 2013: Crossing Borders, Brussels, 1 April 2013, p. 5. http://schengen.consilium.europa.eu/media/251646/schengen%20activity%20report%202008%20-%202013%20final.3.pdf
308 Schengen Joint Supervisory Authority, Activity Report – December 2005 – December 2008, op. cit.
The Chair and members of the JSA were also part of an expert working group set up during
the 2011 European Privacy and Data Protection Commissioners' Conference to focus on the
future of supervision in the freedom, security and justice area, particularly with regard to what
makes supervision effective. The group held its first meeting in June 2011 then continued to
meet quarterly. In early 2013, the group finalised a report on the future of data protection
supervision in the area of law enforcement, which explains its vision for the future.309
The application of Council Decision 2007/533/JHA of 12 June 2007 on the establishment, operation and use of the second generation Schengen Information System (SIS II) (the Council Decision) and of Regulation (EC) No 1987/2006 of the European Parliament and of the Council of 20 December 2006 on the establishment, operation and use of the second generation Schengen Information System (SIS II) (the Regulation) will change the joint supervisory framework for SIS II.310 On 9 April 2013, the second-generation Schengen Information System (SIS II) was scheduled to take over from SIS. The data protection supervision of SIS II becomes the responsibility of the national data protection authorities and the European Data Protection Supervisor in a co-ordinated structure.311 The Decision created a new legal framework for co-operation between the EDPS and the national DPAs to ensure co-ordinated supervision of SIS II.
The national supervisory authorities and the European Data Protection Supervisor will each act within the scope of their respective competences, and are to:
• exchange relevant information,
• assist each other in carrying out audits and inspections, and examine difficulties of interpretation or application of the Council Decision (the Regulation),
• study problems with the exercise of independent supervision or in the exercise of the rights of data subjects,
• draw up harmonised proposals for joint solutions to any problems and
• promote awareness of data protection rights, as necessary.
The European Data Protection Supervisor and the national supervisory authorities are to meet at least twice a year.312
SIS II will comprise a central system, EU States' national systems and a communication network between the central and the national systems. The European Commission is responsible for the development of the SIS II central system, while the SIS II national systems are developed by the Schengen States. SIS II will be managed by the independent European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice. This Agency will also be tasked with managing EURODAC and the Visa Information System.313 The SIS database was physically located in France, and the SIS II database is located in France with a back-up centre in Austria. Moves towards interoperability between Schengen, VIS and Eurodac may have implications for co-ordinated supervision.
309 Schengen Joint Supervisory Authority, Ninth Activity Report: January 2009 – April 2013: Crossing Borders, Brussels, 1 April 2013. http://schengen.consilium.europa.eu/media/251646/schengen%20activity%20report%202008%20-%202013%20final.3.pdf
310 Schengen Joint Supervisory Authority, Activity Report – December 2005 – December 2008, op. cit.
311 Schengen Joint Supervisory Authority, 1 April 2013, op. cit.
312 Schengen Joint Supervisory Authority, Activity Report – December 2005 - December 2008, op. cit.
3.8.2 Joint Supervisory Authority of the European Customs Information System
The Customs Information System (CIS) was established under the 1995 Convention on the use of information technology for customs purposes and Council Regulation (EC) No 515/97 of 13 March 1997 on mutual assistance between the administrative authorities of the Member States and cooperation between the latter and the Commission to ensure the correct application of the law on customs and agricultural matters.314 The aim of the CIS is to assist in combating customs-related crime by facilitating co-operation between European customs authorities. CIS stores information on commodities, means of transport, persons and companies in order to assist in preventing, investigating and prosecuting actions in breach of customs and agricultural legislation or serious contraventions of national customs laws. There are two CIS databases, one relating to national law and the other to European law. The central database can be accessed by Member States and the European Commission and went live on 24 March 2003.
The CIS Convention divides the data protection supervision of the CIS between national data protection authorities and the Joint Supervisory Authority for the Customs Information System (JSA). The Member States are responsible for the processing of personal data in the CIS according to the CIS Convention and are supervised by the national Data Protection Authorities. The Joint Supervisory Authority for the Customs Information System was established by Article 18 of the Convention on the use of information technology for customs purposes. The JSA has the overall task of supervising the technical support function of the CIS. This function is responsible for distributing the data entered in the CIS to all Member States. The JSA is an independent authority composed of two representatives of the data protection authorities of each Member State that signed the CIS Convention.315 The JSA has a secretariat located in Brussels.
The JSA is responsible for supervising the operation of the CIS and is to:
• examine any difficulties of application or interpretation which may arise during the system's operation;
• study problems that may arise when the system is in operation;
• study problems which may arise with regard to the exercise of independent supervision by the national supervisory authorities of the Member States, or in the exercise of rights of access by individuals to the System, and draw up proposals for the purpose of finding joint solutions to problems;316
• draw up opinions on the satisfactory nature of the measures for data protection.
The JSA can inspect the central CIS database, located in Brussels. National supervisory authorities must also supervise the national use of the CIS database. Any individual may ask any national supervisory authority to check the personal data relating to them contained and processed in the CIS, subject to national subject access request laws. If the data were entered into the system by another Member State, the inspection should be carried out in collaboration with the national supervisory authority of that Member State.
313 Schengen Joint Supervisory Authority, 1 April 2013, op. cit., p. 13. http://schengen.consilium.europa.eu/media/251646/schengen%20activity%20report%202008%20-%202013%20final.3.pdf
314 Council Regulation (EC) No 515/97 on mutual assistance between the administrative authorities of the Member States and cooperation between the latter and the Commission to ensure the correct application of the law on customs and agricultural matters, OJ L 83, 13 March 1997. http://ec.europa.eu/anti_fraud/documents/eu-revenue/consolidated_r515_97_en.pdf
315 http://www.privacycommission.be/en/jsa-customs-information-system
316 Ibid.
3.8.3 Coordinated Data Protection Supervision Group of the European Visa Information System (VIS)
The European Visa Information System (VIS) is a database of information on visa applications from third country nationals. It includes personal and biometric data. This information is collected by national consulates and then transferred to a central database, where it becomes accessible to all Member States. One intended purpose is to prevent failed visa applicants from making repeated applications to different EU Member States. Roll-out of VIS started in 2009.
The Visa Information System Supervision Coordination Group was set up by Article 43 of the VIS Regulation.317 It is a co-ordination platform for those data protection authorities with responsibilities for supervision of the European Visa Information System. Supervision of the central unit of VIS is the responsibility of the European Data Protection Supervisor, whilst supervision of its operation and use at the national level is the responsibility of the respective Member States' Data Protection Authorities.
The Group will:
• endeavour to enhance cooperation between the supervisory authorities and shall ensure coordinated supervision of VIS and the national systems;
• exchange relevant information;
• assist the supervisory authorities in carrying out audits and inspections, as necessary, each acting within the scope of their respective competences;
• examine difficulties of interpretation or application of the VIS Regulation;
• study problems with the exercise of independent supervision or with the exercise of the rights of data subjects;
• draw up harmonised proposals for joint solutions to any problems;
• promote awareness of data protection rights, as necessary.318
The group is composed of one representative from each of the national supervisory authorities, and the European Data Protection Supervisor. Each delegation has one vote. A chairperson is selected by the group for a two-year term.
The VIS supervision group held its first meeting in November 2012. The meeting was primarily concerned with the roll-out of VIS and discussion of a work programme for the group. Rules of Procedure were adopted in April 2013. The group meets twice a year (normally in Brussels), with additional meetings at the request of two-thirds of the membership. The group is to draw up an activity report every two years. Minutes and internal documentation (including drafts of reports) will not be made public, but reports and opinions will be publicly available, unless the group determines otherwise. The budget for the meetings comes from the EDPS. The EDPS conducted a security audit at VIS in November 2011.319 The EDPS also provides secretariat services to the Supervision Group.
317 European Parliament and the Council, Regulation (EC) No 767/2008 concerning the Visa Information System (VIS) and the exchange of data between Member States on short-stay visas (VIS Regulation), 9 July 2008, OJ L 218/60. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2008:218:0060:0081:EN:PDF
318 Visa Information System (VIS) Supervision Coordination Group, "Rules of Procedure", Brussels, April 2013. https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Supervision/VIS/13-04-11_VIS_Supervision_Coordination_Group_RoP_EN.pdf
3.8.4 Coordinated Data Protection Supervision Group of Eurodac
EURODAC is a fingerprint database of applicants for asylum and illegal immigrants found within the EU. The system has been operational since 15 January 2003 and is currently used by the 27 EU Member States as well as Iceland, Liechtenstein, Norway and Switzerland. EURODAC consists of a Central Unit, operating the system's central database, and National Access Points, which transmit data between the Member States and the central database.
The supervision of the processing of personal data in the central database was previously conducted by a provisional Joint Supervisory Authority. However, this was replaced by the European Data Protection Supervisor (EDPS) in early 2004. In order to ensure a co-ordinated approach between the EDPS and the national data protection authorities in EU Member States that supervise the processing of data by national authorities and its transmission to the central EURODAC unit, the authorities meet regularly as the EURODAC Supervision Coordination Group to discuss common problems and seek common solutions.320 The EURODAC Supervision Coordination Group is therefore a co-operation platform for the data protection authorities responsible for the supervision of EURODAC. The Group will:
• examine implementation problems in connection with the operation of Eurodac;
• examine difficulties experienced during checks by the supervisory authorities;
• examine difficulties of interpretation or application of the Eurodac Regulation;
• draw up recommendations for common solutions to existing problems, and
• endeavour to enhance cooperation between the supervisory authorities.321
The co-ordinated EURODAC supervision group issued its first co-ordinated inspection reports in 2007.322 Formal Rules of Procedure for the group were adopted on 19 December 2007 and amended on 17 December 2008.323
319 European Data Protection Supervisor, Annual Report 2012, Publications Office of the European Union, Luxembourg, 2013. https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/Publications/Annualreport/2012/AR2012_EN.pdf
320 EDPS, "EURODAC". https://secure.edps.europa.eu/EDPSWEB/edps/Home/Supervision/EURODAC
321 EURODAC Supervision Coordination Group, "Rules of Procedure for the Eurodac Supervision Coordination Group", Brussels, 17 December 2008. https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Supervision/Eurodac/08-12-17_Eurodac_rulesofprocedure_EN.pdf
322 EURODAC Supervision Coordination Group, "Report of the first coordinated inspection", Secretariat of the Eurodac Supervision Coordination Group, EDPS, Brussels, 17 July 2007. https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Supervision/Eurodac/07-07-17_Eurodac_report_EN.pdf
323 EURODAC Supervision Coordination Group, 17 December 2008, op. cit. https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Supervision/Eurodac/08-12-17_Eurodac_rulesofprocedure_EN.pdf
The EDPS performed its first inspection of the EURODAC central unit in 2006, followed by a security audit in 2007. A second inspection in 2011 assessed the implementation of the recommendations from the first report. The on-site audit was conducted by four representatives of the EDPS and one representative of the Spanish Data Protection Authority. The report of the second inspection found that, generally, the overall level of data protection and security of the EURODAC central unit was high, and that most of the previous recommendations had been taken into account. However, the EDPS raised issues relating to the operation of the archiving system, business continuity, some inadequate technical security measures relating to patch management, user management, log files and back-ups, and some organisational security inadequacies relating to personal data breach handling, audit, data destruction, change management and removable media policy.324
The secretariat of the EURODAC Supervision Coordination Group is provided by and located at the EDPS in Brussels. Meetings are often held before or after meetings of other Joint Supervisory Groups (Schengen, Europol or Customs Information Systems). Meetings often include a presentation on the management of EURODAC from the Commission representatives, followed by discussion between DPAs.
Recent topics discussed have included the annual inspection reports, programmes of work, legislative reform proposals (including reform of the EURODAC Regulation), advance deletion, stakeholder engagement, developments at national level, the development of common assessment methodologies for EURODAC national contact points, and a security audit methodology. On this latter point, a sub-group drafted a questionnaire that can serve as the basis for a common baseline for inspections at the national level.325
The EURODAC Supervision Coordination Group was consulted on the supervision process for the European Visa Information System, as the legal basis for VIS envisages a co-ordinated supervision group similar to that operated for EURODAC.
3.8.5 Joint Supervisory Body Europol
Europol was established in 1999 as an intelligence broker for co-ordinated police work in Europe. The Joint Supervisory Body is Europol's independent data protection supervisor.326 In the European Council Decision of 6 April 2009, the Member States recognised the need to provide special, tailor-made data protection rules for Europol. To stress this point, the legislator emphasised that "specific provisions on the protection of personal data" were essential "because of the particular nature, functions and competences of Europol".327 Consequently, while the Decision reflects the same values as Directive 95/46/EC, it contains detailed Europol-specific and unique provisions. Several entities monitor and ensure compliance with the data protection rules at Europol. These include the Data Protection Officer, the Joint Supervisory Body and National Supervisory Bodies.
324 EDPS, "EURODAC Central Unit Inspection Report", Case File 2011-1103, Brussels, June 2012. https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Supervision/EURODAC/12-06-14_EURODAC_inspection_report_EN.pdf
325 https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Supervision/EURODAC/12-07-04_EURODAC_Activity_Report_EN.pdf
326 Information on the activities of the JSB can be found at http://europoljsb.consilium.europa.eu/about.aspx
327 Council of the European Union, Council Decision of 6 April 2009 establishing the European Police Office (Europol), 2009/371/JHA, OJ L 121/37, Brussels, 15.5.2009. https://www.europol.europa.eu/sites/default/files/council_decision.pdf
The Joint Supervisory Body (JSB) is an independent entity set up to review the activities of Europol in order to ensure that the rights of the individual are safeguarded during the storage, processing and utilisation of personal data held by Europol. The JSB is the external counterpart to the DPO's internal perspective. The Rules of Procedure for the JSB, adopted on 22 June 2009 and approved by the Council on 20 November 2010, state that the tasks of the JSB are:
reviewing and inspecting, in accordance with the Europol Decision, the activities of Europol in order to ensure that the rights of the individual are not violated by the storage, processing and use of personal data held by Europol. In addition, it shall monitor the permissibility of the transmission of data originating from Europol.328
The JSB therefore issues opinions on draft data sharing agreements between Europol and third countries, on the legal basis for data processing by Europol and on the implementation of data processing rules. The JSB produces an activity report. These reports were previously produced every two years, but the fifth report covered the period 2008-2012.329
This body is composed of two representatives of the independent national data protection authority of each EU Member State, selected internally, who are appointed for a period of five years. Each delegation is entitled to one vote for decision-making purposes. It meets at least four times a year, and at the initiative of the Chairman. The Director of Europol can also propose that the Body be convened. The meetings are not public, but the documents of the Body are publicly available (except the results of the annual inspection reports). The JSB has an independent secretariat, located in Brussels.
The Joint Supervisory Body also monitors the permissibility of the transmission of data originating from Europol. It was in this capacity that the JSB inspected Europol's implementation of the TFTP Agreement (see section 4.7). Any individual has the right to request the Joint Supervisory Body to ensure that the manner in which his or her personal data have been collected, stored, processed and utilised by Europol is lawful and accurate.330 The JSB appeals committee is also responsible for managing appeals against Europol's handling of the exercise of rights of access and correction. The JSB has the power to inspect any and all Europol files, and conducts an inspection visit of Europol premises at least once a year. This inspection results in a report.331 The chairman of the Body can request the attendance of the Europol Director.
The JSB is also tasked with co-operation, as necessary, with other supervisory authorities for the fulfilment of its tasks and to contribute to improving consistency in the application of data processing rules and procedures. The JSB states in its most recent activity report that it works closely with Europol, often in the early stages of projects, to attempt to put data protection standards in place prior to operation.332 The JSB has jointly organised and participated in plenary meetings with the joint supervisory authorities of the Schengen and Customs Information Systems and the Eurojust Joint Supervisory Body, specifically to discuss the future of supervision in the police and judicial cooperation area. The JSB Chair and Secretariat are also part of an expert working group set up during the 2011 European Privacy and Data Protection Commissioners' Conference to focus on the future of supervision in the freedom, security and justice area.
328 Council, Act No 29/2009 of the Joint Supervisory Body of Europol of 22 June 2009 laying down its rules of procedure, OJ 2010/C 45/02. http://europoljsb.consilium.europa.eu/media/63193/lexuriserv.en.pdf
329 Europol Joint Supervisory Body, "Activity Report, October 2008 – October 2012: Converging Paths", Brussels, 24 April 2013. http://register.consilium.europa.eu/pdf/en/13/st08/st08659.en13.pdf
330 Europol, "Management and Control". https://www.europol.europa.eu/content/page/management-147
331 Data Protection Office, Data Protection at Europol, Europol, The Hague, 2012. https://www.europol.europa.eu/sites/default/files/publications/europol_dpo_booklet_0.pdf
332 Europol Joint Supervisory Body, "Activity Report, October 2008 – October 2012: Converging Paths", Brussels, 24 April 2013, p. 8. http://register.consilium.europa.eu/pdf/en/13/st08/st08659.en13.pdf
The JSB believes that its work has a positive impact upon data protection at national levels.
Experience gained by national representatives working as part of the JSB on joint on-site
inspections contributes to harmonisation of national practices. Joint decisions of the JSB are
also applied at national levels. The JSB has also collaborated with the former Working Party
on Police and Justice (under the mandate of the European Privacy and Data Protection
Commissioners’ Conference), and has adopted joint opinions on the TFTP Agreement with
the Article 29 Working Party. The JSB is an accredited member of the Spring Conference and
the International Conference of Data Protection and Privacy Commissioners.
The National Supervisory Bodies are national authorities that monitor the communication of
personal data to and from Europol, in line with their respective national laws. These bodies
have access to the documents and premises of their national Liaison Officers at Europol.
3.8.6 Joint Supervisory Body Eurojust
Formally established in 2002, Eurojust, the European Union’s judicial cooperation unit, is
responsible for encouraging and facilitating co­ordination of investigations and prosecutions
between competent authorities in the Member States, making these more effective in dealing
with cross­border crime. Eurojust’s competencies match those of Europol. As part of this role,
Eurojust may process significant amounts of information, including personal data. The Joint
Supervisory Body (JSB is an independent external supervisor of Eurojust in the area of data
protection. Its role is to monitor. The JSB discusses compliance with the Eurojust data
protection officer and can undertake spot inspections. Eurojust JSB was accredited as an
independent supervisory authority member of the International Conference of Data Protection
and Privacy Commissioners in 2010, and by the European Data Protection Commissioner’s
Conference in October 2011, and has a secretariat based in the Hague. Unlike the other EU
JSBs discussed in this section, the Eurojust JSB is not is necessarily composed of
representatives of national Data Protection Authorities (although several are members), but
can also include judges and other similarly independent roles.
The JSB was heavily involved in the drafting of the Rules of Procedure on Data Protection
which were adopted by the College of Eurojust in October 2004, and played a role in the
development of Eurojust’s case management system, which the JSB considers to be a good
example of privacy by design.333
3.9 OTHER INITIATIVES
333 Joint Supervisory Body of Eurojust, Activity Report of the Joint Supervisory Body of Eurojust 2012, The Hague, 2012, p. 6. http://www.eurojust.europa.eu/doclibrary/Eurojust-framework/jsb/JSBAnnualActivityReport/Activity%20Report%202012/JSB-ActivityReport-2012-EN.pdf
The data protection authorities of the Nordic countries (Denmark, Finland, Iceland, Norway,
Sweden) collaborate at the regional level.334 This includes meetings every one or two years
between the authorities looking at planning, benchmarking and management, as well as more
regular co-operation on case handling and media relations. Co-operation arrangements also
include a staff exchange programme, although not all authorities have participated in this. The
group produced a joint set of questions to Facebook and a joint report.335 The group has the
following meetings:
 Nordic data manager meeting - fællesnordiske datachefmøde
 Nordic caseworker meeting - årlige fællesnordiske sagsbehandlermøde for sagsbehandlere – fortrinsvis jurister – fra de nordiske datatilsynsmyndigheder: an annual joint meeting for practitioners, mostly lawyers, from the Nordic Data Protection Authorities
 Nordic technician meeting - Nordisk Teknikermøde
The Visegrad Group, consisting of the Czech Republic, Hungary, Poland and Slovakia, works
together on a number of areas of common interest within European integration. The group is
not institutionalised, but consists of meetings of its representatives at various levels, including
ministerial co-operation. Areas of co-operation include Justice and Home Affairs, Schengen
co-operation (including protection and management of the EU external borders) and visa
policy.
The Isle of Man mentioned regular informal communication and exchange of views between
its Office, the UK, Ireland, Jersey, Guernsey and Gibraltar.
The German DPA said it provides co-operation and support on request or on a case-by-case
basis, and has done so in the instances of, inter alia, the DPAs from Bulgaria, Macedonia and
Moldova.
GIODO said it was also participating in some international projects: the Leonardo da Vinci
(LDV) mobility projects, LDV partnership projects, study visits, twinning projects.
334 Data Inspection Board, “International co-operation”. http://www.datainspektionen.se/in-english/international-co-operation/
335 Jonasson, David, “Facebook’s data protection questioned by Nordic authorities”, Stockholm News, Stockholm, 12 June 2011. http://www.stockholmnews.com/more.aspx?NID=7485
3.10 CONCLUSIONS
Figure 2: European DPA co-operation and co-ordination mechanisms
The above figure visualises the overlapping membership of the various European
collaboration arrangements (countries in white text are also OECD member countries). This
visualisation shows that there is a core group of DPAs who are involved in the full range of
co-operation and co-ordination mechanisms, with a number of other DPAs who are not
involved in particular mechanisms. Within the EU, these exclusions are primarily a result of
other political decisions by the countries involved (such as non-participation of the United
Kingdom in the Schengen acquis) rather than the activities of the DPAs themselves.
The preceding overview of co-operation and co-ordination in Europe supports the following
observations.
There are multiple levels of co-operation and co-ordination in Europe. First, there are
mechanisms at the level of senior representatives, privacy commissioners and heads of DPAs,
such as the Spring Conference and the Article 29 Working Party. These mechanisms are
important for high-level discussion and agreement, the development of shared positions and
the expression of a collective voice. This interaction often occurs through relatively short one-
or two-day conferences or workshops. Second, there are co-operation mechanisms at the
operational level, such as the Case Handling Workshop associated with the Spring
Conference. There may be an opportunity to develop these mechanisms to encompass
non-enforcement issues such as media and public communication or technology watch
functions. Thirdly, there are co-ordination mechanisms for the representatives of Member
States other than DPAs (DAPIX) and finally, there are mechanisms which include
representatives from the private sector and NGOs (the Berlin Group).
