Our website uses cookies to give you the best experience and for us to analyse our site usage. If you continue to use our site, we will take it you are OK about this. Click on More for information about the cookies on our site and what you can do to opt out.

We respect your Do Not Track preference.

Further resources

The Office of the Privacy Commissioner hosted this workshop on 17 and 18 July to mark the 3rd anniversary of APEC’s Cross-border Privacy Enforcement Arrangement. 

Listed below is the programme outline with links to speakers' presentations where available.

Keynote address:  Strategic enforcement
Panel 1:  Regulatory and enforcement approaches 
Panel 2:  Emerging business processes and what they mean for effective enforcement 
Presentation:  The human factor in compliance and enforcement
Presentation:  The objectives of enforcement cooperation   
Panel 3:  Enforcement cooperation  
Panel 4:  The enforcement toolbox - Part 1: The spectrum of enforcement tools - persuasive to punitive   
Keynote address:  European experiences in enforcement cooperation  
Panel 5:  APEC Cross Border Privacy Rules System: How does CBPR enforcement work for consumers, businesses and privacy enforcement authorities?   
Panel 6:  Breach notification  
Panel 7:  The enforcement toolbox - Part 2: The value of publicity - cooperation, reporting and knowledge sharing   
Panel 8:  Organisational accountability in privacy compliance
Workshop Completion Report

Day One

Keynote: Strategic enforcement

A presentation by Edith Ramirez (USA) on the US Federal Trade Commission’s priorities in global enforcement. 

Panel 1: Regulatory and enforcement approaches 

This panel explored the objectives of privacy enforcement and how regulatory powers may effectively be used to achieve those objectives.

Moderator: Malcolm Crompton (Australia) was joined by panellists Robert Gellman (USA) and Amos Tan (Singapore).

The session included a pre-recorded video presentation by Rosemary Jay (UK) and Richard Thomas (UK) on “Being selective to be effective”.

Panel 2: Emerging business processes and what they mean for effective enforcement

This panel focused upon emerging business processes such as ‘Big data’, global research, distributed responsibility (mobile, public cloud) and observational businesses and explored the implications for enforcement. The session grappled with the challenges of how to protect privacy without stifling innovation. It looked at how privacy enforcement authorities may need to adapt to the new risks in an all-networked world – for instance by evolving their staff skill sets or sharing resources or specialist expertise. The role of corporate responsibility as an aid to enforcement was highlighted. 

Moderator Marty Abrams (USA) was joined by panellists Peter Cullen (USA), Martin Cocker (NZ), Elizabeth Denham (Canada) and Hilary Wandall (USA).

The human factor in compliance and enforcement

Daimhin Warner (NZ) introduced the speaker, Kathleen Callaghan (NZ) who explained that ‘human factors’ present the ‘Swiss Cheese’ model and explore the use of incentives and punishments.

The objectives of enforcement cooperation

David Wright (UK) explained why global privacy enforcement cooperation is important and introduced the multi-year PHAEDRA Project (Improving Practical and Helpful Cooperation between Data Protection Authorities).

Panel 3: Enforcement cooperation 

This session explored the past, present and future of enforcement cooperation. The panel asked: "Where do we start with enforcement cooperation? Where are we going? What’s stopping us getting there? It touched upon foundation guidance such as the OECD Enforcement Cooperation Recommendation and APEC’s Cooperation Arrangement for Privacy Enforcement (CPEA) and practical networks and tools such as GPEN and the joint APEC-OECD-Council of Europe Enforcement Contact Directory. It also touched upon experience within economies and across regions and highlighted barriers encountered and being overcome. Current initiatives in advancing coordination were featured. 

Moderator: Jennifer Stoddart (Canada) was joined by panellists Blair Stewart (NZ), David Wright (UK) and Edith Ramirez (USA).

Panel 4:  The enforcement toolbox – Part 1: The spectrum of enforcement tools - persuasive to punitive

The panel (continued at panel 7) offered a varied selection of enforcement topics from across the region. Short presentations, many from those “at the coalface” of privacy enforcement,  offered insights into the various enforcement “tools” in the hands of authorities and offered lessons for participants to take home.

Moderator: Jacob Kohnstamm (Netherlands) was joined by five presenters:

  • Hugh Stevenson (USA): Warning letters and related approaches
  • Anthony Bendall (Victoria): The use of compliance notices
  • José Alejandro Bermúdez Durana (Colombia): Better allocation of enforcement resources
  • Katrine Evans (NZ): Exercising discretion in public interest litigation
  • Robert Gellman (USA): Privacy class actions.


Day Two 

Keynote: European experiences in enforcement cooperation

Presenter: Jacob Kohnstamm (Netherlands).

Panel 5: APEC Cross Border Privacy Rules System: How does CBPR enforcement work for consumers, businesses and privacy enforcement authorities?

This session explained and explored the CBPR system, the role of accountability agents and how they interface with privacy enforcement authorities. The session also looked at the system from the perspective of what might be experienced by consumers faced with an enforcement issue. 

Moderator: Josh Harris (USA) was joined by panellists Hugh Stevenson (USA), Nigel Waters (Australia) and J J Pan (Chinese Taipei). 

Panel 6: Breach notification

The session offered both company and enforcement authority perspectives on breach notification.  With many economies implementing or contemplating breach notification the session paid special attention to the opportunities at both company and authority level to make the process work effectively for the benefit of consumers and other stakeholders. The issue of cross-border notification was also explored.

Moderator: Colin Minihan (Australia) was joined by panellists Malcolm Crompton (Australia), Scott Taylor (USA), Olga Ganopolsky (Australia) and Blair Stewart (NZ).  See also Blair's paper on Cross-border breach notification.

Panel 7: The enforcement toolbox – Part 2: The value of publicity - cooperation, reporting and knowledge sharing

This panel continued the presentations on selected enforcement topics begun in panel 4. The session offered insights into the various enforcement “tools” available to authorities. 

Moderator: María Elena Pérez-Jaén Zermeño (Mexico) was joined by four presenters:

  • Timothy Pilgrim (Australia):  Own motion investigations and media reporting
  • Allan Chiang (HK): Maximising deterrent effect: Using publicity for enforcement
  • Mike Flahive (NZ): Experience sharing and cooperation with domestic enforcement bodies
  • Nigel Waters (Australia): Privacy case reporting.


Panel 8: Organisational accountability in privacy compliance 

The panel explored the usefulness of privacy compliance programmes as part of a system of enforcement. Presentations touched upon the multi-year “Accountability Project”, risk assessment including the recent development of a privacy risk assessment framework and the experiences of a privacy enforcement authority in encouraging comprehensive privacy management programmes. 

Moderator: Gehan Gunasekara (NZ) was joined by panellists Marty Abrams (USA) and Elizabeth Denham (Canada).

For both days, Marie Shroff (NZ) made opening remarks and David Wright (UK) was rapporteur.

Workshop Completion Report

The workshop advanced cross-border enforcement cooperation in the APEC region through information and experience sharing and capacity building amongst privacy enforcement authorities and other entities having relevant roles. The workshop also marked the third anniversary of the commencement of the APEC Cross-border Privacy Enforcement Arrangement (CPEA) and shared enforcement experiences and contributed to establishing effective enforcement arrangements for APEC Cross Border Privacy Rules system.  View the Report.