
PHAEDRA - IMPROVING PRACTICAL AND HELPFUL CO-OPERATION BETWEEN DATA PROTECTION AUTHORITIES http://www.phaedra-project.eu/

1 April 2014, revised 30 June 2014

PHAEDRA

Improving Practical and Helpful co-operAtion bEtween Data pRotection Authorities

http://www.phaedra-project.eu

Call: JUST/2011-2012/FRC/AG Agreement number: JUST/2012/FRAC/AG/2761

Co-ordination and co-operation between Data Protection

Authorities

Workstream 1 report


A report prepared for the European Commission’s Directorate-General for Justice (DG JUST). The contents of this deliverable are the sole responsibility of the authors and can in no way be taken to reflect the views of the European Commission.

Authors

David Barnard-Wills, Trilateral Research & Consulting, UK
David Wright, Trilateral Research & Consulting, UK

Contributors

Artemi Rallo, Rosario García

Universidad Jaume I, Spain

2.1 (Google Buzz), 2.2 (Google Street view), 4.6 (Ibero-American Data Protection Network), 4.11 (TAIEX programme)

Paul de Hert, Gertjan Boulet, Dariusz Kloza

Vrije Universiteit Brussel, Belgium

1.4 (Definitions and key terminology)

Paul de Hert, Gertjan Boulet

Vrije Universiteit Brussel, Belgium

2.3 (CNIL’s investigation of Google’s privacy policy), 2.4 (CBP and OPC’s investigation of WhatsApp); 3.1.2 (Working Party on Police and Justice (WPPJ)); 3.9 (Other initiatives) 4.14.2 (Communication from the Commission on fighting spam, spyware and malicious software)

Beata Batorowicz Inspector General for Personal Data Protection (GIODO), Poland

3.6 (Central and Eastern Europe Data Protection Authorities), 3.7 (Conference of Balkan Data Protection Authorities), 4.1 (International Conference of Data Protection and Privacy Commissioners).

Internal review

Paul De Hert, Gertjan Boulet, Auke Willems

Vrije Universiteit Brussel, Belgium

Artemi Rallo, Rosario García

Universidad Jaume I, Spain

Piotr Drobek Inspector General for Personal Data Protection (GIODO), Poland


Contents

1 Introduction ..... 7
1.1 Need for improved co-operation and co-ordination ..... 7
1.2 The PHAEDRA project ..... 8
1.3 Project objectives ..... 9
1.4 Definitions and key terminology ..... 9
1.4.1 Co-operation ..... 9
1.4.2 Data protection authorities (DPAs) ..... 10
1.4.2.1 No set definition of DPA ..... 10
1.4.2.2 A functional approach: DPA as an umbrella for actors undertaking a various range of activities ..... 10
1.4.2.3 Independence of DPAs ..... 11
1.4.2.4 Distinction with Data Protection Officer (DPO) ..... 12
1.4.2.5 A better term? ‘Data Privacy Agency’ (DPA) or ‘Privacy enforcement authority’ (PEA) ..... 12
1.4.2.6 The doctrine about functions performed by DPAs ..... 13
1.4.2.7 European legislation about functions performed by DPAs ..... 15

2 11 case studies ..... 17
2.1 Google Buzz ..... 17
2.1.1 Overview ..... 17
2.1.2 Key events ..... 17
2.1.3 Forms of co-ordination ..... 17
2.1.4 Conclusions ..... 18
2.2 Google Street View ..... 20
2.2.1 Overview ..... 20
2.2.2 Sequence of key events ..... 20
2.2.3 Reasons for investigation ..... 22
2.2.4 Findings of investigation ..... 22
2.2.5 Forms of co-operation ..... 23
2.2.6 Conclusions ..... 24
2.3 CNIL’s investigation of Google’s privacy policy ..... 25
2.3.1 Overview ..... 25
2.3.2 Sequence of key events ..... 25
2.3.3 Reasons for investigation ..... 30
2.3.4 Findings of investigation ..... 30
2.3.5 Forms of co-operation ..... 31
2.3.6 Conclusions ..... 31
2.4 CBP and OPC’s investigation of WhatsApp ..... 35
2.4.1 Overview ..... 35
2.4.2 Sequence of key events ..... 35
2.4.3 Reasons for investigation ..... 36
2.4.4 Findings of investigation ..... 36
2.4.5 Forms of co-operation ..... 37
2.4.6 Conclusions ..... 37
2.5 Irish Office of the Data Protection Commissioner’s Audit of Facebook Ireland ..... 39


2.5.1 Overview ..... 39
2.5.2 Sequence of key events ..... 39
2.5.3 Reasons for the investigation ..... 39
2.5.4 Findings of the investigation ..... 40
2.5.5 Forms of co-operation ..... 41
2.5.6 Conclusions ..... 43
2.6 Sony PlayStation Network hacks ..... 45
2.6.1 Overview ..... 45
2.6.2 Sequence of key events ..... 45
2.6.3 Reasons for investigation ..... 46
2.6.4 Findings of investigation ..... 48
2.6.5 Forms of co-operation ..... 49
2.6.6 Conclusions ..... 50
2.7 SWIFT and US Treasury Terrorist Finance Tracking Program (TFTP) ..... 51
2.7.1 Overview ..... 51
2.7.2 Sequence of key events ..... 51
2.7.3 Reasons for investigation ..... 52
2.7.4 Findings of investigation ..... 53
2.7.5 Forms of co-operation ..... 55
2.7.6 Conclusions ..... 57
2.8 Telecommunications Data Retention ..... 58
2.8.1 Overview ..... 58
2.8.2 Sequence of key events ..... 58
2.8.3 Reasons for investigation ..... 59
2.8.4 Findings of investigation ..... 60
2.8.5 Forms of co-operation ..... 61
2.8.6 Conclusions ..... 62
2.9 World Anti-Doping Agency code and standard revisions ..... 64
2.9.1 Overview ..... 64
2.9.2 Sequence of key events ..... 64
2.9.3 Reasons for investigation ..... 66
2.9.4 Findings of investigation ..... 66
2.9.5 Forms of co-operation ..... 66
2.9.6 Conclusions ..... 69
2.10 Global Privacy Enforcement Network “Sweep” ..... 70
2.10.1 Overview ..... 70
2.10.2 Sequence of key events ..... 70
2.10.3 Reasons for investigation ..... 70
2.10.4 Findings of investigation ..... 71
2.10.5 Forms of co-operation ..... 71
2.10.6 Conclusions ..... 73
2.11 Google Glass ..... 74
2.11.1 Overview ..... 74
2.11.2 Reasons for investigation ..... 74
2.11.3 Findings of investigation ..... 74
2.11.4 Forms of co-operation ..... 75
2.11.5 Conclusions ..... 75


2.12 Horizontal analysis ..... 77

3 Co-operation and co-ordination within Europe ..... 78
3.1 European Conference of Data Protection Commissioners ("Spring Conference") ..... 78
3.1.1 Case-Handling Workshop ..... 80
3.1.2 Working Party on Police and Justice (WPPJ) ..... 82
3.2 Article 29 Working Party ..... 83
3.2.1 Organisation ..... 83
3.2.2 Article 29 WP subgroups ..... 84
3.2.3 Initiatives to improve co-operation ..... 85
3.2.3.1 Binding Corporate Rules and mutual recognition ..... 86
3.2.3.2 Article 29 Working Party website ..... 87
3.3 Council of Europe T-PD ..... 87
3.3.1 Organisation ..... 88
3.3.2 Co-operation and co-ordination activities ..... 88
3.4 Working Party on Information Exchange and Data Protection (DAPIX) ..... 90
3.5 International Working Group on Data Protection in Telecommunications ..... 90
3.6 Central and Eastern Europe Data Protection Authorities ..... 91
3.7 Conference of Balkan Data Protection Authorities ..... 92
3.8 Former Third Pillar Supervisory Authorities ..... 93
3.8.1 Joint Supervisory Authority of the Schengen Information System ..... 93
3.8.2 Joint Supervisory Authority of the European Customs Information System ..... 96
3.8.3 Coordinated Data Protection Supervision Group of the European Visa Information System (VIS) ..... 97
3.8.4 Coordinated Data Protection Supervision Group of Eurodac ..... 98
3.8.5 Joint Supervisory Board Europol ..... 99
3.8.6 Joint Supervisory Body Eurojust ..... 101
3.9 Other initiatives ..... 101
3.10 Conclusions ..... 103

4 Co-operation and co-ordination globally ..... 105
4.1 International Conference of Data Protection and Privacy Commissioners ..... 105
4.1.1 Organisation ..... 106
4.1.2 Co-operation and co-ordination activities ..... 106
4.1.3 ICDPPC Resolutions ..... 107
4.1.4 International Working Group on Coordination of Privacy Enforcement ..... 111
4.2 Organisation for Economic Co-operation and Development ..... 111
4.2.1 OECD Working Party on Security and Privacy in the Digital Economy (SPDE) - formerly Working Party on Information Security and Privacy (WPISP) ..... 112
4.2.2 OECD Report on the Cross-border Enforcement of Privacy Laws (2006) ..... 114
4.2.3 OECD Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy, 2007 ..... 115
4.2.4 Report on the Implementation of the OECD Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy, 2011 ..... 116
4.2.5 Privacy enforcement authorities ..... 116
4.3 Global Privacy Enforcement Network (GPEN) ..... 117
4.3.1 Distinguishing between co-operation and co-ordination ..... 120


4.4 Asia-Pacific Economic Co-operation ..... 121
4.4.1 APEC Cross-border Privacy Enforcement Arrangement (CPEA) ..... 121
4.4.2 Data Privacy Subgroup of the APEC Electronic Commerce Steering Group ..... 123
4.4.3 APEC – Art 29 WP Promoting Co-operation on Data Transfer Systems ..... 125
4.5 Asia Pacific Privacy Authorities (APPA) ..... 126
4.5.1 Technology Working Group ..... 128
4.5.2 Communications Working Group ..... 128
4.6 Ibero-American Data Protection Network ..... 128
4.6.1 Spanish DPA’s other outreach efforts in Latin America and East European countries ..... 130
4.7 Association of Francophone Data Protection Authorities ..... 131
4.7.1 CNIL’s outreach efforts at co-operation ..... 132
4.8 British, Irish and the Islands DPAs ..... 132
4.9 EU-US ad hoc working group on data protection ..... 132
4.10 Memoranda of Understanding (MOUs) ..... 132
4.11 TAIEX programme ..... 134
4.12 Leonardo da Vinci (LDV) Programme ..... 135
4.13 Twinning ..... 136
4.14 Other initiatives ..... 136
4.14.1 New Zealand – Privacy (Cross-border Information) Amendment bill ..... 136
4.14.2 Communication from the Commission on fighting spam, spyware and malicious software ..... 136
4.14.3 ROSKOMNADZOR Conference ..... 137
4.15 Conclusions ..... 137

5 PHAEDRA survey of DPAs on improved co-operation and co-ordination ..... 140
5.1 Results of the survey questionnaire ..... 140
5.2 Results of follow-on interviews ..... 162

6 Benefits for Europe of international co-operation and co-ordination ..... 168
6.1 Prevent regulatory arbitrage ..... 168
6.2 Harmonisation of privacy enforcement ..... 168
6.3 Expand European model of privacy and data protection ..... 168
6.4 Protect Europeans in third countries ..... 168
6.5 Raise overall standard of privacy protection ..... 168

7 Findings and recommendations ..... 170
7.1 Recommendations ..... 172


1 INTRODUCTION

1.1 NEED FOR IMPROVED CO-OPERATION AND CO-ORDINATION

A principal challenge confronting data protection authorities (DPAs) and privacy commissioners is the enforcement of privacy and data protection legislation. DPAs are constrained by a shortage of resources to investigate and prosecute those who violate the legislation.1 Often, these resource-constrained DPAs may investigate the same privacy issue, in effect, a duplication of effort. For example, several DPAs investigated the hacking of Sony PlayStation, Google Street View’s recording of WiFi addresses and Facebook’s collection of personal data for sale to third-party apps developers and advertisers. Given the constraints of most DPAs, it seems an inefficient use of resources to have several DPAs investigating the same issue.

DPAs themselves have recognised the need to improve practical co-operation. The Organisation for Economic Co-operation and Development (OECD) adopted a Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy in 2007. The OECD said member countries should foster the establishment of an informal network of privacy enforcement authorities (PEAs) and other stakeholders to discuss the practical aspects of privacy law enforcement co-operation, share best practices and support joint enforcement initiatives and awareness raising campaigns. Such a network has been established: the Global Privacy Enforcement Network (GPEN). As another follow-up to the OECD Recommendation, the 29th International Conference of Data Protection and Privacy Commissioners (ICDPPC) adopted a “Resolution on International Co-operation” at its meeting in Montreal in 2007. The 33rd ICDPPC, held in Mexico City in 2011, adopted an even more detailed Resolution, encouraging more effective co-ordination of cross-border investigation and enforcement.

The European Commission’s proposal for a new Data Protection Regulation explicitly mentions the OECD Recommendation of 2007. Articles 45 and 46 of the draft Regulation provide for international co-operation mechanisms. The principal element in the Commission’s conception of international co-operation in Article 45.1 relates to the enforcement of legislation for the protection of personal data. The Article 29 Working Party also has on its agenda enhancing enforcement and promoting international co-operation between privacy authorities. Article 45, as set out in the proposed Regulation of January 2012, states the following:

International co-operation for the protection of personal data

1. In relation to third countries and international organisations, the Commission and supervisory authorities shall take appropriate steps to:

(a) develop effective international co-operation mechanisms to facilitate the enforcement of legislation for the protection of personal data;

(b) provide international mutual assistance in the enforcement of legislation for the protection of personal data, including through notification, complaint referral, investigative assistance and information exchange, subject to appropriate safeguards for the protection of personal data and other fundamental rights and freedoms;

(c) engage relevant stakeholders in discussion and activities aimed at furthering international co-operation in the enforcement of legislation for the protection of personal data;

(d) promote the exchange and documentation of personal data protection legislation and practice.

2. For the purposes of paragraph 1, the Commission shall take appropriate steps to advance the relationship with third countries or international organisations, and in particular their supervisory authorities, where the Commission has decided that they ensure an adequate level of protection within the meaning of Article 41(3).

1 One DPA commented to the authors that “There is a solid amount of non-used resources and opportunities to improve the international and domestic work of DPAs.”

1.2 THE PHAEDRA PROJECT

The PHAEDRA project, funded by the European Commission, aims to support improved co-operation. PHAEDRA stands for “Improving Practical and Helpful cooperAtion bEtween Data pRotection Authorities”. The consortium’s key objective is to add value, complement and support the initiatives of DPAs. The consortium comprises Vrije Universiteit Brussel (Belgium), Trilateral Research & Consulting (UK), Universidad Jaume I (Spain) and the Inspector General for Personal Data Protection (GIODO), the Polish Data Protection Authority. PHAEDRA is a two-year project which began in January 2013.

This report is the deliverable of Work Stream 1 (WS1). It reviews and summarises efforts to improve practical co-operation by DPAs as well as international organisations. It includes case studies of where two or more DPAs have investigated the same privacy issue and analyses whether co-operation would have helped. It identifies and evaluates existing mechanisms for co-operation between DPAs. It specifies and characterises different forms of co-operation and co-ordination between DPAs. It includes the results of a survey of 79 DPAs and interviews with a subset of those.2

WS2 reviews the legislation establishing DPAs to identify whether there are provisions that act as barriers or that inhibit international co-operation and co-ordination, and what measures could be taken to reduce such barriers. DPAs may tackle privacy conflicts with a criminal law dimension via mutual legal assistance treaties (MLATs), and some criminal law instruments are therefore discussed in Deliverable 2.1 as an illustration and as a reflection.

In WS3, the PHAEDRA consortium has been in contact with DPAs to determine how our project could reinforce their efforts. The consortium aims to hold three workshops for DPAs, one in Europe, one in Latin America and one in the Asia-Pacific region. The consortium will co-ordinate its workshops with the GPEN meetings and the International Conference of Data Protection and Privacy Commissioners. The first workshop was held in conjunction with the 35th ICDPPC in Warsaw.

In WS4, the consortium will prepare its findings and recommendations for improving co-operation and co-ordination.

2 The survey was sent to all DPAs (or equivalent authorities) that the PHAEDRA team were able to identify. The follow-up interviews were conducted with those DPAs who had expressed a willingness to participate in their response to the survey.


In addition, there are two other WSs, one devoted to project management and the other to dissemination activities.

1.3 PROJECT OBJECTIVES

The principal objective of the PHAEDRA project is to help improve practical co-operation and co-ordination between DPAs, privacy commissioners and privacy enforcement authorities, especially in regard to the enforcement of privacy laws. The consortium recognises that many DPAs face constraints, by way of human and/or budgetary shortages, institutional and legislative rules and other factors. Thus, the project has several sub-objectives, including these:

To build on recent efforts to improve co-operation and co-ordination in the enforcement of privacy laws;

To offer our services in investigating two key issues of concern to DPAs as "real life" case studies in how co-operation and co-ordination works or could work -- or two other initiatives (within the same budget frame) that the GPEN and/or working group of the ICDPPC might find more useful;

To prepare a final report of our findings and recommendations and to present those at the third workshop and at the final conference.

1.4 DEFINITIONS AND KEY TERMINOLOGY

1.4.1 Co-operation

By co-operation, we understand a range of activities, in different forms, undertaken between DPAs for various aims pertaining to the functions distinguished by Bygrave, Raab and Bennett (see below: DPAs). Part 4 of Deliverable 2.1 distinguishes two main types of co-operation. First, co-operation aimed at the enforcement of privacy and data protection laws in cross-border cases (the “hard” type of co-operation). Secondly, “soft” types of co-operation:

The setting of standards in one or more of the following fields: mutual recognition of binding corporate rules; co-ordination of policies in the enforcement of privacy and data protection laws; co-ordination of enforcement methods; sanctions;

Mutual assistance between DPAs for the purpose of the establishment of other DPAs, the institutional strengthening of other DPAs, or the support of other DPAs in the implementation of privacy and data protection laws;

Awareness-raising activities, with the aim of informing the public about privacy and data protection laws.

