2014 Global Privacy Enforcement Network (GPEN)

Annual Report


March 2015

 

2014: A Year of Progress for GPEN

The GPEN Committee has decided, for the first time, to issue an annual report. The Committee decided to do this to promote a better understanding of the network and to explain the Committee’s work.

The year has proved to be a significant one with the network. GPEN has embarked upon new cooperation initiatives and consolidated and improved existing ones. Participation rates continue to grow.

A few highlights:

The GPEN Committee looks forward to building on these firm foundations in 2015.

Blair Stewart
Assistant Commissioner (Auckland), Office of the Privacy Commissioner, New Zealand

Michael Maguire
Senior Advisor,Office of the Privacy Commissioner of Canada

Guilherme Roschke
Counsel for International Consumer Protection, Office of International Affairs, U.S. Federal Trade Commission

Sharon Azarya
Israeli Law, Information and Technology Authority (ILITA)

Hannah McCausland
Senior Policy Officer (International), Information Commissioner's Office , United Kingdom

 

About the Global Privacy Enforcement Network (GPEN)

In 2007, OECD adopted a recommendation on Cross-border Cooperation in the Enforcement of Laws Protecting Privacy. The recommendation called for member countries to foster the establishment of an informal network of Privacy Enforcement Authorities.

The Global Privacy Enforcement Network was established in 2010 by 13 privacy enforcement authorities. The informal network has grown by the end of 2014 to comprise 53 privacy enforcement authorities in 39 jurisdictions around the world. GPEN's aim is to foster cross-border cooperation among privacy authorities in an increasingly global market in which commerce and consumer activity relies on the seamless flow of personal information across borders. Its members seek to work together to strengthen personal privacy protections in this global context.

GPEN connects privacy enforcement authorities from around the world to promote and support cooperation in cross-border enforcement of laws protecting privacy.

It primarily seeks to promote cooperation by: exchanging information about relevant issues, trends and experiences; encouraging training opportunities and sharing of enforcement know-how, expertise and good practice; promoting dialogue with organizations having a role in privacy enforcement; creating, maintaining and supporting processes or mechanisms useful to bilateral or multilateral cooperation; and undertaking or supporting specific activities as outlined below.

GPEN is an inclusive cooperation network, open to any public privacy enforcement authority that: (1) is responsible for enforcing laws or regulations the enforcement of which has the effect of protecting personal data; and (2) has powers to conduct investigations or pursue enforcement proceedings.

The GPEN Committee comprises 5 members from the Office of the Privacy Commissioner Canada, the Israeli Law, Information and Technology Authority, Office of the Privacy Commissioner New Zealand, Information Commissioner’s Office United Kingdom and Federal Trade Commission United States. The committee provides leadership for the network and performs various tasks.


GPEN 2014 activities

 

GPEN has increased in size and level of participation

2014 has seen a significant increase in the number of GPEN members. The number of member authorities has increased from 38 to 53. These authorities are based in 39 economies, up from 27 economies in 2013.

The number of authorities participating in the Sweep has increased from 19 in the year 2013 to 26 in 2014. There has also been an increase in the number of GPEN user accounts (from 165 to 197), and an increase of 25% in the number of discussion items in GPEN Website.

Fostering Enforcement Cooperation Discussion and Awareness

One of GPEN’s key objectives is to create opportunities for dialogue and sharing of information between privacy enforcement authorities with a view to fostering increased cooperation. In 2014, GPEN sought to achieve this objective by providing increased opportunities for member authorities to share information and ideas online, via teleconference and in person.

 
GPEN Website: Consolidated List of Enforcement Contacts

GPEN added a “one-stop” list of enforcement contacts for APEC, Council of Europe and the OECD, with facility for addition of enforcement contacts from other networks in future.

GPEN Website: Gateway to International Privacy Law Library Search

The “International Privacy Law Library” (IPLL) is an online repository of thousands of privacy authority case reports and other privacy law material.  The IPLL is operated by the Australasian Legal Information Institute (AustLII) on behalf of a network of cooperating legal information institutes under the brand of World Legal Information Institute. A recent grant has enabled AustLII to significantly expand the IPLL in 2014. A gateway was added to the GPEN website to allow GPEN users to directly search thousands of reports of privacy enforcement and litigation cases hosted on the PLL.

