CONNECTED THINKING - International Privacy … · GPEN Meeting CONNECTED THINKING Better...

GPEN Meeting CONNECTED THINKING Better enforcement outcomes through sharing methodologies and expertise in connected privacy networks 18 October 2016 Global Privacy Enforcement Network


GPEN Meeting

CONNECTED THINKING

Better enforcement outcomes through sharing methodologies and expertise in connected privacy networks

18 October 2016

Global Privacy Enforcement Network


Agenda

1. Welcome / Agenda
2. Sweep Discussion
3. GPEN Initiatives
4. Open Working Session
5. Case Studies


GPEN Meeting 2016 and Beyond – A New Era in Global Enforcement Cooperation Amsterdam, 27 October 2015

GPEN SWEEP

2016 Sweep highlights

2017 Sweep topic

GPEN Side meeting, 2016 International Conference


Internet of Things


2016 Sweep in figures


25 authorities took part.

314 devices/companies looked at.

59% failed to explain to users how their personal information was collected, used and disclosed.

68% failed to inform users how personal information is stored.

38% failed to provide privacy-related contact details.

72% failed to explain how a user could delete their data.


Outcomes and feedback


2017 Sweep


[email protected]@ico.org.uk


GPEN Initiatives

GPEN Alert

A secure Internet-based platform that allows GPEN members to:

• alert other members about investigations

• find out whether other members are investigating the same company or practice

The ability to quickly determine who is doing what will facilitate international cooperation between privacy enforcement authorities.


GPEN Initiatives

Draft images / not actual data


GPEN Initiatives

GPEN Alert Joint Oversight Panel

Established by MOU

Guilherme Roschke: FTC

Sarah Adams-Linton: New Zealand Office of the Privacy Commissioner

Udo Oelen: Dutch Data Protection Authority

Performs operational duties of running GPEN Alert

Reviews applications / status of participants

Recommends other functions for GPEN Alert


GPEN Initiatives

GPEN Alert Next Steps:

More agencies join MOU / sign certification.

Onboard individual users.

Share experiences / Best Practices


GPEN Initiatives

Enforcement Survey / Cooperation Authority reference


GPEN Initiatives

About the Enforcement Survey - I

The GPEN Committee will use your answers to the survey to publish a report about DPAs' enforcement powers.

The purpose of the survey is to provide easily accessible, comprehensive information about the enforcement frameworks of other privacy authorities in our global network.

The information is intended to assist DPAs in their mission to strengthen cross-border privacy protection.


GPEN Initiatives

About the Enforcement Survey - II

– The information could inform business cases for staffing or even legislative reviews.

– The information could assist member authorities to identify partner authorities in a case.

– The report will be available for download on the GPEN website.


GPEN Initiatives

About the Enforcement Survey - III

The GPEN Committee may use the information for other activities, such as:

• country pages

• presentations

• PR about the survey

• cooperation with other networks

unless your authority objects to this.


GPEN Initiatives

About the Enforcement Survey - IV

• Authorities that answered the Article 29 Working Party Questionnaire (Typology of Authorities’ powers) in 2015 may copy/paste their answers where appropriate (EU –Q ….).

• If more than one authority from your jurisdiction is a GPEN member, please coordinate the responses with the relevant authorities.


GPEN Initiatives

Time frame for the survey

• The survey has been launched (early Oct)

• All members should have received it already

• Please send your answers by December 31st

• The report will be finalized by the end of February 2017


GPEN Initiatives

• 2017 Enforcement Practitioners Workshop

• Investigators and case handlers will

• Learn investigative skills and strategies from experienced colleagues and recognized experts

• Develop operational-level relationships with future partners

(not another “Enforcement Cooperation Meeting” - enforcement cooperation in practice)

• By learning from each other, we can achieve greater privacy-positive outcomes more efficiently

• This is a proven model that has worked in other sectors, like consumer protection


GPEN Initiatives

2017 Enforcement Practitioners Workshop

• Once a year or every two years

• First event: Workshop alongside the European Case Handling Workshop in Oct 2017 - similar approach envisaged for future elsewhere

• Focus: learning about each other's current casework challenges – GDPR, other regional approaches

• 2017 Host


GPEN Initiatives

• Network of Networks (UK/OPC)

• Aims

• Improved international enforcement cooperation through enhanced dialogue and collaboration between networks of authorities that enforce privacy and other relevant laws

• Five Network Partners

• Common Thread, APPA, ICDPPC, UCENET (LAP), ICPEN

• Achievements to date – e.g.

• Presentations at ICPEN Annual Conference,

• Sharing Sweep Experience with UCENet

• Regular ICDPPC posts on the GPEN website


GPEN Initiatives

• Network of Networks (UK/OPC)

• Next steps

– Imminent call with all partners (November)

– Potential work on enforcement database/platform

– Documentation of projects with each partner

– Call for additional partner networks to join


Working Session

• Enforcement Practitioners’ Workshop

• Leveraging Survey Results (Enhanced Authorities Page)

• Other suggestions?


Ashley Madison

Investigation

Presented to GPEN Side Meeting

October 18, 2016

Brent Homan, Director General, PIPEDA Investigations, OPC


THE BREACH


Security Safeguards

Coherent and adequate information security governance framework:

• Risk management - regular and documented assessment

• Security policies - documented policies and practices

• Training and implementation – to give effect to security policies and practices


Related Issues

• Over-retention of personal information

• Lack of transparency with users


QUESTIONS?


Thanks! GPEN Committee

• Sharon Azarya: Israeli Law, Information and Technology Authority (ILITA)

• Michael Maguire: Office of the Privacy Commissioner of Canada

• Hannah McCausland: UK Information Commissioner's Office

• Aki Cheung: Hong Kong Office of the Privacy Commissioner for Personal Data

• Guilherme Roschke: U.S. Federal Trade Commission