Part 4 of Deliverable 2.1 also distinguishes the following forms of co-operation that could be undertaken for both types of co-operation:

Monitoring privacy and data protection laws in other countries;

Sharing of standards and information;

Training and staff exchanges;

Projects between DPAs.

As regards the specific aim of the enforcement of privacy and data protection laws, part 4 of Deliverable 2.1 distinguishes the following forms of co-operation:

Mutual legal assistance;

Parallel or joint investigations;

Mutual recognition.

1.4.2 Data protection authorities (DPAs)

1.4.2.1 No set definition of DPA

During the first PHAEDRA workshop, held during the 35th International Conference of Data Protection and Privacy Commissioners (ICDPPC), from 23 to 26 September 2013 in Warsaw, Blair Stewart, Assistant Privacy Commissioner at the Office of the Privacy Commissioner of New Zealand, said that there is no set definition of a DPA, which is “generally a multifaceted regulator with statutory independence and a range of functions including enforcement.”3 Philip Schütz refers to DPAs as independent regulatory agencies (IRA),4 defined by Thatcher as

“a body with its own powers and responsibilities given under public law which is organisationally separated from ministries and is neither directly elected nor managed by elected officials”.5

1.4.2.2 A functional approach: DPA as an umbrella for actors undertaking a varied range of activities

Bygrave recalls that

“sight should not be lost of the fact that data protection authorities are not alone in monitoring, encouraging and/or enforcing the implementation of data protection laws. A great number of other bodies are involved, to varying degrees in one or more of the same tasks, even if their participations is not always formally provided in data protection instruments.”6

“At a national level, obvious examples of bodies that play an instrumental role in monitoring or enforcing data privacy law are parliamentary committees, ombudsmen, national auditing offices, and regulatory authorities with consumer protection as part of their remit. The role that the latter may play is demonstrated by the former UK Financial Services Authority (now Financial Conduct Authority) in respect of data security breaches. It is further demonstrated by the US FTC in respect of regulating deceptive business practices involving processing of personal data, and in enforcing particular sets of data privacy rules. Indeed, the FTC is now regarded as the de facto federal DPA for the USA. Although its field of competence is more restricted than is typical for European DPAs, its data privacy remit has expanded considerably over the past 15 years. [...] Last but not least, account must be taken of the judiciary. [...] Yet a remarkable characteristic of the field of data privacy law is that many national courts’ involvement in interpreting and enforcing statutory rules has been minor if not marginal, relative to the role played by DPAs. The same may be said with respect to development of non-statutory rules.”7

3 Stewart, Blair, “Cooperation beyond DPAs”, presentation at the 1st PHAEDRA Workshop, Warsaw, 24 September 2013, http://www.phaedra-project.eu/wp-content/uploads/Blair-Stewart_-PHAEDRA.pdf

4 Schütz, Philip, “The Set Up of Data Protection Authorities as a New Regulatory Approach”, in Serge Gutwirth, Ronald Leenes, Paul De Hert & Yves Poullet (eds.), European Data Protection: In Good Health?, Springer, 2012, p. 128.

5 Thatcher, Mark, “Regulation after delegation: Independent regulatory agencies in Europe”, Journal of European Public Policy 2002, Vol. 9, No. 6, p. 956.

6 Bygrave, Lee A., Data Protection Law. Approaching Its Rationale, Logic and Limits, Kluwer Law International, The Hague / London / New York, 2002, p. 73.

7 Bygrave, Lee A., Data Privacy Law. An International Perspective, Oxford, Oxford University Press, 2014, pp. 177-179.


Bennett and Raab discuss seven roles of DPAs (see below: The doctrine about functions performed by DPAs) but add that:

“Not every function is played with equal weight by every commissioner. Nor are these functions the exclusive responsibility of the data protection agency; other central coordinating ministries and departments have important responsibilities for data protection policy in different states.”8

Thus, the qualification of an authority as a DPA does not depend on it being called a DPA, but rather on its powers to perform the functions distinguished by Bygrave, Raab and Bennett.

1.4.2.3 Independence of DPAs

Section 62 of the preamble of Directive 95/46/EC reads as follows:

“Whereas the establishment in Member States of supervisory authorities, exercising their functions with complete independence, is an essential component of the protection of individuals with regard to the processing of personal data;”

Article 28(1)§2 of Directive 95/46/EC provides that the supervisory authorities “shall act with complete independence in exercising the functions entrusted to them.” Schütz referred to the lack of independence of DPAs as one of the ‘most pressing topics for DPAs’, which has already been scrutinised by the European Court of Justice.9 The criterion of independence is indeed not always met by institutions such as the US Federal Trade Commission or ministries such as the ‘Ministry of Communications and Information Technology’ in India.10 Yet the Indian government is reported to be planning to set up a DPA.11 In Japan, various government ministries are responsible for the oversight of the ‘Protection of Personal Information Act’ in specific sectors, under the supervision of the Consumer Affairs Agency.12 Yet a new ‘independent’ DPA in Japan is to be established from January 2014.13 Bygrave puts that its remit will initially be restricted to

“oversight of the identity number scheme set up under the 2013 Act on Use of Numbers to Identify Specific Individuals in Administrative Procedures (‘My Number’ Act). The scope of the agency’s mandate is to be reconsidered within one year after the Act’s entry into force (24 May 2016).”14

8 Bennett, Colin J. and Charles D. Raab, The Governance of Privacy: Policy Instruments in Global Perspective, Ashgate, 2003, p. 109.

9 Schütz, Philip, “The Set Up of Data Protection Authorities as a New Regulatory Approach”, in Serge Gutwirth, Ronald Leenes, Paul De Hert & Yves Poullet (eds.), European Data Protection: In Good Health?, Springer, 2012, p. 140; see also Lee A. Bygrave, Data Privacy Law. An International Perspective, Oxford, Oxford University Press, 2014, pp. 170-172.

10 Linklaters, Data Protected, https://clientsites.linklaters.com/Clients/dataprotected/Pages/India.aspx

11 Aulakh, Gulveen, “Government to set up Data Protection Authority to safeguard privacy”, The Economic Times, 20 February 2014, http://articles.economictimes.indiatimes.com/2014-02-20/news/47527222_1_privacy-bill-privacy-invasion-data-protection-authority

12 Miyashita, Hiroshi, “The evolving concept of data privacy in Japanese law”, International Data Privacy Law 2011, Vol. 1, No. 4, p. 233; Privacy Laws & Business, “New Data Protection Authority for Japan”, International e-news, 7 October 2013, http://www.privacylaws.com/Publications/enews/International-E-news/Dates/2013/10/New-Data-Protection-Authority-for-Japan/

13 Horibe, Masao, “A New Data Protection Authority in Japan”, 2013, http://www.digitalenlightenment.org/sites/default/files/201312A%20New%20Data%20Protection%20Authority%20in%20Japan%20by%20Masao%20Horibe.pdf

1.4.2.4 Distinction with Data Protection Officer (DPO)

The term DPA should be distinguished from the term ‘Data Protection Officer’ (DPO). Article 18(2) of Directive 95/46/EC empowers the Member States to introduce into their national law the appointment by the controller of a personal data protection official. Article 35 GDPR introduces a mandatory data protection officer to be designated by the controller and the processor in situations where (a) the “processing is carried out by a public authority or body”; (b) “the processing is carried out by an enterprise employing 250 persons or more”; or (c) “the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects.” The tasks of the DPO are provided in Article 37 GDPR. Germany was the first state that introduced a DPO, in 1977.15

1.4.2.5 A better term? ‘Data Privacy Agency’ (DPA) or ‘Privacy enforcement authority’ (PEA)

Noteworthy is Bygrave’s change of terminology, from ‘Data Protection Authority’ (in 2002) to ‘Data Privacy Agency’ (in 2014).16 The OECD Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy (2007) uses the term ‘privacy enforcement authority’ (PEA), which

“means any public body, as determined by each Member country, that is responsible for enforcing Laws Protecting Privacy, and that has powers to conduct investigations or pursue enforcement proceedings.”17

The APEC ‘Cooperation Arrangement Cross-border Privacy Enforcement’ (2010)18 and the OECD ‘Global Privacy Enforcement Network’ (GPEN)19 use the same term. During the first PHAEDRA workshop, Blair Stewart put that this definition is

“similar to the narrower enforcement oriented definition of supervisory authority in [...] [Convention 108] and [Directive] 95/46/EC”, and that “[i]n addition to specialist privacy authorities, a PEA may include a general enforcer of, say, consumer or broadcasting laws which includes a privacy law”.20

14 Bygrave, Lee A., Data Privacy Law. An International Perspective, Oxford, Oxford University Press, 2014, p. 178, referring for more information to Miyashita, Hiroshi, “Japan’s new ID Number Act (2013)”, Privacy Laws & Business Intl Report 2013, nr. 124, p. 16.

15 The website of the CNIL provides an interactive map that shows which countries allow the appointment of Data Protection Officers and gives an overview of their status, duties and powers: http://www.cnil.fr/english/topics/dpo-in-europe/

16 Bygrave, Lee A., Data Privacy Law. An International Perspective, Oxford, Oxford University Press, 2014, p. 3; Bygrave, Lee A., Data Protection Law. Approaching Its Rationale, Logic and Limits, Kluwer Law International, The Hague / London / New York, 2002, pp. 70-71.

17 OECD, Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy, Paris, 2007, http://www.oecd.org/internet/interneteconomy/38770483.pdf

18 APEC, Cooperation Arrangement Cross-border Privacy Enforcement, 2010/SOM1/ECSG/DPS/013, Data Privacy Subgroup Meeting, Hiroshima, Japan, 28 February 2010, p. 1, http://aimp.apec.org/Documents/2010/ECSG/DPS1/10_ecsg_dps1_013.pdf

19 OECD, Global Privacy Enforcement Network, https://www.privacyenforcement.net/

20 Stewart, Blair, “Cooperation beyond DPAs”, presentation at the 1st PHAEDRA Workshop, Warsaw, 24 September 2013, http://www.phaedra-project.eu/wp-content/uploads/Blair-Stewart_-PHAEDRA.pdf


In its reply to the first question of the first PHAEDRA questionnaire for DPAs,21 as regards areas for improved co-operation and co-ordination with other privacy commissioners and DPAs, the US FTC recommends

“referring to cooperation between ‘Privacy Enforcement Authorities’ as defined in the OECD Recommendation on Cross-border Cooperation in the Enforcement of Laws Protecting Privacy [...] This definition is broader than the phrase ‘Data Protection Authorities and Privacy Commissioners’ as that phrase is commonly understood. The APEC Cross-border Privacy Enforcement Arrangement (CPEA) and the Global Privacy Enforcement Network (GPEN) follow the OECD definition to facilitate privacy enforcement cooperation among all authorities involved in the protection of privacy laws, rather than among only Data Protection Authorities and Privacy Commissioners. Accordingly, we recommend a global substitution of ‘Privacy Enforcement Authorities’ for ‘Privacy Commissioners and DPAs’ or ‘Data Protection Authorities and Privacy Commissioners’.”

1.4.2.6 The doctrine about functions performed by DPAs

Bygrave

Bygrave puts that:

“DPAs’ oversight functions typically encompass the handling of complaints by members of the public over the processing of personal data. It can also involve the auditing of the legality of data-processing operations independent of complaints. Additionally, the agencies are frequently expected to orient and advise governments, parliaments, private organizations, and the general public about data protection matters. Some DPAs are also responsible for oversight of FOI [Freedom of Information] regimes. DPA powers are often broad and largely discretionary. In most cases, the agencies are empowered to issue legally binding (although appealable) orders. In some jurisdictions, however, the agencies do not have such competence, or they have not had it in relation to certain sectors”.22

In that regard, Bygrave points at the numerous differences between data protection laws “in terms of the monitoring and supervisory regimes they establish. The basic differences here relate to the powers of data protection authorities (e.g., some function as ombudsmen, others are able to issue legally binding orders) and, accordingly, the nature of the legal preconditions for processing personal data (e.g., some require mere notification, others require licensing).”23

As regards ‘Notification and Licencing Schemes’, Bygrave puts that

“Most data protection laws lay down special rules to enhance the ability of data protection authorities to monitor the practices of data controllers. There are two main categories of such rules. [...] One category requires data controllers simply to notify data protection authorities of certain planned processing of personal information. [...] The second category of control/oversight scheme requires that data controllers must apply for and receive specific authorisation (in the form of a licence) from the relevant data protection authority prior to establishing a personal data register or engaging in a particular data-processing activity.”24

21 The two questionnaires for DPAs were developed by the consortium of the PHAEDRA project, and are available here: http://www.phaedra-project.eu/?page_id=37

22 Bygrave, Lee A., Data Privacy Law. An International Perspective, Oxford, Oxford University Press, 2014, pp. 169-170.

23 Bygrave, Lee A., Data Protection Law. Approaching Its Rationale, Logic and Limits, Kluwer Law International, The Hague / London / New York, 2002, p. 78.

Next, Bygrave addresses ‘Sanctions and Remedies’, putting that

“All data protection Acts stipulate a variety of sanctions and remedies for breach of their provisions. Provision is usually made for a combination of penalties (fines and/or imprisonment), compensatory damages and, where applicable, revocation of licenses and deregistration. Sometimes, strict/objective liability for harm is stipulated. Sometimes too allowance is made for the imposition of ongoing enforcement damages during the time in which a data controller fails to comply with the orders of a data protection authority. In many cases, compensation may be awarded for non-economic/immaterial injury (emotional distress) as well as economic loss. In a very few cases, allowance is made for class actions to be brought.”25

Bennett and Raab

Bennett and Raab discuss seven roles of DPAs: ombudsmen, auditors, consultants, educators, policy advisers, negotiators and enforcers.26 “Data Protectors as Ombudsman” refers to their responsibility to receive, investigate and resolve complaints from data subjects.27 “Data Protectors as Auditors” refers to the general audits of a particular organization or of a particular technology.28 “Data Protectors as Consultants” refers to their powers to “give advice to individual data users on how to comply with data protection norms”.29 “Data Protectors as Educators” refers to the “analysis of wider privacy and surveillance questions and the continuous education of data users and data subjects” in order to “anticipate problems and encourage citizens to protect their own privacy”.30 Bennett and Raab make the following distinctions:

“To an increasing extent, many regulatory agencies see their roles not only in relation to public policy, ‘big issues’ and ‘big events’, but also in encouraging a culture of privacy protection throughout society, the economy, and government in an era of widespread adoption of new and privacy-invasive technologies. [...] Other regulatory authorities devote considerable resources to producing guidelines and advice on paper and in electronic form, from public platforms, and through the mass media. [...] In addition, of course, commissioners are expected to give frequent speeches and presentations concerning the importance of privacy. Furthermore, some agencies commission special studies relating to special privacy problems; others produce shorter and more frequent research publications on new technologies [...]”.31

24 Ibid., p. 75. Bygrave also notes that ‘Only a minority of countries operate, or have operated, with comprehensive authorisation/licencing regimes’; and that ‘data protection regimes in which licensing is the rule rather than exception do not conform with the Directive’ (p. 76).

25 Ibid., p. 77.

26 Bennett, Colin J., and Charles D. Raab, The Governance of Privacy: Policy Instruments in Global Perspective, Ashgate, 2003, pp. 107-116.

27 Ibid., p. 109.

28 Ibid., p. 110.

29 Ibid., p. 110.

30 Ibid., p. 111.

“Data Protectors as Policy Advisers” refers to their responsibility “to comment on the privacy implications of proposed legislation or on new automated personal record systems. [...] Commissioners also frequently give testimony on issues at hearings of legislatures, and publish their responses to government policy documents where privacy interests are affected”.32

“Data Protectors as Negotiators” refers to the negotiation of codes to “enhance the understanding of the privacy problem within different sectors.”33 “Data Protectors as Enforcers” refers to their power

“to order compliance with the privacy protection principles. Here there is a clear distinction between those authorities whose powers are limited to those of investigation and recommendation, and those that can mandate changes in behaviour. [...] Ultimate redress in most countries is vested in the courts [...] some countries have established small tribunals, ad hoc groups of experts that perform a quasi­judicial function.”34

1.4.2.7 European legislation about functions performed by DPAs

Bygrave finds that Directive 95/46/EC provides the most detailed treatment of the competence and functions of DPAs.35 Article 28§1 of Directive 95/46/EC is on ‘Supervisory authority’, and reads as follows:

‘1. Each Member State shall provide that one or more public authorities are responsible for monitoring the application within its territory of the provisions adopted by the Member States pursuant to this Directive.

These authorities shall act with complete independence in exercising the functions entrusted to them.

2. Each Member State shall provide that the supervisory authorities are consulted when drawing up administrative measures or regulations relating to the protection of individuals' rights and freedoms with regard to the processing of personal data.

3. Each authority shall in particular be endowed with:

- investigative powers, such as powers of access to data forming the subject-matter of processing operations and powers to collect all the information necessary for the performance of its supervisory duties,

- effective powers of intervention, such as, for example, that of delivering opinions before processing operations are carried out, in accordance with Article 20, and ensuring appropriate publication of such opinions, of ordering the blocking, erasure or destruction of data, of imposing a temporary or definitive ban on processing, of warning or admonishing the controller, or that of referring the matter to national parliaments or other political institutions,

- the power to engage in legal proceedings where the national provisions adopted pursuant to this Directive have been violated or to bring these violations to the attention of the judicial authorities.

31 Ibid., pp. 111-112.

32 Ibid., p. 112.

33 Ibid., p. 113.

34 Ibid., pp. 113-114.

35 Bygrave, Lee A., Data Protection Law. Approaching Its Rationale, Logic and Limits, Kluwer Law International, The Hague / London / New York, 2002, p. 71.


Decisions by the supervisory authority which give rise to complaints may be appealed against through the courts.

4. Each supervisory authority shall hear claims lodged by any person, or by an association representing that person, concerning the protection of his rights and freedoms in regard to the processing of personal data. The person concerned shall be informed of the outcome of the claim.

Each supervisory authority shall, in particular, hear claims for checks on the lawfulness of data processing lodged by any person when the national provisions adopted pursuant to Article 13 of this Directive apply. The person shall at any rate be informed that a check has taken place.