There is also a range of co-operation and co-ordination mechanisms in Europe operating at
different scales, ranging from bilateral agreements between two DPAs to regional
organisations (such as the Balkan DPAs and the Eastern European DPAs), sub-European
groupings around particular organisational structures (such as the supervisory groups of
Schengen and VIS), the core grouping of all European Member State DPAs in the Article 29
Data Protection Working Party, up to the broader European memberships of the Spring
Conference and Council of Europe.
This European network of overlapping mechanisms for co-operation provides a range of
options for collaboration and the building of consensus at different levels and for different
purposes. It provides European DPAs with a degree of flexibility in forming different
coalitions. Regular interaction may be supportive of developing habits of communication,
co-operation and co-ordination. The organisations are frequently interlinked by more than
overlapping membership (for example, the Case Handling Workshop reporting to the Article
29 Working Party, or the Europol JSB attending the Spring Conference).
The statutory requirement for European DPAs to collaborate in the Article 29 Working Party
(arising from Directive 95/46/EC) is an important element of European co-operation and
co-ordination, and the Working Party has been influential, including expanding its mandate to
incorporate the work of the WPPJ. It has utilised a range of cooperative strategies, soft law
and learning from experience. The Article 29 Working Party has become a key vehicle for the
expression of collective views. The Council of Europe Convention 108 requirement for
mutual assistance (primarily in the form of the provision of information) is also important in
ensuring the drive towards co-operation.
There is also co-operation in regard to “European surveillance infrastructure” such as the
Schengen, VIS and customs databases, which may increase the habitual working together of
DPAs. For their particular task, oversight of multi-state information systems, this
collaboration is vitally important. The functional model of Schengen and EURODAC acted as
an inspiration for subsequent supervisory groups for VIS, Europol, and customs. However,
these mechanisms cannot really be repurposed for other co-ordination tasks, given their focus
upon a particular task or system. These groups have, however, had plenary meetings between
themselves, and acted as a source of expertise on these topics for Art 29 and expert groups at
the Spring Conference.
Finally, European DPAs do have access to a small number of communication tools and
platforms (such as the GPEN list of contact points, the Council of Europe T-PD website, and
the Case Handling Workshop mailing list) that can be used for more frequent co-ordination
(including at operational level) than that allowed by infrequent formal meetings.
4 CO-OPERATION AND CO-ORDINATION GLOBALLY
Mechanisms for international co-operation and co-ordination analysed in this chapter include
the following: the International Conference of Data Protection and Privacy Commissioners
(ICDPPC), the Council of Europe T-PD, the OECD WPISP, APEC ECSG DPS, the Asia
Pacific Privacy Authorities (APPA), the Ibero-American Data Protection Network, the
Association of Francophone Data Protection Authorities, the Article 29 Working Party,
GPEN, the International Working Group on Data Protection in Telecommunications
(IWGDPT) and CPEA. In examining these existing mechanisms, the partners have contacted
DPAs and privacy commissioners to elicit their views on how existing mechanisms could
improve practical co-operation and in what areas such co-operation could be improved. The
partners particularly focus on the GPEN and the working group of the ICDPPC, which are the
only two global mechanisms. The PHAEDRA partners also explore networks established by
action of national governments acting collectively (Art. 29 WP, CPEA); mandates exclusively
focused upon enforcement co-operation (GPEN, CPEA) and the track record of enforcement
co-operation work (Art. 29 WP, APPA, CPEA).
This chapter describes efforts to improve practical co-operation between DPAs, privacy
commissioners and privacy enforcement authorities, including the Article 29 Working Party’s
efforts to improve co-operation, the APEC Cross-border Privacy Enforcement Arrangement
(CPEA) and the subsequent developments in CPEA, the creation of the Global Privacy
Enforcement Network (GPEN) and its Action Plan, and the creation of a working group as a
result of the Resolution of the 33rd International Conference, which met in Montreal in May
2012 and which reported back to the 34th International Conference in Uruguay in October
2012. It refers to Blair Stewart’s paper on improved co-ordination, which was submitted to the
November 2011 meeting of the GPEN. This chapter also refers to the outreach efforts at
co-operation by, for example, the French and Spanish DPAs: France promotes data protection
in francophone countries, while Spain does the same in Latin America (this is normal,
because many services, e.g., call centres, are provided from those countries). Europe’s support
for improved co-operation with third countries yields benefits for Europe, e.g., in encouraging
third countries to adopt our approach to privacy and data protection.
This section also examines existing co-operation efforts between the European Commission
and Data Protection Authorities both inside and outside of the EU. These measures include
the TAIEX instrument, the Leonardo Da Vinci funding programme, and twinning projects.
4.1 INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS
The International Conference of Data Protection and Privacy Commissioners has been
meeting annually since the Conference was established in 1979. The purposes of the
conference are:
 To promote and enhance personal data protection internationally; the Conference convenes once a year. In the last few years, the Conference has grown into a one-week event, encompassing an Open Session accessible to all professionals involved in privacy rights.
 To draft and adopt joint resolutions.
 To be a meeting point between accredited members and other international fora or organisations that share common objectives.
 To encourage and facilitate cooperation and the exchange of information among accredited members, in particular regarding enforcement actions.
 To promote the development of international standards in the field of protection of personal data.336
In the course of the International Conference, all issues related to data protection and privacy
may be discussed. Generally, the Open Session of the Conference comprises two days of
meetings, both in plenary and breakout sessions, on a number of topics related to the main
theme. In 2011, it was decided that, in order to encourage dialogue, cooperation and
information sharing, the Closed Session would form the main part of the Conference. It is left
up to the discretion of the Hosting Authority – elected in the previous year by the membership
of the Conference – to organize an Open Session as well as several side meetings to provide a
forum for international and non-governmental organizations. Since 2012, the Closed Session
comprises one and a half days of meetings. Throughout this period, a full day is devoted
to internal discussion and to declarations on subjects that warrant the common interest or
concern of the accredited members, and to promoting their implementation.
4.1.1 Organisation
The conference is governed by an Executive Committee, consisting of three representatives of
national authorities, elected on two-year terms, the immediate previous hosting authority and
the next hosting authority. One of these members will be elected by the closed session to
chair the committee. The conference is hosted by a different Data Protection or Privacy
authority each year. The intention is to vary the geographical, cultural and legal backgrounds
of the host country.
The conference now runs for a week, with a combination of open sessions for general privacy
experts, including industry and academia, closed sessions for data protection and privacy
authorities, and side sessions hosted by other organisations and institutions. The closed
sessions are the core of the conference, with details of the open sessions left to the discretion
of the host authority, but often based around topics related to a central theme. The closed
session lasts for one and a half days.337
For both the open and the closed session, expert speakers are invited by the Conference
organization and/or the Executive Committee. In order to become members of the
Conference, supervisory authorities must be public entities created by appropriate legal
instruments for their country, compatible with international legislation and instruments on
data protection, with legal powers appropriate to their functions, and with appropriate
autonomy and independence. Public entities that do not meet these criteria but are involved
with privacy and data protection can apply for Observer status.
4.1.2 Co-operation and co-ordination activities
Being an International Conference, the Conference has no geographical limitations upon
membership and is therefore the data protection forum with the widest possible membership.
336 Executive Committee of the Conference of Data Protection and Privacy Commissioners, Rules and Procedures, undated. https://privacyconference2013.org/web/pageFiles/kcfinder/files/RULES_AND_PROCEDURES2.pdf
337 GIODO, “Conference”, undated. https://privacyconference2013.org/About_the_Conference_
The Conference regularly issues a number of resolutions. Decision-making in the closed
session is based upon consensus when possible or by majority vote.
The Conference convened in Warsaw in September 2013 issued a Resolution on International
Enforcement Coordination.338 The resolution built on previous resolutions encouraging
co-operation in cross-border privacy enforcement.
4.1.3 ICDPPC Resolutions
In this section, we present a selection of resolutions from recent International Conferences.
We especially draw attention to the resolutions dealing with international co-operation.
35th International Conference, Warsaw, 23-26 September 2013339
The 35th International conference, themed “Privacy: A compass in a turbulent world” adopted
several resolutions. The resolutions are typically short documents, written in a relatively
accessible format, that present common positions and shared perspectives from the attendees
at the conference. The host DPA, GIODO, stated that
We do believe that the conference contributed to better understanding of data protection issues
around the world as well as gave the ground for exchanging the experiences and views in this field
and benefited to better explanation of the problems related to data protection.340
 Warsaw declaration on the “appification” of society341
 Accreditation resolution
 Profiling resolution
 Strategic direction resolution
 Enforcement coordination resolution
 International Enforcement Coordination law resolution
 Openness resolution
 Digital education resolution
 Webtracking Resolution
The Resolution on international enforcement co-ordination resolved to further encourage
efforts to bring about more effective coordination of cross-border investigation and
enforcement. It mandated the International Enforcement Coordination Working Group to
work with other networks to develop a common approach to cross-border enforcement and
case handling expressed in a multilateral framework document. This approach will build upon
the work of GPEN and will address sharing of information. The resolution also encouraged
DPAs to seek out opportunities to cooperate, and supported the development of a secure
information platform.342
338 http://www.priv.gc.ca/information/conf2013/res_04_coordination_e.asp
339 https://privacyconference2013.org/Declaration_and_Resolutions_adopted_at_35th_International_Conference
340 https://privacyconference2013.org/
341 Wiewiorowski, Wojciech Rafal, and Jacob Kohnstamm, Warsaw declaration on the “appification” of society, 35th International Conference of Data Protection and Privacy Commissioners, Warsaw, 23-26 September 2012. https://privacyconference2013.org/web/pageFiles/kcfinder/files/ATT29312.pdf
342 https://privacyconference2013.org/web/pageFiles/kcfinder/files/4.%20Enforcement%20coordination%20resolution%20EN%20.pdf
34th International Conference, Punta del Este, Uruguay, 23-24 October 2012: “Privacy
and Technology in balance”343
This Conference dealt with the balance between technology and privacy. In addition, new
opportunities and problems were analyzed, trying to outline the path that our civilization
would go through in the coming years.
More than 90 speakers represented 40 countries. The 34th conference of data protection
commissioners ended successfully and the following resolutions were adopted:
 Resolution on Cloud Computing
 Resolution on the future of privacy
 Uruguay Declaration on profiling
33rd International Conference, Mexico City, 2-3 November 2011: “Privacy: The Global
Age”344
This International Conference was focused on the challenges associated with managing and
protecting personal data in an era characterized by the constant, instantaneous transfer of
information across the globe.
Content:
 Big Data. Databases and Technology in the New Economic Era
 The Factors Driving New Data Protection Laws
 Security Risks in the Modern World
 Mechanisms of Organizations Used to Identify and Mitigate Risks to Individuals
Resolutions adopted:
 Data Protection and Major Natural Disasters
 Privacy Enforcement and Co­ordination at the International Level
 The Use of Unique Identifiers in the Deployment of Internet Protocol Version 6
32nd International Conference, Jerusalem, 27-29 October 2009: “Privacy: Generations”345
The conference was organized by the Israeli Law, Information and Technology Authority
(ILITA), which was established by the Ministry of Justice of Israel in September 2006 to
become Israel's data protection authority.
The mission of ILITA was to reinforce personal data protection, with a view to regulating the
use of electronic signatures and at the same time increasing the enforcement of privacy and
IT-related offenses. ILITA also acted as a central knowledge base within the Government
for technology-related legislation and large governmental IT projects.
Resolutions adopted:
 Resolution on Improvement of the Conference Organizational Set up
343 http://privacyconference2012.org/english/sobre-la-conferencia/noticias/Resoluciones+y+declaraciones+adoptadas
344 http://privacyconference2011.org/index.php?lang=Eng
345 http://www.justice.gov.il/PrivacyGenerations
 Resolution on Privacy by Design
31st International Conference, Madrid, 4-6 November 2009: "Privacy: Today is
Tomorrow"346
This conference was a review of some of the issues currently discussed not only by the
guarantors of privacy and data protection but by society in general, given the relevance of the
decisions that are taken in this field for citizens.
In accordance with this, one of the main issues that was thoroughly analysed was the
relentless development of information technology, especially on the Internet, an essential tool
in present-day society which required a great deal of reflection in the light of the proliferation
of new services, due to their impact in terms of data protection and privacy.
Without disregarding the influence of new technologies, other core subjects at the
conference were the education of minors, challenges in the digital world, data protection as
an element of business strategy, and international data transfers in the frame of a globalized
world.
Apart from that, new advertising models and new sales techniques were also discussed,
together with their impact in the field of data protection and security, especially in relation to
systems that caused a considerable degree of controversy, or those which used the human
body as their support.
Resolutions:
 International Standards on the Protection of Personal Data and Privacy
 Industry Statement on the Necessity of International Frameworks in Support of The
Protection of Privacy and Personal Data
 Global Privacy Standards for a Global World. The Civil Society Declaration
Following is a list of several previous conferences and the titles of their principal resolutions.
30th International Conference, Strasbourg, 15-17 October 2008
 Resolution on the Urgent Need for Protecting Privacy in a Borderless World, and for Reaching a Joint Proposal for Setting International Standards on Privacy and Personal Data Protection
 Resolution Concerning the Establishment of a Steering Group on Representation at Meetings of International Organisations
 Resolution on Children's Online Privacy
 Resolution on Privacy Protection in Social Network Services
 Resolution of the Website Working Group
 Resolution to Explore Establishing an International Privacy/Data Protection Day or Week
29th International Conference, Montreal, 25-28 September 2007347
346 http://www.privacyconference2009.org/home/index-iden-idweb.html
347 http://www.privacyconference2007.gc.ca/terra_incognita_home_e.html
 Resolution on International Cooperation
 Resolution on the Urgent Need for Global Standards for Safeguarding Passenger Data to be Used by Governments for Law Enforcement and Border Security Purposes
 Resolution on Development of International Standards
28th International Conference, London, 2-3 November 2006348
 London Declaration
 Resolution on Privacy Protection and Search Engines
27th International Conference, Montreux, 14-16 September 2005349
 Declaration of Montreux: “The Protection of Personal Data and Privacy in a Globalised World: A Universal Right Respecting Diversities”
 Resolution on the Use of Personal Data for Political Communication
 Resolution on the Use of Biometrics in Passports, Identity Cards and Travel Documents
26th International Conference, Wroclaw, 14-16 September 2004350
 Amendment to 2003 Conference Resolution on Automatic Software Updates
 Resolution on a Draft ISO Privacy Framework Standard
25th International Conference, Sydney, 10-12 September 2003
 Resolution Concerning the Transfer of Passengers' Data
 Resolution on Radio-Frequency Identification
 Resolution on Data Protection And International Organisations
 Resolution on Automatic Software Updates
 Resolution on Improving the Communication of Data Protection and Privacy Information Practices
24th International Conference, Cardiff, 9-11 September 2002
 Statement of the European Data Protection Commissioners at the International Conference in Cardiff on mandatory systematic retention of telecommunication traffic data
Previous conferences were hosted in the following countries:
23rd Conference ­ Paris, (24­26 September 2001)
22nd Conference – Venice, Italy (28­30 September 2000)
21st Conference – Hong Kong (1999)
20th Conference – Santiago de Compostella – Spain (1998)
19th Conference – Brussels – Belgium (1997)
18th Conference – Ottawa – Canada (1996)
348 http://www.privacyconference2006.co.uk/
349 http://www.privacyconference2005.org/
350 http://26konferencja.giodo.gov.pl/
17th Conference – Copenhagen – Denmark (1995)
16th Conference – The Hague – The Netherlands (1994)
15th Conference – Manchester – United Kingdom (1993)
14th Conference – Sydney – Australia (1992)
13th Conference – Strasbourg – Council of Europe (1991)
12th Conference – Paris – France (1990)
11th Conference – Berlin – F.R.Germany (1989)
10th Conference – Oslo – Norway (1988)
9th Conference – Quebec – Canada (1987)
8th Conference – Lisbon – Portugal (1986)
7th Conference – Luxembourg (1985)
6th Conference – Vienna – Austria (1984)
5th Conference – Stockholm – Sweden (1983)
4th Conference – London – United Kingdom (1982)
3rd Conference – Paris – France (1981)
2nd Conference – Ottawa – Canada (1980)
1st Conference – Bonn – F.R.Germany (1979)351
4.1.4 International Working Group on Coordination of Privacy Enforcement
The International Conference can form Working Groups composed of members of the
conference. These groups derive their mandate from and report to the closed session of the
Conference. The participation in these groups is voluntary.
4.2 ORGANISATION FOR ECONOMIC CO-OPERATION AND DEVELOPMENT
The Paris-based Organisation for Economic Co-operation and Development (OECD) took up
the issue of privacy co-operation and co-ordination early on. The OECD saw it as an
important policy issue, and recognised the need for an interoperable approach to privacy and
the need to establish common objectives and understanding regarding privacy and enforcing
laws.
Also relevant to protecting privacy, the OECD produced security guidelines in 2002. The
OECD has adopted a risk-based approach to security. The UN Resolution on security in 2002
was largely based on OECD work. The OECD has been studying national cyber security
strategies for some years. The OECD is currently reviewing its security guidelines and
developing a set of security indicators. The OECD has also looked at identity management
and the protection of children in an online environment.
In July 2013, the OECD produced a revision of its influential 1980 privacy guidelines.352 The
revisions include:
 A Recommendation of the OECD Council concerning Guidelines governing the
Protection of Privacy and Transborder Flows of Personal Data (July 2013); and
 A new explanatory memorandum providing context and rationale for the July 2013
revisions.
351 GIODO, “Conferences”, 2013, https://privacyconference2013.org/Conferences
352 Organisation for Economic Co-operation and Development, OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, Paris, 23 Sept 1980. http://www.oecd.org/internet/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm. The revised guidelines can be found here: http://www.oecd.org/sti/ieconomy/privacy.htm
The process to revise the Guidelines was led by the OECD’s Working Party on Information
Security and Privacy (WPISP) working from terms of reference released at an OECD
conference on global interoperability in Mexico City in November 2011. In accordance with
the terms of reference, the WPISP convened a multi-stakeholder group of experts from
governments, privacy enforcement authorities, academia, business, civil society and the
Internet technical community. This expert group was chaired by Jennifer Stoddart, Privacy
Commissioner of Canada. Omer Tene, consultant to the OECD, served as rapporteur. On the
basis of the work by the expert group, proposed revisions were developed by the WPISP and
approved by the Committee for Information, Computer and Communications Policy (ICCP),
before final adoption by the OECD Council in July 2013.
4.2.1 OECD Working Party on Security and Privacy in the Digital Economy (SPDE), formerly Working Party on Information Security and Privacy (WPISP)
The Working Party on Information Security and Privacy (WPISP) is part of the Organisation
for Economic Co-operation and Development (OECD) Directorate for Science, Technology
and Industry. It reports to the Committee for Information, Computers and Communications
Policy (ICCP), which in turn reports to the OECD Council.
WPISP is an intergovernmental forum that focuses upon the economic and social aspects of
cyber security and privacy. It develops public policy analysis and recommendations intended
for governments and other stakeholders to ensure that security and privacy protection
contribute to the development of the information economy. The information economy is seen
by the OECD as a platform for economic and social prosperity.
WPISP conducts policy development, monitors trends, allows policy makers to share
experiences, and analyses the impact of technology on information security and privacy
policy making. It also maintains a network of experts from government, business, civil society
and the Internet technical community. WPISP meets twice a year in Paris, and
organises expert forums. Its activities are supported by the OECD secretariat. All OECD
members can be members of the WPISP. About 34 countries participate, but attendance varies;
the agencies that participate in WPISP meetings also vary in some cases.
According to WPISP, its work:
 Serves as a foundation for developing national co-ordinated policies.
 Is balanced and pragmatic, respects cultural, legal and social differences.
 Benefits the broader international community through OECD’s co-operation with non-members and other international and regional organisations (such as Council of Europe and APEC).353
 Supports OECD’s core values.
WPISP has been involved in developing the OECD Guidelines on the Protection of Privacy
and Transborder Flows of Personal Data354, the report “Privacy Online: OECD Guidance on
353 OECD, “What is the Working Party on Information Security and Privacy (WPISP)?”, undated. http://www.oecd.org/sti/whatistheoecdworkingpartyoninformationsecurityandprivacywpisp.htm
354 OECD, “OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data”, undated. http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm
Policy and Practice”, and the OECD privacy policy generator.355 It is also involved in ongoing
co-operation on privacy law enforcement. In addition to work on privacy, WPISP is also
involved in work on information security, primarily towards the development of a “culture of
security” which promotes security in the design and use of ICT, and also helps various
participants become aware of risks and assume responsibility for enhancing the security of
information systems and networks. WPISP’s direction has been influenced by the Ottawa
Ministerial Declaration 1998356, which charged the OECD with providing practical guidance
to member countries on the implementation of the OECD privacy guidelines, and by the
integration of the action items in the Declaration into the OECD Action Plan. This direction
includes:
 Encouraging the adoption of privacy policies;
 Encouraging the online notification of privacy policies to users;
 Ensuring that enforcement and redress mechanisms are available in cases of non-compliance;
 Promoting user education and awareness about online privacy and the means at their disposal for protecting privacy;
 Encouraging the use of privacy-enhancing technologies; and
 Encouraging the use and development of contractual solutions for online transborder data flows.
