Big year for Global Privacy Enforcement Network: GPEN releases 2014 annual report

Media release from the GPEN Committee: 1 April 2015

The Global Privacy Enforcement Network (GPEN) released its annual report for 2014 today highlighting an increased size and level of participation, and in particular:

  • Substantial enhancements to the online cooperation platform.
  • 15 additional authorities joined the network in 2014 including new members from Africa, Asia and Latin America.
  • 18 teleconferences were held in the Atlantic and Pacific regions connecting authorities to share experience and build expertise.
  • A major cooperative sweep of online mobile apps examined the privacy practices of over 1200 apps.

The annual report is set out below.

Reflections on GPEN’s year

GPEN’s governance body, the GPEN Committee, comprises the authorities from Canada, Israel, New Zealand, the UK and the USA. Reflecting upon GPEN achievements for 2014 the heads of each authority commented:

“GPEN has become a critically important platform for dialogue and collaboration that is advancing the privacy rights of people around the globe.  The GPEN Privacy Sweep has proven to be a highly effective tool for bringing enforcement authorities together to address emerging privacy threats allowing us to achieve more than we could acting individually.”

  • Daniel Therrien, Privacy Commissioner of Canada

“The global nature of the digital economy and the rapid technological developments raise data protection challenges that require global enforcement partnerships. The GPEN network was established to foster cross-border co-operation among privacy authorities.   I am proud to say that initiatives like the teleconferences, the sweep and the workshops, contribute to strengthening privacy and data protection, and I am sure that in the future the network will grow.”

  • Alon Bachar, Head of Israeli Law, Information and Technology Authority (ILITA)

“As a small authority, geographically isolated, New Zealand especially values the connections created by GPEN. In 2014 our frontline enforcement staff found real benefit in the monthly GPEN Pacific teleconferences. Similarly, the online cooperation platform and sweep seamlessly linked us into global enforcement efforts.”

  • John Edwards, New Zealand Privacy Commissioner

“In the digital world, it may truly be said that no man is an island. All of us will have personal information stored across the globe. This may be through an online transaction, the use of cloud computing, or signing up for a service delivered by a large multi-national company. This is why it is so important that global regulators work in partnership through the Global Privacy Enforcement Network (GPEN). The GPEN Annual Report provides an important snapshot of our collective enforcement work over the past year.”

  • Christopher Graham, Information Commissioner, United Kingdom

“I was pleased to participate in the GPEN workshop in Mauritius last year.  I am proud to see, as this report shows, GPEN’s continued growth and development of new initiatives.  GPEN’s practical focus on establishing and improving mechanisms for enforcement cooperation around the globe is vital to protecting consumers in our interconnected world.”

  • Chairwoman Edith Ramirez of the US Federal Trade Commission, USA

 

Background (annual report follows below)

GPEN connects privacy enforcement authorities from around the world to promote and support cooperation in cross-border enforcement of laws protecting privacy. It has more than 50 members from over 40 countries.  More details about the network available at https://www.privacyenforcement.net/about_the_network

Enquiries concerning this media release should be directed to GPEN Committee member, Sharon Azarya,  SharonAz[at]justice.gov.il

Annual report (shortened and edited in places for posting with media release, full PDF copies may be requested from GPEN Committee):

 

2014 Global Privacy Enforcement Network (GPEN)

Annual Report

March 2015

 

2014: A Year of Progress for GPEN

The GPEN Committee has decided, for the first time, to issue an annual report. The Committee decided to do this to promote a better understanding of the network and to explain the Committee’s work.

The year has proved to be a significant one with the network. GPEN has embarked upon new cooperation initiatives and consolidated and improved existing ones. Participation rates continue to grow.

A few highlights:

  • A major cooperative sweep of mobile apps examined the privacy practices of over 1200 apps and involved 26 authorities.
  • 15 additional authorities joined the network including new members from Africa, Asia and Latin America.
  •  18 teleconferences held in the Atlantic and Pacific regions to connect authorities and to build and share expertise.
  • Substantial enhancements to the online cooperation platform.

The GPEN Committee looks forward to building on these firm foundations in 2015.

Blair Stewart
Assistant Commissioner (Auckland), Office of the Privacy Commissioner, New Zealand

Michael Maguire
Senior Advisor,Office of the Privacy Commissioner of Canada

Guilherme Roschke
Counsel for International Consumer Protection, Office of International Affairs, U.S. Federal Trade Commission

Sharon Azarya
Israeli Law, Information and Technology Authority (ILITA)

Hannah McCausland
Senior Policy Officer (International), Information Commissioner's Office , United Kingdom

 

About the Global Privacy Enforcement Network (GPEN)

In 2007, OECD adopted a recommendation on Cross-border Cooperation in the Enforcement of Laws Protecting Privacy. The recommendation called for member countries to foster the establishment of an informal network of Privacy Enforcement Authorities.