5. Each supervisory authority shall draw up a report on its activities at regular intervals. The report shall be made public.

6. Each supervisory authority is competent, whatever the national law applicable to the processing in question, to exercise, on the territory of its own Member State, the powers conferred on it in accordance with paragraph 3. Each authority may be requested to exercise its powers by an authority of another Member State.

The supervisory authorities shall cooperate with one another to the extent necessary for the performance of their duties, in particular by exchanging all useful information.

7. Member States shall provide that the members and staff of the supervisory authority, even after their employment has ended, are to be subject to a duty of professional secrecy with regard to confidential information to which they have access.’

Article 46 of the GDPR provides that supervisory authorities are

“responsible for monitoring the application of this Regulation and for contributing to its consistent application throughout the Union, in order to protect the fundamental rights and freedoms of natural persons in relation to the processing of their personal data and to facilitate the free flow of personal data within the Union.” The duties and the powers of DPAs are provided in Articles 51 to 54 GDPR.

Article 1(1) of the Additional Protocol to Convention 108 is on ‘Supervisory authorities’ and provides that “Each Party shall provide for one or more authorities to be responsible for ensuring compliance with the measures in its domestic law giving effect to the principles stated in Chapters II and III of the Convention and in this Protocol.”

Article 12(1) of the Modernisation Proposals of Convention 108 reflects Article 1§1 of the Additional Protocol to Convention 108, and provides that “Each Party shall provide for one or more authorities to be responsible for ensuring compliance with the measures in its domestic law giving effect to the principles of this Convention.”


2 11 CASE STUDIES

This chapter comprises a set of case studies where two or more DPAs have investigated the same issue (e.g., the hacking of Sony PlayStation, Google Buzz, Google Street View vehicles gathering WiFi addresses, Facebook’s collection of personal data for sale to third-party app developers and advertisers). The case studies focus not only on how improved co-operation would have been beneficial if it had occurred, but also on instances where there has been co-operation (e.g., CNIL’s investigation of Google’s amalgamation of its different privacy policies). The chapter highlights the success of the Article 29 Working Party as a model of co-operation between DPAs, at least in regard to some issues (there have, of course, been calls for changes even to the Article 29 Working Party, which has led to the Commission’s proposal, in the proposed new Regulation, to replace the Article 29 Working Party with a European Data Protection Board). The case studies provide some contextual background in each case and some conclusions. In addition to the analysis contained in this report, an interactive time-line of all these cases can be found on the PHAEDRA project website.36

2.1 GOOGLE BUZZ

2.1.1 Overview

On 20 April 2010, 10 data protection authorities from around the world (Canada, Spain, Ireland, UK, Italy, Germany, New Zealand, France, the Netherlands and Israel) signed a letter to the CEO of Google, Eric Schmidt, demanding respect for the rules of protection of privacy and personal data in launching new products and services.

2.1.2 Key events

This complaint was filed publicly, on behalf of the others, by the authorities from Canada, Spain and Israel at a press conference held on 20 April 2010 at the International Press Center in Washington, DC, expressing the supervisors’ deep concern about the threats to the privacy of its users posed by the launch of the Google Buzz social network on 9 February 2010.
2.1.3 Forms of co-ordination

Jennifer Stoddart, Privacy Commissioner of Canada, who led this initiative, pointed out that this letter was the result of an unprecedented collaboration, not of a group of authorities from a specific region of the planet but of 10 authorities from four continents with very different orientations on the protection of privacy. The agreement between them was easy to reach, even though so many countries were involved: it showed common convictions about the problems of protecting privacy related to Google Buzz and was, without doubt, an irreversible sign of the willingness of the world’s data protection authorities to strengthen their international cooperation.37

36 http://www.phaedra-project.eu/?page_id=136

37 Stoddart, Jennifer, “Enforcing Privacy in the Online World”, Remarks at the IAPP Canadian Privacy Summit 2010, International Association of Privacy Professionals, 27 May 2010, http://www.priv.gc.ca/media/sp-d/2010/sp-d_20100527_e.asp


This joint action by authorities served to remind Google and other transnational organisations operating in the field of technology, and particularly the Internet, of the obligation to comply with relevant national laws on data protection when deploying their online products and services. Data protection and privacy authorities were shown to be singularly concerned about the fact that “too often, the privacy rights of the world’s citizens are being forgotten as Google rolls out new technological applications”. In particular, they said that the manner in which Google had carried out the deployment of Buzz “has led to a disappointing disregard for fundamental laws and regulations on privacy”.38 Data protection authorities recalled that the Gmail e-mail service used by 146 million users (a Web email service, individual and private) had been merged with a new social network service (Google Buzz), which automatically assigned to users a network of "followers" drawn from the people with whom they corresponded most often on Gmail. The allocation of Gmail users to a network of followers was made without properly informing them about the operation of this new service or providing sufficient information to enable informed consent. It was a clear violation of the basic principle of data protection that individuals retain control over their personal information.
The letter signed by the data protection authorities urged Google to set an example as a leader in the Internet industry and recalled its insistent demand that the right to privacy be guaranteed by designing and launching new products and services according to the following rules:39 (1) collect and process only the minimum amount of data necessary to achieve the specific objectives of the product or service; (2) provide users with clear and unambiguous information about how personal information will be used, to enable adequately informed consent; (3) design products with privacy as the default setting; (4) ensure easy use of the privacy control tools; (5) ensure adequate protection of personal data; and (6) provide users with simple procedures to respond to their requests and delete user accounts. On 30 March 2011, the Federal Trade Commission said Google had agreed to settle FTC charges that it used deceptive tactics and violated its own privacy promises to consumers when it launched Google Buzz in 2010. The FTC alleged Google’s practices had violated the FTC Act and proposed a settlement barring the company from future privacy misrepresentations, requiring it to implement a comprehensive privacy program, and calling for regular, independent privacy audits for the next 20 years. It was the first time an FTC settlement ordered a company to implement a comprehensive privacy program to protect the privacy of consumers’ information.40

38 http://www.priv.gc.ca/media/nr-c/2010/let_100420_e.asp

39 http://www.agpd.es/portalwebAGPD/revista_prensa/revista_prensa/2010/notas_prensa/common/abril/100420_Final_joint_letter_eng.pdf

40 http://www.ftc.gov/opa/2011/03/google.shtm. On 24 Oct 2011, following a public comment period, the FTC accepted as final the proposed settlement related to the Google Buzz case. http://ftc.gov/opa/2011/10/buzz.shtm

2.1.4 Conclusions

This case (and the similar case relating to Google Glass, see below) suggests that co-ordinated expressions of shared concern on the part of voluntary groups of DPAs are possible, but that these measures do not always involve all parties that may have concerns or the potential for enforcement processes (in this case the US FTC). A collectively signed letter is a relatively minor form of co-operation, with potentially limited impact; however, it does show some agreement on key issues relating to a new service or technology.


2.2 GOOGLE STREET VIEW

2.2.1 Overview

Street View41 is a Google service that provides panoramic images of public streets around the world, obtained by Google cars that have been photographing streets since 2008. On 22 April 2010, the Hamburg Data Protection Agency found that, in addition to the cameras and antenna, Google cars carried software that collected wireless network information from Wi-Fi routers. Initially, Google said that it only collected publicly broadcast SSID information (the Wi-Fi network name) and MAC addresses (the unique number given to a device like a Wi-Fi router), but not payload data (information sent over the network). Finally, however, Google admitted that it was “clear that we have been mistakenly collecting samples of payload data from open (i.e., non-password-protected) WiFi networks”.

2.2.2 Sequence of key events

22 April 2010: The Hamburg DPA discovers that Google Street View cars carried software that collected wireless network information.

27 April 2010: Google says that its cars only collected SSID data (i.e., the network name) and MAC addresses (a unique number given to a device like a Wi-Fi router).42

5 May 2010: The Hamburg DPA asks Google to audit the Wi-Fi data that Google Street View cars collected.

14 May 2010: In its blog, Google admits that Street View cars had been collecting samples of payload data from open (i.e., non-password-protected) Wi-Fi networks.43

14-16 May 2010: The Irish data protection authority asks Google to delete the payload data collected in Ireland.

19 May 2010: The Spanish data protection agency (AEPD) opens an inspection and orders Google to block payload data collected from Wi-Fi networks in Spain.

19 May 2010 – 21 Sept 2010: The Italian DPA starts a prosecution against Google Street View and orders Google to stop collecting Wi-Fi data.

19 May 2010 – 17 June 2010: CNIL starts an investigation of Google and announces that Google has collected e-mails and passwords.

21 May 2010 – 10 Nov 2010: The Electronic Privacy Information Center (EPIC) asks the US Federal Communications Commission (FCC) to launch an investigation of Google, and the FCC does so.

28 May 2010: Austria starts an investigation and bans Street View cars.

3 June 2010: The Hungarian DPA announces an investigation of Google Street View.

8 June 2010: Google delivers a written undertaking to the Hong Kong DPA announcing that Street View cars have stopped their activities.

9 June 2010: Google makes public a third-party report which confirms that it did indeed collect and store payload data from unencrypted Wi-Fi networks.

21 July 2010: Attorneys General from 38 US states start an investigation into Google’s activities.44

11 Aug 2010: The ICO reports that there was no evidence that Google caused any detriment to any individual.45

18 Oct 2010 – …: The Spanish Data Protection Agency opens an infringement proceeding46 against Google.47

19 Oct 2010: The Canadian Privacy Commissioner determines that Google Street View cars breached Canadian privacy law and recommends stronger controls and privacy training.48

27 Oct 2010: The FTC ends its investigation of Google Street View.

3 Nov 2010: The UK Information Commissioner’s Office (ICO) concludes that Google Street View cars breached the Data Protection Act 1998.49

13 Dec 2010: The New Zealand Privacy Commissioner announces that Google breached NZ’s data protection law.50

21 Mar 2011: The French data protection authority, CNIL, fines Google €100,000.51

21 Mar 2011: The FCC fines Google $25,000 for lack of co-operation in the Street View investigation.

13 Apr 2012: The ICO reopens its investigation of the Google Street View case.

12 June 2012: Google informs the ICO that it retained payload data, and the ICO decides to examine them.

27 July 2012: Google agrees to make a $7 million payment for civil penalty and other purposes to the Attorneys General of 38 US states and the District of Columbia for its collection of personal data via Street View vehicles in the US.52

23 January 2013: The Hungarian DPA delivers a final statement on Google Street View activities in Hungary, outlining all the requirements to be fulfilled for legitimate and acceptable data processing.53

22 Apr 2013: Hamburg’s DPA fines Google €145,000 for its data collection during Street View operations in 2008-2010 through unencrypted Wi-Fi connections.54

11 June 2013: The ICO serves Google with an enforcement notice requiring the destruction of the payload data collected by Google’s Street View cars in the UK.55

41 http://maps.google.es/intl/es/help/maps/streetview/
42 http://googlepolicyeurope.blogspot.com.es/2010/04/data-collected-by-google-cars.html
43 http://googleblog.blogspot.com.es/2010/05/wifi-data-collection-update.html
44 http://www.ct.gov/ag/cwp/view.asp?A=2341&Q=463406
45 http://www.ico.org.uk/news/latest_news/2010
46 The opening of an infringement proceeding by the Spanish Data Protection Agency (AEPD) followed the conclusion of the investigations carried out by the AEPD’s inspection, which had revealed signs of the commission of a total of five infringements – two serious and three very serious – of the Spanish Data Protection Act. Two of them were attributable to Google Inc. in its capacity as responsible for providing the service and designing the software that collects data for the Street View service. The other three were attributable to Google Spain, in its role as responsible for collecting and storing data in Spain and for transferring them to the United States, as well as for being the company’s representative in Spain. http://www.agpd.es/portalwebAGPD/revista_prensa/revista_prensa/2010/notas_prensa/news/2010_10_18-ides-idphp.php
47 The AEPD transferred the final inspection report to Court of Instruction No. 45 of Madrid and, in accordance with the Spanish Administrative Procedure law, suspended the disciplinary proceedings pending the decision of the Court. http://www.agpd.es/portalwebAGPD/revista_prensa/revista_prensa/2010/notas_prensa/news/2010_10_18-ides-idphp.php
48 http://www.priv.gc.ca/media/nr-c/2010/nr-c_101019_e.asp
49 http://www.ico.org.uk/news/latest_news/2010
50 http://privacy.org.nz/news-and-publications/statements-media-releases/media-release-google-agrees-to-protect-privacy-better/
51 http://www.cnil.fr/english/news-and-events/news/article/google-street-view-cnil-pronounces-a-fine-of-100000-euros/
52 http://www.ct.gov/ag/lib/ag/press_releases/2013/20130312_google_avc.pdf
53 http://www.naih.hu/files/Adatvedelem-NAIH-5711-162012B-Google-SV.pdf

2.2.3 Reasons for investigation

DPAs around the world (Australia, Austria, Belgium, Canada, Czech Republic, France, Germany, Greece, Hong Kong, Ireland, Italy, Netherlands, New Zealand, Spain, Switzerland, UK, US, etc.) opened investigations against Google from 14 May 2010 onwards into the collection and storage, without consent, of Wi-Fi networks’ location data and the payload data associated with them by the vehicles used to photograph streets for the Street View service.56 The main legal basis for starting inspections was the breach of the principles governing the processing of personal data: processing without the consent of the data subject, not covered by any law, and without guarantees for the international transfer of the data to the United States. The opening of investigations in so large a number of countries on almost every continent was driven by the following:

- The vast extension of the Street View service to more than 30 countries had earlier required the presence of Street View cars photographing streets and potentially storing personal information emitted by wireless networks.

- Google’s explicit acknowledgement that it had collected and stored personal information related to Wi-Fi networks (from identification data to the content of network communications) was in itself an invitation to inspect.

- Although Google alleged error as the cause, there was a need to establish whether Google had actually intended to collect and store wireless network information, and what its final use was.

2.2.4 Findings of investigation

Investigations verified the collection and storage by Google vehicles of personal data of diverse nature transmitted through open Wi-Fi networks. Among the types of personal data transmitted through these Wi-Fi networks, it was established that Google had collected and stored e-mail addresses together with names and surnames; addresses associated with e-mail messages and instant messaging; and access credentials for social network accounts and websites, or user names and passwords, together with personal data identifying their owners and, in some cases, allowing access to sensitive data. Furthermore, it was established that Google had collected location and identification data of the wireless networks, such as the SSID (the identifier or name of the Wi-Fi network, which in some cases contained the real name of the subscriber), the MAC addresses that identify the router and the connected devices, and the geographic position in which they were collected. In addition, it was verified that Google had transferred personal data to the United States without demonstrating compliance with the guarantees required in order to obtain DPA authorisation for such international transfers.

54 http://www.datenschutz-hamburg.de/fileadmin/user_upload/documents/PressRelease_2013-04-22_Google-Wifi-Scanning.pdf
55 http://www.ico.org.uk/news/latest_news/2013/google-faces-further-action-from-ico-over-wi-fi-data-collection-21062013
56 An updated explanation can be found at http://epic.org/privacy/streetview/


2.2.5 Forms of co-operation

The Street View Wi-Fi case is the best example of a lack of co-operation or co-ordination among DPAs, and it showed a clear need to develop co-operation tools to investigate breaches of data protection law caused by Internet companies.

All DPAs who opened investigations adopted their own strategies and resolutions according only to their own legal framework.

All DPAs who initiated investigations had to resolve similar issues using their own particular technical criteria, including the following:
(1) ordering the deletion or blocking of personal data stored by Google;
(2) requiring Google to make a copy of the data stored on its servers;
(3) analysing the technical devices in the Street View cars that collected data from wireless networks;
(4) determining Google’s willingness to store data through the software present in the Street View cars.

Google facilitated the investigations initiated by DPAs through remote access to its servers, so that each DPA could analyse the personal data from its own country, but made it difficult for each DPA to obtain copies of the data (although they finally received the copies requested). Each DPA had to conduct its own legal analysis to determine the existence of violations of national data protection law:

- determining whether the information stored by Google was personal data permitting the identification of natural persons, particularly SSID information (the Wi-Fi network name) and MAC addresses (the unique number given to a device like a Wi-Fi router);

- determining the legal relevance of the lack of protection of the wireless networks (the absence of an access password), i.e. whether that information should be considered public and whether or not this excludes Google’s responsibility for collecting it;

- determining the division of responsibilities between Google and its subsidiaries in each country that facilitated the Street View cars’ activity;

- determining whether the legal guarantees protecting data transfers from each country to Google’s servers in the USA had been violated.

Inspection co-operation between DPAs was limited to informal and bilateral contacts among some DPAs (Canada, Germany, France, Spain and the Netherlands) to share views on purely technical aspects of the investigation. These exchanges had to respect the confidentiality provisions in each national law. Only informal discussions outside the Article 29 Working Party agenda took place to determine the implications of the results of the investigations in the framework of the European Directive. The lack of formal co-operation mechanisms for harmonising investigations and the legal implications of their results led to a clear divergence in DPAs’ actions around the world, which can be categorised as follows:

- Inactivity on the part of most DPAs which, even without starting any inspection activity, ordered Google to delete all data collected in their country.

- Resolutions adopting investigation procedures but concluding with agreements with Google on improvements regarding its future activity, without adopting any sanction.

- Adopting sanction procedures and fines.


2.2.6 Conclusions

From this case study, we draw the following conclusions:

- There is no global system of co-ordination among DPAs that enables DPAs to co-ordinate investigations of identical breaches in different countries.

- There is no global system that enables co-operation among DPAs for harmonising legal criteria and adopting identical resolutions on identical facts against privacy.

- Even the current European system under the Data Protection Directive, which gives interpretation functions to the Article 29 Working Party, does not avoid divergence among national DPAs, which are able to adopt different resolutions on identical breaches, such as not initiating any investigation, reaching agreements with the controller, or imposing an effective economic sanction.

- Limitations set forth in national laws (e.g., confidentiality provisions) make effective co-ordination of investigation procedures on identical breaches difficult or impossible.