The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
were a response both to the development of the automatic processing of personal data and to
the potential for disparities in national legislation to impede the free flow of data across
borders. The OECD guidelines were therefore intended to harmonise national legislation. The
OECD issued a Recommendation on 23 September 1980. The OECD recommended:
 that Member countries take into account in their domestic legislation the principles concerning the protection of privacy and individual liberties set forth in the Guidelines;
 that Member countries endeavour to remove or avoid creating, in the name of privacy protection, unjustified obstacles to transborder flows of personal data;
 that Member countries co-operate in the implementation of the Guidelines set forth in the Annex;
 that Member countries agree as soon as possible on specific procedures of consultation and co-operation for the application of these Guidelines.357
Section Five of the Annex to the Recommendation deals with international co­operation. This
requests that member countries make known to other members the details of the observance
of the principles in the guidelines, and ensure that processes for transborder flow of
information and the protection of privacy and other liberties are both simple and compatible
with those of other members also in compliance. Member countries should establish
procedures to facilitate information exchange and mutual assistance in procedural and
investigative efforts. A report by WPISP on the 30-year anniversary of the Guidelines found
that: “The Guidelines have been a remarkable success. They represent an international
consensus on personal data protection in the public and private sectors. They have influenced
the development of national legislation and model codes within OECD member countries, and
beyond.”358
355
OECD, “OECD Privacy Statement Generator”, undated.
http://www.oecd.org/sti/ieconomy/oecdprivacystatementgenerator.htm
356
Working Party on Information Security and Privacy, “Ministerial declaration on the protection of privacy in
global networks”, Ottawa, 7-9 October 1998. http://www.oecd.org/sti/ieconomy/1840065.pdf
357
OECD, “OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data”, undated.
http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm
Privacy Online: OECD Guidance on Policy and Practice359 focuses upon the implementation
of the OECD privacy guidelines online and offers policy and practical guidance. It also
collates the activities of WPISP up to 2003. The OECD privacy policy generator was an
online educational tool to support the conduct of an internal review of personal data practices
and the development of privacy policies. The tool was created in support of encouraging the
adoption and posting of consistent privacy policies, and lasted for ten years from 2000 before
being retired.360 OECD work on privacy also included research into alternative dispute
resolution methods and an inventory of Privacy Enhancing Technologies.361
WPISP was involved in the review of the OECD privacy guidelines, which was completed in
2013.362 Following initial workshops and a questionnaire circulated to stakeholders, OECD
members agreed terms of reference363 which were published in November 2011. WPISP has
expressed the intent to hold multi­stakeholder expert discussion on the OECD framework,
which would encompass the roles and responsibilities of key actors, geographic restrictions
on data flows, and proactive implementation and enforcement. The discussions were intended
to include experts from governments, international organisations, privacy enforcement
authorities, academics, business, civil society, and the Internet technical community. The
invited experts’ recommendations for consideration were presented to OECD members by
October 2012. The aim of these discussions was to advise the OECD membership on keeping
the OECD privacy guidelines relevant. In the revised guidelines, the OECD encourages
member countries to enter into international agreements that give practical effect to the
revised guidelines, with the aim of improving the interoperability of privacy frameworks.
WPISP recently changed its name to the OECD Working Party on Security and Privacy in the
Digital Economy (SPDE).
4.2.2 OECD Report on the Cross-border Enforcement of Privacy Laws (2006)
In October 2006 the OECD published a Report on the Cross-border Enforcement of Privacy
Laws.364 The report was based upon a questionnaire of OECD governments conducted by
WPISP.365 The findings in this report suggest a number of possible topics for further study
and consideration, including:
 Examination of approaches to handling and classifying cross-border complaints.
 Work towards identifying common priorities for enforcement co-operation.
 Ways to improve co-operation between authorities with respect to notifications,
information sharing, and investigative assistance.
 Consideration of the adequacy of sanctions and remedies available to privacy
enforcement authorities in the context of cross-border cases.
 Work towards improving the prospects of international judgment recognition and
enforcement of orders for monetary redress for individuals who suffer privacy
breaches.
 Examination of informal methods of international co-operation – often through
regional networks – that allow for information exchange on current issues and best
practices.
 Consideration of the need for practical tools, like contact lists, forms to request
assistance from another authority, cross-border complaint forms, common approaches
to reporting case results, etc.
 Work towards establishing a more complete and robust set of indicators about the
dimensions of cross-border privacy problems.366
358
Working Party on Information Security and Privacy, “The evolving privacy landscape: 30 years after the
OECD privacy guidelines”, DSTI/ICCP/REG(2010)6/final, Paris, 6 April 2011.
http://www.oecd.org/sti/ieconomy/47683378.pdf
359
OECD, “Privacy Online: OECD guidance on policy and practice”, Paris, 2003.
360
OECD, “OECD Privacy Statement Generator”, undated.
http://www.oecd.org/sti/ieconomy/oecdprivacystatementgenerator.htm
361
OECD, “Privacy Online: OECD guidance on policy and practice”, Paris, 2003, pp. 16-12.
362
OECD, “OECD Guidelines governing the protection of privacy and transborder flows of personal data”,
https://www.huntonprivacyblog.com/wp-content/files/2013/09/2013-oecd-privacy-guidelines.pdf
363
Working Party on Information Security and Privacy, “Terms of reference for the review of the OECD
guidelines governing the protection of privacy and transborder flows of personal data”,
DTSI/ICCP(2011)4/FINAL, OECD, 31 October 2011.
364
OECD, “OECD Recommendation on the Cross-border Co-operation in the Enforcement of Privacy Laws”,
OECD, 2007. http://www.oecd.org/sti/ieconomy/37558845.pdf
4.2.3 OECD Recommendation on Cross-border Co-operation in the Enforcement of
Laws Protecting Privacy, 2007.
Following on from the Report, the OECD published a Recommendation on Cross-border Co-
operation in the Enforcement of Laws Protecting Privacy in 2007.367 This set forth a
framework for co-operation on the enforcement of privacy laws. The WPISP work on the
Recommendation was led by Jennifer Stoddart, Privacy Commissioner of Canada. The OECD
recommended that member countries co-operate across borders in the enforcement of laws
protecting privacy, taking appropriate steps to:
 Improve their domestic frameworks for privacy law enforcement to better enable their
authorities to co-operate with foreign authorities.
 Develop effective international mechanisms to facilitate cross-border privacy law
enforcement co-operation.
 Provide mutual assistance to one another in the enforcement of laws protecting
privacy, including through notification, complaint referral, investigative assistance and
information sharing, subject to appropriate safeguards.
 Engage relevant stakeholders in discussion and activities aimed at further co-operation
in the enforcement of laws protecting privacy.368
The Recommendation identified the need to develop domestic measures in order to improve
cross-border privacy co-operation. Such measures included ensuring that privacy enforcement
authorities have the necessary powers and authority, including significant sanctions, and
clarifying or removing legislation that might prevent the exchange of information on cases
between different privacy authorities. It also identified barriers to co-operation arising from
the inability of some authorities to determine their own investigative priorities and from
resource constraints.
365
OECD, “OECD Questionnaire on the cross-border enforcement of privacy laws”, DSTI/ICCP/REG(2006)1,
2006. http://www.oecd.org/sti/ieconomy/37572050.pdf
366
OECD, Report on the Cross-Border Enforcement of Privacy Laws, Paris, October 2006, p. 26.
367
OECD, Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy,
Paris, 2006. http://www.oecd.org/sti/ieconomy/38770483.pdf
368
OECD, Report on the Cross-Border Enforcement of Privacy Laws, Paris, October 2006.
http://www.oecd.org/sti/ieconomy/37558845.pdf
The Recommendation calls upon OECD members to share information on enforcement
outcomes. It also identifies multi­lateral or bi­lateral memoranda of understanding as a useful
tool for improving cross­border co­operation. Whilst most of the responsibility for
implementing the Recommendation sits with member governments, the OECD also works to
facilitate some elements, particularly in relation to international co­operation (see below).
4.2.4 Report on the Implementation of the OECD Recommendation on Cross-border
Co-operation in the Enforcement of Laws Protecting Privacy, 2011.
The OECD digital economy paper 178 was a report by WPISP on the implementation of the
2007 Recommendation.369 This report was also included in the document Thirty Years After
the OECD Privacy Guidelines.370 The report sets out WPISP activities (detailed below) and
concludes that the Recommendation is stimulating improvements in members’ ability to co-operate
across borders in the enforcement of privacy laws. It does not identify any adverse effects of
increased co-operation, and whilst there is general willingness to co-operate amongst privacy
enforcement authorities, actual instances of co-operation are limited. The report suggests that
members should:
 Designate a contact point for cross-border issues.
 Share case-related information in individual cross-border cases and information on
technical expertise and investigation methods.
 Share information on enforcement outcomes by publishing case reports, possibly in a
common format that would make comparisons easier.
 Consult with other types of criminal law enforcement authorities, private sector groups
and civil society.
 Consider becoming a member of regional or global enforcement arrangements or
develop memoranda of understanding with other authorities.371
4.2.5 Privacy enforcement authorities
Currently, nearly all OECD members have laws that establish privacy enforcement
authorities. The OECD sees this as an improvement over the third of members
that had such authorities when the Privacy Guidelines were adopted in 1980. However, the
OECD notes the variance between the scope of laws, regulatory models, complaint handling
processes, and investigation and audit powers in different member states.
369
OECD, Report on the Implementation of the OECD Recommendation on Cross-border Co-operation in the
Enforcement of Laws Protecting Privacy, OECD Digital Economy Papers, No.178, 2011.
http://www.oecd-ilibrary.org/science-and-technology/report-on-the-implementation-of-the-oecd-recommendation-on-cross-border-co-operation-in-the-enforcement-of-laws-protecting-privacy_5kgdpm9wg9xs-en
370
OECD, Thirty years after the OECD Privacy Guidelines, Paris, 2011.
http://www.oecd.org/sti/ieconomy/49710223.pdf
371
OECD, Report on the Implementation of the OECD Recommendation on Cross-border Co-operation in the
Enforcement of Laws Protecting Privacy, OECD Digital Economy Papers, No.178, 2011.
http://www.oecd-ilibrary.org/science-and-technology/report-on-the-implementation-of-the-oecd-recommendation-on-cross-border-co-operation-in-the-enforcement-of-laws-protecting-privacy_5kgdpm9wg9xs-en
Following on from the 2007 Recommendation, the OECD conducted work to support
international co-operation between privacy enforcement authorities. The OECD hosts the
website and online platform for the Global Privacy Enforcement Network (GPEN). The
OECD also maintains a list of national contact points for co-operation and mutual assistance
under the 2007 Recommendation. By 2011, 23 member countries had designated a contact point
to the OECD; WPISP sees this as an area in need of improvement and of co-ordination with
other lists of contact points (such as those maintained by the Article 29 Working Party or
APEC). This contact list has been shared with privacy enforcement authorities outside of the
OECD membership. WPISP developed a Request for Assistance form372 to standardise the
categories of information presented to an authority receiving a request for assistance. The
OECD form has also been adopted by APEC.373
The WPISP receives reports on the progress of GPEN work. It also collects contact point
information from the authorities for enforcement actions, which was also part of the
Recommendation.
Co­operation between privacy enforcement authorities can also potentially occur under the
OECD Recommendation on anti­spam law enforcement co­operation.374
4.3 GLOBAL PRIVACY ENFORCEMENT NETWORK (GPEN)
The origins of the Global Privacy Enforcement Network (GPEN) lie in the OECD work on
cross-border co-operation in 2006. The OECD secretariat sent a questionnaire to OECD
members on how they enforce privacy, which led to a high-level, non-binding Council
Recommendation. One of the items in the Recommendation concerned the establishment of a
GPEN-like mechanism, structured like some consumer actions. GPEN was set up by the
authorities who participate in it.
Founded in September 2010, GPEN aims to facilitate cross-border co-operation in the
enforcement of privacy laws.375 Membership in GPEN enables privacy regulators from
around the world to work more closely as they address risks to the personal information of
their citizens.
Taking into consideration the initiatives of international groups such as the Asia Pacific
Economic Cooperation forum (“APEC”), the International Conference of Data Protection and
Privacy Commissioners (“ICDPPC”), the Article 29 Working Party, and the Organization for
Economic Co-Operation and Development (“OECD”), 13 authorities responsible for privacy
enforcement formed an international Global Privacy Enforcement Network (GPEN) on 10
March 2010 in order to support data protection and the right to privacy on a global level.376
372
OECD, Request for Assistance Form v-1.0. http://www.oecd.org/sti/ieconomy/38772442.doc
373
OECD, Thirty years after the OECD Privacy Guidelines, Paris, 2011.
http://www.oecd.org/sti/ieconomy/49710223.pdf
374
OECD, Recommendation on Cross-Border Co-operation in the Enforcement of Laws against Spam, Paris, 13
April 2006.
375
www.privacyenforcement.net
376
The information in this section has been extracted from a GIODO news release found at:
http://www.giodo.gov.pl/259/id_art/679/j/en/
The Network is the result of a June 2007 OECD Recommendation on Cross-Border
Cooperation in the Enforcement of the Laws Protecting Privacy,377 and was launched at an
OECD meeting. The Recommendation called for member countries to foster the
establishment of an informal network of Privacy Enforcement Authorities [para. 21]. It further
specified a number of tasks for the network:
 Discuss the practical aspects of privacy law enforcement co-operation;
 Share best practices in addressing cross-border challenges;
 Work to develop shared enforcement priorities; and
 Support joint enforcement initiatives and awareness campaigns.
GPEN’s statement of mission mirrors the Recommendation and states that GPEN “connects
privacy enforcement authorities from around the world to promote and support cooperation in
cross-border enforcement of laws protecting privacy.”378 This is to be achieved through
exchanging information, encouraging training opportunities, sharing of enforcement expertise
and good practice, promoting dialogue between organisations with privacy enforcement roles,
and creating and maintaining processes that support co-operation.
In the summer of 2008, privacy authorities began to exchange experiences and discuss the
practical aspects of enforcement cooperation via a Web utility.379 The OECD hosts
www.privacyenforcement.net, a web platform for GPEN. This site provides a restricted-
access platform for sharing of documents and news. It also includes collaboration tools such
as discussion forums, an events calendar and other functionalities.
The mission of this organisation, as specified in the “Action Plan” setting up GPEN is, among
other things, sharing information about privacy enforcement issues, trends and experiences;
participating in relevant training; cooperating on outreach activities; engaging in dialogue
with relevant private sector organizations on privacy enforcement and outreach issues; and
facilitating effective cross­border privacy enforcement in specific matters by creating a
contact list of privacy enforcement authorities interested in bilateral cooperation in cross­
border investigations and enforcement matters. The GPEN action plan is not legally binding,
and co­operation is subject to applicable laws in the jurisdictions involved.
The action plan states that GPEN is focused on the practical aspects of privacy enforcement
cooperation and Participants do not intend for GPEN to issue public opinions, position papers,
or recommendations on privacy policy. However, GPEN may develop and share consensus
views with other bodies on means to advance cross­border privacy enforcement cooperation.
GPEN has 46 Members, who are national Data Protection authorities or Information
Commissioners. More than one privacy enforcement authority from a single country,
economy or jurisdiction can participate in GPEN. Membership requirements include
responsibility for enforcing laws or regulations on personal data, and powers to conduct
investigations or enforcement actions.
377
OECD, Recommendation on Cross-Border Co-operation in the Enforcement of Privacy Laws, OECD, Paris,
2007. http://www.oecd.org/internet/ieconomy/38770483.pdf
378
Global Privacy Enforcement Network, Action Plan for the Global Privacy Enforcement Network, 15 June
2012; Part E amended 22 January 2013, https://www.privacyenforcement.net/public/activities
379
Global Privacy Enforcement Network, http://www.privacyenforcement.net/
Country: GPEN Member380
Albania: Commissioner for Personal Data Protection (KMDP) of the Republic of Albania
Australia: Office of the Australian Information Commissioner; Office of the Victorian Privacy Commissioner; Office of the Information Commissioner, Queensland; Information and Privacy Commission, New South Wales; Northern Territory Information Commissioner
Belgium: Data Protection Commission
Bulgaria: Bulgarian Commission for Personal Data Protection
Canada: Office of the Privacy Commissioner of Canada; Information and Privacy Commissioner of British Columbia; Information and Privacy Commissioner, Ontario; Information and Privacy Commissioner of Alberta
China (Special Administrative Regions): Office for Personal Data Protection, Macau SAR, China
Colombia: Superintendencia de Industria y Comercio (SIC)
Czech Republic: Office for Personal Data Protection of the Czech Republic
European Union: European Data Protection Supervisor
Estonia: Estonian Data Protection Inspectorate
France: Commission Nationale de l’Informatique et des Libertés
Gibraltar: Gibraltar Regulatory Authority
Germany: Federal Data Protection Commission; Berlin Commissioner for Data Protection and Freedom of Information
Guernsey: Data Protection Office
Hungary: National Authority for Data Protection and Freedom of Information (NAIH)
Ireland: Office of the Data Protection Commissioner
Isle of Man: Data Protection Commissioner
Israel: The Israeli Law, Information and Technology Authority
Italy: Garante Per La Protezione Dei Dati Personali
Korea: Ministry of Public Administration and Security; Korea Internet Security Agency; Personal Information Protection Commission
Lithuania: The State Data Protection Inspectorate
Luxembourg: Commission nationale pour la protection des données (CNPD)
Mauritius: Data Protection Office of the Republic of Mauritius
Mexico: Federal Institute for Access to Information and Data Protection (IFAI)
Moldova: Moldova Data Protection Authority
Monaco: The Commission de Contrôle des Informations Nominatives (personal data supervisory commission) of Monaco
Netherlands: Dutch Data Protection Authority
New Zealand: Office of the Privacy Commissioner
Norway: Data Protection Authority
Poland: Office of the Inspector General for the Protection of Personal Data (GIODO)
Slovenia: Information Commissioner
Spain: Agencia Española de Protección de Datos
Switzerland: Federal Data Protection and Information Commissioner
Ukraine: State Service of Ukraine on Personal Data Protection
United Kingdom: Information Commissioner’s Office
United States: Federal Trade Commission
380
Global Privacy Enforcement Network http://www.privacyenforcement.net/
The founding authorities of the Global Privacy Enforcement Network (GPEN) were:
 U.S. Federal Trade Commission
 Office of the Privacy Commissioner of Canada
 Commission Nationale de l’Informatique et des Libertés (France)
 Office of the Privacy Commissioner, New Zealand
 Israeli Law, Information and Technology Authority
 Office of the Privacy Commissioner, Australia
 Office of the Data Protection Commissioner, Ireland
 Agencia Española de Protección de Datos (Spain)
 Information Commissioner’s Office (United Kingdom)
 Garante Per La Protezione Dei Dati Personali (Italy)
 Dutch Data Protection Authority (the Netherlands)
 Federal Commissioner for Data Protection and Freedom of Information (Germany)
 Office of the Victorian Privacy Commissioner, (Victoria, Australia)
New participants apply to the existing members, and are expected to endorse the Action
Plan.381 More information can be found at: www.privacyenforcement.net
4.3.1 Distinguishing between co-operation and co-ordination
Blair Stewart (Office of the Privacy Commissioner, New Zealand) presented a paper at the
November 2011 meeting of the GPEN on the subject of global privacy enforcement co-
ordination as an adjunct to on-going efforts in privacy enforcement co-operation. Co-
ordination is absent from the OECD Recommendation that serves as the basis for GPEN, but
the paper argues that an increasing number of cases in which multiple privacy enforcement
authorities have investigated the same case across multiple jurisdictions suggests an increased
need for co-ordination. The paper argues that parallel investigations, where even the
investigators do not know who else is investigating, or what, will lead to wasted resources and
duplicated effort, to poorer and slower results than co-ordinated investigations, and even
allow uncooperative investigation subjects to play off different investigators against each
other. Further, Stewart suggests that the need for global co-ordination is most apparent where
there is a single incident warranting investigation that affects individuals across numerous
jurisdictions. However, other scenarios also benefit from co-ordination.
The paper draws together definitions of co-ordination in the context of multi-lateral privacy
enforcement, to suggest combining, synchronising and integrating the efforts and resources of
privacy enforcement authorities involved in investigating an incident to produce harmonious
results. This suggests the requirements for mechanisms for the combination of efforts, the
establishment of common objectives, the identification of incidents liable to lead to co-
ordinated investigation, agreement on desirable outcomes, synchronisation methods, and the
identification of collective resources.
381
Global Privacy Enforcement Network, Action Plan for the Global Privacy Enforcement Network, 15 June
2012; Part E amended 22 January 2013. https://www.privacyenforcement.net/public/activities
The paper presents a range of forms of co-ordination ranging from no co-ordination, through
light, moderate and strong informal co-ordination, to formal co-ordination based upon some
kind of formal treaty or legal basis. Light informal co-ordination involves the sharing of
information, much of which is already public. Moderate informal co-ordination adds
sharing of non-public information, for example, the names of assigned investigators and
information on the stages of an investigation, as well as a forum for ad-hoc co-ordination
efforts aside from the main co-operation structures. Strong informal co-ordination also adds
central leadership elements to co-ordinate the timing of investigations.
The paper also identifies potential barriers to co-ordination, including domestic law and
particularly prohibitions and restrictions on the sharing of information. After briefly
examining alternate venues, the paper identifies GPEN, and its password-protected website,
as a suitable vehicle for increased co-ordination efforts at the global level, although this
would require changes to the current GPEN action plan. It envisages co-ordination on
particular investigation actions on an opt-in basis, with potential efforts identified through
GPEN teleconferences. The paper suggests increased security measures for the website in
response to concerns from members over the secure sharing of sensitive information.
4.4 ASIA-PACIFIC ECONOMIC CO-OPERATION
Asia-Pacific Economic Cooperation (APEC) is a forum for 21 Pacific Rim countries that
seeks to promote free trade and economic cooperation throughout the Asia-Pacific region.382
It was established in 1989 in response to the growing interdependence of Asia-Pacific
economies and the advent of regional trade blocs in other parts of the world. APEC works to
raise living standards and education levels through sustainable economic growth and to foster
a sense of community and an appreciation of shared interests among Asia-Pacific countries.
APEC includes newly industrialised economies (NIEs), although the agenda of free trade was
a sensitive issue for the developing NIEs at the time APEC was founded, and aims to enable
ASEAN economies to explore new export market opportunities for natural resources such as
natural gas, as well as to seek regional economic integration (industrial integration) by means
of foreign direct investment. Members account for approximately 40% of the world's
population, approximately 54% of the world's gross domestic product and about 44% of world
trade.
4.4.1 APEC Cross-border Privacy Enforcement Arrangement (CPEA)
The APEC Privacy Framework was endorsed by APEC ministers in 2004 and published in
2005. The Framework aims to improve information sharing among government agencies and
regulators, facilitate the safe transfer of information between economies, establish a common
set of privacy principles, encourage the use of electronic data as a means to enhance and
expand business, and provide technical assistance to APEC economies that have yet to
address privacy regulation or policy. Encouraging the flow of data is seen by APEC as a
component part of facilitating free trade in the Asia-Pacific region.
