The Office of the Privacy Commissioner hosted this workshop on 17 and 18 July to mark the 3rd anniversary of APEC’s Cross-border Privacy Enforcement Arrangement.
Listed below is the programme outline with links to speakers' presentations where available.
Keynote address: Strategic enforcement
Panel 1: Regulatory and enforcement approaches
Panel 2: Emerging business processes and what they mean for effective enforcement
Presentation: The human factor in compliance and enforcement
Presentation: The objectives of enforcement cooperation
Panel 3: Enforcement cooperation
Panel 4: The enforcement toolbox - Part 1: The spectrum of enforcement tools - persuasive to punitive
Keynote address: European experiences in enforcement cooperation
Panel 5: APEC Cross Border Privacy Rules System: How does CBPR enforcement work for consumers, businesses and privacy enforcement authorities?
Panel 6: Breach notification
Panel 7: The enforcement toolbox - Part 2: The value of publicity - cooperation, reporting and knowledge sharing
Panel 8: Organisational accountability in privacy compliance
Workshop Completion Report
A presentation by Edith Ramirez (USA) on the US Federal Trade Commission’s priorities in global enforcement.
This panel explored the objectives of privacy enforcement and how regulatory powers may effectively be used to achieve those objectives.
Moderator: Malcolm Crompton (Australia) was joined by panellists Robert Gellman (USA) and Amos Tan (Singapore).
The session included a pre-recorded video presentation by Rosemary Jay (UK) and Richard Thomas (UK) on “Being selective to be effective”.
This panel focused upon emerging business processes such as ‘Big data’, global research, distributed responsibility (mobile, public cloud) and observational businesses and explored the implications for enforcement. The session grappled with the challenges of how to protect privacy without stifling innovation. It looked at how privacy enforcement authorities may need to adapt to the new risks in an all-networked world – for instance by evolving their staff skill sets or sharing resources or specialist expertise. The role of corporate responsibility as an aid to enforcement was highlighted.
Moderator: Marty Abrams (USA) was joined by panellists Peter Cullen (USA), Martin Cocker (NZ), Elizabeth Denham (Canada) and Hilary Wandall (USA).
Daimhin Warner (NZ) introduced the speaker, Kathleen Callaghan (NZ), who explained ‘human factors’, presented the ‘Swiss Cheese’ model and explored the use of incentives and punishments.
David Wright (UK) explained why global privacy enforcement cooperation is important and introduced the multi-year PHAEDRA Project (Improving Practical and Helpful Cooperation between Data Protection Authorities).
This session explored the past, present and future of enforcement cooperation. The panel asked: "Where do we start with enforcement cooperation? Where are we going? What’s stopping us getting there?" It touched upon foundation guidance such as the OECD Enforcement Cooperation Recommendation and APEC’s Cooperation Arrangement for Privacy Enforcement (CPEA) and practical networks and tools such as GPEN and the joint APEC-OECD-Council of Europe Enforcement Contact Directory. It also touched upon experience within economies and across regions and highlighted barriers encountered and being overcome. Current initiatives in advancing coordination were featured.
The panel (continued at panel 7) offered a varied selection of enforcement topics from across the region. Short presentations, many from those “at the coalface” of privacy enforcement, offered insights into the various enforcement “tools” in the hands of authorities and offered lessons for participants to take home.
Moderator: Jacob Kohnstamm (Netherlands) was joined by five presenters:
Presenter: Jacob Kohnstamm (Netherlands).
This session explained and explored the CBPR system, the role of accountability agents and how they interface with privacy enforcement authorities. The session also looked at the system from the perspective of what might be experienced by consumers faced with an enforcement issue.
The session offered both company and enforcement authority perspectives on breach notification. With many economies implementing or contemplating breach notification, the session paid special attention to the opportunities at both company and authority level to make the process work effectively for the benefit of consumers and other stakeholders. The issue of cross-border notification was also explored.
Moderator: Colin Minihan (Australia) was joined by panellists Malcolm Crompton (Australia), Scott Taylor (USA), Olga Ganopolsky (Australia) and Blair Stewart (NZ). See also Blair's paper on Cross-border breach notification.
This panel continued the presentations on selected enforcement topics begun in panel 4. The session offered insights into the various enforcement “tools” available to authorities.
Moderator: María Elena Pérez-Jaén Zermeño (Mexico) was joined by four presenters:
The panel explored the usefulness of privacy compliance programmes as part of a system of enforcement. Presentations touched upon the multi-year “Accountability Project”, risk assessment including the recent development of a privacy risk assessment framework and the experiences of a privacy enforcement authority in encouraging comprehensive privacy management programmes.
For both days, Marie Shroff (NZ) made opening remarks and David Wright (UK) was rapporteur.
The workshop advanced cross-border enforcement cooperation in the APEC region through information and experience sharing and capacity building amongst privacy enforcement authorities and other entities having relevant roles. The workshop also marked the third anniversary of the commencement of the APEC Cross-border Privacy Enforcement Arrangement (CPEA), shared enforcement experiences and contributed to establishing effective enforcement arrangements for the APEC Cross Border Privacy Rules system. View the Report.