- Google benefitted from the absence of global co-ordination mechanisms to establish a single, direct and bilateral relationship with each DPA, which generated confusion (about the possibility of obtaining a copy of the data stored on Google’s servers in the USA) and led some of them to make rash decisions (such as ordering the immediate deletion of the stored data).

- The plurality of enforcement bodies with investigating or sanctioning powers (DPAs, prosecutors, judges, police, etc.) in the Street View Wi-Fi case weakens the credibility of an effective guarantee of data protection, but it shows that DPAs have greater technical capacity and are sometimes able to react quickly to privacy infringements.


2.3 CNIL’S INVESTIGATION OF GOOGLE’S PRIVACY POLICY

2.3.1 Overview

The case concerns an investigation led by the Commission nationale de l'informatique et des libertés (CNIL), on behalf of the Art. 29 WP, into Google’s new privacy policy, introduced in 2012 to merge and consolidate different privacy policies into a single document. The new privacy policy would have expanded Google’s data mining activities to combine users’ personal data from different accounts and services, including Gmail, Google+ and YouTube, with no possibility to opt out.57 The WP29 ended its investigation on 16 October 2012. However, Google did not sufficiently comply with the WP29’s recommendations. Therefore, on 27 February 2013, the WP29 established a task force of six DPAs, led by CNIL. Following unsuccessful meetings between Google and the task force, the members of the task force launched their own investigations into the compliance of Google’s privacy policy with national legislation.

2.3.2 Sequence of key events

24 January 2012: Google announces its new privacy policy, merging and consolidating different privacy policies into a single document.

2 February 2012: WP29 informs Google that it is preparing an analysis of the new privacy policy under the European Data Protection Legislation, notably under the Data Protection Directive 95/46/EC and the ePrivacy Directive 2002/58/EC. The WP29 also asks Google to suspend application of the new privacy policy and informs Google that CNIL will represent the WP29. This choice can be explained by the fact that the headquarters of Google Europe are in Paris.58

3 February 2012: Google replies to the letter of 2 February 2012, refusing to postpone the posting of the new privacy policy since DPAs have already been pre-briefed and Google account holders have already been informed of its launch on 1 March 2012.59

27 February 2012: CNIL sends a letter to Google in which it shares the preliminary findings of the investigation and reiterates its request to delay the implementation of the privacy policy.60 The CNIL announces that it will send a questionnaire on the matter to Google before mid-March 2012.

28 February 2012:
- Google replies to the CNIL’s letter of 27 February 2012 that it will maintain the implementation of the privacy policy for the same reasons as explained in its letter of 3 February 2012. Google also indicates that it would like to be heard by the WP29.61
- The Asia Pacific Privacy Authorities (APPA) send their findings to Google.62

57 Cunningham, Bryan, “Google's collision course with member states”, EU Observer, 8 April 2013, http://euobserver.com/opinion/119727
58 Article 29 Data Protection Working Party, Letter to Google of 2 February 2012, http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2012/20120202_letter_google_privacy_policy_en.pdf
59 Google, letter to CNIL of 3 February 2012, https://docs.google.com/file/d/0B8syaai6SSfiMDEyM2Q3YmEtNWUxZi00Mzc2LTljMTktZmExYjc0M2IyZWVh/edit?hl=en_US
60 CNIL, Letter to Google of 27 February 2012, http://www.cnil.fr/fileadmin/documents/en/Courrier_Google_CE121115_27-02-2012.pdf

1 March 2012: Google's new privacy policy enters into force.

16 March 2012: CNIL sends a letter to Google with an attached questionnaire (69 questions), prepared in collaboration with all European DPAs, to obtain clarifications on the privacy policy.63 Google is asked to reply before 5 April 2012, with the promise that its responses will be kept confidential unless Google explicitly authorises the CNIL to publish them.

5 April 2012: Google replies to questions 1 to 24 of the questionnaire sent by CNIL on 16 March 2012.64 Google also attaches an ‘Appendix on Examples of contextual notices in Google products’,65 announces that it will publish its replies to the questionnaire, and reiterates its wish to meet the CNIL and to be heard by the WP29.

20 April 2012: Google has now responded to all the questions of the questionnaire sent by CNIL on 16 March 2012.66 Google asks again for a meeting with the CNIL and the WP29, and questions the legal basis for the WP29 to act as a regulatory body, or to mandate the CNIL to conduct a regulatory review on behalf of other DPAs. Google also questions the applicable law, process and ultimate goal of the review.

22 May 2012: CNIL sends a letter to Google with, in annex, some questions that require more precise and comprehensive answers.67 Google is asked to reply by 8 June 2012. CNIL also says that it would be able to clarify its questions, if needed, during its meeting with Google on 23 May 2012.

21 June 2012: Google replies to the questions annexed to the CNIL’s letter of 22 May 2012, and questions once more the applicable law for the review, as well as the nature of the legal basis for any possible recommendations or conclusions.68

19 September 2012: CNIL meets a representative from Google to present the evaluation resulting from the analysis of the WP29 and the recommendations that may ensue from it.

61 Google, letter to CNIL of 28 February 2012, https://docs.google.com/file/d/0Bw8Krj_Q8UaEczVuWGEwWFhTSkdZZ0MyU0NQRGptQQ/edit?pli=1
62 APPA, Changes to Google’s Privacy Policy, Letter to Google of 28 February 2012, https://www.privacy.vic.gov.au/privacy/web2.nsf/files/appa-technology-working-group-letter-to-google/$file/appa_letter_to_google_02_2012.pdf
63 CNIL, Letter to Google of 16 March 2012, http://www.cnil.fr/fileadmin/documents/La_CNIL/actualite/questionnaire_to_Google-2012-03-16.pdf
64 Google, letter to CNIL of 5 April 2012, http://rms3647.typepad.com/files/france-google.-1.pdf
65 Google, Appendix 2, Examples of contextual notices in Google products, 5 April 2012, https://docs.google.com/file/d/0B8syaai6SSfiVDNURHBqeG1TVUNzUzlBM1czSFJYUQ/edit
66 Google, letter to CNIL of 20 April 2012, p. 4, https://docs.google.com/file/d/0B8syaai6SSfiSUhFMHVpMmhFUG8/edit
67 CNIL, letter to Google of 22 May 2012, http://www.cnil.fr/fileadmin/documents/en/Letter_CNIL_to_Google_22_May_2012.pdf
68 Google, letter to CNIL of 21 June 2012, p. 1, https://docs.google.com/file/d/0B8syaai6SSfiM2hmS2xjY2tzV0k/edit


12 October 2012: APPA supports the findings of the WP29.69

16 October 2012:
- WP29 sends a letter to Google, signed by the 27 EU Member States, with practical recommendations in appendix, to bring Google into compliance with the European Data Protection Legislation.70 WP29 also asks Google to send a response to the CNIL about the planned timing and methods for implementing the recommendations.
- The Office of the Privacy Commissioner of Canada (OPC) sends a letter to CNIL in support of the findings of the WP29.71

21 November 2012: CNIL reminds Google to comply with the recommendations in the letter of 16 October 2012 by 15 February 2013.

13 December 2012: Google acknowledges receipt of the CNIL’s letter of 21 November 2012.

8 January 2013: Google informs the WP29 of certain observations on the letter of 16 October 2012 and asks for a meeting with the WP29.

26 February 2013: At the plenary meeting of the WP29, it is decided to establish a task force of six DPAs, led by CNIL and including Germany, Italy, Spain, the UK and the Netherlands.72

28 February 2013: CNIL informs Google that it is still not complying, and that the task force will meet on 19 March 2013.

6 March 2013: Google asks the CNIL for information about the organisation and legal framework of the task force meeting of 19 March 2013.

8 March 2013: CNIL replies to Google’s letter of 6 March 2013.

19 March 2013: The task force meets with representatives from Google. However, following the meeting, Google did not implement any significant measures.73

26 March 2013: In a letter, Google announces the implementation of certain measures to improve users’ data protection.

29 March 2013: CNIL plans an audit of Google, asks the WP29 for all documents related to Google’s privacy policy, and seeks the co-operation of the task force, in particular through exchanges of information under Article 28(6) of Directive 95/46/EC. Thus, CNIL plans an investigation into the compliance of Google’s privacy policy with national legislation, but as “part of an international administrative cooperation.”74

2 April 2013:
- CNIL notifies Google that it is planning an audit of Google, and that CNIL’s powers of investigation might involve exchanges with other DPAs and the WP29.
- The five other members of the task force announce that they will conduct their own investigations into the compliance of Google’s privacy policy with national legislation.

9 April 2013:
- WP29 sends all documents to CNIL, as requested by CNIL on 29 March 2013.
- Google asks the task force whether it will remain Google’s point of contact.

17 April 2013: CNIL replies to Google, on behalf of the task force, that Google will also have to reply to each of the task force members in relation to their own investigations; that information might be shared between the DPAs; and that information addressed to the task force will be distributed among all WP29 members.

69 APPA, Letter to WP29 of 12 October 2012, http://www.cnil.fr/fileadmin/documents/en/APPA_SUPPORT_LETTER-Article_29_Letter.pdf
70 WP29, Letter to Google of 16 October 2012, http://www.cnil.fr/fileadmin/documents/en/20121016-letter_google-article_29-FINAL.pdf ; Appendix, Google privacy policy: main findings and recommendations, 16 October 2012, http://www.cnil.fr/fileadmin/documents/en/GOOGLE_PRIVACY_POLICY-_RECOMMENDATIONS-FINAL-EN.pdf
71 OPC, Letter to the French Data Protection Authority Regarding its Review of Google's Privacy Policy, 16 October 2012, http://www.priv.gc.ca/media/nr-c/2012/an_121016_e.asp
72 WP29, Google’s privacy policy: European data protection authorities are coordinating their enforcement actions, press release, Brussels, 27 February 2013, http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/20130227_pr_google_privacy_policy_en.pdf
73 CNIL, Google privacy policy: six European data protection authorities to launch coordinated and simultaneous enforcement actions, 2 April 2013, http://www.cnil.fr/english/news-and-events/news/article/google-privacy-policy-six-european-data-protection-authorities-to-launch-coordinated-and-simultaneo/
74 CNIL, CNIL orders Google to comply with the French Data Protection Act, within three months, 20 June 2013, http://www.cnil.fr/english/news-and-events/news/article/cnil-orders-google-to-comply-with-the-french-data-protection-act-within-three-months/

10 June 2013: CNIL issues a formal notice against Google to bring its privacy policies into compliance with the French Data Protection Act within three months, at risk of a fine.75

13 June 2013: The executive committee of the CNIL decides to make public the decision of 10 June 2013 to issue a formal notice against Google.76

20 June 2013: CNIL announces that “France, Spain, the U.K. at the start of next week and Germany at the end of next week will all take a formal and official decision to start repressive proceedings against Google, and a second salvo will come from Italy and the Netherlands by the end of July.”77 Google maintains that the French Data Protection Act “was not applicable to the data processing in question and that the CNIL was therefore not competent to initiate punitive action in this case”.78

11 October 2013: The CNIL shares with Google a report in which the CNIL’s rapporteur states that Google has not satisfied the terms of the formal notice of 10 June 2013; requests the Sanctions Committee of the CNIL to impose a financial penalty of €150,000 on Google and to make this decision public; and notes that the Google case is on the agenda of the Sanctions Committee for 19 December 2013.79

28 November 2013: The Dutch Data Protection Authority publishes the findings of its investigation into the compliance of Google’s privacy policy with Dutch data protection law. It finds violations and plans a hearing with Google, following which it will decide on enforcement actions, including the imposition of sanctions.80

75 CNIL Decision of 10 June 2013, http://www.cnil.fr/fileadmin/documents/en/D2013-025_10_Jun_2013_GOOGLE_INC_EN.pdf
76 CNIL, Deliberation No. 2013-420 of the Sanctions Committee of CNIL imposing a financial penalty against Google Inc, 3 January 2014, p. 3, http://www.cnil.fr/fileadmin/documents/en/D2013-420_Google_Inc_EN.pdf
77 De Beaupuy, Francois, and Stephanie Bodoni, “Google gets 3 months to fix privacy or face French fines”, Bloomberg Law, 20 June 2013, http://www.bloomberg.com/news/2013-06-20/google-to-get-3-months-to-fix-privacy-policy-or-face-french-fine.html
78 CNIL, Deliberation No. 2013-420 of the Sanctions Committee of CNIL imposing a financial penalty against Google Inc, 3 January 2014, p. 3, http://www.cnil.fr/fileadmin/documents/en/D2013-420_Google_Inc_EN.pdf
79 Ibid., p. 4.

29 November 2013 Google states to Bloomberg BNA that it has “engaged fully with the Dutch DPA throughout this process and will continue to do so going forward.”81

13 December 2013 Google supplies written comments on the report of the rapporteur of the CNIL of October 11, 2013.82

19 December 2013 The Google case is on the agenda of the Sanctions Committee of the CNIL.83 During the meeting, Google reiterated its comments of December 13, 2013 on the report of the rapporteur of the CNIL of October 11, 2013. Google essentially contests the applicability of the French Data Protection Act and the competence of the CNIL to issue formal notice and initiate sanctions procedures against Google.84

19 December 2013 The Spanish DPA finds three breaches by Google’s privacy policy of the Spanish data protection law, and imposes for each breach a fine of €300.000.85

3 January 2014 CNIL’s Sanctions Committee imposes a fine of €150.000 on Google, rules that the decision will be made pubic on the website of the CNIL, and orders Google to publish a communiqué on this decision on the homepage www.google.fr for 48 hours, within 8 days of its notification86

80 The Guardian, “Google privacy changes break Dutch data protection law, says regulator”, 29 November 2013, http://www.theguardian.com/technology/2013/nov/29/dutch­data­privacy­google­breaks­accused ; Gardner, Stephen, “Dutch DPA Concludes That Google Is in Breach of Data Protection Act”, Bloomberg BNA, 2 December 2013, http://www.bna.com/dutch­dpa­concludes­n17179880411/ ; Dutch DPA, Dutch DPA: privacy policy Google in breach of data protection law, press release, 28 November 2013, http://www.dutchdpa.nl/Pages/pb_20131128­google­privacypolicy.aspx ; The definitive findings of the Dutch DPA are available here: http://www.dutchdpa.nl/downloads_overig/en_rap_2013­google­privacypolicy.pdf ; The annex (in Dutch) to the definitive findings of the Dutch DPA is available here: http://www.cbpweb.nl/downloads_rapporten/rap_2013­google­privacybeleid_bijlage.pdf ; An informal translation of the findings of the Dutch DPA is available here: http://www.cbpweb.nl/downloads_rapporten/rap_2013­google­privacybeleid.pdf 81 Gardner, Stephen, Dutch DPA Concludes That Google Is in Breach of Data Protection Act, Bloomberg BNA, 2 December 2013, http://www.bna.com/dutch­dpa­concludes­n17179880411/ 82 CNIL, Deliberation No. 2013­420 of the Sanctions Committee of CNIL imposing a financial penalty against Google Inc, 3 January 2014, p. 3, http://www.cnil.fr/fileadmin/documents/en/D2013­420_Google_Inc_EN.pdf , p. 4. 83 Ibid., p. 4. 84 Ibid., p. 4. 
85 El País, “Sanción a Google por vulnerar derechos del ciudadano”, 19 December 2013, http://tecnologia.elpais.com/tecnologia/2013/12/19/actualidad/1387450618_053467.html ; Agencia Española de Protección de Datos, “The AEPD sanctions Google for serious violation of the rights of the citizens”, press release, 19 December 2013, http://www.agpd.es/portalwebAGPD/revista_prensa/revista_prensa/2013/notas_prensa/common/diciembre/131219_PR_AEPD_PRI_POL_GOOGLE.pdf
86 Gévaudan, Camille, “Données personnelles: 150 000 euros d'amende pour Google”, Libération, 8 January 2014, http://ecrans.liberation.fr/ecrans/2014/01/08/donnees-personnelles-150-000-euros-d-amende-pour-google_971443?xtor=rss-450 ; For the French version of the press release of the CNIL, see CNIL, “La formation restreinte de la CNIL prononce une sanction pécuniaire de 150 000 € à l’encontre de la société GOOGLE Inc.”, 8 January 2014, http://www.cnil.fr/linstitution/actualite/article/article/la-formation-restreinte-de-la-cnil-prononce-une-sanction-pecuniaire-de-150000-EUR-a-lencontre/ ; For the English version of the press release of the CNIL, see CNIL, “The CNIL's Sanctions Committee issues a 150 000 € monetary penalty to GOOGLE Inc.”, 8 January



14 January 2014 Google requests the Conseil d’Etat to suspend the publication order issued by the CNIL’s Sanctions Committee on January 3, 2014.87

7 February 2014 In a preliminary ruling, the Conseil d’Etat rejects Google’s request of January 14, 2014 to suspend the publication order issued by the CNIL’s Sanctions Committee on 3 January 2014.

2.3.3 Reasons for investigation

CNIL, on behalf of WP29, analysed Google’s new privacy policy under European data protection legislation, notably the Data Protection Directive 95/46/EC and the ePrivacy Directive 2002/58/EC. The analysis focused in particular on the compliance of Google’s privacy policy with the following data protection principles:

- purpose limitation;
- the right to information;
- the right to consent;
- data quality;
- data minimization;
- proportionality;
- the right to object;
- data retention periods.