382
www.apec.org. See also http://en.wikipedia.org/wiki/APEC
APEC created a Cross­border Privacy Enforcement Arrangement (CPEA) as a framework for
regional co­operation on privacy enforcement. CPEA emerged from the Data Privacy
Pathfinder initiative, and focuses upon the particular Framework objective to facilitate
domestic and international efforts to promote and enforce privacy protections. The CPEA was
endorsed by APEC Ministers in November 2009 and commenced on 16 July 2010.
CPEA establishes a protocol under which participating authorities may contact each other for
assistance in collecting evidence, share information during investigations, and liaise with one
another for enforcement actions. The aims of CPEA are to facilitate information sharing
between APEC privacy enforcement authorities, provide mechanisms for effective cross­
border co­operation in the enforcement of privacy law, and to encourage information sharing
and co­operation with privacy enforcement agencies outside of APEC.
Participation in CPEA is required in order to also participate in the Cross­Border Privacy
Rules (CBPR) system. More than one privacy enforcement authority from each member
economy can participate. CPEA participation establishes networks of voluntary co­operation
seen as necessary for effective international privacy protection.383 The CPEA network may
contribute to the cross­border enforcement of the APEC Cross­Border Privacy Rules
system.384
CPEA membership includes:
 the Office of the Australian Information Commissioner (OAIC)
 New Zealand Office of the Privacy Commissioner (NZOPC)
 the United States Federal Trade Commission (FTC)
 Office of the Privacy Commissioner for Personal Data, Hong Kong, China (PCPD)
 Office of the Privacy Commissioner of Canada (OPCC)
 Ministry of Foreign Affairs of Japan
 Ministry of Economy, Trade and Industry of Japan
 Ministry of Internal Affairs and Communications of Japan
 Ministry of Finance of Japan
 Ministry of Justice of Japan
 Ministry of Agriculture, Forestry and Fisheries of Japan
 Ministry of Land, Infrastructure, Transport and Tourism of Japan
 Ministry of Defense of Japan
 Ministry of Health, Labour and Welfare of Japan
 Ministry of Education, Culture, Sports, Science and Technology of Japan
 Ministry of Environment of Japan
 Cabinet Office of Japan
 Consumer Affairs Agency of Japan
 Financial Services Agency of Japan
 National Police Agency of Japan
 Ministry of Public Administration and Security (MOPAS) of Korea
 Federal Institute for Access to Information and Data Protection of Mexico
 Reconstruction Agency of Japan
 Personal Data Protection Commission, Singapore (PDPC)
383
Chatelois, Daniele, and Josh Harris, “Introduction to the APEC Cross-Border Privacy Rules System: Data
privacy in Canada”, Presentation to the American Bar Association, Privacy and Information Security Committee,
16 April 2012.
http://www.americanbar.org/content/dam/aba/publications/antitrust_law/20120416_at12416_materials.authcheckdam.pdf
384
Yeo, Vivian, “APEC leads new initiative for privacy cooperation”, ZDNet, 16 July 2010.
http://www.zdnet.com/apec-leads-new-initiative-for-privacy-cooperation-2062201400/
The role of the co­operation framework administrator can be performed by the APEC
secretariat, a Privacy Enforcement Authority, or jointly between the secretariat and an
authority, as designated by the Electronic Commerce Steering Group. The administrator is
responsible for assessing membership applications, maintaining up­to­date information and
compiling contact points, and may conduct publicity activities and promote co­operation
initiatives.
Participants should assist one another by considering other participants’ requests for
assistance and referrals for investigation or enforcement, and share information and cooperate
on the investigation or enforcement of Privacy Laws. Participants may decline requests for
assistance, or limit their co­operation on the basis of inconsistency with domestic law,
requests being outside the authority’s jurisdiction, lacking the authorisation to investigate,
resource constraints, prioritisation, absence of mutual interest, the matter being outside the
scope of the co­operation agreement, another body is more appropriate, or any other
applicable circumstances. The determination of these circumstances is at the discretion of the
participant.385
The co­operation agreement sets out the encouraged information sharing activities. These
include designation of a contact point for other privacy enforcement authorities, the
preparation of the statement of practices, policies and activities to be made available to other
participants, and the sharing of experiences. Participants are encouraged to provide
information to other participants on important matters within the scope of the Cooperation
Arrangement, including:
 surveys of public attitudes bearing upon enforcement matters;
 details of research projects having an enforcement or cross­border cooperation
dimension;
 enforcement training programmes;
 changes in relevant legislation;
 experiences with various techniques in investigating privacy violations and with
regulatory strategies, including self­regulatory strategies, involving such violations;
 information about trends and developments in the types and numbers of complaints
and disputes they handle; and
 opportunities for privacy enforcement staff training and employment.386
4.4.2 Data Privacy Subgroup of the APEC Electronic Commerce Steering Group
In November 2004, Ministers of the Asia-Pacific Economic Co-operation (APEC) endorsed
the APEC Privacy Framework, developed by the Data Privacy Subgroup of the Electronic
Commerce Steering Group. The Framework acknowledges the importance of protecting
information privacy alongside the desirability of maintaining information flows between
economies in the Asia Pacific region. Lack of consumer trust and confidence in the privacy
and security of online transactions and information networks is seen as a potential barrier to
realising the benefits of electronic commerce for member economies. The Framework is
positioned as being consistent with the OECD's 1980 Privacy Guidelines.
385 APEC, APEC Cooperation Arrangement for Cross-Border Privacy Enforcement, Japan, 28 February 2010.
http://aimp.apec.org/Documents/2010/ECSG/DPS1/10_ecsg_dps1_013.pdf
386 APEC, APEC Cooperation Arrangement for Cross-Border Privacy Enforcement, Japan, 28 February 2010.
http://aimp.apec.org/Documents/2010/ECSG/DPS1/10_ecsg_dps1_013.pdf
1998           Electronic Commerce Steering Group (ECSG) established
2001           e-APEC Strategy includes focus on data protection and consumer trust387
2003           ECSG Data Privacy Subgroup (DPS) established
November 2004  APEC Privacy Framework endorsed by APEC ministers
2005           APEC Privacy Framework published388
2006           Data Privacy Individual Action Plans
2007           Data Privacy Pathfinder
2009           Cross-Border Privacy Enforcement Arrangement (CPEA)
2011           Cross-Border Privacy Rules (CBPR) system finalised
Table: key events in APEC privacy co-operation
The Framework consists of nine principles to assist APEC countries in developing approaches
to privacy that maximise privacy protection whilst at the same time encouraging the cross-
border flow of information. The principles are preventing harm, notice, use, collection
limitation, choice, security safeguards, integrity, access and correction, and accountability.
The Framework's privacy principles and implementation guidance are focused on the
achievement of four main goals:
• "To develop appropriate privacy protections for personal information.
• To prevent the creation of unnecessary barriers to information flows.
• To enable multinational businesses to implement uniform approaches to the collection,
use, and processing of data; and
• To facilitate both domestic and international efforts to promote and enforce
information privacy protections." 389
The Framework is intended to be implemented in a flexible manner which may differ between
member economies. However, different methods of implementation should be designed so as
to maximise compatibility of approaches to privacy protection across the region. Member
economies are encouraged to share information on matters with impacts upon privacy, on
educational and training efforts, on experiences of investigations, on regulatory strategies, and
to designate public authorities responsible for cross-border co-operation and information
sharing in relation to privacy protection.390
The Framework asks member economies to consider developing co-operative arrangements
and procedures to facilitate cross-border collaboration in the enforcement of privacy laws
(taking into account existing international arrangements and the requirements of domestic
law). The Framework envisages co-operative arrangements as including mechanisms for
efficient notification of investigations, information sharing, investigative assistance,
prioritisation, and the maintenance of confidentiality. The Guidance for Domestic
Implementation of the APEC Principles also annexes a future work agenda that includes the
following:
"Member Economies should cooperate in relation to making remedies available against
privacy infringements where there is a cross-border dimension. In order to contribute to this
goal, Member Economies will endeavour to develop cooperative arrangements between
privacy investigation and enforcement agencies of Member Economies." 391
387 Electronic Commerce Steering Group, e-APEC Strategy, People's Posts & Telecommunications Publishing
House, October 2001. http://publications.apec.org/publication-detail.php?pub_id=584
388 Asia-Pacific Economic Cooperation, APEC Privacy Framework, APEC Secretariat, Singapore, 2005.
http://publications.apec.org/publication-detail.php?pub_id=390
389 OECD, Report on the Cross-Border Enforcement of Privacy Laws, Paris, October 2006, p. 23.
390 Asia-Pacific Economic Cooperation, APEC Privacy Framework, APEC Secretariat, Singapore, 2005, p. 34.
http://publications.apec.org/publication-detail.php?pub_id=390
A stocktaking exercise on the national implementation of the APEC Privacy Framework is
part of the 2013-2014 work programme for the Data Privacy Subgroup.
In line with the call in the Framework, APEC's Data Privacy Subgroup developed Cross-
Border Privacy Rules, along with arrangements for information sharing and co-operation
among privacy regulators in the area of investigation and enforcement.392 The Data Privacy
Subgroup also had responsibility for the Data Privacy Pathfinder Initiative. The APEC Data
Privacy Pathfinder was established in 2007. The aim of the Pathfinder was to allow for
accountable cross-border flow of personal information in the APEC region. Amongst other
projects, this was to be achieved through the development and implementation of a set of
Cross-Border Privacy Rules (CBPR) consistent with the APEC Privacy Framework. Cross-
Border Privacy Rules allow businesses to set out their practices for collecting and processing
personal information, and to use these rules as internal procedures. The rules must comply
with the APEC Privacy Framework and the national laws of the countries where the business
operates.393 The Framework implementation guidance notes that organisations remain
responsible for complying with local data protection laws, but that CBPR allows mutual
recognition between economies. The Data Privacy Subgroup has recently worked on a CBPR
Glossary. Currently the USA and Mexico have applied and met the requirements for
participation in CBPR.
APEC members also develop Data Privacy Individual Action Plans (IAP) and lodge these
with APEC.394 The aim of the IAP is to allow member economies to understand the stage of
data privacy that another member economy has reached, and thereby to facilitate the
development of common effective privacy protections and the cross-border flow of
information. IAPs are intended to be updated periodically to reflect domestic implementation
of the APEC Privacy Framework, although only five out of 14 have been updated since 2006.
2013 saw the first meeting of the APEC/EU Working Team under the auspices of the 27th
Meeting of the Electronic Commerce Steering Group. The EU was represented by officials
from the French, German and EU data protection authorities as part of the Article 29 Data
Protection Working Party. The discussion centred upon the relationship between the European
Binding Corporate Rules and APEC CBPR.
391 OECD, October 2006, op. cit., p. 23.
392 Ibid, p. 24.
393 Attorney General's Department, "Asia-Pacific Economic Cooperation privacy", undated.
http://www.ag.gov.au/RightsAndProtections/Privacy/Pages/APECprivacy.aspx
394 APEC, "Data Privacy Individual Action Plan", undated. http://www.apec.org/Groups/Committee-on-Trade-and-Investment/Electronic-Commerce-Steering-Group/Data-Privacy-Individual-Action-Plan.aspx
4.4.3 APEC – Art 29 WP Promoting Co-operation on Data Transfer Systems
Representatives of the Article 29 Working Party and the Asia Pacific Economic Cooperation
(APEC) met for the first time, in Jakarta, with the aim of facilitating transfers of personal
data for multinational companies that operate both in Europe and the Asia-Pacific.395
In the European Union, Binding Corporate Rules (BCR) have been developed to govern
international data transfers made by companies or groups of companies. These binding
internal rules define a company's policies on data transfers in order to ensure adequate
safeguards for personal data transferred from the European Union to third countries.
In 2012, APEC Member Economies completed development of Cross-Border Privacy Rules
(CBPR) for the protection of personal data throughout the Asia-Pacific. Like BCRs, CBPRs
are designed to ensure that a company's privacy policies meet established standards for the
protection of personal information. Such policies must be validated by APEC-recognised
Accountability Agents.
Both BCRs and CBPRs make use of internal binding rules for cross-border transfers of
personal data, subject to prior approval by EU Data Protection Authorities or by APEC-
recognised Accountability Agents.
Before the Jakarta meeting, the Article 29 WP conducted a study of CBPRs to identify the
similarities and differences with BCRs. Using this initial comparison as a starting point, the
Article 29 WP and participating APEC member countries are co-operating to develop
practical tools, including a common referential, for those multinational companies that have
data collection and/or processing-related activities in both the EU and the APEC region.
In January 2013, a BCR/CBPR committee met for the first time to discuss this topic.
Participants from the EU included representatives from the CNIL (France), the German
Federal Commissioner for Data Protection and Freedom of Information, the European Data
Protection Supervisor and the European Commission. From APEC, 10 member countries
participated, including Canada, Chinese Taipei, Japan, Korea, Malaysia, New Zealand, the
Philippines, Singapore, Thailand and the United States. The committee set to work on the
development of a roadmap for continuing cooperation and for developing practical tools for
use by companies doing business in Europe and the Asia-Pacific region.
4.5 ASIA PACIFIC PRIVACY AUTHORITIES (APPA)
APPA brings together privacy regulators from Pacific Rim countries for co-operation and
collaboration.396 APPA convenes twice a year, sharing jurisdictional reports and discussing
topical issues including privacy and security, cross-jurisdictional law enforcement in the
Pacific Rim, privacy legislation amendments, and personal data privacy.
Established in 1992, the Asia Pacific Privacy Authorities is a forum for privacy authorities
from the Asia-Pacific region. APPA was formerly known as PANZA and PANZA+
(Privacy Agencies of New Zealand and Australia plus Hong Kong and Korea). An internal
review in 2005 resulted in updating the name of the forum to more accurately reflect its
membership and to put a formal structure in place.
395 The information in this section has been adapted from Article 29 Data Protection Working Party, "Promoting
Cooperation on Data Transfer Systems Between Europe and the Asia-Pacific", Press release, Brussels, 26 March
2013. http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/20130326_pr_apec_en.pdf. APEC issued a similar press release. See
http://www.apec.org/Press/News-Releases/2013/0306_data.aspx. Additional details about APEC meetings,
events, projects and publications can be found at www.apec.org.
396 APPA's website is located at www.appaforum.org.
The objectives of the forum are to facilitate knowledge sharing between the region's privacy
authorities, foster co-operation in privacy and data protection, jointly promote privacy
awareness activities, promote best practice among privacy authorities, improve regulatory
performance, and support efforts to improve cross-border co-operation in privacy
enforcement.397
APPA only allows as members authorities that have been accredited by the International Data
Protection Commissioners Conference398 and, since 2010, participants in the APEC Cross-
border Privacy Enforcement Arrangement (CPEA) and members of the OECD Global Privacy
Enforcement Network (GPEN). APPA also aims to maintain positive relationships with such
complementary networks. Current APPA members include the following:
• Federal Institute for Access to Information and Data Protection, Mexico
• Federal Trade Commission, United States
• Information and Privacy Commission, NSW
• Korea Internet and Security Agency
• Korea Personal Information Protection Commission
• Office for Personal Data Protection, Macau
• Office of the Australian Information Commissioner, Australia
• Office of the Information and Privacy Commissioner, British Columbia
• Office of the Information Commissioner, Queensland
• Office of the Northern Territory Information Commissioner
• Office of the Privacy Commissioner for Personal Data, Hong Kong
• Office of the Privacy Commissioner, Canada
• Office of the Privacy Commissioner, New Zealand
• Office of the Victoria Privacy Commissioner
• Superintendencia de Industria y Comercio (SIC), Colombia
• National Authority for Data Protection, Peru
The APPA meeting in Auckland in July 2013 was its 39th meeting. Issues commonly
discussed at the forum include current privacy enforcement issues, jurisdictional reports,
significant privacy and data protection events, the activities of and co-operation with other
data protection networks, reports from the working groups, and presentations from invited
external guest speakers.
Since December 2009, APPA has had a Secondment Framework that exists to foster
collaboration between APPA members and promote best practice. The framework
acknowledges the relatively small staff numbers of APPA members, and the limited
opportunities for internal promotion. Secondments help employees to develop new skills and
experience, to transfer knowledge and experience, and even to fill gaps during absences.399
397 APPA, Statement of Objectives. http://www.appaforum.org/resources/#objectives
398 Greenleaf, Graham, "Independence of Data Privacy Authorities: International Standards and the Asia-Pacific
Experience", Computer Law & Security Review, Vol. 28, Issues 1 & 2, 13 December 2011.
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1971627
399 Asia Pacific Privacy Authorities, APPA Secondment Framework, December 2009.
http://www.appaforum.org/resources/APPA_Secondment_Framework_.pdf
APPA is also responsible for the co-ordination of Privacy Awareness Week, held in late April
or early May each year since 2006. The purpose of the Week is to promote greater privacy
awareness and the importance of protecting personal information. The Privacy Awareness
Week website (http://www.privacyawarenessweek.org) hosts resources (particularly for young
people) as well as collating links to the campaigns conducted by individual data protection
authorities under the Privacy Awareness Week banner.
In November 2005, APPA agreed a standardised citation system for case notes issued by
members, to facilitate reference to cases and investigations conducted by privacy authorities
in the region. In November 2006, APPA adopted a recommended method for the
dissemination of case notes in order to make these as widely available as possible and
therefore maximise the collective regional benefit. APPA encourages members to co-operate
with third-party publishers that wish to republish these notes, and to make them available in
an electronic format to a regional consolidated access point. The suggested access point is the
World Legal Information Institute's Privacy Law Library.400
The Office of the Australian Information Commissioner provides the APPA secretariat.
4.5.1 Technology Working Group
The Technology Working Group is made up of representatives with an interest in technology
and privacy from each APPA member organisation. The Group collaborates on common
issues experienced across APPA jurisdictions.
The APPA Technology Working Group considered Google's Privacy Policy in 2012. It
adopted a position supportive of the Article 29 Working Party's investigation of the Policy.401
4.5.2 Communications Working Group
The Communications Working Group is made up of communications professionals from each
APPA member organisation, who consult on communications matters. The group co-ordinates
Privacy Awareness Week.402
4.6 IBERO-AMERICAN DATA PROTECTION NETWORK
In 2003, the Spanish Data Protection Authority (Agencia Española de Protección de Datos,
AEPD) founded the Ibero-American Data Protection Network (RIPD) as an advisory forum
for national data protection efforts in Latin America.403 The network was established as a
consequence of the agreement reached at the Ibero-American Data Protection Meeting held in
La Antigua, Guatemala in 2003, attended by representatives of 14 Latin American countries.
This initiative had political support from the outset, as reflected in the Final Declaration
of the XIII Summit of Heads of State and Government of Latin American countries held in
Santa Cruz de la Sierra, Bolivia, on 14 and 15 November 2003.
400 http://www.worldlii.org/int/special/privacy/
401 Pilgrim, Timothy, "Google's Privacy Policy", Letter to Jacob Kohnstamm, 12 October 2012.
http://www.cnil.fr/fileadmin/documents/en/APPA_SUPPORT_LETTER-Article_29_Letter.pdf
402 See www.privacyawarenessweek.org
403 OECD, Report on the Cross-Border Enforcement of Privacy Laws, Paris, October 2006, p. 24.
These members were fully aware of the nature of personal data protection as a fundamental
right, as well as of the importance of Latin American regulatory initiatives to protect the
privacy of their citizens. It therefore became a forum to promote the fundamental right to data
protection in that community.
The RIPD was regulated through the rules adopted on the occasion of the VI Ibero-American
Data Protection Meeting held in Cartagena de Indias, Colombia (from 27 to 30 May 2008). In
turn, the RIPD was opened to all Latin American countries to promote and implement
initiatives and projects related to this subject. The aim was to create a forum involving various
stakeholders, both public and private. The intention was thus to promote, maintain and
strengthen a close and continuous exchange of information, experience and knowledge among
them and, at the same time, to promote policy developments to ensure advanced regulation of
data protection rights in a democratic context, taking into consideration the need for a
continuous data flow between countries with different approaches but the same concern for
this right.
In terms of activity, there have been ten Annual Meetings in addition to many other seminars
on a variety of topics of interest such as data protection of minors, health data, financial
fraud, business and marketing industry concerns (especially the fight against spam), new
technologies and their impact on privacy, international transfers and so on.
This line of work has served to establish a leading role in the development and promotion of
dialogue and policy initiatives in the region, which has meant that over 150 million Latin
American citizens today have, alongside the traditional defence of habeas data, standards
which effectively regulate the use of personal information and also specialised authorities with
powers to protect such guarantees.
One of the strategic objectives of the RIPD is the definitive consolidation of this forum as one
suitable for making decisions, adopting documents and securing their future strategies.
Ultimately, it is of paramount interest for the institutions that currently make up the RIPD to
encourage the promotion and implementation of the fundamental right to the protection of
personal data through entities with the capacity and skills to encourage national governments
to develop regulatory legislation in this area. This is required in order to obtain an adequacy
decision from the European Commission, and in addition to achieve harmonisation of
national laws on data protection at a global level, so that the development of international
trade and new communication technology might be compatible with the protection of the
rights of individuals.
The RIPD is structured through the following organisational bodies:
The Presidency of the RIPD is elected among the members attending the RIPD's Assembly and
is responsible for representing the RIPD in all national and international fora, promoting and
supporting national legislative initiatives and standing for the RIPD in all social activities in
Latin America. Currently, the Presidency is held by Mexico, and it is exercised by the Federal
Institute of Access to Information and Data Protection.
The Executive Committee is composed of the Presidency and four Members of the RIPD, and
its main functions are to approve the working programme for the upcoming year and to promote
all the actions necessary for the holding of the next Annual Meeting. Currently, the Executive
Committee is composed of Spain, Portugal, Argentina, Mexico and Chile.
The RIPD's Secretariat is provided by the Spanish Data Protection Agency, which is in charge
of coordinating tasks as the technical body and of following up the RIPD's activities. The
RIPD's Secretariat is responsible for maintaining a continuous relationship with the RIPD's
Executive Committee, establishing contacts with national and international organisations,
carrying out, together with the Working Groups, the development of decisions and projects
approved by the RIPD, facilitating open communication and exchange of information
among the RIPD members, and coordinating Seminars and Working Groups.
