Post on 26-Aug-2018
GPEN Meeting
CONNECTED THINKING
Better enforcement outcomes through sharing methodologies and
expertise in connected privacy networks
18 October 2016
Global Privacy Enforcement Network
Global Privacy
Enforcement Network
Agenda
1. Welcome / Agenda2. Sweep Discussion3. GPEN Initiatives4. Open Working Session5. Case Studies
Global Privacy
Enforcement Network
GPEN Meeting 2016 and Beyond – A New Era in Global Enforcement Cooperation Amsterdam, 27 October 2015
GPEN SWEEP
2016 Sweep highlights
2017 Sweep topic
GPEN Side meeting, 2016 International Conference
Global Privacy
Enforcement Network
4
Internet of Things
Global Privacy
Enforcement Network
2016 Sweep in figures
5
25 authorities took part.
314 devices/companies looked at.
59% failed to explain to users how their personal
information was collected, used and disclosed.
68% failed to inform users how personal information is
stored.
38% failed to provide privacy-related contact details.
72% failed to explain how a user could delete their
data.
OutcomesAnd
feedback
Global Privacy
Enforcement Network
7
2017 Sweep
Global Privacy
Enforcement Network
Questions?emma.wills@ico.org.ukadam.stevens@ico.org.uk
Global Privacy
Enforcement Network
GPEN Initiatives
GPEN Alert
A secure Internet-based platform that allows GPEN members to:
• alert other members about investigations
• find out whether other members are investigating the same company or practice
The ability to quickly determine who is doing what will facilitate international cooperation between privacy enforcement authorities.
Global Privacy
Enforcement Network
GPEN Initiatives
Draft images / not actual data
Global Privacy
Enforcement Network
GPEN InitiativesGPEN Alert Joint Oversight Panel
Established by MOU
Guilherme Roschke: FTC
Sarah Adams-Linton: New Zealand Office of the Privacy Commissioner
Udo Oelen: Dutch Data Protection Authority
Performs operational duties of running GPEN Alert
Reviews applications / status of participants
Recommend other functions for GPEN Alert
Global Privacy
Enforcement Network
GPEN Initiatives
GPEN Alert Next Steps:
More agencies join MOU / sign certification.
Onboard individual users.
Share experiences / Best Practices
Global Privacy
Enforcement Network
GPEN Initiatives
Enforcement Survey / Cooperation Authority reference
Global Privacy
Enforcement Network
GPEN Initiatives
About the Enforcement Survey - I
The GPEN Committee will use your answers to the survey to publish a report about DPA's enforcement powers.
The purpose of the survey is to provide easily accessible, comprehensive information about the enforcement frameworks of other privacy authorities in our global network.
The information is intended to assist DPAs in their mission to strengthen cross-border privacy protection
Global Privacy
Enforcement Network
GPEN Initiatives
About the Enforcement Survey - II– The information could inform business cases for
staffing or even legislative reviews.
– The information could assist member authorities to identify partner authorities in a case.
– The report will be available for download on the GPEN website.
Global Privacy
Enforcement Network
GPEN Initiatives
About the Enforcement Survey - III
The GPEN Committee may use the information for other activities, such as:
• country pages;
• presentations,
• PR about the survey
• Cooperation with other networks
- unless your authority objects to this.
Global Privacy
Enforcement Network
GPEN Initiatives
About the Enforcement Survey - IV
• Authorities that answered the Article 29 Working Party Questionnaire (Typology of Authorities’ powers) in 2015 may copy/paste their answers where appropriate (EU –Q ….).
• In case more than one authority from your jurisdiction is a GPEN member, please coordinate the responses with the relevant authorities
Global Privacy
Enforcement Network
GPEN Initiatives
Time frame for the survey
• The survey has been launched (early Oct)
• All members should have received it already
• Please send your answers by December 31st
• The report will be finalized by the end of February 2017
Global Privacy
Enforcement Network
GPEN Initiatives
• 2017 Enforcement Practitioners Workshop
• Investigators and case handlers will• Learn investigative skills and strategies from experienced
colleagues and recognized experts
• Develop operational-level relationships with future partners
(not another “Enforcement Cooperation Meeting” -enforcement cooperation in practice)
• By learning from each other, we can achieve greater privacy-positive outcomes more efficiently
• This is a proven model that has worked in other sectors, like consumer protection
Global Privacy
Enforcement Network
GPEN Initiatives
2017 Enforcement Practitioners Workshop
• Once a year or every two years
• First event: Workshop alongside the European Case Handling Workshop in Oct 2017 - similar approach envisaged for future elsewhere
• Focus: learning about each others’ current casework challenges – GDPR, other regional approaches
• 2017 Host
Global Privacy
Enforcement Network
GPEN Initiatives
• Network of Networks (UK/OPC)
• Aims• Improved international enforcement cooperation through
enhanced dialogue and collaboration between networks of authorities that enforce privacy and other relevant laws
• Five Network Partners• Common Thread, APPA, ICDPPC, UCENET (LAP), ICPEN
• Achievements to date – e.g.• Presentations at ICPEN Annual Conference,
• Sharing Sweep Experience with UCENet
• Regular ICDPPC posts on the GPEN website
Global Privacy
Enforcement Network
GPEN Initiatives
• Network of Networks (UK/OPC)
• Next steps
– Imminent call with all partners (November)
– Potential work on enforcement database/platform
– Documentation of projects with each partner
– Call for additional partner networks to join
Global Privacy
Enforcement Network
Working Session
• Enforcement Practitioners’ Workshop
• Leveraging Survey Results (Enhanced Authorities Page)
• Other suggestions?
Ashley Madison
Investigation
Presented to GPEN Side Meeting
October 18, 2016
Brent Homan Director General
PIPEDA Investigations, OPC
THE BREACH
Security Safeguards
Coherent and adequate information security governance
framework:
• Risk management - regular
and documented assessment
• Security policies -
documented policies and
practices
• Training and implementation
– to give effect to security
policies and practices
Related Issues• Over-retention
of personal
information
• Lack of
transparency
with users
QUESTIONS?
Global Privacy
Enforcement Network
Thanks! GPEN Committee
• Sharon Azarya• Israeli Law, Information and Technology Authority (ILITA)
• Michael Maguire• Office of the Privacy Commissioner of Canada
• Hannah McCausland• UK Information Commissioner's Office
• Aki Cheung• Hong Kong Office of the Privacy Commissioner for
Personal Data• Guilherme Roschke
• U.S. Federal Trade Commission