2.3.4 Findings of investigation

Considering that the case study aims to address co-operation between DPAs, the findings below do not cover the findings of the investigations by individual DPAs into Google’s privacy policy under their national data protection laws, but are limited to the findings of the investigation by the CNIL on behalf of the WP29. As regards compliance of Google’s privacy policy with the data protection principles mentioned above, the investigation by the CNIL on behalf of the WP29 found that Google:88

- can combine almost any data from any services for any purposes;
- provides insufficient information to its users on the purposes and the categories of data being processed;

2014, http://www.cnil.fr/english/news-and-events/news/article/the-cnils-sanctions-committee-issues-a-150-000-EUR-monetary-penalty-to-google-inc/ ; For the French version of the Deliberation of the Sanctions Committee of the CNIL, see CNIL, Délibération n° 2013-420 de la formation restreinte prononçant une sanction pécuniaire à l'encontre de la société Google Inc., 3 January 2014, http://www.cnil.fr/fileadmin/documents/approfondir/deliberations/Formation_contentieuse/D2013-420_Sanction_Google.pdf ; For the English version of the Deliberation of the Sanctions Committee of the CNIL, see CNIL, Deliberation No. 2013-420 of the Sanctions Committee of CNIL imposing a financial penalty against Google Inc, 3 January 2014, http://www.cnil.fr/fileadmin/documents/en/D2013-420_Google_Inc_EN.pdf
87 CNIL, “The Conseil d’Etat rejected Google’s request for a suspension of CNIL’s publication order”, press release, 7 February 2014, http://www.cnil.fr/english/news-and-events/news/article/the-conseil-detat-rejected-googles-request-for-a-suspension-of-cnils-publication-order/
88 WP29, Letter to Google of 16 October 2012, http://www.cnil.fr/fileadmin/documents/en/20121016-letter_google-article_29-FINAL.pdf ; Appendix, Google privacy policy: main findings and recommendations, http://www.cnil.fr/fileadmin/documents/en/GOOGLE_PRIVACY_POLICY-_RECOMMENDATIONS-FINAL-EN.pdf



- does not collect the unambiguous consent of the user for some of the purposes related to the combination of data;
- did not set any limits to the combination of data;
- has not demonstrated that this collection was proportionate to the purposes for which the data are processed;
- did not provide clear and comprehensive tools allowing its users to control it;
- failed to provide retention periods for the personal data it processes.

2.3.5 Forms of co-operation

The procedure for co-operation was entirely informal. The WP29 started the investigation on its own motion. Google complied on the basis of mere goodwill. The means of co-operation consisted of exchanges of letters and a questionnaire, as well as meetings between Google, CNIL and the WP29.

2.3.6 Conclusions

The CNIL started the investigation at the request and on behalf of the WP29, which itself started the investigation on its own motion, without any complaint from anyone. The investigation did not concern an individual case, but an issue of a general nature;

Investigations were led by several parties. From February 2, 2012 till October 16, 2012, the investigation was led by the CNIL on behalf of the WP29. On February 27, 2013, the WP29 established a task force, led by CNIL and including five other DPAs, from Germany, Italy, Spain, the UK and the Netherlands. Following unsuccessful meetings between Google and the task force, the members of the task force launched their own investigations into the compliance of Google’s privacy policy with national legislation, but as “part of an international administrative cooperation.”89 This situation confused Google: in a letter of April 9, 2013, Google asked whether the WP29 task force would remain its point of contact.

Google’s proposed privacy policy also attracted global attention. Different authorities worked on different legal bases, such as the Asia Pacific Privacy Authorities (APPA), the Office of the Privacy Commissioner of Canada (OPC), the Information Commissioner’s Office (ICO) and the US authorities. This raises questions about duplication of effort, and whether a single investigation would have been possible.

The case shows that it is the Member States, not the WP29, that have the power to impose sanctions for privacy violations. Enforcement powers and powers to impose sanctions vary between Member States. For instance, the Belgian DPA has limited powers to impose fines; the Spanish DPA has broader powers to impose fines, and in practice also issues substantial fines. It referred to possible fines of between 40,000 and 300,000 euros.90 Germany and France, on the other hand, use their substantial powers in widely divergent ways depending on the particular case.91

In a notice of June 10, 2013, the CNIL gave Google three months to change its privacy policies or risk a fine of up to 150,000 euros, and 300,000 euros in case of a

89 CNIL, “CNIL orders Google to comply with the French Data Protection Act, within three months”, 20 June 2013, http://www.cnil.fr/english/news-and-events/news/article/cnil-orders-google-to-comply-with-the-french-data-protection-act-within-three-months/
90 Huet, Natalie, and Clare Kane, “UPDATE 3-France, Spain take action against Google on privacy”, Reuters, 20 June 2013, http://www.reuters.com/article/2013/06/20/google-privacy-idUSL5N0EW14X20130620
91 Cunningham, Bryan, “Google's collision course with member states”, EU Observer, 8 April 2013, http://euobserver.com/opinion/119727



repeated offense.92 The Information Commissioner’s Office (ICO) said that, if Google failed to comply, it would consider the matter a contempt of court and, accordingly, could issue an enforcement notice through the courts. Moreover, in case of proven harm to individuals caused by the privacy policy, Google could face a £500,000 fine.93 Thus, “[t]he types and severity of sanctions available to DPAs, depending upon individual national laws, can include, in increasing severity: relatively informal guidance; recommendations; investigations; formal warnings; administrative sanctions (monetary fines); public admonishment; blocking of data processing or transfers; and, finally, criminal sanctions. [...] It is at least possible that some member states will attempt to make an example of Google, and deter other companies, by imposing unusually high fines, and possibly impose injunctive remedies, such as legally prohibiting processing of data found to violate EU privacy law. Given the EU member states’ history, however, it seems highly unlikely that any Google officials will be subjected to criminal process.”94 On 13 June 2013, the executive committee of the CNIL decided to make public its decision of 10 June 2013 to issue a formal notice ordering Google to bring its privacy policies into compliance with the French Data Protection Act, “on the grounds of the seriousness of the violations observed and the corresponding harm to fundamental rights of the individuals concerned. It also took into account the status and size of the company, the world leader in the market of Internet search and the provision of related services, and, therefore, the number of persons affected by its processing (several million in France).”95 Google, on the other hand, “maintained that the French law, in this instance the Data Protection Act, was not applicable to the data processing in question and that the CNIL was therefore not competent to initiate punitive action in this case; it furthermore contested each of the violations cited against it.”96 During the meeting of the Sanctions Committee of the CNIL on 19 December 2013, Google again contested the applicability of the French Data Protection Act and the competence of the CNIL to issue a formal notice and initiate sanctions proceedings against it.97 Furthermore, on 3 January 2014, the CNIL not only imposed a fine of €150,000 on Google, but also ordered Google to publish a communiqué on this decision on the homepage www.google.fr for 48 hours, within 8 days of its notification. More concretely, the CNIL ordered Google to “publish at its expense, on its publicly available electronic communications service accessible at the address https://www.google.fr, the following statement: ‘Communiqué: the Sanctions Committee of the French Data Protection Authority (CNIL) has ordered the Google company to pay a fine of 150,000 euros for breaching

92 CNIL, Decision of 10 June 2013, http://www.cnil.fr/fileadmin/documents/en/D2013-025_10_Jun_2013_GOOGLE_INC_EN.pdf ; De Beaupuy, Francois, and Stephanie Bodoni, “Google gets 3 months to fix privacy or face French fines”, Bloomberg Law, 20 June 2013, http://about.bloomberglaw.com/legal-news/google-gets-3-months-to-fix-privacy-or-face-french-fines/
93 Arthur, Charles, “European watchdogs order Google to rewrite privacy policy or face legal action”, The Guardian, 5 July 2013, http://www.guardian.co.uk/technology/2013/jul/05/google-privacy-policy-legal-action
94 Cunningham, Bryan, “Google's collision course with member states”, EU Observer, 8 April 2013, http://euobserver.com/opinion/119727
95 CNIL, Deliberation No. 2013-420 of the Sanctions Committee of CNIL imposing a financial penalty against Google Inc, 3 January 2014, p. 3, http://www.cnil.fr/fileadmin/documents/en/D2013-420_Google_Inc_EN.pdf
96 Ibid., p. 3.
97 Ibid., p. 4.



the rules of personal data protection conferred by the Data Protection Act. The ruling may be read in full at the following address: http://www.cnil.fr/linstitution/missions/sanctionner/Google/.’”98 The amount of the fine is said to be the highest ever issued by the Sanctions Committee of the CNIL, justified by the number and seriousness of the breaches. The publication of the decision of the CNIL on the website of Google was “justified by the extent of Google’s data collection, as well as by the necessity to inform the persons concerned who are not in a capacity to exercise their rights.”99

In a decision of 28 November 2013, the Dutch Data Protection Authority found that Google’s privacy policy violates Dutch data protection law, and planned a hearing with Google, after which it would decide on enforcement actions including the imposition of sanctions. A spokeswoman for the Dutch DPA told Bloomberg BNA that the Dutch DPA “does not have the power to fine Google but could potentially impose an order requiring the company to amend its privacy policy, with a financial penalty if the company does not comply with the order [...] The potential financial penalty ‘depends on the kind of breach and the circumstances,’ [...] A previous CBP order issued to Google over its alleged collection of wireless Internet data could have resulted in a penalty of 1 million euros ($1.36 million), but Google complied with the order, the spokeswoman added (78 PRA, 4/22/11).”100

On 19 December 2013, the Spanish DPA found that Google’s privacy policy breaches the Spanish data protection law in three respects, and imposed a fine of €300,000 for each breach. The Spanish DPA stated that “This action is part of the coordinated effort carried out in collaboration with the authorities of data protection of Germany, France, Holland, Italy and United Kingdom, [...] [which] In April 2013 [...] launched parallel investigations and procedures pursuant to the provisions of their respective national laws, but acting in close coordination with the French CNIL acting again as leading authority. The resolution of the Agency inserts itself in the framework of this coordinated action”.101

Although the results of the investigation were non-binding, the question arises whether they would influence any further cases on Google’s privacy policy. In a letter of April 20, 2012, Google questioned the legal basis for the WP29 to act as a regulatory body, or to mandate the CNIL to conduct a regulatory review on behalf of other DPAs. Google also questioned the applicable law, the process followed and the ultimate goal of the review.102 Moreover, on May 22, 2012, CNIL sent Google a number of questions that required more precise and comprehensive answers.103 Although Google was asked to

98 Ibid., p. 28.
99 CNIL, “The CNIL's Sanctions Committee issues a 150 000 € monetary penalty to GOOGLE Inc.”, 8 January 2014, http://www.cnil.fr/english/news-and-events/news/article/the-cnils-sanctions-committee-issues-a-150-000-EUR-monetary-penalty-to-google-inc/
100 Gardner, Stephen, “Dutch DPA Concludes That Google Is in Breach of Data Protection Act”, Bloomberg BNA, 2 December 2013, http://www.bna.com/dutch-dpa-concludes-n17179880411/
101 El País, “Sanción a Google por vulnerar derechos del ciudadano”, 19 December 2013, http://tecnologia.elpais.com/tecnologia/2013/12/19/actualidad/1387450618_053467.html ; Agencia Española de Protección de Datos, “The AEPD sanctions Google for serious violation of the rights of the citizens”, press release, 19 December 2013, http://www.agpd.es/portalwebAGPD/revista_prensa/revista_prensa/2013/notas_prensa/common/diciembre/131219_PR_AEPD_PRI_POL_GOOGLE.pdf
102 Google, letter to CNIL of 20 April 2012, p. 4, https://docs.google.com/file/d/0B8syaai6SSfiSUhFMHVpMmhFUG8/edit
103 CNIL, letter to Google of 22 May 2012, http://www.cnil.fr/fileadmin/documents/en/Letter_CNIL_to_Google_22_May_2012.pdf



reply by June 8, 2012, it did not reply until a letter of June 21, 2012, in which it also questioned the legal basis for any possible recommendations or conclusions.104

The president of the Dutch DPA told Bloomberg BNA that “European DPAs had learned from previous investigations into Google Street View that a coordinated approach was more effective for looking at Google's privacy policy (189 PRA, 9/30/13).”105

104 Google, letter to CNIL of 21 June 2012, p. 1, https://docs.google.com/file/d/0B8syaai6SSfiM2hmS2xjY2tzV0k/edit
105 Gardner, Stephen, “Dutch DPA Concludes That Google Is in Breach of Data Protection Act”, Bloomberg BNA, 2 December 2013, http://www.bna.com/dutch-dpa-concludes-n17179880411/



2.4 CBP AND OPC’S INVESTIGATION OF WHATSAPP

2.4.1 Overview

The College Bescherming Persoonsgegevens (CBP; the Dutch Data Protection Authority) and the Office of the Privacy Commissioner of Canada (OPC) carried out a joint investigation into the processing of personal data by WhatsApp Inc., a California-based developer of the ‘whatsapp’ instant messaging application, which allows users to send and receive messages over the Internet.

2.4.2 Sequence of key events

Following is a timeline of the key events.106

16 January 2012 Entry into force of the MoU regarding the mutual exchange of investigation data, signed by CBP and OPC prior to their joint investigation into the processing of personal data by WhatsApp.

26 January 2012 OPC initiates a complaint against WhatsApp under the Personal Information Protection and Electronic Documents Act (PIPEDA).

16 February 2012 CBP notifies WhatsApp about the launch of the investigation.

22 March 2012 WhatsApp replies to the letter of CBP of February 16, 2012.

9 May 2012 CBP asks WhatsApp for more detailed information.

17 May 2012 WhatsApp supplies the information requested by CBP in its letter of May 9, 2012.

March & August 2012 CBP launches a digital investigation into the app.

September 2012 In partial response to CBP’s investigation, WhatsApp introduces encryption to its mobile messaging service.

15 October 2012 CBP sends its own preliminary findings report of October 2, 2012, as well as the preliminary findings of OPC, to WhatsApp, with the possibility for WhatsApp to give its views.

30 October 2012 WhatsApp asks in an e-mail to postpone the deadline for giving its views on CBP’s preliminary findings report of October 15, 2012.

31 October 2012 CBP replies positively to WhatsApp’s e-mail of October 30, 2012, and allows WhatsApp to postpone its views on the CBP’s preliminary findings report of October 15, 2012 until November 30, 2012.

29 November 2012 In an email, WhatsApp gives its views on CBP’s preliminary findings report of October 15, 2012.

December 2012 WhatsApp strengthens its authentication process with stronger password security in the latest version of the app.

106 Based on CBP’s Definitive Findings report: Dutch Data Protection Authority, Investigation into the processing of personal data for the ‘whatsapp’ mobile application by Whatsapp Inc., Z2011-00987, Report on the definitive findings, 15 January 2013, pp. 6-7, http://www.dutchdpa.nl/downloads_overig/rap_2013-whatsapp-dutchdpa-final-findings-en.pdf

4-5 December 2012 In consultation with the CBP, OPC contacts WhatsApp’s advocate-delegate (by e-mail and by telephone) to get a reaction to a problem reported in the media.

7 December 2012 WhatsApp provides an explanation by e-mail in reaction to the request of December 4-5, 2012.

10 December 2012 The OPC, in consultation with CBP, poses additional questions to WhatsApp by e-mail, and requests WhatsApp to take part, at short notice, in a video conference call.

17 December 2012 WhatsApp replies positively to OPC’s request of December 10, 2012.

18 December 2012 The OPC, in consultation with CBP, sends an e-mail to WhatsApp to explain the additional questions of December 10, 2012 in more detail.

19 December 2012 By e-mail, WhatsApp sends two diagrams with detailed information.

20 December 2012 By e-mail, the OPC, in consultation with CBP, asks for an explanation of the diagrams sent by WhatsApp on December 19, 2012. WhatsApp replies on the same day.

December 2012 – January 2013

CBP conducts another digital investigation into the app.

4 January 2013 A conference call takes place between CBP, OPC, WhatsApp and its advocate-delegate.

5 January 2013 The OPC, in consultation with CBP, sends an e-mail to WhatsApp for further information. WhatsApp replies on the same day.

15 January 2013 CBP approves its Definitive Findings report. OPC also releases its Report of Findings.107

2.4.3 Reasons for investigation

The joint investigation focused on the following issues:

- access to the address book of WhatsApp users;
- data retention periods;
- technical and organizational measures;
- status messages.

2.4.4 Findings of investigation

As regards access to the address book, the investigation revealed that, except in the latest app version on an iPhone with iOS 6, WhatsApp gets access to users’ entire address book,

107 Office of the Privacy Commissioner of Canada, Report of Findings: Investigation into the personal information handling practices of WhatsApp Inc., PIPEDA Report of Findings #2013-001, 15 January 2013, http://www.priv.gc.ca/cf-dc/2013/2013_001_0115_e.asp



including phone numbers of non-WhatsApp users. The lack of choice for users as to whether or not to make their contacts available to WhatsApp was found to be in contravention of Dutch and Canadian privacy laws and certain international privacy principles.108 As regards data retention periods, CBP found that WhatsApp stored the personal data of inactive users for an excessive period of one year. The OPC, on the other hand, found WhatsApp’s data retention periods to be satisfactory on the whole, but stated that users should be informed about the retention policies in WhatsApp’s privacy policy or other documentation. As regards security measures, at the time the investigation began, WhatsApp messages were unencrypted, which facilitated eavesdropping or interception, especially over unprotected Wi-Fi networks. Moreover, WhatsApp used a weak authentication process with weak password security, which created the risk of abuse by third parties. As regards status messages, all WhatsApp users can read the status messages of other users. Although the CBP did not find a breach of the Dutch data protection law on this point, it endorsed the OPC’s recommendation to provide real-time or active notification (e.g. pop-ups) whenever users change their status message.109

2.4.5 Forms of co-operation

Prior to the investigation, CBP and OPC signed an MoU regarding the mutual exchange of investigation data, which came into effect on January 16, 2012. During the investigation, consultations took place between CBP and OPC. Moreover, CBP and OPC exchanged many e-mails and even arranged a video conference call with WhatsApp.