The Ibero-American General Assembly of the RIPD is held once a year. It is considered a
RIPD body, as well as a forum for direct discussion and adoption of decisions and documents.
4.6.1 Spanish DPA's other outreach efforts in Latin America and East European countries
The Spanish Data Protection Agency (AEPD) has been cooperating with other Latin
American countries for many years in the framework of many bilateral memoranda of
understanding with Colombia (2012), Perú (2012), Chile (2011), Bolivia and the Mexican
States of Nuevo León (2011), Distrito Federal (2009), Oaxaca (2009), Jalisco (2009) and
Hidalgo (2009).
In addition, it has been supporting and cooperating with other Eastern European data
protection agencies, such as:
1. The Czech Office for Personal Data Protection and the Spanish Data Protection Agency
adopted a statement affirming the excellent results obtained while carrying out the Twinning
Project PHARE CZ2000/IB/OT/03, in implementation of the Covenant signed by both
parties. Both institutions were aware of the unavoidable need to increase cooperation between
data protection authorities, with a view to establishing a uniform application of the data
protection legislation existing in different countries.
2. Bulgaria and the Spanish Data Protection Agency developed a twinning project, PHARE
BG/2005/IB/OT/02, which was signed on 27 December 2006; its performance started in
January as per the provisions of the contract.
The Project included 42 activities (37 work meetings and seminars in Bulgaria and 5
study visits in Spain), covering institutional development and investment in the Bulgarian
CPDP, so as to achieve greater effectiveness of the activities in the field of personal data
protection within the country, by means of the acceptance and performance of EU best
practices with regard to preventing infringements related to personal data protection, as well
as providing the best protection of such data.
3. The Twinning project IS/2007/ENPAN/JH/01 was brought about between Israel (the
Israeli Law, Information and Technology Authority (ILITA), the data protection authority in
Israel) and its counterpart in Spain (AEPD) and was set in motion on 3 June 2009. This
twinning programme aimed to strengthen the effective protection of personal data in Israel by
developing ILITA's operational and effective enforcement capabilities, with the goal of
bringing them in line with international standards and those set out in the EU Data
Protection Directive.
The twinning project consisted of the following aspects:
• The enhancement of ILITA's competencies through the development and
implementation of a personal data protection strategy plan, as well as enhancing
ILITA's effective regulatory powers.
• The enhancement of enforcement through staff training in complaint handling and
streamlining ILITA's complaint-handling procedures, as well as through setting in
place investigative and relevant intelligence capabilities.
• Increasing the awareness among data controllers, data subjects, policymakers,
lawmakers and the general public about the importance of personal data protection,
and increasing adherence to personal data protection legislation.
4. The European Union IPA Programme for Croatia was funded under IPA 2007. Its twinning
project HR/2007/IB/JH/02 was titled "The Capacity of the Croatian Agency for Protection of
Personal Data". It started in August 2010, ending 22 months later. This EU project used the
expertise of Spain, especially the Spanish Data Protection Authority, in order to reach an
efficient institutional framework capable of dealing with all the requirements of the common
data protection policies. The overall objective was the strengthening of the consultative and
supervisory role of the Croatian Agency for Protection of Personal Data. This EU project was
divided into two clearly distinct components: the first one dealt with legal issues while the
second one tackled information security.
4.7 ASSOCIATION OF FRANCOPHONE DATA PROTECTION AUTHORITIES
The Association francophone des autorités de protection des données personnelles (AFAPDP)
has an important capacity-building component.404 The association of personal data protection
authorities of the French-speaking countries was founded in 2007 and consists of 27
personal data protection authorities from the 24 member states of the International
Organisation of La Francophonie. Members of the Association are the personal data
protection authorities of Albania, Andorra, Austria, Belgium, Bulgaria, Burkina Faso, Canada
(federal authority, Quebec and New Brunswick), Cyprus, Croatia, Czech Republic, France,
Greece, Hungary, Lithuania, Luxembourg, Macedonia, Monaco, Poland, Romania, Senegal,
Slovakia, Slovenia, Switzerland, Cape Verde and Tunisia.
The Association promotes cooperation and training between countries that speak French in
the area of personal data protection. The commitment is to create a structure for support and
sharing of knowledge. The Association is also a source of expertise for countries where there
is no legislation for personal data protection. The Association participates in dialogue and the
implementation of the right to privacy and personal data protection in the framework of
international organizations such as the United Nations, the European Union, and the Asia
Pacific Economic Cooperation. At the same time the Association has an observer status in the
Consultative Committee of the Convention on the Protection of Individuals with regard to
Automatic Data Processing (Convention 108).
In 2008, the Association held its second annual conference in Strasbourg immediately after
the International Conference of Commissioners on Data Protection and Privacy. The
workshops of the conference were devoted to sensitivity and training on good practices, and
technical elements related to mobility and geolocalisation.405
404 http://www.afapdp.org/
4.7.1 CNIL's outreach efforts at co-operation
The French data protection authority (CNIL) promotes data protection in francophone
countries.
4.8 BRITISH, IRISH AND THE ISLANDS DPAS
This informal and loose network covers the DPAs of the United Kingdom; Ireland; the British
Crown Dependencies with separate DPAs (Isle of Man, Jersey, Guernsey, Gibraltar); and other
countries/territories with an historical association with Britain (e.g. Malta, Cyprus). It has
existed since around 1989. Representatives from Bermuda have also been attending recently,
in anticipation of the enactment of data protection legislation. In general, it is a loose gathering
that anyone with a link to Britain and/or the common law can ask to attend. It does not have a
formal constitution or rules of procedure.
In recent years, it has met once per year, with DPAs taking turns to host: Gibraltar hosted last
year, with Ireland hosting this year. The agenda of the meeting is as requested by members,
but standard items include a review of developments in the different jurisdictions and a
review of developments in the EU (even though some members are non-EU for data
protection purposes).
4.9 EU-US AD HOC WORKING GROUP ON DATA PROTECTION
The EU and US launched an ad hoc working group on data protection in Washington DC on 8
July 2013, with a first meeting in Brussels on 22-23 July 2013.406 The EU side comprises
representatives from the EU Presidency, the Commission, the Counter-terrorism Co-ordinator,
the European External Action Service (EEAS), a member of the Article 29 Working Party and
10 experts from the Member States. The EU side is co-chaired by the European Commission
and the Presidency. The Chairs will report in due course to COREPER, which will decide
on the follow-up to the outcome of the group.
A contentious issue of discussion between the EU and American sides in the working group is
surveillance of EU premises. COREPER has discussed the modalities through which EU
institutions and Member States will have the possibility to exchange information and co-
ordinate their dialogues with their US counterparts.
405 Directorate for Personal Data Protection, Republic of Macedonia, "Association francophone des autorités de
protection des données personnelles (AFAPDP)", undated. http://dzlp.mk/en/node/622
406 Lithuanian Presidency of the Council of the European Union, Presidency statement on outcome of
discussions on EU–US working group, 19 July 2013.
http://www.eu2013.lt/en/news/statements/presidency-statement-on-outcome-of-discussions-on-euus-working-group
4.10 MEMORANDA OF UNDERSTANDING (MOUS)
Data protection authorities and privacy commissioners are using memoranda of understanding
(MoUs) to foster co­operation and co­ordination. One example of such an MoU is that signed
in October 2012 by Canadian Privacy Commissioner Jennifer Stoddart and German Federal
Data Protection Commissioner Peter Schaar, the aim of which is to strengthen their mutual
co­operation in the cross­border supervision of data protection.407
Under the agreement, both data protection authorities will exchange information in
connection with their supervisory activities and inform each other about important events or
complaints. In concrete cases – contrary to previous practice – co­ordinated supervisory
procedures relating to data protection law may take place in order to ensure the data subjects’
protection regardless of the location of the data processing.
Another example of such an MoU is that signed between Irish Data Protection Commissioner
Billy Hawkes and US Federal Trade Commissioner Edith Ramirez in July 2013.408 The MoU
aims to support increased co-operation and communication between the two sides in their
efforts to ensure protection of consumer privacy and data protection rights.
The FTC describes itself as the chief U.S. consumer privacy agency. It uses law enforcement,
research, policy initiatives, and consumer and business education to protect consumers’
personal information. Its functions mirror those of the Commissioner in the area of data
protection.
The MoU provides a basis for the sharing of experiences and knowledge of issues
encountered by both agencies in their interactions with consumers and businesses and in
relation to cross-border enforcement co-operation. Both sides expect the MoU will help
companies to do business internationally while meeting their data protection responsibilities.
Many U.S. multinational companies have subsidiaries in Ireland, and Irish companies have a
“significant” investment in the U.S. It is important to both agencies that these companies
respect the privacy rights of their customers and comply with applicable law.
The MoU is a framework for voluntary cooperation and will not change existing law in either
country. Even before signing the MoU, the two agencies had co-operated informally on cross-
border policy and enforcement, through the London Action Plan (LAP, an anti-spam network)
and the Global Privacy Enforcement Network (GPEN).
Christopher Kuner from Brussels law firm Wilson Sonsini commented that the MoU was a
significant development. "It continues the trend toward agreements between privacy
enforcement authorities worldwide… It is particularly important given that many large
multinationals have their main European establishment in Ireland, meaning that the Irish DPA
is the main European enforcement authority for many leading companies. Both companies
and consumers need better cooperation and coordination between data protection and privacy
enforcement authorities in different countries, and bilateral memoranda like this are a good
way to achieve that goal."409
407
German Federal Commission for Data Protection and Freedom of Information, “German and Canadian data
protection authorities establish a basis for enhanced cooperation”, Press release, Bonn, 15 Oct 2012.
http://www.bfdi.bund.de/EN/PublicRelations/PressReleases/2012/21_DCANEstablishABasisForEnhancedCooporation.html?nn=410156
408
Office of the Data Protection Commissioner, “Data Protection Commissioner signs Memorandum of
Understanding with U.S. Federal Trade Commission”, Press release, 9 July 2013.
http://www.dataprotection.ie/docs/27-6-13--Press-Release--Data-Protection-Commissioner-signs-Memorandum-of-Understanding-wih-FTC/1317.htm
Finally, the Macedonian DPA has signed several MoUs with various DPAs.410
4.11 TAIEX PROGRAMME
TAIEX is the Technical Assistance and Information Exchange instrument managed by the
European Commission’s Directorate-General Enlargement.411 TAIEX supports partner
countries with regard to the approximation, application and enforcement of EU legislation. It
is largely demand driven and facilitates the delivery of appropriate tailor-made expertise to
address issues at short notice. The objectives of the TAIEX programme are:
 To provide short-term technical assistance and advice on the transposition of EU
legislation into the national legislation of beneficiary countries and on the subsequent
administration, implementation and enforcement of such legislation.
 To bring ENPI412 partner countries closer to the European Union, through increased
economic integration and a deepening of political cooperation by sharing the
experience gained during the enlargement process.
 To provide technical training and peer assistance to partners and stakeholders of the
beneficiary countries.
 To be an information broker by gathering and making available information.
 To provide database tools for facilitating and monitoring the approximation progress
as well as to identify further technical assistance needs.
Strengthening the European Union as an area of freedom, security and justice without internal
borders constitutes an important focus of TAIEX assistance.
Technical assistance through the TAIEX instrument comes in many different forms and
across a wide range of areas. Partner administrations can benefit from TAIEX’s flexibility to
help meet wider training needs in EU legislation by reaching a significant number of officials.
At the same time, it is important to retain an awareness of and be responsive to more targeted
requests. In this regard, the expert and study visit format, depending entirely on requests
received from beneficiary partners, provides a complementary institution-building service.
TAIEX is aimed at the following groups of countries:
 Croatia, Iceland, Turkey, former Yugoslav Republic of Macedonia;
 Albania, Bosnia and Herzegovina, Montenegro, Serbia and Kosovo*;
 Turkish Cypriot community in the northern part of Cyprus;
 Algeria, Armenia, Azerbaijan, Belarus, Egypt, Georgia, Israel, Jordan, Lebanon,
Libya, Moldova, Morocco, the Palestinian Authority, Syria, Tunisia, Ukraine and
Russia.
409
Bracy, Jedidiah, “FTC, Irish DPA Reach Mutual Enforcement Agreement”, The Privacy Advisor (IAPP), 27
June 2013.
https://www.privacyassociation.org/publications/ftc_irish_dpa_reach_mutual_enforcement_agreement
410
http://dzlp.mk/mk/potpisani%20deklaracii
411
http://ec.europa.eu/enlargement/taiex/what-is-taiex/index_en.htm
412
ENPI is the European Neighbourhood Partnership Instrument. The ENPI is the EC’s main source of funding
for the 17 partner countries (10 Mediterranean and six Eastern European countries, plus Russia). The ENPI
replaces the co-operation programmes TACIS (for the Eastern European countries) and MEDA (for the
Mediterranean countries). The main purpose is to create an area of shared values, stability and prosperity,
enhanced co-operation and deeper economic and regional integration by covering a wide range of co-operation
areas. The overall allocation for the ENPI instrument for the seven-year period 2007-2013 amounted to almost
€12 billion. http://ec.europa.eu/europeaid/where/neighbourhood/overview/
The beneficiaries of TAIEX assistance include those sectors, both public and private, that
have a role to play in the beneficiary countries in the transposition, implementation and
enforcement of EU legislation or, in the case of the ENPI countries, in deepening economic
and political cooperation. The main target groups are:
 Civil servants working in public administrations, at national and sub-national level
and in associations of local authorities;
 The judiciary and law enforcement authorities;
 Parliaments and civil servants working in Parliaments and Legislative Councils;
 Professional and commercial associations representing social partners, as well as
representatives of trade unions and employers’ associations;
 Interpreters, revisers and translators of legislative texts.
TAIEX does not provide direct support to private citizens, or to individual companies.
The role of TAIEX is that of mediating between experts, who provide direct assistance, and
users, for whom the assistance is intended. The beneficiaries of TAIEX assistance include
those sectors playing a role in the beneficiary countries in relation to the transposition,
implementation and enforcement of EU legislation, particularly in data protection. The
experts who participate in the TAIEX programme are selected by European Union Member
States. They are representatives of the administrations of EU Member States, EU institutions
and experts coming from universities and the private sector.
During recent years TAIEX has organised visits and workshops and provided experts to data
protection agencies in Bosnia and Herzegovina, Macedonia and Croatia. As an example of
TAIEX assistance, on 22-23 September 2011, a study visit of representatives of the Albanian
Data Protection Authority, organised jointly by the Inspector General for Personal Data
Protection (GIODO) and the European Commission, took place at the GIODO offices in
Warsaw. The study visit focused on the following issues: law and bylaw drafting,
investigation and inspection, as well as approximation of Albanian legislation with the EU
acquis on data protection.413
4.12 LEONARDO DA VINCI (LDV) PROGRAMME
The Leonardo da Vinci (LDV) Programme414 funds practical projects in the field of
vocational education and training. Initiatives range from those giving individuals work-related
training abroad to large-scale co-operation efforts. The LDV programme funds many different
types of activities of varying scales. These include “mobility” initiatives enabling people to
train in another country, co-operation projects to transfer or develop innovative practices, and
networks focusing on topical themes in the sector. Beneficiaries of the programme range from
trainees in vocational training to people who have already graduated, as well as professionals
in vocational education and training and anyone from organisations active in this field.
The LDV programme enables organisations in the vocational education sector to work with
partners from across Europe, exchange best practices, and increase their staff’s expertise.
Innovation projects are key to the programme. They aim to improve the quality of training
systems by developing and transferring innovative policies, courses, teaching methods,
materials and procedures.
413
http://www.giodo.gov.pl/259/id_art/711/j/en/
414
http://ec.europa.eu/education/lifelong-learning-programme/ldv_en.htm
4.13 TWINNING
Twinning is a European Commission initiative originally designed to help candidate countries
acquire the necessary skills and experience to adopt, implement and enforce EU legislation.415
Since 2003, twinning has been available to some of the Newly Independent States of eastern
Europe and to countries of the Mediterranean region. Twinning projects bring together public
sector expertise from EU Member States and beneficiary countries with the aim of enhancing
co-operative activities. They must yield concrete operational results for the beneficiary
country under the terms of the Association Agreement between that country and the EU.
Twinning projects are built around the secondment of at least one full-time Member State
expert who then goes to work in a beneficiary country administration: they are called Resident
Twinning Advisers (RTAs) and are accredited by the European Commission. Projects can
also include a number of other actions, usually run by relevant public bodies, including
workshops, training sessions, expert missions and counselling. Neighbouring countries in
which the Commission’s twinning initiative is available are:
South: Algeria, Egypt, Israel, Jordan, Lebanon, Morocco and Tunisia.
East: Armenia, Azerbaijan, Georgia, Moldova and Ukraine.
4.14 OTHER INITIATIVES
4.14.1 New Zealand – Privacy (Cross-border Information) Amendment Bill
The government of New Zealand introduced an amendment (section 72c) to its Privacy Act
1993 by means of its Privacy (Cross-border Information) Amendment Bill that deals with
"referral of complaint to overseas privacy enforcement authority".
4.14.2 Communication from the Commission on fighting spam, spyware and malicious
software
In a related field, a Communication from the Commission on fighting spam, spyware and
malicious software contains a section on “International Cooperation”, which provides that
“[t]he Commission is further promoting international cooperation initiatives. The US and
the EU have agreed to cooperate to tackle spam through joint enforcement initiatives, and
explore ways to fight against illegal ‘spyware’ and ‘malware’. The Commission also
takes part in the Canadian International Collaboration working group on Spam.
Discussions are taking place with major international partners e.g., China, Japan.
Concerning Asia the Commission initiated a Joint Statement on International Anti-spam
Cooperation which was adopted at the ASEM conference on eCommerce in February
2005416”.417
415
http://ec.europa.eu/europeaid/where/neighbourhood/overview/twinning_en.htm
416
http://www.asemec-london.org/
417
European Commission, Communication to the European Parliament, the Council, the European Economic
and Social Committee and the Committee of the Regions on fighting spam, spyware and malicious software,
Brussels, 15 November 2006 COM(2006) 688 final, pp. 4-5.
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2006:0688:FIN:EN:PDF
The same Communication also contains a section on “Cross border cooperation”, which
provides that “[r]ecently the Australian and Dutch spam fighting authorities cooperated in
bringing down a large spam operation.”418
4.14.3 ROSKOMNADZOR Conference
Since 2010 the Russian Federal Service for Supervision of Communications, Information
Technology and Mass Media has held an annual conference on Personal Data Protection. The
conference traditionally features representatives of federal executive and legislative
authorities of the Russian Federation, non-governmental organisations, and information
security experts. Participants of the conference have included representatives of DPAs from
Europe, Asia and the Pacific, and the Commonwealth of Independent States, as well as the Council
of Europe, Europol, and Eurojust. Resulting from the conference, memoranda of
understanding were signed between the competent authorities of Russia, Moldova,
Kyrgyzstan, Armenia, Ukraine and Macedonia.419
4.15 CONCLUSIONS
From the preceding overview of international mechanisms for co-operation and co-ordination
between data protection authorities, we can draw the following observations and conclusions.
As within the European Union, at the international level there exist a range of institutional
frameworks which can and do support co-operation and co-ordination between data protection
authorities. These can be understood as complementary networks, in that they offer a range of
options for DPAs willing to increase their international collaboration. Privacy enforcement
collaboration has been discussed in several of these international fora, alongside other forms
of co-operation and co-ordination such as information exchange, staff exchanges, study visits
and the sharing of best practice.
The following figure shows the overlapping memberships of several of the key international
DPA co-operation and co-ordination mechanisms discussed in this section. It should be
viewed in parallel with the European diagram in the previous chapter, which provides a more
granular image of overlapping European co-ordination mechanisms. GPEN acts as a potential
critical bridge between the cluster of European DPAs and the looser cluster of APEC
CPEA/APPA. The groupings of DPAs and other responsible agencies, with the notable
exception of the relatively new GPEN, appear to follow conventional regional or linguistic
divisions, with origins in organisations such as the EU and APEC. The visualisation also
allows the identification of a core group of European DPAs that participate in most of the co-
ordination mechanisms available to them. The larger networks are supported by a range of
bilateral agreements and memoranda of understanding between individual DPAs.
The international networks are primarily voluntary, and are not legally binding. Those
networks that do have binding requirements are the membership organisations built around
pre-existing political affiliations, which often have regional entry requirements and can impose
commitments on members in areas beyond data protection and privacy (such as the OECD,
APEC and indeed, the European Union). Co-operation arrangements such as the APEC
protocol for requesting assistance have a presumption of co-operation, but provide many
grounds for a DPA to decline to provide assistance, up to and including at the discretion of
the DPA. The ICDPPC potentially reaches across the whole geographical spread of this diagram;
however, its membership requirements embed assumptions about the organisational and
institutional form of a data protection and privacy commissioner, which prevent some
organisations (particularly from outside Europe) from becoming members.
Figure 2: Key international co-operation and co-ordination mechanisms, showing the overlap between
their memberships
418
Ibid., p. 7.
419
http://eng.rkn.gov.ru/personal_data/international_conference_personal_data_protection/
In addition to dedicated networks of data protection authorities, three international
governmental organisations exert particular influence in the field of privacy and data
protection co-operation. The OECD has generated a number of recommendations and
guidelines on privacy protection and enforcement, and has provided support to GPEN.
Support from OECD countries for GPEN may result in more OECD members participating in
GPEN. The EU has outreach programmes both at the EU level (e.g., TAIEX) and from the
DPAs of individual member states such as Spain and France, which are involved in language-
based networks of DPAs. There is evidence of interaction and learning between the groups.
Examples include the APEC privacy principles being based on the 1980 OECD guidelines.
Similarly, APEC CPEA adopted the request for assistance form developed by the OECD.
There is ongoing co-operation between APEC and the EU on the compatibility between
APEC CBPR and the EU’s BCR, which on the surface appear to share similar intentions.
There is also evidence of logistical co-operation when possible, such as the scheduling of the
francophone DPA network’s conference to follow on from the ICDPPC in Strasbourg.
In addition to the organisational structures, there are already a range of tools available for co-
ordination and co-operation between DPAs. Examples include the GPEN website and online
platform (hosted by the OECD) as well as lists of contact points (although there are multiple
of these and they may require reconciliation and combination).