The Global Privacy Enforcement Network was established in 2010 by 13 privacy enforcement authorities. The informal network has grown by the end of 2014 to comprise 53 privacy enforcement authorities in 39 jurisdictions around the world. GPEN's aim is to foster cross-border cooperation among privacy authorities in an increasingly global market in which commerce and consumer activity relies on the seamless flow of personal information across borders. Its members seek to work together to strengthen personal privacy protections in this global context.

GPEN connects privacy enforcement authorities from around the world to promote and support cooperation in cross-border enforcement of laws protecting privacy.

It primarily seeks to promote cooperation by: exchanging information about relevant issues, trends and experiences; encouraging training opportunities and sharing of enforcement know-how, expertise and good practice; promoting dialogue with organizations having a role in privacy enforcement; creating, maintaining and supporting processes or mechanisms useful to bilateral or multilateral cooperation; and undertaking or supporting specific activities as outlined below.

GPEN is an inclusive cooperation network, open to any public privacy enforcement authority that: (1) is responsible for enforcing laws or regulations the enforcement of which has the effect of protecting personal data; and (2) has powers to conduct investigations or pursue enforcement proceedings.

The GPEN Committee comprises 5 members from the Office of the Privacy Commissioner Canada, the Israeli Law, Information and Technology Authority, Office of the Privacy Commissioner New Zealand, Information Commissioner’s Office United Kingdom and Federal Trade Commission United States. The committee provides leadership for the network and performs various tasks.

GPEN 2014 activities

 

GPEN has increased in size and level of participation

2014 has seen a significant increase in the number of GPEN members. The number of member authorities has increased from 38 to 53. These authorities are based in 39 economies, up from 27 economies in 2013.

The number of authorities participating in the Sweep has increased from 19 in the year 2013 to 26 in 2014. There has also been an increase in the number of GPEN user accounts (from 165 to 197), and an increase of 25% in the number of discussion items in GPEN Website.

Fostering Enforcement Cooperation Discussion and Awareness

One of GPEN’s key objectives is to create opportunities for dialogue and sharing of information between privacy enforcement authorities with a view to fostering increased cooperation. In 2014, GPEN sought to achieve this objective by providing increased opportunities for member authorities to share information and ideas online, via teleconference and in person.

  GPEN Website: Consolidated List of Enforcement Contacts

GPEN added a “one-stop” list of enforcement contacts for APEC, Council of Europe and the OECD, with facility for addition of enforcement contacts from other networks in future.

GPEN Website: Gateway to International Privacy Law Library Search

The “International Privacy Law Library” (IPLL) is an online repository of thousands of privacy authority case reports and other privacy law material.  The IPLL is operated by the Australasian Legal Information Institute (AustLII) on behalf of a network of cooperating legal information institutes under the brand of World Legal Information Institute. A recent grant has enabled AustLII to significantly expand the IPLL in 2014. A gateway was added to the GPEN website to allow GPEN users to directly search thousands of reports of privacy enforcement and litigation cases hosted on the PLL.

Enhancing Committee communications

The GPEN Committee took a number of steps to improve communications with stakeholders about its various activities. For example, for the information of members, the committee began posting minutes of Committee meetings directly to the website. For the information of a wider group of stakeholders, the Committee adopted a process of issuing occasional press releases. The first such press release, reported on the GPEN workshop in Mauritius, in November 2014. An "RSS feed" was added to the website to enable interested parties to subscribe to receive GPEN Committee news releases..

GPEN Pacific and Atlantic Teleconferences

One of GPEN's most successful activities is periodic conference calls and meetings to discuss enforcement issues, trends, and experiences with its members. There are usually 2 monthly conference calls, though open to all, one series is scheduled for the Pacific group of members and one for the Atlantic group, to allow all members to participate in at least one call during office hours.

In 2014 GPEN held 8 Atlantic teleconferences and 10 Pacific teleconferences, with average participants of 25. The discussions included the following topics:

  1. IAPP and its utility for enforcement authorities in the Pacific regions;
  2. Policies and procedures for dealing with stolen and lost data;
  3. Enforcement related education;
  4. Secondment opportunities for privacy enforcement staff
  5. The "London Action Plan"  (International Network for Cybersecurity Enforcement);
  6. Responding to data breaches;
  7. The use of technologists in enforcement agencies, the intersection between privacy and big data;
  8. The "right to be forgotten";
  9. Art 29 Working Party Opinion on Anonymisation Techniques;
  10. Audit assessment best practices;
  11. Using the WorldLii International Privacy Law Library;
  12. The role of education in the enforcement toolkit;
  13. Contests for privacy protection;
  14. Executing a joint investigation into the practices of a global business;
  15. Early resolution and other complaint handling strategies;
  16. Biometrics as an emerging regulatory issue;
  17. Alternative enforcement mechanisms.
  GPEN's Workshop on Enforcement Related Publicity