2.4.6 Conclusions

OPC and CBP issued separate reports, respecting each country’s data protection law. For instance, CBP and OPC reached different conclusions as regards retention periods;

Unlike the CBP, the OPC does not have order-making powers. The CBP has the power to impose sanctions;

On October 30, 2012, WhatsApp successfully asked to postpone the deadline for giving its views on the preliminary findings report of the CBP. This reveals the flexible nature of the investigation;

WhatsApp took steps to implement many recommendations throughout the investigation:

o In September 2012, in partial response to CBP’s investigation, WhatsApp introduced encryption to its mobile messaging service, which aims to preclude eavesdropping or interception;

108 CBP & OPC, “Canadian and Dutch data privacy guardians release findings from investigation of popular mobile app”, Ottawa, Canada and The Hague, The Netherlands, 28 January 2013, http://www.dutchdpa.nl/Pages/en_pb_20130128-whatsapp.aspx ; http://www.priv.gc.ca/media/nr-c/2013/nr-c_130128_e.asp
109 Dutch Data Protection Authority, Investigation into the processing of personal data for the ‘whatsapp’ mobile application by Whatsapp Inc., Z2011-00987, Report on the definitive findings, 15 January 2013, p. 3, http://www.dutchdpa.nl/downloads_overig/rap_2013-whatsapp-dutchdpa-final-findings-en.pdf



o Moreover, WhatsApp strengthened its authentication process with stronger password security in the latest version of the App, which lowered the risk of abuses by third parties;

o In response to the investigation by the OPC and CBP, WhatsApp supplemented the information for users about the distribution of status messages;

In response to the investigation by the CBP and the OPC, WhatsApp announced the following priorities on its product development agenda:

o the manual addition of contacts;
o as regards retention periods, and following the OPC’s observations, an update and expansion of its Terms of Service and Privacy Policy by March 31, 2013;
o password security of inactive users;
o as regards status messages: the expansion of its Terms of Service and Privacy Policy, and the integration of real-time notification into future application releases beginning September 30, 2013.110

Following the issuance of their respective reports, OPC and CBP will pursue outstanding matters independently. CBP provides for a second phase to examine whether the breaches of law continue and to decide on further enforcement actions. The OPC will monitor the company’s progress in meeting commitments made in the course of investigation.111

The case of WP29’s and CNIL’s investigation of Google’s privacy policy and the WhatsApp case show differences. In the first case, the WP29 started the investigation on its own motion, whereas in the second case, the CBP and OPC signed an MoU. Secondly, the Google case concerns an investigation led by CNIL, on behalf of WP29, into the compliance of Google’s privacy policy with European data protection legislation, whereas the WhatsApp case concerns a joint investigation by CBP and OPC into the compliance of WhatsApp Inc.’s processing of personal data with their respective data protection laws. It should be noted, however, that in the former case, following unsuccessful meetings between Google and the task force, the six DPAs of the WP29 task force also launched their own investigations, under an international administrative enforcement procedure, into the compliance of Google’s privacy policy with their national data protection laws. This uncovers a third difference: unlike the Google case, the WhatsApp case was finished after one year. Thus, the form of investigation seems to determine the compliance of the company being investigated: unlike Google during the investigation by the CNIL on behalf of the WP29, WhatsApp took steps to implement many recommendations throughout the investigation (see above). Furthermore, on 29 November 2013, following the investigation by the Dutch DPA of Google’s privacy policy under Dutch data protection law, Google stated to Bloomberg BNA that it had “engaged fully with the Dutch DPA throughout this process and will continue to do so going forward.”112

110 Dutch Data Protection Authority, Investigation into the processing of personal data for the ‘whatsapp’ mobile application by Whatsapp Inc., Z2011-00987, Report on the definitive findings, 15 January 2013, p. 4, http://www.dutchdpa.nl/downloads_overig/rap_2013-whatsapp-dutchdpa-final-findings-en.pdf
111 CBP & OPC, “Canadian and Dutch data privacy guardians release findings from investigation of popular mobile app”, Ottawa, Canada and The Hague, The Netherlands, 28 January 2013, http://www.dutchdpa.nl/Pages/en_pb_20130128-whatsapp.aspx ; http://www.priv.gc.ca/media/nr-c/2013/nr-c_130128_e.asp
112 Gardner, Stephen, “Dutch DPA Concludes That Google Is in Breach of Data Protection Act”, Bloomberg BNA, 2 December 2013, http://www.bna.com/dutch-dpa-concludes-n17179880411/



2.5 IRISH OFFICE OF THE DATA PROTECTION COMMISSIONER’S AUDIT OF FACEBOOK IRELAND

2.5.1 Overview

In 2011, the Irish Office of the Data Protection Commissioner (ODPC) conducted an audit of Facebook Ireland Ltd. The case includes strong involvement by a pressure group (europe-v-facebook.org) putting complaints to a data protection authority outside its own country and then remaining involved in the process. The case highlights jurisdiction issues in relation to international websites, and the consequent responsibility and leading role of the DPA of the country in which the company is legally established. Because Facebook’s international headquarters are in Dublin, Ireland, the changes made by Facebook in response to the Irish ODPC’s report will likely affect all (non-US and non-Canadian) Facebook users.

2.5.2 Sequence of key events

Early 2011 ODPC indicates to Facebook Ireland its intention to carry out a general audit of its data protection practices, under Section 10(1A) of the Data Protection Act.

18 August 2011 europe-v-facebook.org files 16 complaints against Facebook Ireland Ltd with the Irish ODPC.

19 September 2011 europe-v-facebook.org files a further six complaints with ODPC.

25-26 October, 16-18 November and 14 December 2011 ODPC conducts an on-site audit of Facebook Ireland Ltd over six days.

21 December 2011 ODPC produces report113 and appendix.114

January 2012 europe-v-facebook.org responds to the ODPC report.115

6 February 2012 europe-v-facebook.org meets with Facebook in Vienna with the aim of finding an “amicable solution” as required under the Irish Data Protection Act.

May/June 2012 Facebook introduces a new privacy policy worldwide.

21 September 2012 ODPC publishes a review of Facebook’s compliance with the non-binding suggestions from the December 2011 report.116

4 December 2012 europe-v-facebook.org publishes its full response to the audit process as requested by the ODPC.117

2.5.3 Reasons for the investigation

Maximilian Schrems, representing the advocacy group europe-v-facebook.org, filed a bundle of 22 separate complaints against Facebook Ireland Ltd with the Irish Office of the Data

113 Data Protection Commissioner, Facebook Ireland Ltd: Report of Audit, 21 December 2011, http://www.dataprotection.ie/documents/facebook%20report/final%20report/report.pdf
114 Data Protection Commissioner, Appendices to Facebook Ireland Audit Report, 21 December 2011, http://dataprotection.ie/documents/facebook%20report/final%20report/Appendices.pdf
115 http://www.europe-v-facebook.org/ODPC_JAN_pub.pdf
116 Data Protection Commissioner, Facebook Ireland Ltd: Report of Re-Audit, 21 September 2012, http://www.dataprotection.ie/documents/press/Facebook_Ireland_Audit_Review_Report_21_Sept_2012.pdf
117 europe-v-facebook.org, Response to “Audit” by the Irish Office of the Data Protection Commissioner on “Facebook Ireland Ltd”, Vienna, 4 December 2012, http://www.europe-v-facebook.org/report.pdf

Page 40: PHAEDRA · 1.1 need for improved co-operation and co-ordination A principal challenge confronting data protection authorities (DPAs) and privacy commissioners is the enforcement of

40

Protection Commissioner (ODPC). The Commissioner has investigatory powers where an individual complains that there has been a contravention of the Data Protection Act 1988.118 The complaints included: “Pokes” being kept even after a user removes them; the collection of data about people without their knowledge and the creation of “shadow” profiles of non­users; tags are used without the consent of the subject and are opt­out; gathering of data without consent through iPhone app or “Friend Finder”; deleted postings present in data sets; users’ inability to see distribution settings for posts made on friends’ walls; messages being stored after user deletion; a vague, unclear and contradictory privacy policy; face recognition features as inappropriate violations of user privacy; subject access requests not being answered fully; tags “deleted” by the user instead being deactivated and stored; no guarantees of any level of data security; no guarantee that applications that do not meet European data protection standards cannot be added; deleted friends’ being stored by Facebook; Facebook’s processing of personal data as an example of excessive processing; Facebook as an opt­out system, rather than an opt­in as required by European law; the “Like” button being used to track users outside of Facebook and on other websites; Facebook not meeting its obligations as a provider of cloud services; picture privacy settings being insufficient; deleting pictures only deletes links to the picture; users can be added to groups without their consent; and finally, privacy policies are changed too infrequently, with users being improperly informed, and not asked for consent.119 This complaint, along with others by the Norwegian Consumer Council, and individual complaints arising from publicity around subject access requests aligned with the ODPC’s existing intention to conduct an audit of Facebook Ireland Ltd. 
The Office conducted the audit and the investigation into the complaints in parallel.

118 http://www.lawreform.ie/_fileupload/Restatement/First%20Programme%20of%20Restatement/EN_ACT_1988_0025.PDF
119 Europe Vs Facebook, “Legal Procedure against ‘Facebook Ireland Limited’”. http://europe-v-facebook.org/EN/Complaints/complaints.html

2.5.4 Findings of the investigation

Investigations under the Data Protection Act take the form of a privacy audit, with the general aim of improving data protection practices. The findings of the audit did not constitute a formal decision on the complaints brought to the ODPC, and did not carry an implication that Facebook Ireland’s practices were not in compliance with Irish data protection law. The results of most audits by the ODPC are only made publicly available with the permission or agreement of the organisation concerned. The publication of the audit of Facebook Ireland is, therefore, an exception to this practice.

The ODPC report produced recommendations for Facebook Ireland. These were framed in terms of “best practice” to which Facebook Ireland should adhere. The report made recommendations in the areas of privacy and data use policies, advertising use of user data, access requests, retention of data, cookies and social plug-ins, third party apps, disclosures to third parties, facial recognition and suggested tags, security, the deletion of accounts, the friend finder, tagging, posting on other profiles, Facebook credits, abuse reporting, and compliance management and governance.

The September 2012 re-review documents the changes that Facebook Ireland has put in place in response to the initial audit, and broadly concludes that the changes have, for the most part, been implemented to the ODPC’s full satisfaction. The report found that although the Facebook facial recognition feature was not necessarily in conflict with Irish law as interpreted by the Courts, the ODPC took account of the views of the Article 29 Working Party and of German colleagues and persuaded Facebook Ireland to terminate this feature for EU users and to delete the already-collected biometric templates of such users, an action that the ODPC subsequently verified. In some cases, Facebook Ireland went beyond the ODPC recommendations, but in the areas of new user education, deletion of social plug-in data, full verification of account deletion, and minimising the potential for the use of advertising that could be considered sensitive, full implementation had not yet been achieved. The ODPC considers this process to be one of ongoing engagement with Facebook Ireland Ltd.120 The improvements implemented by Facebook, except in relation to facial recognition, were applied to all Facebook users, including those in the US and Canada who formally come under the jurisdiction of Facebook Inc.

The report was criticised by europe-v-facebook.org, who did not see the audit as producing a final decision. In a letter to the ODPC, Schrems raised the following criticisms:

The report lists general suggestions rather than legal analysis;

The legal analysis behind the outcome is not disclosed, and may not be in line with Directive 95/46/EC;

Some of the issues raised as complaints are not addressed in the report;

The “best practices” identified in the report do not meet the standards of Directive 95/46/EC;

The audit is too reliant on claims made by Facebook, to which the complainant does not have access;

There are contradictory findings in the report.

At the start of 2013, europe-v-facebook.org is considering requesting a formal binding decision on the complaints from the ODPC.121

2.5.5 Forms of co-operation

The audit of Facebook Ireland Ltd was primarily conducted by the ODPC alone, with pro bono assistance from Dave O’Reilly of University College Dublin, who assisted with technical issues that arose during the audit. The main 2011 report states that the audit “builds on work carried out by other regulators, notably the Canadian Privacy Commissioner, the US Federal Trade Commission and the Nordic and German Data Protection Authorities”. The report also acknowledges that it includes consideration of specific issues raised by europe-v-facebook.org, the Norwegian Consumer Council and individuals.122 The ODPC also acknowledges ongoing consultation with other data protection authorities and the Article 29 Working Party’s Technology sub-group during the processing of its follow-up review,123 including an explicit reference to the Article 29 Working Party Opinion 02/2012 on facial recognition.124 The ODPC argues that one of the strengths of an audit with recommendations expressed as “best practice” is that it allows them to go beyond strict compliance with Irish law and to take account of the views of other DPAs on such issues. The ODPC has used the same approach in its recently completed audit of LinkedIn-Ireland and intends to follow the same practice in its forthcoming audits of Apple-Ireland, Adobe-Ireland and Yahoo-Ireland.

120 Data Protection Commissioner, Facebook Ireland Ltd: Report of Re-Audit, 21 September 2012, p. 3. http://www.dataprotection.ie/documents/press/Facebook_Ireland_Audit_Review_Report_21_Sept_2012.pdf
121 europe-v-facebook.org, “Legal Procedure against ‘Facebook Ireland Limited’”. http://europe-v-facebook.org/EN/Complaints/complaints.html
122 Data Protection Commissioner, Facebook Ireland Ltd: Report of Audit, 21 December 2011, p. 3. http://www.dataprotection.ie/documents/facebook%20report/final%20report/report.pdf
123 Data Protection Commissioner, Facebook Ireland Ltd: Report of Re-Audit, 21 September 2012, p. 3. http://www.dataprotection.ie/documents/press/Facebook_Ireland_Audit_Review_Report_21_Sept_2012.pdf

The Office of the Privacy Commissioner of Canada (OPC) conducted a parallel investigation into two Facebook features, the “friend finder” and “people you may know”. The ODPC report states that, in order to make the best use of limited resources, the ODPC discussed the likely findings of the OPC investigation in advance of its own audit. As the ODPC concurred with the likely findings of the OPC, it decided not to focus upon these features in its audit. However, the Irish audit was able to examine the use of “friend finder” technology within Facebook, something the Canadian investigation was unable to do given the lack of a Facebook corporate presence in Canada.125

The Federal Trade Commission had charged Facebook (in this case, the Palo Alto-based Facebook Inc) with deceiving customers by failing to keep privacy promises.
This resulted in a settlement of 29 November 2009 in which Facebook agreed not to make misrepresentations about the privacy or security of consumers’ personal information, to obtain express affirmative consent before overriding privacy preferences, to prevent anyone accessing a user’s material 30 days after deleting his or her account, to maintain a comprehensive privacy programme, and to obtain independent, third-party audits of its privacy programme and of the security of consumer information.126 The ODPC considered that this settlement set high standards, and therefore considered what analogous steps were required from Facebook Ireland Ltd to comply with Irish data protection law.127

124 Article 29 Working Party, Opinion 02/2012 on facial recognition in online and mobile services, WP192, Brussels, 22 March 2012. http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp192_en.pdf
125 The Canadian investigation concluded that “friend finder” and invitation services, which allowed a user to upload their e-mail address book and then use this to send invitations to non-users to join Facebook, were not accessing the e-mail address books of complainants. However, Facebook Inc had failed to obtain consent for the use of non-users’ e-mail addresses for the purpose of generating friend suggestions, had failed to inform non-users of the proposed use of their e-mail address, and had failed to provide a convenient procedure for opting out prior to this use. Office of the Privacy Commissioner of Canada, “Report of Findings – Facebook didn’t get non-members’ consent to use email addresses to suggest friends, investigation finds”, 2012. http://www.priv.gc.ca/cf-dc/2012/2012_002_0208_e.asp
126 Federal Trade Commission, “Facebook Settles FTC charges that it deceived consumers by failing to keep privacy promises”, 29 November 2009. http://ftc.gov/opa/2011/11/privacysettlement.shtm
127 Data Protection Commissioner, Facebook Ireland Ltd: Report of Audit, 21 December 2011, p. 147. http://www.dataprotection.ie/documents/facebook%20report/final%20report/report.pdf

The Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) suspended its own investigation into the Tag Suggest function on Facebook (in which facial recognition technology is used to suggest people in uploaded photographs for a user to identify). This feature was included in the Irish audit, and the feature was suspended for European users from 1 July 2012. However, the ODPC re-opened its investigation in August 2012. HmbBfDI considered that the negotiated agreement between Facebook Ireland and the ODPC, including Facebook’s concessions, did not comply with data protection standards, particularly in relation to consent.128 HmbBfDI then issued an administrative order against Facebook Inc., obliging the US-based parent company to change its facial recognition methods to comply with European data protection law.129 Other German authorities have also initiated similar procedures.

The ODPC received complaints from the Norwegian Consumer Council regarding third party applications, Facebook’s privacy policy, and questions of jurisdiction. The ODPC used these complaints, which it regarded as well researched, as an evidence base and focus for its audit.130 These complaints had initially been made to the Norwegian Data Protection Agency (Datatilsynet) in May 2010, which concluded that Norwegian data protection law did not apply in this case and that the matter should be addressed to the Irish authorities due to Facebook Europe’s location in Dublin.131

europe-v-facebook.org has claimed that the ODPC stopped communicating with the group and the complainant in July 2012, after europe-v-facebook.org had requested access to files, evidence and arguments put forward by Facebook.132

European Commissioner Viviane Reding described this case as an example of how cross-national DPA investigations should not be conducted in future, because of the difficulty of interaction between the Austrian complainant and the Irish DPA.133 Under the data protection reform package, she envisages a counter-example in which an Austrian citizen would be able to take their complaint to the Austrian DPA, which would then liaise with its Irish counterparts, and the same rules would be applicable across the EU.

In his letter to the ODPC, Schrems raises a problem with the amicable agreement approach of the ODPC. He suggests that it is inadequate and unbalanced for an individual (in this case, a student) to be negotiating unsupported with a multinational company.134 The ODPC report on the audit states that Facebook Europe co-operated fully during the audit and during the follow-up review.
128 Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit, “Proceedings against Facebook Resumed”, Press release, Hamburg, 15 August 2012. http://www.datenschutz-hamburg.de/fileadmin/user_upload/documents/PressRelease-2012-08-15-Facebook_Proceedings.pdf
129 Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit, “Administrative Decision against Facebook”, Press release, Hamburg, 21 September 2012. http://www.datenschutz-hamburg.de/fileadmin/user_upload/documents/PressRelease-2012-09-21-Facebook_AdministrativeDecision.pdf
130 Data Protection Commissioner, Facebook Ireland Ltd: Report of Audit, 21 December 2011, p. 22. http://www.dataprotection.ie/documents/facebook%20report/final%20report/report.pdf
131 Data Protection Commissioner, Appendices to Facebook Ireland Audit Report, 21 December 2011, p. 202. http://dataprotection.ie/documents/facebook%20report/final%20report/Appendices.pdf
132 europe-v-facebook.org, “Legal Procedure against ‘Facebook Ireland Limited’”, Press release, 30 July 2012. http://europe-v-facebook.org/EN/Complaints/complaints.html
133 Reding, Viviane, “The EU Data Protection Reform 2012: Making Europe the Standard Setter for Modern Data Protection Rules in the Digital Age”, Speech, Munich, 24 January 2012. http://europa.eu/rapid/press-release_SPEECH-12-26_en.htm
134 Schrems, Maximilian, “Recent report on ‘Facebook Ireland Ltd’”, Letter to Billy Hawkes, Data Protection Commissioner, 2 January 2012. http://www.europe-v-facebook.org/ODPC_JAN_pub.pdf

2.5.6 Conclusions

From this case study, we draw the following conclusions:

Co-operation primarily took the form of building on previous investigations, audits and settlements, and of consultation with other European data protection agencies during the conduct of the audit by the single DPA with acknowledged jurisdiction over Facebook Ireland Ltd.