Finally, there is evidence to suggest that co-operation can encourage further co-operation. For
example, the Memorandum of Understanding between the Irish DPA and the US Federal
Trade Commission followed on from the two organisations’ co-operation in GPEN and in
the London Action Plan anti-spam campaign.
5 PHAEDRA SURVEY OF DPAS ON IMPROVED CO-OPERATION AND COORDINATION
5.1 RESULTS OF THE SURVEY QUESTIONNAIRE
In mid-February 2013, the PHAEDRA consortium sent out a questionnaire to 79 data
protection authorities and privacy commissioners around the world. The two-page
questionnaire had 10 questions asking about areas for improving co-operation and co-
ordination, possible constraints, measures for improving co-ordination of investigations,
sharing information, suggestions for case studies and examples of co-operation. This chapter
summarises the results of the survey.
As of March 2014, the consortium had received 53 responses. The respondents were mainly
from European DPAs and privacy commissioners, but also included responses from the
Americas, Asia/Pacific, and the Middle East, as depicted in Figure 3 below.
Figure 3: Respondent percentage by region (chart values as extracted: 67%, 12%, 19%, 2%)
This section presents the collated answers to the questions from the survey.
1. In what areas would you like to see improved co-operation and co-ordination with other
privacy commissioners and data protection authorities (DPAs)?
DPAs were asked to rank five possibilities. Discounting “Other”, the overall ranking from
most important to least important is shown in the following charts:
Figure 4: Importance of factors to improve co-operation and co-ordination
The list of areas or factors from the questionnaire included:
 Co-ordination in enforcement actions, especially against multinational data
controllers, to avoid duplication of effort and make more efficient use of resources
 Exchange of knowledge, experience and best practice
 Consistency (i.e., avoiding situations where privacy commissioners and DPAs apply
different criteria in enforcement actions)
 Measures aimed at converging the powers of privacy commissioners and DPAs
 Other
In evaluating responses, we also looked at the most highly ranked (i.e., given importance of 1
or 2) and the least highly ranked items (given importance of 3, 4 or 5), which revealed that the
two most highly ranked areas retained that designation when the rankings were combined,
with a slight edge for “Co-ordination in enforcement actions...”.
Nineteen respondents identified “Exchange of knowledge, experience and best practice” as
the most important factor to improve co-operation and co-ordination, while 17 identified “Co-
ordination in enforcement”.
Figure 5: Frequency with which each area is ranked as of high importance
Figure 6: Frequency with which each area is ranked as less important
2. What are the chief constraints on you in achieving more co-operation and better coordination?
DPAs were asked to rank five possibilities. Again, discounting “Other”, the first possibility
below was regarded as the most serious and the last as least serious.
 Lack of information from other privacy commissioners and DPAs about co-operation
and co-ordination activities
 Limited budgetary and/or human resources
 Legal constraints
 Language differences
Figure 7: Frequency with which each constraint is ranked as of high importance
Figure 8: Frequency with which each constraint is ranked as less important
3. At what level would you like to see improved co-operation and co-ordination? Please tick
the relevant ones.
DPAs were offered three choices, in addition to other, i.e., at the regional and international
levels and by language group (e.g., Ibero-American group, Francophone group). Most
respondents indicated that they would like to see improved co-ordination and co-operation at
either the regional level, the international level or both. In a few cases (10), respondents
expressed an interest in improved co-ordination by language group.
Figure 9: Levels at which improved co-operation and co-ordination is desired
4. What measures do you think could be taken to improve co-operation and enhance coordination of investigations with other privacy commissioners and DPAs?
DPAs were given several options to rank in order of importance. Discounting the “Other”
option, the first below was regarded as most important, followed in order by the others.
 Online tools to facilitate sharing of information (e.g., intranet)
 Additional resources (manpower, budget)
 A small secretariat for exchange of information and best practice
 An international treaty (i.e., binding instrument)
 A memorandum of understanding or other non-binding instrument
 Amending your enabling legislation
 Regularly scheduled teleconferences to discuss common issues
It is interesting to note that DPAs place greater importance on collaboration than on additional
resources, even though many have a shortage of resources for the tasks they perform.
Figure 10: Frequency with which each measure is ranked as of high importance
Figure 11: Frequency with which each measure is ranked as less important
5. Some measures (e.g., an international treaty or amendment of your enabling legislation)
might take a long time. Which measures do you think could be taken in the short term to
improve co-operation and co-ordination?
DPAs made various suggestions. Albania, Bosnia-Herzegovina, Costa Rica, the Czech
Republic, Macau, the Isle of Man, Poland, Portugal and Sweden said that the signing of
memoranda of co-operation or other non-binding instruments would help foster closer co-
operation between privacy commissioners and provide procedures for more effective
exchange of information between competent authorities. Hungary agreed with this, but
emphasised bilateral and regional agreements. Israel also thought an MoU would be useful,
especially for training, educating and exchanging personnel and sharing practical information.
Uruguay said it was establishing MoUs with Mexico, Costa Rica and Canada. Poland
advocated standardised forms and procedures.
Portugal had some specific suggestions regarding an MoU. It said its implementation could be
better and more easily achieved through the establishment of a common information
platform (internal website), where key information should be available, such as a list of
contact persons; a resumé of the powers and functions of each DPA and sectors covered; a
repository of guidelines, enforcement actions, best practices and case law (by themes and
covering different areas), initiatives aimed at raising awareness; a discussion forum where any
DPA may request assistance or advice; where they can discuss “hot” topics informally; where
they can share news and experience, where they can find a calendar of major international
activities; and where they can collaborate on joint actions. Portugal felt that some mechanism
was needed to push DPAs to participate regularly. It said some basic rules might be needed,
for example, regarding deadlines to reply to each other, otherwise co-operation won’t be
effective. Serbia and Vietnam also mentioned online tools to facilitate sharing of information
(e.g., an intranet).
Australia said the OECD Global Privacy Enforcement Network has already developed a
website to share information, and is in the process of developing a non-binding instrument to
facilitate co-ordination and co-operation.420 The Asia Pacific Privacy Authorities (APPA) is
another network established to facilitate exchange of information between DPAs.421 The
GPEN would seem to address Hong Kong’s perceived need for online and informal sharing of
views, enforcement actions being taken and/or experience sharing in a secured environment.
France said it believes that the International Conference is the most appropriate basis on
which co-operation should be built. However, it recognises that the GPEN offers a privileged
opportunity for the exchange of good practice and that it is a useful forum and an efficient
tool for co-operation. It felt consideration should be given to the possibility that the GPEN be
involved and participate in the work of the International Conference (e.g., by creating
windows of co-operation).
Bavaria and Finland saw a need for clear agreements, especially about who is the leading
institution in an enforcement action. Bavaria suggested the creation of an online portal for an
exchange of views. It also saw a need for a repository of data protection acts, translated into
at least English. Estonia was of a similar mind regarding a website operated by a small
secretariat that could initiate questionnaires and topics. Cyprus, Ireland, the Isle of Man,
Ontario, Macedonia, Moldova, Russia and Switzerland also supported an intranet for DPAs,
teleconferencing and a small secretariat. Estonia referred to CIRCA422 for uploading
documents, but said there is a lack of an interactive environment for the exchange of
comments and questions.
420
http://www.privacyenforcement.net/
421
http://www.appaforum.org/
Bulgaria saw a need for a framework document containing common rules for information
exchange and co-operation on joint inspections.
Canada and Belgium saw a need for an efficient, secure mechanism for authorities to
indicate that they are interested in an issue or incident, determine whether other authorities are
interested in working together on a particular issue and form a group to pursue the matter.
Canada and New Zealand said authorities should consider making greater use of GPEN,
although the functionality of the website needs to be improved. Also needed is a discussion
of how GPEN relates to other initiatives, such as the working group to promote international
enforcement co-ordination, created at the Mexico City International Conference in 2011.
Canada said authorities need to assess their ability to co-operate and share information and,
where necessary, discuss this with their governments. New Zealand said countries could refer
to the OECD Recommendation on Enforcement Cooperation as a blueprint for updating their
data protection laws. The Slovak Republic also said DPAs should work toward a legally
binding instrument for privacy co-ordination.
Belgium, Colombia, Germany and Japan saw a need for information sharing on major cross-
border cases/issues, including legal assessments and envisaged measures; sharing of best
practices; joint case studies; regular meetings, workshops and conferences on defined cases
and issues with high relevance for data protection in an international context. Liechtenstein
also saw a need for regional meetings of German-speaking countries. The Slovak Republic
also said co-operation could start at the neighbour level.
France suggested the creation of a task force dedicated to enforcement with regular meetings
in order to exchange views about best practices, on-going cases or technical aspects.
Greece suggested each DPA should appoint at least one contact person who would be
responsible for co-ordination of all activities between the DPAs.
Iceland saw a need for regular inter-European meetings but commented that it could not
attend such meetings due to its severe lack of funding. Italy, Lithuania, Serbia, the Slovak
Republic and Sweden also mentioned a need for additional resources.
Israel suggested developing a model proactive regulatory approach towards data protection
and combining legal and technological R&D activities, somewhat like the Article 29 Working
Party, but able to undertake a wider range of activities.
Japan felt that non-binding instruments like the APEC Cross-Border Privacy Enforcement
Agreement were helpful for improving the international framework of co-operation.
422
CIRCA (Communication and Information Resource Centre Administrator) is a simple groupware, developed
by the European Commission under the IDA Programme. It is a web-based application providing online services
that offer a common virtual space for Workgroups, enabling the effective and secure sharing of resources and
documents. Its architecture is based on Open Source Software. It has been widely used by the EU public
administrations since 1996. It is also a generic service (including help desk, assistance and training services)
operated by the European Commission's Directorate-General for Informatics (DIGIT) to support the work of the
numerous EU committees. For more information see: http://ec.europa.eu/idabc/en/document/6540.html
Mexico, Montenegro and Ontario had several suggestions for improving short-term co-
operation and co-ordination, but all in line with other DPAs. Mexico mentioned:
 Establishing co-operation agreements between authorities to co-ordinate enforcement
actions;
 Sharing information on criteria, studies, guidelines, resolutions and relevant case cross
or common materials that could serve as a reference to other authorities;
 Creating a website that would serve as a kind of library, in which the authorities could
find different types of documents (resolutions, criteria, guidelines, regulation) on
various topics of interest;
 Creating working groups with well-defined objectives that provide continuity for
specific co-operation projects;
 Developing forums and conferences focused on regional, international or group issues;
 Providing training and professional practices to the personnel of other data
protection authorities.
Moldova also supported joint workshops and study visits in order to share experiences and
best practices. Ukraine cited a need for some training and an expert from some other DPA to
help them. Belgium also suggested creation of a programme between DPAs that could help in
the exchange of experiences and best practices with regard to, for example, binding corporate
rules (BCRs), privacy impact assessments, inspections and internal organisation of work.
Vietnam said that trainers should have (of course) good skills, good communication and a
sensitivity towards international cultures.
The Netherlands said that, in the absence of enabling legislation, DPAs could overcome co-
ordination difficulties by identifying and recognising the differences in their legal frameworks
and trying to find work-arounds, or by limiting their co-operation to those areas where
cooperation is feasible. This could already be done on the basis of a bilateral MoU. The US
was of a somewhat similar view: it felt that adoption of an online enforcement co-ordination
tool, and informal arrangements with other authorities to co-operate on appropriate matters
using existing authority, are the most promising short-term measures.
In the short term, the UK said all privacy enforcement authorities should sign up to an
international enforcement co­ordination mechanism which would allow for (a) sharing of
best practice and information exchange for both public and private, national and regional
activity and (b) pooling intelligence about past cases involving data controllers not
established in the context of the processing in the privacy enforcement authority’s
jurisdiction. It should allow for knowing where a data controller is established and identify
the relevant authority for taking this forward. It should also allow for PEAs to signal that they
are interested in the particular issue because they have legal authority regarding the data
controller or because they have a complaint about the data controller from their citizens. This
would allow other PEAs and the lead DPA to co­ordinate action as appropriate.
Vietnam said that establishing a higher level of trust and sustaining relationships between
DPAs so that they are willing to share information would help improve co­operation and co­
ordination in the short term.
6. If you were to undertake an enforcement action against a data controller suspected of
non-compliance with data protection or privacy legislation in your jurisdiction and where
the case has cross-border dimensions, would you be able to share information, including
confidential information, with other privacy commissioners and DPAs?
Although DPAs have frequently mentioned the difficulties in sharing information, especially
confidential information, as a potential barrier to improved co­ordination enforcement actions
internationally, in their responses to this question, it seems that most privacy commissioners
and data protection authorities are able to share information with their counterparts in other
countries, as depicted in the figure below. However, in many instances, whether DPAs are
able to share confidential information is either context­dependent (the possibility of sharing
information depends on the particular situation) or comes with conditions or there are no
provisions in their relevant legislation dealing with such matters.
Figure 12: Ability of DPAs to share information across borders
7. How many full-time employees does your organisation have? Of those, how many work on
international relations, either full-time or for a significant part of their time? Does your
organisation have a unit or department dedicated to international relations?
The responses to this question are summarised in the following table:
Data Protection Authority (in row order): Albania, Australia, Austria, Bavaria, Belgium, Berlin, Bosnia & Herzegovina, Bulgaria, Canada, Colombia, Costa Rica, Cyprus, Czech Rep, Denmark, Estonia, Finland, France, Germany, Greece, Hong Kong, Hungary, Iceland, Ireland, Isle of Man, Israel, Italy
Number of employees (in row order): 29, 62, 16, 50, 37, 24, 73, 170, 20, 1 [28]423, 14, 100, 32, 18, 20, 171, 80, 39, 76, 59, 4, 26.5, 4, 25, 109
Number dedicated to international relations (in row order): 6, 1, 1.5, 1, 1, 2, 3, 4, 6, 3 part-time, [3], 3, 1 + 4 part-time, 0, 5 (0.5 FTE), 7, 7, 7 (1 FTE)424, 0, 5, 4, 0, 0, 1, 4
Does the DPA have a unit dedicated to international relations? (in row order): Y, N, N, Y, N, Y, Y, Y, N, Y, [Y], Y, N, N, N, Y, Y, N, N, Y, N, N, N, N, Y
423
The Costa Rican authority said it was soon to begin a major recruitment, which would result in staff numbers as indicated in the square brackets.
424
Seven staff work on international relations, but their total time is equivalent to one full-time employee (FTE).
Data Protection Authority (in row order): Japan425, Korea, Liechtenstein, Lithuania, Macau, Macedonia, Mexico, Moldova, Montenegro, Netherlands, New Zealand, Ontario, Poland, Portugal, Russia, Serbia, Singapore426, Spain
Number of employees (in row order): 2 - 13, 40, 2, 30, 31, 26, 87, 18, 15, 80, 30, 100, 130, 26, 298, 43, 40, 164
Number dedicated to international relations (in row order): 0-4, 1, 1, 3, 2, 1, 11 part-time, 3, 2, 7, 1, 9, 8, 1, 2, 2 (+5)
Does the DPA have a unit dedicated to international relations? (in row order): Y, N, N, Y, N, Y, Y, Y, N, Y, N, N, Y, Y, N, Y, Y
Data Protection Authority | Number of employees | Number dedicated to international relations | Does the DPA have a unit dedicated to international relations?
Slovak Republic | 28 | 1 | N
Slovenia | 33 | 4 | N
Sweden | 40 | 1 + 4 part-time | Y
Switzerland | 22.7 | 0.8 | N
Ukraine | 43 | 4 | Y
UK | 350 | 2 | Y
USA (FTC) | 45 | 6 | Y
Uruguay | 12 | 12 part-time | N
Vietnam | 40 | 2 | Y
The figures on international relations employees are misleading. Some DPAs have shown the
number of all employees fully or partly dedicated to international relations (e.g., Estonian
DPA: 5 of 18, but the real full­time­equivalent is around 0.5). Some have shown the full­time
equivalent and some have shown only full­time employees (e.g., Denmark: 0 of 32).
425
The Japanese Ministry of Economy, Trade and Industry (METI) responded to the questionnaire. However, in
doing so, it noted that, in Japan, there is no authority dedicated to data protection. Each ministry enforces privacy
in its own jurisdiction, and each ministry and external agency has a unit working on data protection. METI’s
response to the questionnaire joined answers from various ministries and agencies. With regard to FTEs, it said
there are cases where some departments or units also co­operate on privacy issues. The number of employees
within a ministry/agency working on international relations on privacy and data protection ranged between 0 and
4. While it has a department or unit dedicated to international relations, data protection was only a part of its
function.
426
Singapore’s Personal Data Protection Commission (PDPC) was formed in January 2013; hence, it is still
ramping up its recruitment. It envisages 40­50 employees.
We aim to compile a set of case studies, as examples where DPAs or privacy commissioners
have investigated the same issue (e.g., Google Street View) and where privacy commissioners
and DPAs collaborated or shared the results of their investigation with other privacy
commissioners and DPAs (e.g., CNIL shared the results of its investigation into Google’s
combining its privacy policies). Could you suggest from your experience any other case
studies you think the PHAEDRA consortium could usefully investigate?
DPAs suggested a range of case studies worthy of investigation. The PHAEDRA consortium
has carried out 11 case studies, most of which were mentioned by the DPAs in their response
to Question 8. Following is a list of the cases mentioned by DPAs. Some of the cases
mentioned below are examples of successful co­operation and co­ordination, others not.
Suggested cases marked with an * have been explored as case studies in section 2 of this
report.
• Assessment of the implementation of the Data Retention Directive (2006/24/EC)*
• Badoo case (Cyprus DPA co-operated with CNIL and the ICO)427
• Big data
• CCTV in public spaces and in the workplace
• Children’s use of the Internet
• Cloud computing
• Consent in the technological age
• Corporate information and advertising
• Data breach at Sony Computer Entertainment Europe Limited*
• Data losses, e.g., a case involving the Isle of Man and the UK ICO
• Data protection implications regarding the research in, and disclosure of, records of the Historic Archive of the National Security Services
• Electronic medical records
• Eurodac
• Europol
• Google’s privacy policy*
• Google Street View and the collection of WiFi data*
• Health data
• Heritage information centres and credit risk assets (private and public)
• Ibero-American Data Protection Network
• Investigations or studies into MNC [multi-national company] data controllers by a single DPA
• ISO standardisation
• LinkedIn
• Methodologies for controllers to fulfil their obligations
• Microsoft Services Agreement
• Microsoft’s Office 365, which involves cloud services
• Nordic Inspection Co-operation
• Personal data protection in registers of voters
• Powers of tax administration and data protection
• Privacy notices
427
Wikipedia says Badoo is a dating­focused social discovery website, founded in 2006 and managed out of its
Soho, London headquarters, but owned by a company based in Cyprus, which is ultimately owned by Russian
entrepreneur Andrey Andreev. Opinions of Badoo.com on TrustPilot, which are based on user reviews, rather
than press releases, rate the site as 'Very low'.
• Protection of personal data in public records (land registry, central population register)
• Right to be forgotten
• Schengen
• Self-regulation
• Smartphone applications
• Social networks (mainly Facebook), notably the investigations by the Irish DPA* and the Nordic countries
• Spam (Colombia and Spanish DPAs)
• SWIFT case, investigated by the Belgian DPA, results of which were shared with the Article 29 Working Party*
• The annual Iberian meetings of Portuguese and Spanish DPAs to share experiences and discuss common issues and cases involving companies with a presence in both countries
• The Article 29 WP investigations regarding data retention by health insurance companies and telecom providers
• The case-handling workshops under the aegis of the Spring Conference and DPAs’ use of the CIRCA network to exchange information and request assistance for handling similar cases or with the same companies
• The investigation of TJX Companies Inc. conducted by the Office of the Privacy Commissioner of Canada and the Information and Privacy Commissioner of Alberta
• Unsolicited direct marketing and spammers
• Use of biometrics and its relationship with credentials or identity cards
• W3C "Do not track" (standardisation)
• WhatsApp*
• Google Glass*
• Bilateral cases regarding websites/services operating in one country and processing data related to subjects from another country.
8. Could you also provide some other examples involving co-operation (e.g., training)
between your organisation and one or more other privacy commissioners and DPAs?
Albania mentioned the training of its personnel that it had received from other DPAs. It has
also undertaken some study visits to more developed European authorities.
As an example of co­operation, Australia cited the fact that the Asia Pacific Privacy
Authorities (APPA, see section 4.5) has established a Technology Working Group made up of
representatives from each APPA member organisation. The Group collaborates on common
issues experienced across APPA jurisdictions such as the changes to Google’s privacy policy.
APPA has also established a Communications Working Group made up of communications
professionals from each APPA member organisation, who consult on communications
matters. The Group's principal activity is collaborating on Privacy Awareness Week.428 Other
examples of successful co­operation include the Asia Pacific Economic Cooperation (APEC,
see section 4.4) Cross­border Privacy Enforcement Arrangement (CPEA, section 4.4.1)429 and
the GPEN (section 4.3 and the case study in section 2.10).430
Austria said one of its employees underwent a training of two months at CNIL, while another spent several weeks at the Swedish DPA. The Austrian DPA contributed to several data protection-related twinning projects and co-operated closely with the concerned DPAs (Montenegro, Lithuania, Latvia, Czech Republic, Malta, Croatia).431
Bavaria cited examples of co-operation and co-ordination among the German DPAs in regard to Google Analytics, analysis of apps and regular meetings on special themes. It cited examples between European DPAs such as exchanges about questions of international data processing, i.e., standard contractual clauses and binding corporate rules.
The Berlin DPA also mentioned Google Analytics, as an issue intensively discussed at the
national level. This resulted in concessions by Google (limited to Germany).
Furthermore, since 1980, the Berlin Commissioner for Data Protection has been convening
the International Working Group on Data Protection in Telecommunications (see section 3.5)
which has provided a platform for exchanging information on these issues and which has
adopted numerous common positions, working papers and memoranda.432
428
http://www.privacyawarenessweek.org/
429
http://www.apec.org/Groups/Committee-on-Trade-and-Investment/Electronic-Commerce-Steering-Group/Cross-border-Privacy-Enforcement-Arrangement.aspx
430
http://www.privacyenforcement.net
431
Word cloud created utilising tool at Wordle.net
432
These can be found at http://www.datenschutz-berlin.de/content/europa-international/international-working-group-on-data-protection-in-telecommunications-iwgdpt.
