Privacy authorities typically perform regulatory and enforcement functions on their own - or occasionally with another public body - within their domestic jurisdiction. They know the domestic law they enforce. The law will clearly lay out the authority’s role and provide a clear pathway to the intended outcomes.
By contrast, cross-border cases offer none of these certainties.
We were recently asked the question: “What international privacy enforcement cooperation initiatives are in operation and what practical tools are available to facilitate cooperation?”
There are several difficulties:
For the past 10 years, much effort has been expended at an international level to create conditions whereby the chances of successful cross-border cooperation amongst regulators are improved. Here are some of those efforts and examples of the practical tools that now exist.
Building the right environment
Before turning to precise enforcement cooperation tools, it may be helpful first to canvas cooperation more widely.
It is probably unrealistic to expect instant success in cross-border enforcement, if an authority remains entirely domestically focused until it encounters its first case with a cross-border element.
Where would such a domestically focused authority turn? How would they know who to approach for assistance in a foreign jurisdiction? What would they know of the other jurisdictions law and how would they find out? What would an authority in another jurisdiction think of a request for assistance arriving ‘out of the blue’ from an authority it had never heard of?
Three approaches to creating cooperation might briefly be mentioned:
1. Networking with peers
The likelihood of successful cooperation across borders may be enhanced if you know your counterpart before that first case arises.Privacy authorities have networked with their peers for four decades through the International Conference of Data Protection and Privacy Commissioners.
Privacy authorities also network at a regional level. In our region this happens through the Asia Pacific Privacy Authorities Forum. Our French and Spanish speaking counterparts also have networks of their fellow-linguistic colleagues.
There are also two specialised enforcement cooperation networks set up in 2010:
More information on these networks is available at the ICDPPC website.
2. Connecting with stakeholders
Regulators and privacy enforcement bodies should engage with stakeholders such as global business, privacy professionals and civil society to build an environment for successful cooperation. Efforts by groups such as IAPP and iappANZ to build compliance capacity are positive steps that create an environment for cooperation.
3. Access to law
While no regulator has the time or inclination to become an expert in every other economy’s law, there are clearly benefits in some general information sharing about laws and legal interpretations. There is also benefit in being able freely to access legal information in greater detail as needed. In the area of privacy law, many of the key interpretations are issued by regulators rather than in court decisions, and may not be available through mainstream law reports.
There have been various efforts to address these deficits in legal information. Three examples from our own region are:
Tools for cooperation
The following are a selection of the practical tools developed in the last 10 years to promote enforcement cooperation:
Updating existing laws
The OECD Recommendation on Cross-border Cooperation in the Enforcement of Laws Protecting Privacy (2007) provides a blueprint for upgrading privacy laws more effectively to deal with cross-border cooperation.
The OECD Recommendation on Cross-border Cooperation suggested a need for cooperation networks of privacy authorities. Several networks have accordingly been established since 2007:
Templates for cross-border assistance
Both the OECD and APEC have released Request for Assistance templates for seeking assistance from authorities in other member economies.
Directories of enforcement contacts
The OECD, APEC and Council of Europe have each established processes for nominating and listing national or economy contact points. These three international organisations have cooperated in maintaining a combined directory which is maintained for access by authorities through the GPEN website.
APEC has established a requirement for authorities that participate in the CPEA to publish standard statements of enforcement cooperation practices. This is published both on the authority’s own website and centrally on APEC’s system.
GPEN has a facility for general discussions amongst enforcement staff on its password-protected forum pages. It also hosts 20 discussion teleconferences each year. These are split into two regions - Pacific and Atlantic.
Information sharing agreements
GPEN has a standard information sharing agreements applicable to the GPEN Alerts System. ICDPPC’s Enforcement Cooperation Arrangement also features an optional template for an information sharing agreement.
Information exchange platforms
GPEN has established the secure GPEN Alerts System.
In the past 10 years, and particularly since the publication of the OECD’s 2007 Recommendation, considerable progress has been made in creating conditions conducive to cross-border cooperation and to provide privacy authorities with the tools they need.
Cross-border cooperation remains difficult and the greatest progress will probably only been made when all privacy laws are upgraded, as recommended by the OECD, with cross-border action in mind.
Image credit: Wagah border ceremony - Wikipedia