Enhancing Committee communications

The GPEN Committee took a number of steps to improve communications with stakeholders about its various activities. For example, for the information of members, the committee began posting minutes of Committee meetings directly to the website. For the information of a wider group of stakeholders, the Committee adopted a process of issuing occasional press releases. The first such press release, reported on the GPEN workshop in Mauritius, in November 2014. An "RSS feed" was added to the website to enable interested parties to subscribe to receive GPEN Committee news releases..

GPEN Pacific and Atlantic Teleconferences

One of GPEN's most successful activities is periodic conference calls and meetings to discuss enforcement issues, trends, and experiences with its members. There are usually 2 monthly conference calls, though open to all, one series is scheduled for the Pacific group of members and one for the Atlantic group, to allow all members to participate in at least one call during office hours.

In 2014 GPEN held 8 Atlantic teleconferences and 10 Pacific teleconferences, with average participants of 25. The discussions included the following topics:

 
GPEN's Workshop on Enforcement Related Publicity

GPEN held a workshop on the use of publicity as a regulatory compliance technique in Mauritius on 12 October 2014, during the 36th International Conference of Data Protection and Privacy Commissioners. The workshop was attended by 44 commissioners and staff from 21 privacy enforcement authorities from around the world. The workshop heard of the diverse approaches taken to enforcement publicity from presenters from 8 jurisdictions. Participants also received a presentation of the latest research on the effectiveness of monetary penalties in the enforcement of data protection laws. The event was followed by a GPEN-arranged public demonstration of the International Privacy Law Library, the largest freely accessible and searchable database of privacy law material in the world.

GPEN at the International Enforcement Coordination Annual Event

GPEN participated in the UK ICO’s 2014 International Enforcement Coordination Annual Event, held in April. The first day’s meetings included a successful GPEN member authority meeting with attendance by 25 participants from 20 privacy enforcement authorities from around the world. Members were updated on progress with the GPEN Secure Alert Tool from the FTC and on the evolving functionality of the GPEN website, getting authorities to think more deeply about what kinds of cooperation they might be willing to explore.

GPEN Alert

GPEN members made significant developments towards launching the GPEN Alert information sharing system.  GPEN Alert is intended to be a secure Internet-based platform that will allow GPEN members to alert other members about investigations and find out whether other members are investigating the same company or practice. GPEN members from British Columbia, Canada, the United Kingdom, Norway, Australia, Ireland and New Zealand pledged significant financial support to the development of the system.  GPEN members participated in several exchanges of proposed documentation, culminating in a “near final” version of the GPEN Alert documents being distributed in November of 2014.

Specific enforcement cooperation: GPEN "mobile apps" Sweep

"The Sweep" is a GPEN initiative whereby privacy enforcement authorities work together for a week, once every year, to protect the privacy rights of individuals around the world. The 2014 sweep, which took place on May 12 to 18, involved 26 privacy enforcement authorities from around the world, up from 19 international participants during last year’s inaugural event. The growth of this year’s Sweep shows privacy enforcement authorities are more committed than ever to working together to promote privacy protection. 

The GPEN initiative is aimed at encouraging organizations to comply with privacy legislation and to enhance co-operation between privacy enforcement authorities. Concerns identified during the Sweep will result in follow-up work such as outreach to organizations, deeper analysis of privacy provisions and/or enforcement action.

The theme of the 2014 Sweep was mobile privacy. In total, 1,211 apps were examined.

Participants looked at the types of permissions apps were seeking, whether those permissions exceeded what would be expected based on the apps’ functionality, and most importantly, how the apps explained to consumers why they wanted the personal information and what they planned to do with it.

One key conclusion from the 2014 Sweep was that as mobile apps explode in popularity, many of them are seeking access to large amounts of personal information without adequately explaining how that information is being used. More specifically, Sweep participants noted that three quarters of apps requested permission to access users' personal information; almost 60% offered insufficient pre-installation communications; 43% of privacy communications were difficult to read on the small screen; and over 30% of apps left sweepers wondering why the app required certain permissions.

Specific enforcement cooperation: Joint Open Letter to App Marketplace Following the Sweep

Following the sweep, 23 authorities signed a joint letter that was sent to seven major app marketplaces.

The signing authorities stated that they believe that an app marketplace operator should, acting as a responsible corporate citizen, make the basic commitment to require each app that can access or collect personal information, to provide users with timely access to the app’s privacy policy by including a link to its privacy policy in the app’s marketplace listing. The privacy authorities expressed their expectation that a marketplace operator would put in practice, if it had not already, this advice, and implement the necessary protections, to ensure the privacy practice transparency of apps offered in their stores.

 

2015 Work Plan Highlights

In 2015, GPEN intends to