The Bosnia and Herzegovina DPA has benefitted from “Twinning Assistance to the Personal
Data Protection Agency” in co­operation with the Data Protection Commissioner of Saxony
(Germany). The purpose of this project was to strengthen the protection of personal data
processed by public authorities and law enforcement agencies in accordance with European
standards. The project was successfully completed on 31 March 2010.
Canada said it has hosted several delegations over the last few years, including the
Commissioner of a newly created authority in the Caribbean who spent several days at the
OPC. Canada has also hosted a South African delegation and officials from Burkina Faso and
Benin, who spent a week at the OPC. Canada was one of the founding members of the
Association francophone des autorités de protection des données personnelles (AFAPDP, see
section 4.7), which has an important capacity­building component.433 The Canadian OPC has
had several short­term (of four or five weeks duration) staff exchanges with the CNIL, the
FTC, the ICO and Mexico’s IFAI.
As an example of good co­operation, the Czech Republic mentioned the TAIEX seminars and
study visits held in co­operation with DPAs from different countries, mostly from the Central
and Eastern Europe region (see section 4.10).434
Denmark said the Nordic countries have a tradition of meetings and sharing experiences and,
some years ago, training. They also undertake joint supervisory actions on a case­by­case
basis. Finland also mentioned Nordic co­operation in meeting with expert lawyers and media
officers. Iceland mentioned the Nordic countries’ having an exchange program for DPA
employees, although it had not used that program.
The Baltic DPAs (Estonia, Latvia and Lithuania) meet regularly (see section 3.7). They have
co­operated regionally on two joint supervisions, one of which was of the Radisson Blu
hotels. They also co­operate on monitoring and issuing recommendations.
The Federal Commissioner of Germany said it is a member of and co­operates with the
following bodies:
• International Conference of Data Protection and Privacy Commissioners (section 4.1)
• International Working Group on Coordination of Privacy Enforcement (section 4.1.4)
• International Working Group on Data Protection in Telecommunications ("Berlin Group")
• OECD Working Party on Information Security and Privacy (WPISP) (section 4.2.1)
• Global Privacy Enforcement Network (GPEN)
• Accountability Project
• Council of Europe T-PD (Convention 108) (section 3.3)
• Article 29 Working Party and its Technology Subgroup, Borders Travel Law Enforcement Subgroup and WADA Subgroup as well as its subgroups on the Future of Privacy, Key Provisions, E-Government, International Transfers, Financial Matters (section 3.2)
• Co-ordinated Data Protection Supervision Group of Eurodac (section 3.8.4)
433
http://www.afapdp.org/
434
TAIEX is the Technical Assistance and Information Exchange instrument managed by the Directorate-General Enlargement of the European Commission. TAIEX supports partner countries with regard to the approximation, application and enforcement of EU legislation. http://ec.europa.eu/enlargement/taiex/what-is-taiex/index_en.htm
• Co-ordinated Data Protection Supervision Group of the European Visa Information System (VIS) (section 3.8.3)
• Joint Supervisory Board of Europol (section 3.8.5)
• Joint Supervisory Authority of the Schengen Information System (SIS I; in near future SIS II) (section 3.8.1)
• Joint Supervisory Authority of the European Customs Information System (section 3.8.2)
• European Conference of Data Protection Commissioners ("Spring Conference") (section 3.1)
• Case-Handling Workshop (section 3.1.1)
In addition, it has a bilateral co­operation arrangement with the Privacy Commissioner of
Canada. It has also co­operated with other DPAs on a case­by­case basis, inter alia with the
DPAs of Bulgaria, Macedonia and Moldova.
Japan has co­operated with other privacy commissioners and DPAs in a case involving the
leakage of personal data, but did not provide further details. For its part, Macao said it co­
operated with some other DPAs, by contacting a designated contact person in GPEN. It raised
formal requests of assistance and, on one occasion, technical support to find out the physical
location of a website server. It sent staff to Hong Kong to attend training courses organized by
the Office of the Privacy Commissioner for Personal Data.
The Polish DPA (GIODO) also mentioned most of those bodies listed above, as well as the
Central and Eastern Europe Data Protection Authorities Group. GIODO said it was also
participating in some international projects: the Leonardo Da Vinci (LDV) mobility projects,
LDV partnership projects (section 4.12), study visits and twinning projects (section 4.13) .435
Greece and Hungary also mentioned the Case Handling Workshop as an example of co­
operation as well as twinning projects.
Hong Kong gave as examples the APEC Cross­Border Privacy Enforcement Arrangement
(CPEA), the Data Privacy Subgroup of the APEC Electronic Commerce Steering Group, the
Asia Pacific Privacy Authorities (APPA) and the Technology Working Group (TWG) of
APPA, which Hong Kong convenes. The TWG has carried out co-operation including the enquiry into Google’s privacy policy change, the sharing of views on cloud computing for the purpose of publishing guidelines for industry, and other exchanges of information on technology developments that might affect personal data protection.
Several countries, including Hungary and Ireland, mentioned the TAIEX study visits (section
4.11). Ireland said it had hosted other DPAs at its office and gave one DPA inspection powers
under its Act in the conduct of an audit.
The Isle of Man mentioned regular informal communication and exchange of views between
its Office, the UK, Ireland, Jersey, Guernsey and Gibraltar.
Israel mentioned the AEPD­ILITA twinning program, which was “a successful, enriching and
important program that allowed ILITA staff to discuss cutting edge issues with international
colleagues”.
435
http://ec.europa.eu/education/lifelong­learning­programme/ldv_en.htm
The Italian DPA gave as an example of co­operation its membership in the EU privacy
taskforce, led by CNIL, which investigated Google’s privacy policy changes and the relevant
consequences for users. It also mentioned GPEN of which it has been a member since 2010. It
has also participated in several twinning and TAIEX projects (involving the DPAs and/or
competent institutions from Croatia, Turkey, Albania, former Yugoslav Republic of
Macedonia, etc.), providing know­how and experience in implementing their data protection
legislation.
Mexico cited as an example of co­operation the trainings provided by senior officials from the
Canadian Privacy Commissioner’s Office and the US Federal Trade Commission. Mexico
noted that it is already part of the system APEC Cross Border Privacy Rules (CBPRs), holds
the presidency of the Ibero­American Data Protection Network (section 4.6) and is an active
member of the APPA (section 4.5). Mexico has also collaborated bilaterally with CNIL
regarding the Airline Advance Passenger Information System (APIS), particularly with regard
to the legal basis for international data transfers between Mexico and France.
Montenegro gave examples of a Twinning project “Implementation of Personal Data
Protection Strategy” and study visits to Austria, Germany and Slovenia.
The Dutch and Canadian privacy enforcement authorities jointly carried out an investigation
into the handling of personal information by WhatsApp Inc., a California­based mobile app
developer (see case study in section 2.4 of this report) .436
Vietnam said its opportunities to co­operate with others have been somewhat limited. It does,
however, attend the International Conference as well as other conferences and events within
APEC.
436
For more information about the joint investigation, see http://www.dutchdpa.nl/Pages/en_pb_20130128-whatsapp.aspx
9. Do you have any other comments or suggestions regarding legal, technical and/or
political factors that could help improve co-operation or that act as barriers to cooperation?
The following is a selection of the responses received. The Office of the Australian
Information Commissioner (OAIC) said that enforcement in the online environment continues
to be a challenge, particularly in relation to jurisdiction issues. The OAIC would welcome the
sharing between DPAs of legal reasoning relating to how DPAs establish jurisdiction in
matters relating to global data flows.
Belgium said that an Internet platform, such as a discussion forum accessible to all DPAs, could be organised to help DPAs communicate easily, receive responses quickly and access information in an organised manner.
The Office of the Privacy Commissioner of Canada (OPC) said that, in its view, the most
important priority is working together on enforcement and compliance issues and that it is
valuable to share information on government initiatives. “Once we have a clearer idea of what
we are trying to achieve, we need to develop a plan or strategy to achieve this,” said the
Canadian respondent. “Identifying collective issues or priorities would be valuable,
recognizing that events may require flexibility.”
Cyprus said the issue of international co­operation with third countries should be given
thorough consideration in the frame of the discussions about the proposed DP Regulation.
The Finnish DPA suggested creation of a legal database where each data protection authority
could share decisions with others. The legal database would help avoid divergent decisions
about the same matter.
CNIL said that data protection authorities should have a view of the forensic tools used by
other DPAs in order to have a common technical approach.
The German DPA said that co­operation and information­sharing between DPAs should focus
on cross­border cases of high relevance for data protection in an international context, i.e.,
cases where data subjects at an international level are affected or cases concerning
international transfers between private or public bodies. Common technical and language
standards are important. A good example of a body performing effective information sharing
is the secretariat of the Article 29 Working Party. Effective information sharing and co­
operation should not result in additional transfers of huge amounts of data.
Greece said that factors that would help improve co­operation include these:
• more human resources
• online tools
• an instrument to facilitate the exchange of information
• a co-ordinator or co-ordination body.
The Hungarian DPA said that short­term study visits and seminars were useful to gain first­
hand experience and knowledge from other colleagues.
The Icelandic DPA is facing severe budget cuts, which will affect the work of the Authority.
The number of cases grows every year and, at the same time, the cases are becoming bigger
and more complicated.
ILITA, the Israeli DPA, said the connection between the data protection authorities and other
policy­making fora, such as the WTO and UNCITRAL, should be explored. Harnessing trade
and economic discussions to data protection issues may promote these issues as part of the
international discussion, in order to create a global policy­making network, like the work
done by the Article 29 Working Party. The interaction between data protection, information
security and cyber­security may have the potential for ripe data protection concepts to break
new ground.
Garante, the Italian DPA, said there should be a specific provision in the law to facilitate a
fruitful exchange of information among DPAs without breaching confidentiality rules, which
should also make up the legal basis for enforcing procedures or measures initiated by other
DPAs. The issues of jurisdiction and applicable law should also be addressed and clarified. In
the light of the new co­operation and consistency mechanism pursuant to Article 55 and other
Articles in chapter VII of the proposed EU General Data Protection Regulation, there will be
an increase of the activities at EU level. This is why the Italian DPA considers it necessary to
introduce a European funding mechanism to enable the DPAs to fulfill the aforementioned
obligations to co­operate.
The Liechtenstein DPA said it has participated several times in the Case­Handling
Workshops, which have been useful. However, these are held less frequently now due to
budgetary cuts. Small secretariats seem to be necessary for the organisation of exchanges of
views.
The Mexican DPA said one of the main barriers is the lack of regulation and an authority
guarantor of the right to protection of personal data with sufficient powers to enforce the
regulations that exist to regulate this right, as well as the principles and criteria relevant to this
right. It is essential to develop tools and mechanisms to harmonise the various regulations and
establish minimum standards for the treatment of personal data internationally.
The Dutch DPA cited the collaboration between the Dutch and Canadian authorities and their
having made the best use of each other’s expertise in their joint WhatsApp investigation.
The Office of the Privacy Commissioner (OPC) of Canada said that generally there could be
better co­ordination among DPAs, which may yield better outcomes for consumers and
leverage use of limited DPA technical resources. Sometimes political or philosophical
differences get in the way of global co­operation, but there are large areas of commonality. It
would be helpful if the PHAEDRA project could address this issue. The project could also
consider the need to collectively finance a co­operative infrastructure (e.g., a small
secretariat). Relying on volunteers to host meetings or manage projects results in
discontinuity, the lack of consistent on­going strategies, an undue burden on a handful of
leading DPAs, and overall slow progress. Insightful suggestions from expert outsiders as to
what might work would be welcomed.
The Ontario DPA noted that, in 2010, data protection authorities and privacy commissioners
from around the world unanimously adopted a resolution in which privacy by design was
cited as an essential component of privacy protection. Recently, jurisdictions such as the U.S.
and EU have introduced privacy by design into proposed data protection regulation and
policies. If data protection authorities and privacy commissioners continue to incorporate
privacy by design into their respective laws, co­operation on investigations and enforcements
will be advanced and organisations will avoid privacy harms, as opposed to offering systems
of redress after the breaches have occurred.
Poland said that co­operation is composed of three elements: the expertise and availability of
the DPA, the possibility of co­operation and its actual application. One of the solutions for an
improvement of the actual co­operation in the short­term would be a non­binding instrument
in order to reach common understanding of the procedures for co­operation (forms, language,
time limits, expected activities). In the EU, several forms of cooperation (including
enforcement actions) have been developed but still most of them are not used by DPAs. The
problem is the awareness of the existence of the possible procedure and readiness to follow
usually non­binding procedures.
The Portuguese DPA said that international co­operation is an urgent need, as is a
consideration of the problems related to applicable law and jurisdiction. As major companies
conducting business in Europe are established in the USA, European DPAs face difficulties in
enforcement and effectiveness. DPAs have limited powers. At best, DPAs can manage
damage control and minimise risks at a later stage. The long­term objective should be to build
a worldwide understanding or agreement to tackle privacy problems. While developing short­
term strategies to increase effectiveness, consistency and co­operation, DPAs should also
invest and develop a binding international framework for the protection of citizens’ privacy
rights. DPAs should raise the awareness of stakeholders at the international level to provide
an adequate response to the challenges to the individual’s rights presented by the rapid
evolution of information technology.
The Republic of Macedonia is not yet a member state of the European Union, which prevents it from being included in some EU bodies and institutions. It hopes for better co-operation with no borders and limitations.
The Russian DPA said the following could contribute to improving international cooperation
in personal data protection:
• development and adoption of unified approaches in order to stop violation of laws concerning personal data, implementation of law enforcement practices appropriate to the purposes;
• establishment of a small secretariat to ensure the co-ordination of DPA activity in solving issues requiring multilateral engagement;
• creation of a DPA contact list with e-mail addresses for the rapid exchange of information;
• participation in the work of international consultative and advisory bodies;
• broader representation of foreign DPAs in the protection of personal data and the rights of citizens.
DPAs should aim to protect and improve the rights of citizens as personal data subjects and to
ensure compliance with the rights to privacy, protection of privacy, personal and family life,
regardless of the country of residence.
The Slovak DPA said that DPAs of Member States have many problems, tasks, issues in the
rapidly developing environment of IT technology, Internet and electronic tools for monitoring
and collection of data. DPAs have budgetary and legal constraints and staff shortages. It is
necessary to have clear, stable and binding legislation.
The Swedish DPA said a clear legal basis for international cooperation and joint supervisory
measures, including exchange of information, should be part of the EU rules on data
protection.
The ICO is open to any mechanisms which are easy to implement, are clear and provide sufficient safeguards when sharing information, including personal data, and under which any privacy enforcement authority (PEA) would have the ability to choose the level of co-ordination and co-operation that suits it.
FTC staff believe that the best way to improve cross­border co­operation is for privacy
enforcement authorities to seek opportunities for practical cooperation, even where the ability
to co­operate remains subject to legal and resource­related constraints. Any effort will provide
experience, which, in turn, will help authorities identify and inform any legal and logistical
improvements needed. Better understanding of authorities’ differing confidentiality
requirements in non­public investigations could improve cross­border information­sharing
and co­operation. FTC investigations are generally non­public and confidential until a case is
filed in court or other appropriate circumstances arise. Thus, FTC staff generally can only co­
operate with counterpart enforcement authorities willing and legally able to protect the
confidential nature of any communications in the course of an ongoing investigation. Also,
privacy enforcement authorities without the legal ability to share non­public, confidential
information and case­specific evidence with their counterparts across borders should obtain
that authority. Promoting enforceable codes of conduct for cross­border data transfers, such as
the APEC Cross­Border Privacy Rules, promotes cross­border enforcement co­operation
between privacy authorities.
Vietnam views international cooperation as a bridge between VECITA (the Vietnamese
authority) and other more experienced authorities around the world to share information,
experiences and skills. It looks forward to having further international cooperation.
5.2 RESULTS OF FOLLOW-ON INTERVIEWS
In addition to the questionnaire survey sent to 79 data protection authorities, PHAEDRA has
conducted one­on­one telephone interviews with data protection authorities, privacy
commissioners and other privacy enforcement authorities to gain deeper insights into privacy
enforcement instruments and views on improving privacy enforcement co­ordination
internationally. We have conducted interviews with representatives from the following
agencies with responsibilities for privacy and data protection:
Office of the Privacy Commissioner of Canada
Commission Nationale de l’informatique et des libertés (CNIL)
Office of the Data Protection Commissioner, Ireland
Garante per la protezione dei dati personali, Italy
Netherlands DPA
Organisation for Economic Cooperation and Development (OECD)
Portuguese Comissão Nacional de Protecção de Dados (CNPD)
US Federal Trade Commission
UK Information Commissioner’s Office
Office of the Data Protection Ombudsman, Finland
Israeli Law Information and Technology Authority (ILITA)
European Data Protection Supervisor (EDPS)
Personal Data Protection Commission, Singapore
Office of the Australian Information Commissioner
Consumer Affairs Agency, Japan
Spanish Data Protection Agency (AEPD)
Mexican Data Protection and Information Commissioner (IFAI)
Colombian Data Protection Authority
Uruguay Data Protection Authority
Among the issues discussed in the interviews were the following:
Differences in powers
In Canada, the OPC cannot levy fines directly. It has to go to a federal court and seek statutory
damages as administered by the court. Nor does the OPC have order-making powers.
The Office of the Australian Information Commissioner (OAIC) has an enforceable
undertaking instrument, whereby it gets a company to agree to an undertaking; if the company
does not honour it, the OAIC can take the company to court.
In Europe, one leading DPA noted that being compliant with the Data Protection Directive is
one thing, but the way in which it has been transposed into national law is another. The
proposed Data Protection Regulation is expected to lead to a harmonised administrative law
within the EU. Even so, differences in powers will remain between EU DPAs and privacy
enforcement authorities in other countries. The Netherlands and Canada co­operated in the
WhatsApp case to show that it was possible to co­ordinate an action internationally, even if
the enforcement powers are different. That effort was successful. It started with an MoU
between the two authorities and led to two reports. Ninety per cent of the conclusions were
the same, but one report referred to Canadian law and the other to Dutch law.
He was of the view that to have harmonised administrative laws outside the EU would take a
long time. The main point is to share information, notably within GPEN and/or the working
group of the International Conference.
Sharing confidential information
Some of those interviewed mentioned the difficulty of exchanging confidential information.
One European DPA said that they cannot say who they are investigating, while another DPA
has to say who they are investigating. Hence, it is necessary to be careful about what
information to share and when.
Some EU Member States cannot exchange information with non-EU countries unless they
establish a bilateral agreement. For some, collaboration between independent DPAs is easier
than with those that are state-controlled. Some privacy enforcement authorities said that there
has to be a clear legal basis for sharing information. “We need a legal framework for sharing
information,” said one DPA. Another cited paragraph 46 of the APEC Privacy Framework [437], which states:
“Member Economies will endeavour to support the development and recognition or
acceptance of organizations' cross­border privacy rules across the APEC region, recognizing
that organizations would still be responsible for complying with the local data protection
requirements, as well as with all applicable laws. Such cross­border privacy rules should
adhere to the APEC Privacy Principles.” The security of information exchanges is still a
challenge affecting the sharing of confidential information, said one interviewee.
One European DPA suggested that privacy enforcement authorities could adopt a “layered”
approach for sharing information, where some information is “semi­open” and can be more
easily shared than other information which is secret or confidential. He said most authorities
agree to such a layered approach to enforcement.
One privacy enforcement authority said it could share confidential information, but it would
need authorisation from its Attorney General before it could do so.
Article 29 WP and APEC
There is interest in improving collaboration and interchange between the Article 29 Working
Party and APEC as manifested by the efforts aimed at achieving some interoperability (e.g., a
double certification) between the Article 29 WP’s Binding Corporate Rules (BCRs) and
APEC’s Cross­Border Privacy Rules (CBPRs).
The International Conference and GPEN
Some of the interviewees noted the difference between the International Conference of Data
Protection and Privacy Commissioners, which does not have a website or permanent
secretariat, whereas GPEN, with a somewhat different membership, does. The OECD
developed and has been hosting the GPEN website, and seems willing to continue to do so,
although the OECD is also constrained by its budget. While OECD hosts the website,
members provide the content.
[437] APEC Secretariat, APEC Privacy Framework, Singapore, 2005. http://www.apec.org/Groups/Committee-on-Trade-and-Investment/~/media/Files/Groups/ECSG/05_ecsg_privacyframewk.ashx
The International Conference has some 50 national and 40 subnational DPAs accredited,
while GPEN currently has many fewer members, about 32. GPEN aspires to be global in
participation, so gaining more participants is a challenge. However, one DPA emphasised that
there is no competition between the International Conference and GPEN. While there might
be some overlap, one privacy enforcement authority said that did not matter so much as the
fact that people are talking to each other, improving their relationship and the prospect of
working together.
Another said there need to be (and are) criteria for participating in the International
Conference, but for GPEN the bar does not need to be so high. “It’s the difference
between policy and operations.” Even so, another DPA representative felt that while GPEN is
useful for public information, it is not secure enough for sharing operational intelligence. An
OECD representative said the real value – and challenge of GPEN – is to establish trusted
relationships between DPAs and privacy enforcement authorities to facilitate co­operation and
co­ordination. GPEN members also exchange good practices and information about how they
perform certain activities.
PHAEDRA discussed the working group chaired by representatives from the UK Information
Commissioner’s Office and the Office of the Privacy Commissioner of Canada. The working
group was established by the International Conference in Mexico in 2011 and held its first
meeting in Montreal in May 2012, with representatives from Canada, the EDPS, Israel, Italy,
Mexico, New Zealand, Poland, Spain, the UK and US. Representatives from the Netherlands,
France and Germany have also participated subsequently. Membership is fluid, and any of the
DPAs can join.
Among the 10 action items from the Montreal meeting were the following:
1. Enforcement authorities are encouraged to join the Global Privacy Enforcement
Network (GPEN), to use the GPEN website, to populate the fields related to their own
authority including conditions for cooperation, and to explore its potential secure
information sharing tool.
2. This Working Group shall take the lead in organizing regular videoconferences among
enforcement authorities to identify specific issues and technologies that raise privacy
concerns, and to coordinate action on targeted data holders.
