Action Plan for the Global Privacy Enforcement Network (GPEN)

GPEN Action Plan (adopted 15 June 2012; Part E amended 22 January 2013; amended December 2022 and October 2023)

Modern commerce and consumer activity increasingly rely on the seamless flow of personal information across borders.  These global data flows occur across jurisdictions having a wide diversity of privacy laws and enforcement arrangements. This diversity continues to grow as new jurisdictions pass privacy laws and create new enforcement agencies.  The Global Privacy Enforcement Network (GPEN) was created to strengthen personal privacy protections in this global context by assisting public authorities with responsibilities for enforcing domestic privacy laws to strengthen their capacities for cross-border cooperation.

Regional and international groups such as the Asia-Pacific Privacy Authorities Forum, the European Data Protection Board, the G7 Data Protection and Privacy Authorities, the Global Privacy Assembly, and the Organization for Economic Co-operation and Development (OECD), are addressing the need for cross-border enforcement cooperation in the privacy area. 

In particular, in 2007, the OECD Council adopted a Recommendation on Cross-border Cooperation in the Enforcement of Laws Protecting Privacy (the “Recommendation”).  The Recommendation provided that “[m]ember countries should foster the establishment of an informal network of Privacy Enforcement Authorities (PEAs) and other appropriate stakeholders to discuss the practical aspects of privacy law enforcement co-operation, share best practices in addressing cross-border challenges, work to develop shared enforcement priorities, and support joint enforcement initiatives and awareness raising campaigns.”  It also provided that PEAs “should co-operate with each other, consistent with the provisions of this Recommendation and national law, to address cross-border aspects arising out of the enforcement of Laws Protecting Privacy.”

Building upon the Recommendation, eleven PEAs joined together to establish GPEN in March 2010 and to adopt an action plan. GPEN membership has since expanded to over 70 authorities that reaffirm their commitment to global cooperation and subscribe to this revised action plan:

A.    Statement of Mission

GPEN connects PEAs from around the world to promote and support cooperation in cross-border enforcement of laws protecting privacy. It aims to enable its members to:

  1. exchange information about relevant issues, trends, and experiences;
  2. build capacity, and share enforcement know-how, expertise, and good practice;
  3. support and welcome new PEAs into GPEN;
  4. engage with organizations that have a role in privacy protection and enforcement;
  5. use processes and mechanisms that help facilitate bilateral or multilateral cooperation;
  6. cooperate with other regulators across the digital economy; and
  7. coordinate with other networks of PEAs and digital regulators.

The activities set out in Section C support GPEN in achieving its mission and aims in practice.

B.    Participation:

GPEN seeks to be an inclusive cooperation network, open to any public PEA that:  (1) is responsible for enforcing laws or regulations the enforcement of which has the effect of protecting personal data; and (2) has powers to conduct investigations or pursue enforcement proceedings. 

PEAs that wish to participate may apply to the existing Participants through the GPEN Committee and endorse this Action Plan. 

More than one PEA from a single country, economy, or jurisdiction may participate in GPEN. 

Participants should designate a point of contact within their authority to facilitate GPEN-related communications and enforcement cooperation dialogue, they should also designate an internal GPEN “champion” to better connect their staff to GPEN’s work.

C.    Activities:  

Activities supporting GPEN’s mission and aims include, but are not limited to:

  • Pacific and Atlantic video conferences for presentation and discussion of enforcement issues, trends, strategies, investigative techniques and experiences [supporting aims 1, 2, 4]
  • Coordinating Global Privacy Sweeps of industry practice and compliance on specific privacy issues [supporting aims 1, 2, 3, 5, 6, 7]
  • Practitioner workshops for operational investigative staff to share good practice and build capacity [supporting aim 2]
  • A Network of Networks initiative to support engagement and cooperation - including coordinated activity, and joint actions and events - with other networks of PEAs, and networks with similar or intersecting regulatory interests (e.g., International Consumer Protection Enforcement Network) [supporting aims 6, 7]
  • The GPEN website, which enables PEAs to post relevant content, seek support from other members, coordinate and progress bilateral and multilateral collaborative actions [supporting aims 1, 2, 3, 5]
  • Cross-jurisdictional educational and research projects that address privacy and data security-related issues for business, regulators and consumers [supporting aims 1, 4]
  • Maintaining, in cooperation with international organizations, an authoritative contact point directory for enforcement purposes for countries around the world [supporting aims 3, 5]
  • Secondments and office visits between participating authorities [supporting aims 2, 3]

The list is not exhaustive; GPEN may undertake additional activities that support its mission.