There has been some criticism of the effectiveness of this process, in particular from the complainant, and subsequent investigations by other European DPAs have explicitly stated that the ODPC audit is insufficient.

A European data protection investigation led to changes for all users of Facebook outside of the US and Canada.


2.6 SONY PLAYSTATION NETWORK HACKS

2.6.1 Overview

What media reports often described as the Sony PlayStation Hack was actually a series of hacks and problems with a set of related systems over several days. The main focus of attention for data protection authorities was the potential theft of personal information of more than 70 million users of the Sony PlayStation Network. The internal investigation of this hack resulted in the PlayStation Network platform being unavailable for several days. PlayStation Network (PSN) is the network that provides the online component of the popular PlayStation games console: it allows users to purchase and download games and additional content, to communicate with friends and to host online multiplayer games.

Other related hacks were discovered during the investigation into the PlayStation Network hack. First, the website of Sony Online Entertainment (SOE) was compromised, with hackers potentially gaining access to personal information of 24.6 million customers.135 The SOE network was taken offline on 2 May 2011. Second, personal information on a Sony website was indexed by Google, leading to 2,500 names and partial addresses from a 2001 Sony sweepstake competition being discovered on a public-facing website on 7 May 2011.136 Third, the Sony Pictures Entertainment website was hacked between 27 May and 2 June 2011, with the hacking group LulzSec claiming responsibility,137 and several purported members of LulzSec were subsequently charged.138 This hack resulted in the theft of confidential data relating to 100,000 users of the Sony Pictures website. Several other hacks followed through May and June 2011.139

There were several investigations into the PlayStation Network data breaches, which for the most part occurred independently of each other. Many data protection authorities rapidly stated that they would look into the breaches to ascertain the applicability of their data protection law to the case and any jurisdiction that their offices might have. The UK Information Commissioner’s Office (ICO) conducted an investigation into the PlayStation Network data breach and issued Sony with a monetary penalty of £250,000. There were also a large number of separate investigations into this data loss by various actors in the United States, including the Federal Trade Commission, the House of Representatives, numerous Attorneys General, and the FBI.

135 Sony Online Entertainment, “Dear Valued Sony Online Entertainment Customer”, Sony Online Entertainment, 2 May 2011. https://www.soe.com/securityupdate/
136 Wisniewski, Chester, “Sony succumbs to another hack leaking 2,500 ‘old records’”, Naked Security, 7 May 2011. http://nakedsecurity.sophos.com/2011/05/07/sony-succumbs-to-another-hack-leaking-2500-old-records/
137 FBI, “Member of hacking group LulzSec arrested for June 2011 intrusion of Sony Pictures computer systems”, press release, Los Angeles, 22 September 2011. http://www.fbi.gov/losangeles/press-releases/2011/member-of-hacking-group-lulzsec-arrested-for-june-2011-intrusion-of-sony-pictures-computer-systems
138 FBI, “Six hackers in the United States and abroad charged for crimes affecting over one million victims”, press release, New York, 6 March 2012. http://www.fbi.gov/newyork/press-releases/2012/six-hackers-in-the-united-states-and-abroad-charged-for-crimes-affecting-over-one-million-victims
139 Security Curmudgeon, “Absolute Sownage: a concise history of recent Sony hacks”, Attrition.org, 4 June 2011. http://attrition.org/security/rant/sony_aka_sownage.html

2.6.2 Sequence of key events

17-19 April 2011: Sony learns that the PlayStation Network and Qriocity network had been hacked and begins an internal investigation.

20 April 2011: Sony PlayStation Network and Qriocity services are suspended.

22 April 2011: Sony confirms that the PlayStation Network suspension is due to external intrusion.

25 April 2011: Sony’s forensic teams confirm the scope of the personal data they believe taken, but cannot rule out credit card information.

26 April 2011: Sony informs its users and the authorities about the hack on the PlayStation Network, and that personal information on customers may have been stolen.140 Sony initially blames Anonymous, who deny responsibility.141

April 2011: The Office of the Australian Information Commissioner (OAIC) conducts an investigation into Sony Computer Entertainment Australia’s role in the PSN data loss.

2 May 2011: Sony confirms that 12,000 credit card numbers and 24.7 million customers’ account information may have been stolen. The credit card numbers are apparently encrypted and do not include expiry dates.

2 June 2011: Sony restores all PlayStation Network services in all areas other than Japan.

29 September 2011: The OAIC publishes the results of its investigation of Sony Computer Entertainment Australia.142

25 July 2012: The ICO serves a Notice of Intent on Sony.

12 October 2012: The ICO receives written representations from Sony.

19 October 2012: A US Federal judge rules that plaintiffs could not claim that Sony violated US customer protection statutes because the PSN services were provided free of charge.

14 January 2013: The ICO issues a penalty of £250,000 against Sony Computer Entertainment Europe (SCEE) Limited.143

2.6.3 Reasons for investigation

Several data protection authorities undertook investigations to determine the applicability of local law to the hacks after they became public knowledge. The Office of the Australian Information Commissioner (OAIC) conducted its “own motion” investigation into the PlayStation Network hack in April 2011. This investigation was conducted because Australian citizens had been affected by the network hack. The OAIC investigation was limited to the activities and role of Sony Computer Entertainment Australia, a subsidiary of SCEE. Similarly, the Office of the Privacy Commissioner for Personal Data in Hong Kong also conducted enquiries into Sony Computer Entertainment Hong Kong. The Office of the Privacy Commissioner of Canada announced its intention to look into the PSN data loss in late April 2011, with particular attention to its effects on Canadians, and said it would determine its next move once it had a better understanding of events.144 The Office does not appear to have subsequently issued a report of findings on any such investigation. Other data protection authorities, such as the New Zealand Privacy Commissioner, maintained contact with their international equivalents without conducting their own investigation.145

The PlayStation Network platform is operated by Sony Network Entertainment Europe Limited (SNEE), which is a wholly owned subsidiary of Sony Computer Entertainment Europe. SNEE is responsible for the network in Europe, the Middle East, Africa, Australia and New Zealand. The network platform, including the database of customer information, was maintained on behalf of SNEE by a US service provider, which is another part of the Sony group. SNEE is based in London and therefore comes under the purview of the ICO. The ICO described the loss of customer information by Sony as “the most serious breach reported to us”.146 The breach was self-reported to the ICO by SNEE, and the ICO subsequently undertook an investigation.

There were several overlapping investigations into the hack in the United States. Sony Computer Entertainment America (SCEA) is the US/North American equivalent to SNEE and both are part of the Sony Group, which in turn is headquartered in Japan. Sony Online Entertainment publishes online multiplayer games. The US headquarters of Sony Online Entertainment is in New York.147 The Federal Bureau of Investigation confirmed that it was investigating the hacks as a cybercrime, with the focus of its investigation being the hackers responsible, and not the involvement or conduct of Sony in regard to the breach of personal data. The FBI subsequently arrested and charged several people allegedly involved in perpetrating the hacks. The House of Representatives Subcommittee on Commerce, Manufacturing and Trade conducted a hearing on the threat of data theft to American consumers, which produced a letter to the chairman of SCEA asking several questions about the timing and extent of the breach, when Sony became aware of the incident, when it notified customers and the authorities, and the details of any data security and retention practices.148 Sony’s response to this letter provided details about its internal investigation, and cited the complexity of the investigation as the key reason for the delay in informing customers and the authorities.149 Twenty-two US state attorneys also demanded answers to questions from SCEA.150 The Federal Trade Commission may also have had jurisdiction due to potential impacts on US consumers, but does not appear to have produced a report of any investigation.

140 Information stolen likely included: name, address (city, state, zip), country, e-mail address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that profile data, including purchase history and billing address (city, state, zip), and PlayStation Network/Qriocity password security answers may have been obtained. Seybold, Patrick, “Update on PlayStation Network and Qriocity”, PlayStation.Blog, 26 April 2011. http://blog.us.PlayStation.com/2011/04/26/update-on-PlayStation-network-and-qriocity/
141 Arthur, Charles, “Anonymous says Sony accusations over PlayStation Network hack are lies”, The Guardian, 5 May 2011. http://www.guardian.co.uk/technology/blog/2011/may/05/anonymous-accuses-sony-hack-PlayStation-network
142 Office of the Australian Information Commissioner, Sony PlayStation Network/Qriocity: Own Motion Investigative Report, 29 September 2011. http://www.oaic.gov.au/publications/reports/own_motion_sony_sep_2011.html
143 Information Commissioner’s Office, “Sony fined £250,000 after millions of UK gamers’ details compromised”, Press release, 24 January 2013. http://www.ico.org.uk/news/latest_news/2013/ico-news-release-2013
144 Hartley, Matt, “Breach rattles watchdogs”, Financial Post, 27 April 2011. http://business.financialpost.com/2011/04/27/breach-rattles-watchdogs/?__lsa=0624-1046
145 Privacy Commissioner, “Media Release: PlayStation data breach”, Press release, 28 April 2011. http://privacy.org.nz/news-and-publications/statements-media-releases/media-release-PlayStation-data-breach/
146 BBC, “Sony fined over ‘preventable’ PlayStation data hack”, BBC News, 24 January 2013. http://www.bbc.co.uk/news/technology-21160818
147 https://www.soe.com/
148 House of Representatives, “The Threat of Data Theft to American Consumers: Hearing before the Subcommittee on Commerce, Manufacturing and Trade, of the Committee on Energy and Commerce, House of Representatives”, US Government Printing Office, Washington, DC, 4 May 2011. http://www.gpo.gov/fdsys/pkg/CHRG-112hhrg70740/pdf/CHRG-112hhrg70740.pdf
149 Hirai, Kazuo, “Letter to the Honorable Mary Bono Mack and Honorable G.K. Butterfield”, 3 May 2011. http://www.flickr.com/photos/PlayStationblog/5686965323/in/set-72157626521862165/

2.6.4 Findings of investigation

The Office of the Australian Information Commissioner (OAIC) investigation concluded that, as SCE Australia did not hold any personal information relating to the PlayStation Network platform, it had not breached Australia’s Privacy Act 1988. The OAIC report made a distinction between information disclosed to the public and information accessed as a result of “a sophisticated security cyber attack against the network platform”, and stated that a targeted attack on an organisation did not necessarily signify that the organisation had failed to take “reasonable steps” to secure personal data.151 The Commissioner was, however, concerned about the delay between SCE Europe becoming aware of the incident and notifying both customers and the OAIC. The Privacy Commissioner for Personal Data, Hong Kong, stated on 26 July 2012 that his office would not pursue any further investigation, on the assumption that the cause of the intrusion had been identified and that preventative measures had been taken.152

The UK Information Commissioner’s Office disagreed with the Australian conclusion, stating that the PlayStation Network hack that resulted in the loss of customers’ personal data could have been avoided. That the database had been targeted in a deliberate criminal attack did not mitigate the finding that the security in place was not sufficient to protect the personal data being held. As a data controller under the Data Protection Act 1998, SCEE had failed to ensure that the service provider maintained adequate security standards.
The ICO considered the contravention of Section 4(4) of the Data Protection Act 1998 to be serious, because the measures taken by the data controller did not ensure a level of security appropriate to the harm that might result from unauthorised or unlawful access and processing of the stored information. The monetary penalty of £250,000 was therefore considered reasonable and proportionate, and would not impose undue financial hardship upon the data controller. The ICO could potentially have issued a fine of up to £500,000.153 Aggravating factors included: serious contravention due to the nature and volume of data; placing other accounts at risk; that the data controller should have been aware of the risk; that the data controller should have acted sooner; and that the data controller is part of a multinational group with resources and expertise. Mitigating factors included: the focused and determined criminal attack; the complexity of the PSN system; the fact that some steps were taken to secure the network; that there had not been a previous similar breach; that the personal data lost is unlikely to be misused and that no misuse has yet been reported; that data subjects were informed and reparations offered; that the data controller fully co-operated with the Commissioner; that substantial remedial action has been taken; and that the breach has had a significant effect on the data controller’s reputation.

The lawsuits filed against Sony (SCEA) alleging that Sony knew that its security was insufficient prior to the attack were dismissed by a judge in Southern California on the grounds that the named plaintiffs were not subscribers to the premium features of PSN, and therefore Sony had not breached California’s consumer protection laws. Judge Anthony Battaglia also stated that Sony could not be held fully responsible for the loss as there was no such thing as perfect security.154

150 As an example, see Jepsen, George, “Re: Sony PlayStation Breach”, letter, Hartford, Connecticut, 27 April 2011. http://www.ct.gov/ag/lib/ag/press_releases/2011/sonytrettonltr042711.pdf
151 Office of the Australian Information Commissioner, Sony PlayStation Network/Qriocity: Own Motion Investigative Report, 29 September 2011. http://www.oaic.gov.au/publications/reports/own_motion_sony_sep_2011.html
152 Office of the Privacy Commissioner for Personal Data, Hong Kong, “Privacy Commissioner completes enquiries with Sony on Resumption of PlayStation Network Service in Hong Kong”, press release, 26 July 2012. http://www.pcpd.org.hk/english/infocentre/press_20120726c.html
153 Information Commissioner’s Office, Data Protection Act 1998 Monetary Penalty Notice: Sony Computer Entertainment Europe, 14 January 2013. http://www.ico.org.uk/news/latest_news/2013/~/media/documents/library/Data_Protection/Notices/sony_monetary_penalty_notice.ashx

2.6.5 Forms of co-operation

In general, there is little evidence of any significant or structured co-operation between data protection authorities in the investigation of the Sony PlayStation Network data breach or other associated hacks against Sony. Rather, investigations were primarily conducted by national data protection authorities where they believed it appropriate. Where it occurred, co-operation between data protection authorities was limited to ad hoc communication between the authorities and the sharing of any findings at the conclusion of individual investigations. The OAIC investigation into SCE Australia was one of the earliest investigations. The OAIC states that it advised other privacy regulators about its findings, particularly the Asia Pacific Economic Cooperation (APEC) member countries. Many data protection authorities who issued press releases regarding the Sony PlayStation breach also noted that they would maintain communication with peers in other countries during their investigations. Details of this communication or co-operation are generally limited. The Australian Commissioner also stated that he did not intend to re-open this investigation following the ICO’s decision regarding SCE Europe.155 The OAIC did, however, note the complexity of the Sony case, and cited this as a driver towards increased international co-operation.
There is evidence of collaboration between the FBI and the Department of Justice in the investigation of the criminal side of the hacks.156 This presumably builds on regular co-operation between the FBI and its overseeing Department. It appears that the 22 different state Attorneys General each wrote their own investigative letters to Sony, rather than sharing a single inquiry. Several parts of the Monetary Penalty Notice issued by the ICO have been redacted.157 It is uncertain if the redacted or un-redacted version of this Notice was shared with other data protection authorities. The Notice does not give details of any collaboration between the ICO and other data protection authorities.

154 Kerr, Dana, “Sony PSN Hacking lawsuit dismissed by judge”, CNET, 23 October 2012. http://news.cnet.com/8301-1023_3-57538716-93/sony-psn-hacking-lawsuit-dismissed-by-judge/
155 Office of the Australian Information Commissioner, “Sony PlayStation Network: Statement from the Australian Privacy Commissioner, Timothy Pilgrim”, press release, 25 January 2013. http://www.oaic.gov.au/news/statements/statement_130125-sony.html
156 Li, Shan, “Justice Department probes hacker attack at Sony’s PlayStation Network”, Los Angeles Times, 5 May 2011. http://articles.latimes.com/2011/may/05/business/la-fi-sony-probe-20110505
157 http://www.ico.org.uk/news/latest_news/2013/~/media/documents/library/Data_Protection/Notices/sony_monetary_penalty_notice.ashx

Notably, the respective Sony subsidiaries seem to have co-operated with the law enforcement and data protection authorities in each instance, and alongside the voluntary reporting of the breach to the UK commissioner, this co-operation was taken into account by the ICO as a mitigating factor in determining the appropriate monetary penalty.

2.6.6 Conclusions

From this case study, we draw the following conclusions:

The corporate structure of Sony’s various divisions and the way that it operated services made issues of jurisdiction and responsibility potentially problematic.

Most data protection authorities that investigated the PlayStation Network hacks examined the activities of the local subsidiary of the Sony Group within their jurisdiction (for example, SCE Australia and SCE Hong Kong). Several data protection authorities therefore concluded that because those subsidiaries were not directly involved in processing data in relation to the hacked network, there was no further need for investigation.

The PlayStation breach appears to have been influential in increasing the perceived need for global co-operation between Data Protection Authorities, due to the inter-related nature of the Sony group, the complex flows of personal information involved, and the possibility of a single event affecting a large number of citizens.


2.7 SWIFT AND US TREASURY TERRORIST FINANCE TRACKING PROGRAM (TFTP)

2.7.1 Overview

The Society for Worldwide Interbank Financial Telecommunication (SWIFT) is a member-owned co-operative of financial organisations which is headquartered in Belgium. SWIFT processes and transmits financial communications globally.158 In 2006, The New York Times revealed that SWIFT had been co-operating with a US Treasury department surveillance programme, granting the Treasury, including the U.S. Secret Service, subpoenaed search access to SWIFT transactions globally.159 The programme is known as the Terrorist Finance Tracking Program (TFTP). Subsequently, SWIFT was the subject of detailed investigations by the Belgian Commission for the Protection of Privacy160 (the Belgian data protection authority), as well as investigations by the Article 29 Data Protection Working Party, the European Data Protection Supervisor and several other national data protection authorities. There was a relatively high level of co-operation and co-ordination between European data protection authorities, through the Article 29 Working Party. The case also resulted in negotiations between the US Treasury and the EU on the continuation of the TFTP programme.

