GPEN Action Plan (adopted 15 June 2012; Part E amended 22 January 2013)
Modern commerce and consumer activity increasingly relies on the seamless flow of personal information across borders. These global data flows occur across jurisdictions having a wide diversity of privacy laws and enforcement arrangements. The Global Privacy Enforcement Network (GPEN) was created to strengthen personal privacy protections in this global context by assisting public authorities with responsibilities for enforcing domestic privacy laws strengthen their capacities for cross-border cooperation.
In recent years, international groups such as the Asia Pacific Economic Cooperation (APEC), the International Conference of Data Protection and Privacy Commissioners, the EU Article 29 Working Party, and the Organization for Economic Co-operation and Development (OECD), have begun to address the need for cross-border enforcement cooperation in the privacy area.
In particular, in 2007, the OECD Council adopted a Recommendation on Cross-border Cooperation in the Enforcement of Laws Protecting Privacy (the “Recommendation”). The Recommendation provided that “[m]ember countries should foster the establishment of an informal network of Privacy Enforcement Authorities and other appropriate stakeholders to discuss the practical aspects of privacy law enforcement co-operation, share best practices in addressing cross-border challenges, work to develop shared enforcement priorities, and support joint enforcement initiatives and awareness raising campaigns.” It also provided that privacy enforcement authorities “should co-operate with each other, consistent with the provisions of this Recommendation and national law, to address cross-border aspects arising out of the enforcement of Laws Protecting Privacy.”
Building upon the Recommendation, eleven privacy enforcement authorities joined together to establish GPEN in March 2010 and to adopt an action plan. Joined by an additional sixteen authorities, the 27 participating authorities listed below reaffirm their commitment to global cooperation and subscribe to this revised action plan:
A. Statement of Mission:
GPEN connects privacy enforcement authorities from around the world to promote and support cooperation in cross-border enforcement of laws protecting privacy.
It primarily seeks to promote cooperation by:
- exchanging information about relevant issues, trends and experiences;
- encouraging training opportunities and sharing of enforcement know-how, expertise and good practice;
- promoting dialogue with organizations having a role in privacy enforcement;
- creating, maintaining and supporting processes or mechanisms useful to bilateral or multilateral cooperation; and
- undertaking or supporting specific activities as outlined below.
GPEN seeks to be an inclusive cooperation network, open to any public privacy enforcement authority that: (1) is responsible for enforcing laws or regulations the enforcement of which has the effect of protecting personal data; and (2) has powers to conduct investigations or pursue enforcement proceedings.
Privacy enforcement authorities that wish to participate are expected to apply to the existing Participants through the GPEN Committee and endorse this Action Plan.
More than one privacy enforcement authority from a single country, economy, or jurisdiction may participate in GPEN.
Participants should designate a point of contact within their authority to facilitate GPEN-related communications and enforcement cooperation dialogue.
C. Specific Activities:
Activities identified as supporting GPEN’s mission include but are not necessarily limited to:
- Periodic conference calls and meetings to discuss enforcement issues, trends, and experiences.
- Presentations on effective investigative techniques and enforcement strategies and about various privacy enforcement regimes.
- Exploration of similarities and differences in procedural, substantive and evidentiary rules to address challenges to cooperation.
- Facilitation of coordination of investigations involving multiple authorities.
- Cooperation with other organizations or networks involved with related activities.
- Supporting cross-jurisdictional educational projects addressing privacy and data security-related issues for business or consumers.
- Posting relevant content to the GPEN website.
- Maintaining, in cooperation with international organizations, an authoritative contact point directory for enforcement purposes for countries around the world.
- Training sessions on privacy and data security-related matters with non-governmental advisors, such as representatives from industry, academia, international organizations and professional associations.
- Secondments and office visits between participating authorities.
Such activities may be arranged depending upon the priorities and interests of participating authorities. Activities may sometimes be arranged in conjunction with other networks or non-participants. The list is not exhaustive and GPEN may undertake additional activities that support its mission.
Participation in particular activities is not a mandatory part of GPEN participation but is up to individual participants as appropriate and subject to each participant’s jurisdiction, interest and available time and resources.
Participants may also seek opportunities for providing assistance to one another on a bilateral basis, in appropriate privacy investigations and enforcement matters, prioritizing cases for cooperation that are the most serious in nature.
D. Principles of Cooperation:
This Action Plan does not create any new legally binding obligations by or amongst the Participants.
Cooperation pursuant to this Action Plan remains subject to the domestic laws and international obligations applicable to Participants. Nothing in this Action Plan obliges Participants to provide confidential or sensitive information or cooperate in particular cases. This Action Plan does not create a legally binding mechanism for Participants to exchange information about specific investigations and cases. Such cooperation remains subject to the applicable laws in the jurisdictions involved.
While this Action Plan sets out concrete steps to further international privacy enforcement cooperation, it is intended to be flexible and expected to be refined or changed by consensus amongst the Participants, as new issues arise.
Consistent with the objectives and scope of the Recommendation, the Participants intend this network to focus primarily on facilitating cooperation in the enforcement of privacy laws governing the private sector, while also recognizing that Participants may wish to cooperate on matters involving the processing of personal data in the public sector. This network is not intended to interfere with governmental activities related to national sovereignty, criminal and civil law enforcement, national security, or public policy (“ordre public”).
Participation in this Action Plan does not preclude participation in any other cross-border privacy enforcement cooperation framework, agreement or arrangement, whether between GPEN Participants or between GPEN Participants and other organizations.
E. GPEN Committee
GPEN Participants intend periodically to designate a [four to five*] person Committee to perform the following tasks:
- Process applications from authorities wishing to participate in GPEN and make recommendations for membership to participating authorities.
- Activate user accounts for access to GPEN website.
- Edit public pages of the website.
- Facilitate arrangements for GPEN teleconferences and meetings.
- Liaise with OECD Secretariat over administration of website.
The GPEN Committee may perform other functions that support GPEN’s mission.
Wherever possible, the GPEN Committee should include members from different geographic regions of the world.
[*When a GPEN Internet Sweep is being organised, the designated Sweep Coordinator is to be a 5th member of the Committee.]
Note: The words in brackets, record a change adopted in January 2013, expanded the size of the GPEN Committee.
F. OECD Secretariat and Web Support:
In furtherance of the Recommendation, the OECD established a restricted-access website for use by privacy enforcement authorities. This website serves as a support platform for GPEN activities, enabling participating authorities to share information, materials, and documents relevant to GPEN’s mission. Non-public documents, and materials associated with specific bilateral cross-border investigations or enforcement matters, are not intended be shared or posted on this website, except pursuant to further agreement of the Participants.
The availability of OECD website support for GPEN activities is subject to oversight and approval by OECD members under its usual rules and procedures. This website can link to the websites of other privacy-related organizations and fora, such as the OECD’s Working Party on Information Security and Privacy (WPISP), International Conference of Data Protection and Privacy Commissioners and APEC.