GPEN members are encouraged to engage and contribute to these activities for the mutual benefit of all, but participation in these is not mandatory. Members may choose to participate as appropriate and subject to their interest, capacity, and resources.

Participants may also seek opportunities for providing assistance to one another on a bilateral basis, in appropriate privacy investigations and enforcement matters, prioritizing cases for cooperation that are the most serious in nature.

D.    Principles of Cooperation:

This Action Plan does not create any new legally binding obligations by or amongst the Participants.

Cooperation pursuant to this Action Plan remains subject to the domestic laws and international restrictions and obligations applicable to Participants.  Nothing in this Action Plan obliges Participants to provide confidential or sensitive information or cooperate in particular cases.  This Action Plan does not create a legally binding or enforceable mechanism for Participants to exchange information about specific investigations and cases.  Such cooperation remains subject to the applicable laws in the jurisdictions involved, and any enabling cooperation instrument (e.g., MOUs, network arrangements, etc.).

While this Action Plan sets out concrete steps to further international privacy enforcement cooperation, it is intended to be flexible and can be refined or changed by consensus amongst the Participants, as new issues arise.

GPEN is focused on the practical aspects of privacy enforcement cooperation and Participants do not intend for GPEN to issue public opinions, position papers, or recommendations on privacy policy. However, GPEN may develop and share consensus views with other bodies on means to advance cross-border privacy enforcement cooperation. 

Consistent with the objectives and scope of the Recommendation, the Participants intend this network to focus primarily on facilitating cooperation in the enforcement of privacy laws governing the private sector, while also recognizing that Participants may wish to cooperate on matters involving shared privacy issues faced in the public sector.  This network is not intended to interfere with governmental activities related to national sovereignty, criminal and civil law enforcement, national security, or public policy (“ordre public”).

Participation in GPEN does not preclude participation in any other cross-border privacy enforcement cooperation network, framework, agreement or arrangement, whether between GPEN Participants or between GPEN Participants and other organizations. In fact, GPEN promotes and encourages such participation, and coordinates its activities and events with other networks.

E.    GPEN Committee

Every five years, GPEN Participants intend to designate a six to eight person Committee to perform the following tasks:

  • Process applications from authorities wishing to participate in GPEN and make recommendations for membership to participating authorities.
  • Activate user accounts for access to GPEN website.
  • Edit public pages of the website.
  • Publish an annual plan and annual report of activities.
  • Help facilitate the activities in Section C.

There is no limit to how many times a person may be designated to the GPEN Committee, but the Committee aims to be culturally and linguistically diverse, with members from different geographic regions of the world.

The GPEN Committee may perform other functions that support GPEN’s mission.

As per the Principles of Cooperation, the GPEN Committee does not issue public opinions, position papers, or recommendations on behalf of the network. However, GPEN members can promote such activities amongst the membership, such as on the GPEN website. The GPEN Committee may also develop and share consensus views with other bodies on means to advance cross-border privacy enforcement cooperation.

F.    GPEN Sub-Groups

The GPEN Committee may establish sub-groups for each of the activities listed in Section C. Such sub-groups may typically comprise three to four members to coordinate and lead each activity.

Other sub-groups may also be established (such as those based on profession or language) to support a particular project, or simply to further cross-border cooperation between participants.

Membership of sub-groups is voluntary. GPEN members can submit their interest in joining or establishing a sub-group to the GPEN Committee.

G.    The GPEN Website 

In furtherance of the Recommendation, the OECD established a restricted-access website for use by PEAs.  The OECD’s support was critical to the successful launch of GPEN. The GPEN website is now maintained by a designated member of the GPEN Committee, currently the Office of the Privacy Commissioner of Canada.

This website serves as a support platform for GPEN activities, enabling participating authorities to share information, materials, and documents relevant to GPEN’s mission.  Non-public documents, and materials associated with specific bilateral cross-border investigations or enforcement matters, are not intended be shared or posted on this website, except pursuant to further agreement of the Participants.

[prepared 26 April 2012 and adopted 15 June 2012 - replaces 10 March 2010 GPEN Action Plan
[amended 22 January 2013 to expand size of GPEN Committee - see Proposal to expand size of GPEN Committee]
[amended October 2023]