GPEN held a workshop on the use of publicity as a regulatory compliance technique in Mauritius on 12 October 2014, during the 36th International Conference of Data Protection and Privacy Commissioners. The workshop was attended by 44 commissioners and staff from 21 privacy enforcement authorities from around the world. The workshop heard of the diverse approaches taken to enforcement publicity from presenters from 8 jurisdictions. Participants also received a presentation of the latest research on the effectiveness of monetary penalties in the enforcement of data protection laws. The event was followed by a GPEN-arranged public demonstration of the International Privacy Law Library, the largest freely accessible and searchable database of privacy law material in the world.

GPEN at the International Enforcement Coordination Annual Event

GPEN participated in the UK ICO’s 2014 International Enforcement Coordination Annual Event, held in April. The first day’s meetings included a successful GPEN member authority meeting with attendance by 25 participants from 20 privacy enforcement authorities from around the world. Members were updated on progress with the GPEN Secure Alert Tool from the FTC and on the evolving functionality of the GPEN website, getting authorities to think more deeply about what kinds of cooperation they might be willing to explore.

GPEN Alert

GPEN members made significant developments towards launching the GPEN Alert information sharing system.  GPEN Alert is intended to be a secure Internet-based platform that will allow GPEN members to alert other members about investigations and find out whether other members are investigating the same company or practice. GPEN members from British Columbia, Canada, the United Kingdom, Norway, Australia, Ireland and New Zealand pledged significant financial support to the development of the system.  GPEN members participated in several exchanges of proposed documentation, culminating in a “near final” version of the GPEN Alert documents being distributed in November of 2014.

Specific enforcement cooperation: GPEN "mobile apps" Sweep

"The Sweep" is a GPEN initiative whereby privacy enforcement authorities work together for a week, once every year, to protect the privacy rights of individuals around the world. The 2014 sweep, which took place on May 12 to 18, involved 26 privacy enforcement authorities from around the world, up from 19 international participants during last year’s inaugural event. The growth of this year’s Sweep shows privacy enforcement authorities are more committed than ever to working together to promote privacy protection. 

The GPEN initiative is aimed at encouraging organizations to comply with privacy legislation and to enhance co-operation between privacy enforcement authorities. Concerns identified during the Sweep will result in follow-up work such as outreach to organizations, deeper analysis of privacy provisions and/or enforcement action.

The theme of the 2014 Sweep was mobile privacy. In total, 1,211 apps were examined.

Participants looked at the types of permissions apps were seeking, whether those permissions exceeded what would be expected based on the apps’ functionality, and most importantly, how the apps explained to consumers why they wanted the personal information and what they planned to do with it.

One key conclusion from the 2014 Sweep was that as mobile apps explode in popularity, many of them are seeking access to large amounts of personal information without adequately explaining how that information is being used. More specifically, Sweep participants noted that three quarters of apps requested permission to access users' personal information; almost 60% offered insufficient pre-installation communications; 43% of privacy communications were difficult to read on the small screen; and over 30% of apps left sweepers wondering why the app required certain permissions.

Specific enforcement cooperation: Joint Open Letter to App Marketplace Following the Sweep

Following the sweep, 23 authorities signed a joint letter that was sent to seven major app marketplaces.

The signing authorities stated that they believe that an app marketplace operator should, acting as a responsible corporate citizen, make the basic commitment to require each app that can access or collect personal information, to provide users with timely access to the app’s privacy policy by including a link to its privacy policy in the app’s marketplace listing. The privacy authorities expressed their expectation that a marketplace operator would put in practice, if it had not already, this advice, and implement the necessary protections, to ensure the privacy practice transparency of apps offered in their stores.

 

2015 Work Plan Highlights

In 2015, GPEN intends to

  1. Further grow its membership and member engagement by continuing to improve its suite of available tools and enforcement cooperation opportunities;
  2. Conduct its third annual enforcement sweep;
  3. Finalize the secure online enforcement coordination tool and information sharing system;
  4. Subject to feasibility testing, initiate new cooperation tools to facilitating capacity building opportunities (secondments, training exchange,  employment exchange), knowledge dissemination (podcasts, enforcement questionnaire, special interest groups);
  5. Enhance links with like-minded enforcement groupings (e.g. APEC CPEA) through a ‘Network of Networks’ initiative.