7. Strategies are to be developed for national authorities to explain to the media,
government and citizens of their jurisdiction the new international approach of
identifying a lead authority, and to further explain this scheme when specific cases
arise.
8. Enforcement authorities are urged to address the issues that constitute hurdles to
cooperation. This exercise could also be used to contribute information to the
PHAEDRA project.
The next meeting was held in Washington, DC, in March 2013, where an action plan was
agreed. In addition, members of the group have held conference calls. The working group has
focused on process issues (i.e., how can DPAs co­ordinate better their efforts?) as well as
substantive issues (on which specific investigations do they wish to collaborate?).
One DPA said it was now useful to have the right point of contact, but there is an issue
regarding the security of information shared via GPEN, because the GPEN website is not
particularly secure.
An ICDPPC website and secretariat
PHAEDRA posed some questions about the prospects for an ICDPPC website and secretariat,
but such a prospect does not appear likely in the foreseeable future. The funding issue is
difficult for the ICDPPC to deal with: who would collect the funding and how would
members share the costs?
However, an improved GPEN website is expected to be discussed in Warsaw. At least one
privacy commissioner is willing to provide some funding for this, while another privacy
enforcement authority seems willing to provide some technical support.
A lead DPA in investigating issues of concern to multiple DPAs
One of the co-chairmen opined that DPAs need to be more precise about what they are trying
to achieve regarding information sharing and collaboration, and argued that there is a lot that
privacy commissioners and DPAs can already do. He said that it doesn’t make sense to have
25 commissioners pursuing the same investigation, but saw a potential problem in how DPAs
could explain to their publics that they aren’t pursuing a particular issue because others are.
He also said the closed sessions of the International Conference are getting better and being
given more time. The relationship between the International Conference and GPEN has been
an issue of discussion. Although there are some differences in membership, there is some
overlap between the two, but probably a role for both. More than one of the DPAs interviewed
expressed the wish that the International Conference had an online archive and an up-to-date
e-mail list. The ICO sent a short questionnaire to its Article 29 WP colleagues seeking views
on two parallel issues: the international enforcement co-ordination framework which has been
developed by the International Conference working group, and GPEN, which is one possible
way of helping to deliver international enforcement co-ordination.
One privacy commissioner representative said the best way to improve co-operation and
co-ordination is personal relationships at both the Commissioner and staff level. He added that
it was useful to hear different points of view on an issue.
Complaints
DPAs get an increasing number of complaints about the way both governments and the
private sector handle personal data. The Dutch DPA said it had been receiving some 6,000
complaints or requests for advice each year. It decided to stop responding to all these
requests, because it was not efficient, and instead to refocus its efforts on enforcement.
The main types of complaints received by the OPC of Canada are the following:
Use and disclosure: Complaints involving allegations that personal information was
inappropriately used or disclosed, without consent, for purposes other than those for which it
was collected.
Access: Complaints about difficulties gaining access to personal information.
Collection: Complaints involving the unnecessary collection of personal information or
personal information collected unfairly or unlawfully, such as without proper consent.
Malta only has three people and they get about 100 DP complaints a year, but the ICO
handles around 25,000 complaints a year.
Instruments for enforcing privacy
A principal issue discussed during the interviews was instruments for enforcing privacy.
Examples of instruments are the following.
• Receiving and investigating complaints
• Advice or guidance
• Inspections (or audits)
• Warnings or notifications
• Naming and shaming
• Orders
• Fines
• Criminal sanctions
• Taking away licences
One DPA dismissed the utility of advising companies at an early stage. From his experience,
such an instrument had not proven successful. “Free information is worth nothing.”
A representative of the FTC said that its best instruments are the FTC Act and its provisions
against unfair and deceptive practices. He said the FTC can get redress; it can go to Federal
court to get actions. It can get companies to agree to consent orders. It can investigate
companies and then file in federal court or administrative court.
Many DPAs don’t have a capacity for punitive fines. One said “We can say publicly to a
company that it has to comply within three months or six months or whatever. The company
has to redress what’s wrong. If it doesn’t do so, we will issue a fine. It could be any amount.
We don’t fine right away. We give a warning. We have ‘cease and desist’ order power. In one
case, we issued such a penalty for €50,000 which could make or break a small company, and
in a Google case we fined them €1.5 million, which is nothing for Google, but they said they
would comply.” In another case, the regulator investigated a large company which had
announced its intention to profile its big clients. The regulator wrote to the company and it
stopped, but it wasn’t clear whether it was because of a threat to incur a fine or potential
damage to its reputation.
Not all DPAs can make unannounced inspections. However, one that can said unannounced
inspections were better because if the inspection is announced in advance, the company can
simply destroy evidence of wrong­doing.
In many countries, organisations are obliged to notify the privacy enforcement authority
before they can establish a database. If the organisation runs afoul of the privacy legislation,
the regulator can take away its authorisation or licence.
Actions to improve co-ordination globally
One DPA said that the Google Street View case was not a good example of co­ordination.
Various DPAs investigated Street View and, even within Europe, “we ended up with several
different views on Street View. We learned a lot from that case.” In the instance of Google’s
combining its privacy notices, CNIL led the investigation and worked with the Article 29
technology subgroup and a “coalition of the willing” to try to persuade Google to accept the
collective findings.
One privacy enforcement authority said that GPEN members are looking at an online
mechanism to discover which other GPEN members might be interested in collaborating on a
particular enforcement action. Concerns regarding the security of the GPEN website could be
minimal if it was used just for finding out whether some privacy authorities are interested in
collaborating on an enforcement action.
Other privacy authorities should be encouraged to join GPEN. Privacy commissioners should
communicate regularly via GPEN. Currently, GPEN members have periodic conference calls
(via landline telephones), usually every other month, to discuss recent enforcement issues and
logistical or procedural issues. Typically, about 15 people participate in these calls. The
conference calls are regarded as productive and help to build relationships among privacy
authorities.
Challenges to improve enforcement co-ordination
Some DPAs said the main challenge was to be aware of which other privacy authorities might
be interested in pursuing a particular issue. Another challenge, as mentioned above, is the
inability of some DPAs to share confidential information.
One non­European privacy enforcement authority described the Article 29 Working Party as a
model of international co­operation and knowledge­sharing. It spoke favourably of the Article
29 WP as creating a network of professionals and a body of best practices.
Privacy, security and consumer protection
An OECD representative said that privacy is still discussed in isolation, separate from security
and consumer protection, yet these have also established co­operation and co­ordination
mechanisms. It might be useful to do a comparison. How do others collaborate? PHAEDRA
should try to explore consumer protection and cross­border consumer protection, to see if
there are lessons to be learned for privacy protection.
6 BENEFITS FOR EUROPE OF INTERNATIONAL CO-OPERATION AND CO-ORDINATION
This section of the report summarises the benefits for Europe of international co-operation
and co­ordination. Individual DPAs have recognised the benefits (and necessity) of
international co­operation in responding to privacy issues that cross borders. There are also a
number of policy benefits from co­operation between DPAs that will accrue to the EU and its
citizens.
6.1 PREVENT REGULATORY ARBITRAGE
Co­ordination in enforcement actions helps ensure that data controllers are not able to shop
for the most favourable regulatory regime. It also prevents data controllers from claiming that
an issue has already been investigated on the basis of an unsatisfactory investigation,
potentially conducted by a DPA with limited capacity or with little capacity for sanctions or
fines.
6.2 HARMONISATION OF PRIVACY ENFORCEMENT
Similarly, increased co­ordination and co­operation between DPAs within Europe, including
the sharing of best practices and legal reasoning can contribute to the harmonisation of the
practical activity of data protection authorities. This would mean that data controllers would
better know what to expect from their interactions with DPAs and not have to deal with a
wide range of different methodologies and approaches. This would have benefits for the
common market.
6.3 EXPAND EUROPEAN MODEL OF PRIVACY AND DATA PROTECTION
The activity of the Article 29 Working Party has been identified as particularly influential and
a model of good practice for co­ordination, even by some DPAs outside of the EU. If the EU
is able to offer strong lessons and best practice, based on its experience in data protection
activity and privacy enforcement, then this offers a potential for the expansion of the
European model of privacy and data protection outside the EU, as other countries work with
EU DPAs and potentially learn from them. There are of course limits to this process based
upon national privacy and data protection regimes.
6.4 PROTECT EUROPEANS IN THIRD COUNTRIES
Co­ordination helps ensure that Europeans are protected in third countries. By building
relationships with non­European DPAs and equivalent organisations European DPAs acquire
avenues for communication and interaction which can be used to ensure that the data
protection rights of European citizens are not infringed.
6.5 RAISE OVERALL STANDARD OF PRIVACY PROTECTION
Finally, co-operation should help raise the overall standard of privacy protection. More
resources can be brought to bear more efficiently on particular investigations and issues. This
provides a greater chance for the appropriate and adequate handling of privacy investigations
and the protection of European citizens’ privacy and data protection rights. Additionally,
different perspectives on these issues can be illuminative, increasing the collective expertise
of the privacy protection community.
7 FINDINGS AND RECOMMENDATIONS
In this section we bring together the findings from this study and then present
recommendations on improving co­operation and co­ordination for privacy enforcement.
There is no global system for privacy enforcement co-operation
There is currently no single global system for co­operation and co­ordination of privacy
enforcement activities. There is no foundational international treaty in this area. There are a
variety of national and regional legal regimes.
However, privacy enforcement co-operation and co-ordination is occurring
The case studies in section two show that privacy enforcement co­operation has occurred, and
may be increasing in both frequency and level of organisation. However this collaboration
remains primarily in ad­hoc forms. Co­operation ranges from full joint investigations, to
shared inquiries and letter­writing. The most common mode of European co­operation for
individual investigations is the identification of the data protection authority with appropriate
jurisdiction, then delegating the leadership for any collective response to this authority.
Similarly, group investigations tend to be formed by “coalitions of the willing”.
…with some regional clusters and emergent organisations
The EU, OECD and APEC have particular influence in this field. The European case studies
and the overview of the Working Party’s co-ordination work demonstrated a strong role for the
Article 29 Data Protection Working Party in European collaboration. More generally, the
European network of overlapping mechanisms for co­operation provides a range of options
for collaboration and the building of consensus at different levels and to different purposes. It
provides European DPAs with a degree of flexibility in forming different coalitions. Regular
interaction may be supportive of developing habits of communication, co­operation and co­
ordination. This interaction is supported by data protection law (Directive 95/46/EC) and the
Council of Europe Convention 108. International networks are generally voluntary and not
legally binding. GPEN is a relatively new development which has demonstrated some initial
successes. It is a non­binding network for co­operation between privacy enforcement
authorities, with an open, potentially global membership and some organisational support
from the OECD.
…but is not as effective as it could be
DPAs themselves identified a large number of cases of potential and actual, effective and
ineffective international co­operation between DPAs. Several cases in the case study analysis
demonstrate that whilst there have been effective collaborations between DPAs there have
also been some cases that clearly exhibit duplicated effort, or incomplete communication (for
example, the multiple investigations of the Sony network hacking and in the Google Street
View case).
Co-operation and co-ordination mechanisms do exist at multiple levels
The analysis of co­operation and co­ordination mechanisms, in the EU and internationally,
shows that multiple networks and organisations of DPA and privacy enforcement authorities
exist at multiple levels. These range from bilateral memoranda of understanding, language
groupings and regional groupings, up to the international level. The survey results suggest that
DPAs primarily desire more co-operation and co-ordination at the international level. These
networks can be seen as complementary rather than in competition with each other; however,
limited resources mean that some DPAs can only participate in some selected networks, which
presents these DPAs with a choice about which they may find the most effective.
…but are primarily conducted through senior roles
There are several mechanisms at the level of senior representatives, privacy commissioners
and heads of DPAs, such as the Spring Conference and the Article 29 Working Party, but
there are fewer opportunities for co­ordination at operational levels, unless these are
established by the individual DPAs in the course of a collective investigation. In this case,
these mechanisms are likely to be informal and ad hoc. The Case Handling Workshop, study
visits and staff exchanges are important counterweights to this tendency.
Clear desire for co-operation and co-ordination among DPAs
From the case studies, survey and interviews, there is also good evidence of a clear desire for
increased co-operation and co-ordination of enforcement, as well as information sharing
between DPAs, even on unrelated cases. DPAs generally appear interested in learning from the
experiences of other DPAs and engage in informal ad-hoc consultation and “watching with
interest”. DPAs appear to recognise that they face challenges in privacy enforcement that
cross national boundaries, including specific incidents that require a co-ordinated response,
and that they may well be responding to similar issues to their peers in other countries. Even
when individual DPAs felt unable to co-operate with their peers, for example because of
manpower or resource limitations, they expressed a desire to do so, and a belief that such
co-operation would be productive and beneficial.
Not all DPAs co-operate and co-ordinate to the same extent
There appears to be a core group of DPAs, many of them located in European Member
States, which are involved in almost all of the co-operative arrangements available to them.
These are also the DPAs with the largest resources and the most staff assigned to
international relations. Encouraging networking amongst these DPAs is therefore not
particularly problematic, and it may be worthwhile focusing policy attention elsewhere. These
DPAs might however be expected to play a leadership role in expanding the opportunities for
co-operation and co-ordination out to other DPAs outside of this “core”.
Some tools for co-ordination exist, but these are currently limited and under-used
There are multiple lists of nominated DPA contacts (OECD, Case Handling Workshop
mailing list, GPEN, APEC, Article 29), but these lists are currently separate from each other
and need to be reconciled, in a manner which is sustainable. Similarly, a number of
websites act as potential hubs for information sharing (Article 29, Council of Europe T-PD,
Berlin Group). The responses to the survey suggest a clear desire for online tools to facilitate
sharing information, but also that not all DPAs are aware of all the co-operative resources and
networks that might be available to them.
Key challenges for co-operation and co-ordination remain
Situational awareness of the international privacy enforcement context is a key barrier to
effective co­operation. DPAs identified a lack of information from their peers about co­
operation and co­ordination activities. This highlights the important role that centralised
groups with regular channels of communication can play. From the survey and interviews,
legal barriers to sharing of information between DPAs appear to be less significant than may
have been believed, although they remain particularly significant for some DPAs due to their
legal constitution. In the absence of harmonised legislation (which may be facilitated by the
GDPR) it becomes important for co­operating DPAs to understand the limitations, powers
and capacities of their peers.
Limited resources that can be devoted to international working are a key issue that limits co­
operation and co­ordination, whilst in part driving the desire for increasing these. DPAs have
variable funding, capacity, experience and different powers in enforcement, investigation and
audit, whilst some can only investigate following complaints. Responses to the survey showed
that DPAs, both within Europe and externally had highly variable numbers of staff. However,
converging the powers of DPAs was not seen as the highest priority for increasing co­
ordination and co­operation. The WhatsApp case study suggests that co­operation on privacy
enforcement is possible even across different legal regimes and with different enforcement
powers.
DPAs are not the only organisations that need to be involved in co­ordination of privacy
enforcement activity. Well supported DPAs and networks are better able to leverage co­
operation. When they are not well supported (as in the case where the Commission and the
article 29 working party adopted differential positions on WADA’s code review (see section
2.8)) then co­ordination efforts can be undermined. Similarly, whilst it is important to have
closed sessions, and networks with membership limited to accredited DPAs for sensitive
discussions and building common positions, it is also important to have networks that can
include other authorities with some form of privacy enforcement brief, and even
representatives from government, NGOs, academia and the private sector. The mix of
overlapping networks currently contributes to this capacity.
7.1 RECOMMENDATIONS
Based on the research and analysis in this report, including from our survey of and interviews
with DPAs, we present the following summary of suggested measures to improve
co-operation and co-ordination. Alongside each measure we present some reflection on it.
Proposed measures for
Evaluation and related issues
improving co-operation and coordination between DPAs on
privacy enforcement
Memoranda of co-operation / Several MoU already exist and DPAs have found these
Memoranda of understanding / useful, both in spelling out what forms co­operation can
take, as well as their protocols for co­operation and co­
Bilateral agreements
ordination. Some DPAs require such an agreement
before they can co­operate or share information. These
can be achieved relatively easily, if two parties are
172
willing, and do not require the same degree of
consensus as required for forming or operating in larger
groups.
Expand non-binding instruments Non­binding agreements between DPAs can provide the
basis for co­ordination in terms of expected methods of
communication, protocols for requesting assistance,
standard forms, and fora for interaction. Being non­
binding they allow DPAs to build the foundations for
co­ordination whilst respecting national law and the
discretion of the participants.
Some regional agreements already exist, and
Regional agreements
participants appear to find these useful, especially when
the regions share common languages, or systems of law
and government. The larger regional organisations,
including the supranational governments such as the EU
play an important role in supporting co­operation and
co­ordination in data protection and privacy
enforcement.
Common information platform / Several DPAS suggested the creation or development of
a common information platform for DPAs in order to
intranet for DPAs
make key information available, host discussion fora,
communicate easily, receive responses quickly and to
access information in an organised manner. A platform
like this would respond to the challenges of situational
awareness. Such a system would need to be secure in
order to protection confidential information and to
encourage open discussion between participants. It
would also need to have layered access controls so that
DPAs could share information with appropriate
participants only. Beyond these requirements there are
several options for what sort of information should be
hosted on such a system which are explored below.
Several lists of contact persons for international
…with a list of contact persons
communication between DPAs exist. It would be
advisable to attempt to collate and co­ordinate these
lists into a single, regularly maintained, database of
international contact points.
…with a repository of best Would allow DPAs (including operational staff) to
learn from their international peers. Best practice could
practice
expand beyond privacy enforcement to include media
and public communication, training, technology watch
and other areas of interest to DPAs. A repository of best
practice should be combined with a discussion forum or
commenting system to allow participants to discuss
(and challenges) these best practices.
…with a repository of case law / legal reasoning
Maintaining and sharing a database of the legal reasoning that DPAs have used to come to particular decisions can help avoid divergent decisions about the same matter. This resource would also allow DPAs within the same legal regime to learn from the experiences of their peers.

…with a repository of DPA powers / data protection acts
A central, accessible database of the foundational legislation granting DPAs their authority and powers, translated into common languages, would allow participants in co-operative exercises to understand the capacities of their partners. The PHAEDRA project deliverable 2.1, Legislative Review, has collated legal provisions that both facilitate and impede co-operation and co-ordination.438

438 De Hert, Paul and Gertjan Boulet, "Deliverable 2.1 A compass towards best elements for cooperation between data protection authorities", PHAEDRA project deliverable 2.1, Brussels, February 2014. Available at http://www.phaedra-project.eu/wp-content/uploads/PHAEDRA_D2.1_final.pdf

…with a secure mechanism to indicate interest in investigation
One challenge to co-operation is knowing when other authorities are interested in, or intending to start, an investigation that could be conducted collectively or co-ordinated in some other manner. One response to this, potentially based on the GPEN website, would be a mechanism for indicating such interest to other DPAs. The word "secure" matters here: the fact that an authority is considering an investigation is itself confidential, so such a mechanism would need the same kind of layered access controls as the platform on which it is hosted.

Co-operation between organisations
There is already co-operation between organisations, but also the potential for this to be increased and improved, for example by involving GPEN more closely in the work of the International Conference. Those DPAs that are involved in multiple networks are in a strong position to support this activity, which could bring the strengths of different networks into play. The overlapping and complementary networks that currently exist do offer some advantages, and it may not be necessary to bring these networks into full alignment.

Workshops and conferences
This suggestion involves expanding existing workshops and conferences, or hosting more of them. Whilst this will likely have benefits in terms of increased interaction and communication between DPAs (including staff at operational levels), there are already a number of workshops and conferences available (likely more than several DPAs can attend, given budgetary limits) and such benefits may have diminishing marginal returns. Co-ordination at the level of conferences and workshops appears to be relatively strong, and it may be most effective to devote resources to other forms of co-ordination.

Increased funding and additional resources
Whilst increased funding and resources are seen as desirable by many DPAs, this is not seen as particularly likely. DPAs may need to decide how much of their own internal resources to devote to international collaboration. Strong evidence on the benefits of international co-operation and co-ordination may help with this.

Combined technological and R&D activities
In addition to privacy enforcement co-operation, it may be possible for DPAs to engage in combined
technological and R&D activities, as this is another area where they are likely to be encountering similar issues (for example, new and emerging technologies which may pose privacy challenges) and there may be a similar duplication of effort. R&D may also involve the development or assessment of forensic tools for use in investigations. Such co-operation may be best determined by individual DPAs, again in coalitions of the willing and able, although efforts should be made to share and distribute the results of such efforts through the existing international networks and organisations.

Training for staff on co-operation and co-ordination
International co-operation between DPAs is a relatively new area, and staff may not have the experience or skills to undertake these activities. Including training on international co-operation and co-ordination in professional development programmes for DPA staff may support this, but it is unclear whether the capacity to develop the content of such training yet exists.

Identification of areas where co-operation and co-ordination is possible, and where it is not
Because they may operate under different legal regimes, different DPAs may not be able to conduct the same actions in the same contexts. However, this is not necessarily a barrier to co-ordination and co-operation, as long as the various parties are aware of the capacities of their partners. Rather than attempting to identify these capacities in the course of an investigation (with the risk that limitations not identified in advance have adverse effects on the investigation), these possibilities and limitations should be explored by the DPAs beforehand. On this basis, intelligent co-ordination may be achieved. This task would require analysis of the capacities of each DPA, and collective analysis of how these capacities and restrictions interact.

Collective plan or strategy
Increased precision about what is to be achieved through international co-ordination and co-operation could be established through a collective plan or strategy developed by DPAs.

International secretariat
Both the Article 29 Working Party and GPEN have a secretariat, but the ICDPPC does not. The absence of a secretariat means that the ICDPPC is organised by a new team each year and suffers from problems of discontinuity. Establishing a small international secretariat was seen by some DPAs as a way of facilitating co-ordination and building institutional structures for co-operation. Finding agreement on funding, as well as on location, capacity and the particular role and responsibilities of the secretariat, makes this a challenging effort.

Linking privacy to other issues (security, consumer protection)
Rather than engaging only with other DPAs, it may be possible to connect with other networks working on related issues. These areas may have existing co-operation and co-ordination arrangements or mechanisms, which DPAs could learn from, work with, or potentially join.