2.7.2 Sequence of key events

23 June 2006 The New York Times, followed by The LA Times and The Washington Post, reveals secret SWIFT surveillance and subpoena programme run by United States Treasury.161

27 June 2006 Privacy International files simultaneous complaints regarding SWIFT with data protection and privacy regulators in 32 countries, requesting investigations.162

6 July 2006 European Parliament Resolution on the interception of bank transfer data from the SWIFT system by the US secret services.163

17 July 2006 European Commission writes to the Belgian DPA requesting information on the case.

28 July 2006 Chairman of the Article 29 Working Party announces intent of European data protection authorities to co-ordinate activities in investigating the SWIFT case.

26-27 Sept 2006 WP29 holds plenary discussion, agrees to continue fact-finding.

158 SWIFT, “Company Information”. http://www.swift.com/about_swift/company_information/company_information
159 Lichtblau, Eric, and James Risen, “Bank Data Is Sifted by U.S. in Secret to Block Terror”, The New York Times, 23 June 2006. http://www.nytimes.com/2006/06/23/washington/23intel.html?pagewanted=all&_r=0
160 Commissie voor de bescherming van de persoonlijke levenssfeer (CBPL) in Dutch and Commission de la protection de la vie privée (CPVP) in French. http://www.privacycommission.be/
161 Lichtblau and Risen, op. cit.; Meyer, Josh, and Greg Miller, “U.S. Secretly Tracks Global Bank Data”, The Los Angeles Times, 23 June 2006, http://articles.latimes.com/2006/jun/23/nation/na-swift23; Simpson, Glenn R., “Treasury Tracks Financial Data in Secret Program”, The Washington Post, 23 June 2006.
162 Privacy International, “PI estimates over 4 million UK financial records sent each year to U.S”, press release, 6 July 2006. https://www.privacyinternational.org/press-releases/pi-estimates-over-4-million-uk-financial-records-sent-each-year-to-us
163 European Parliament resolution on the interception of bank transfer data from the SWIFT system by the US secret services (P6_TA-PROV(2006)0317). http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/dv/res_060706/res_060706en.pdf

27 Sept 2006 Report of the Belgian Commission for the Protection of Privacy.164

4 Oct 2006 SWIFT financial officer appears before European Parliament and strongly objects to the Belgian report.

5 Oct 2006 European Data Protection Supervisor criticises the European Central Bank for not informing European authorities of the SWIFT transfers.165

22 Nov 2006 Article 29 Data Protection Working Party produces Opinion 10/2006 on the processing of personal data by SWIFT.166

13 Dec 2006 Belgian public prosecutor announces that no legal action will be taken against SWIFT.

2 April 2007 The Privacy Commissioner of Canada concludes investigation into SWIFT.167

23 May 2007 The Belgian Privacy Commission decides to initiate a recommendation procedure with respect to SWIFT.

24 May 2007 and 11 June 2007 SWIFT informed orally, then by letter, of Privacy Commission’s procedure.

27-28 June 2007 Agreement regarding the SWIFT surveillance programme reached between the US and EU (Council and Commission) following negotiations.

4 Oct 2007 SWIFT announces plans to create “closed loop” European messaging processing zone by creating a new operations centre in Switzerland.

19 Dec 2007 to 26 Nov 2008 Privacy Commission conducts a series of hearings and requests for evidence from SWIFT.

26 Nov 2008 Privacy Commission closes its deliberations.

9 December 2008 Belgian Commission for the Protection of Privacy publishes findings of its full investigation into SWIFT.168

Feb 2010 European Parliament rejects conclusion of agreement allowing US authorities access to European financial transactions data.

May 2010 European Commission starts negotiating new agreement.

June 2010 European Parliament approves conclusion of revised agreement.

2.7.3 Reasons for investigation

SWIFT previously operated two data centres, one in Belgium and the other in Cupertino, California. For data security reasons, transaction data for all international transactions made through SWIFT were mirrored across both data centres. All of the SWIFT data, comprising details of millions of financial transactions, was therefore stored in a data centre under U.S. jurisdiction. Following the 11 September 2001 attacks, the U.S. Treasury department began using broad administrative subpoenas to access large amounts of data from SWIFT as part of efforts to trace terrorist financing. Given that SWIFT did not legally challenge these subpoenas, it was required to comply with this classified surveillance programme. The programme was not covered by US laws protecting private financial records as SWIFT was considered a messaging service rather than a bank or financial institution.169 SWIFT did, however, negotiate a way of complying with the subpoenas whilst, in their eyes, providing a level of data protection. This included the appointment of an auditor (Booz, Allen & Hamilton), a guarantee from the US Treasury of support in the event of censure from third party authorities, and definitions of the purposes of the searches conducted.170

Following the press revelation of the programme, the European Parliament expressed concern about the transfer of data to the US Treasury, and any secret operations on EU territory without EU citizens and their representatives being informed. The Parliament called on the European Data Protection Supervisor to ascertain if the European Central Bank had met its obligations under Regulation (EC) 45/2001,171 and demanded that Member States check for legal lacunae at local levels, and ensure that data protection legislation covers central banks. The Parliament also urged the Commission to take measures to ensure that cases like SWIFT would not occur in the future.172 In turn, the Commission requested the Belgian authorities to investigate.173 The Belgian College of Intelligence and Security174 requested an Opinion from the Belgian Commission for the Protection of Privacy, which had already made the decision to investigate the SWIFT case based on the press reporting and a complaint from Privacy International.

164 Commission de la protection de la vie privée, Avis relatif à la transmission de données à caractère personnel par la SCRL SWIFT suite aux sommations de l’UST (OFAC), Brussels, 27 Sept 2006. http://www.privacycommission.be/sites/privacycommission/files/documents/avis_37_2006_0.pdf
165 European Data Protection Supervisor, EDPS Opinion on the role of the European Central Bank in the SWIFT case, Brussels, 1 Feb 2007. http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Supervision/Inquiries/2007/07-02-01_Opinion_ECB_role_SWIFT_EN.pdf
166 Article 29 Data Protection Working Party, Opinion 10/2006 on the processing of personal data by the Society for Worldwide Interbank Financial Telecommunication (SWIFT), Brussels, 22 Nov 2006. http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2006/wp128_en.pdf
167 Office of the Privacy Commissioner of Canada, Report of Findings - Privacy Commissioner of Canada v. SWIFT, 2 April 2007. http://www.priv.gc.ca/cf-dc/2007/swift_rep_070402_e.asp
168 Commission de la protection de la vie privée, Control and recommendation procedure initiated with respect to the company SWIFT scrl, 9 Dec 2008. http://www.privacycommission.be/sites/privacycommission/files/documents/swift_decision_en_09_12_2008.pdf
The Article 29 Data Protection Working Party adopted an Opinion on the case on the basis of Articles 29 and 30 of the EU Data Protection Directive (95/46/EC). Other data protection authorities, including Australia, Canada, New Zealand, Switzerland and Iceland, also started their own investigations. In May 2007, the Belgian Privacy Commissioner started a recommendation procedure into the SWIFT case. This procedure, which can be initiated under the Commissioner’s own authority and results in a set of recommendations to a data controller, included a more intensive interaction with SWIFT. This was seen as necessary in order to follow up on SWIFT’s responses to previous opinions, and to clarify the concepts of data controller and processor in multiple, complex and interlocked processing systems transferring large volumes of data internationally.

169 Lichtblau and Risen, op. cit., 2006.
170 Commission de la protection de la vie privée, 27 September 2006, pp. 6-7.
171 The ECB is a member of the Central Banks of the Group of Ten (G-10) countries which conduct collective oversight of SWIFT.
172 European Parliament resolution on the interception of bank transfer data from the SWIFT system by the US secret services (P6_TA-PROV(2006)0317).
173 Ibid., p. 2.
174 A committee chaired by the Prime Minister, with representatives of the Belgian intelligence services, police, Ministry of Foreign Affairs, the college of Attorneys General and the National Security Authority.

2.7.4 Findings of investigation

The 2006 report from the Belgian Privacy Commissioner found that SWIFT had broken Belgian law, and that there was a conflict between European and US law. This report suggested that SWIFT had made errors in judgement in responding to the subpoenas, resulting in “hidden, systematic, massive, and long-term violation of the fundamental European principles as regards data protection”.175 The Commissioner stated that SWIFT should have complied with Belgian law relating to the notification of processing and transfers of data to countries outside the EU; should have followed the principles of proportionality, limited retention period and protection levels. Whilst SWIFT had notified G-10 banks of the programme, the banks had not in turn notified privacy commissioners.

Following the Belgian report, the European Data Protection Supervisor (EDPS), Peter Hustinx, criticised the European Central Bank for failing to prevent the transfer of information, or to notify other parties such as European governments and authorities about the scheme.176 The ECB had been aware of the subpoena process since February 2002. The EDPS also criticised the ECB’s continuing use of the SWIFT service after becoming aware of the arrangement.177 The EDPS concurred with the Belgian Privacy Commissioner’s legal analysis and conclusions.

The Article 29 Working Party Opinion 10/2006 concluded that Directive 95/46/EC was applicable to SWIFT through the national laws implementing it, and that SWIFT was required to comply with its obligations under the Directive, particularly including providing information to individuals whose data was being transferred, notifying the Belgian DPA and ensuring an adequate level of protection for international transfers of data. The Opinion also concluded that, as data controllers with joint responsibility, financial institutions in the EU had the obligation to ensure that SWIFT complied with data protection law. The Opinion called for SWIFT to take measures to remedy the illegal state of affairs and called for increased oversight of SWIFT.178

The Canadian investigation concluded that whilst SWIFT was subject to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), the organisation did not contravene the law when it complied with lawful subpoenas served on it in the United States. However, the Commissioner suggested that alternate information sharing approaches, with built-in protections for privacy and mechanisms for accountability, would be more desirable than the use of the subpoena route.179

The Belgian privacy commissioner continued with a longer investigation under the recommendation procedure. In contrast to the 2006 investigation, this subsequent report cleared SWIFT of breaching the Belgian Privacy Act.180 The report took into account actions taken by SWIFT with the intent of compliance with European data protection legislation, following the previous Opinion, and the Opinion of the Article 29 Working Party, in the light of better knowledge of the situation and of subsequent developments. The report highlighted SWIFT’s otherwise strong record on security and data protection and concluded that whilst the protections that SWIFT negotiated with the US Treasury were imperfect, they were perhaps better than what would have been achieved from radical opposition to legally binding subpoenas.

175 Commission de la protection de la vie privée, 26 Sept 2006.
176 European Data Protection Supervisor, op. cit., 1 Feb 2006.
177 EDRI, “SWIFT Found In Breach of Belgian Privacy Laws”, EDRI-gram, 4.19, 11 Oct 2006. http://www.edri.org/edrigram/number4.19/swift
178 Article 29 Data Protection Working Party, op. cit., 22 Nov 2006.
179 Office of the Privacy Commissioner of Canada, “Privacy Commissioner concludes investigation of SWIFT”, press release, 2 April 2007. http://www.priv.gc.ca/media/nr-c/2007/nr-c_070402_e.asp
180 Commission de la protection de la vie privée, 9 Dec 2006, p. 74.


2.7.5 Forms of co-operation

There was broad agreement amongst European institutions mentioned above regarding the appropriateness of delegating the initial investigation to the Belgian data protection authority, given the legal location and identity of SWIFT as a Belgian co-operative. Whilst the Belgian DPA investigated SWIFT, other national data protection authorities contacted their relevant national banking organisations, and the European Data Protection Supervisor investigated the European Central Bank. The investigation by the Office of the Privacy Commissioner of Canada was independent of other investigations, and focused solely on the applicability of PIPEDA in the Canadian context.

The Article 29 Working Party acted as a point of co-ordination. The initial 2006 report from the Belgian DPA was presented to the Article 29 Data Protection Working Party, and the Belgian DPA consulted with the Working Party during the preparation of its Opinion.181 The EDPS stated that it received answers to its questions from SWIFT both directly and indirectly through the Working Party, and through the Belgian Privacy Commission.182 The 2006 Article 29 Working Party Opinion stated that European DPAs “have joined forces in the investigation of the data flow and the analysis of its compliance with the European privacy principles, in particular with the Data Protection Directive”.183 The Working Party held a plenary meeting on 26-27 September 2006, and the subsequent Opinion is a substantial analysis of the case from a combined European perspective. The Article 29 Working Party expressed regret that no prior consultation, formal or informal, was conducted by SWIFT or partner financial institutions with European data protection authorities regarding the processing or mirroring of personal data in the US.184 The 2006 Belgian report was a starting point for several other investigations. The EDPS Opinion drew upon (and concurred with) the first Belgian report.

The EDPS stated in the conclusion of its 2006 Opinion that “the EDPS remains available to advise the ECB and other relevant institutions on all matters concerning the processing of personal data in the framework of payment systems.”185 As a member of the Working Party, the EDPS contributed towards the drafting of its Opinion. The investigation by the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland also built strongly on the foundations of the 2006 Belgian report. Disclosures of information revealed by the Belgian investigation were also seen as infringements of Swiss data protection law. The report of this investigation notes that whilst SWIFT is covered under Belgian data protection (there was no processing of personal data by SWIFT in Switzerland), the decision of joint responsibility between SWIFT and financial services did provide grounds for FDPIC’s investigation of Swiss financial services. Additionally, the report identifies the importance of considering the broader international dimension whilst having a focus upon Switzerland.186

181 Commission de la protection de la vie privée, 27 Sept 2006, p. 3.
182 European Data Protection Supervisor, EDPS Opinion on the role of the European Central Bank in the SWIFT case, Brussels, 1 Feb 2007. http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Supervision/Inquiries/2007/07-02-01_Opinion_ECB_role_SWIFT_EN.pdf
183 Article 29 Data Protection Working Party, op. cit., 22 Nov 2006, p. 5.
184 Ibid., p. 20.
185 European Data Protection Supervisor, op. cit., 1 Feb 2007, p. 12.

Despite the findings of its initial report, the Belgian DPA lacked the power to fine or censure SWIFT, which would have been the responsibility of the Belgian public prosecutor. The public prosecutor took the decision not to pursue any legal action against SWIFT despite the wishes of the Belgian DPA, and the Opinion of the Article 29 Working Group. Belgian Prime Minister Guy Verhofstadt favoured negotiation between the EU and US to achieve legal certainty for companies involved in international data transfer. The SWIFT issue did result in negotiations between the EU and the US. The US Treasury made representations to the Council in which it committed to processing personal data originating in EU Member States in compliance with specific data protection principles. The Article 29 Working Party was kept informed of these discussions, but was not a participant in them. The resulting TFTP agreement between the US and the EU entailed that information would only be obtained from SWIFT for counter-terrorism purposes, and the information would not be kept longer than necessary. The Commission, in consultation with the US Treasury, the President of the Permanent Representatives Committee, and the President of the Committee of Civil Liberties, Justice and Home Affairs of the European Parliament, would have appointed an “eminent European” to independently monitor compliance with the agreement, and report to the Commission, which would in turn inform the Council and Parliament.187 Following the changes in SWIFT’s architecture to introduce the closed European processing loop, there was subsequent disagreement between the European Commission and Parliament over the details of the negotiated agreement with the US regarding access to European financial transaction data, based on privacy, proportionality and reciprocity.188

The Commission envisaged an international agreement between the EU and the US which would require transfer to the US Treasury of relevant financial data necessary for the Treasury’s Terrorist Finance Tracking Programme. The European Parliament gave its approval for a revised agreement in July 2010. The revised agreement gives Europol the “eminent European” role and the responsibility for determining if requests from the US for SWIFT data comply with the terms of the agreement.189 The EDPS was invited to consult on the second draft agreement.190 The European Commission has produced two subsequent reports on the implementation of the agreement in 2011 and 2012.191 The first report concluded that the agreement had been implemented in accordance with the provisions, but recommended greater public information about the functioning of the scheme. The second review looked in greater depth at the functioning of the agreement. The review team was satisfied that the recommendation in the first review had been carried out by the time of the second, and stated that the sensitive programme is well protected and scrupulously managed. Recently, the implications for the TFTP programme arising from the revelations of NSA spying were discussed in the European Parliament.

The 2008 report from the Belgian privacy commissioner highlighted the absence of a European assistance mechanism for organisations that find themselves in a position similar to that of SWIFT, having legal obligations in a third country, but also a requirement to comply with EU data protection law. The report concluded that it was unreasonable to expect such organisations to simply report to the national data protection authority or to the Article 29 Working Group, where local law requires secrecy or would criminally sanction any such disclosure. However, those organisations should be involved in regulation and guidance activity. The report identified a role in this for the EU – US Contact Group on the protection of personal data, which could examine problematic situations and assess any guarantees given to such organisations by the US.192

186 Federal Data Protection and Information Commissioner, Access to SWIFT Transaction Data – Opinion of the Federal Data Protection and Information Commissioner, Bern, 31 October 2006. http://www.edoeb.admin.ch/datenschutz/00626/00755/00972/index.html?lang=en
187 Council of the European Union, Processing and protection of personal data subpoenaed by the Treasury Department from the US based operation centre of the Society for Worldwide Interbank Financial Telecommunication (SWIFT), 11291/2/07 REV 2, Luxembourg, 28 June 2007.
188 European Parliament, “European Parliament votes down agreement with the US”, Press Release, 11 Feb 2010. http://www.europarl.europa.eu/sides/getDoc.do?type=IM-PRESS&reference=20100209IPR68674&language=EN
189 Europol, “Europol JSB inspects for the second year the implementation of the TFTP agreement”, press release, Brussels, 14 March 2012. http://www.privacycommission.be/sites/privacycommission/files/documents/tftp-public-statement_1.pdf
190 Council of the European Union, Note from European Data Protection Supervisor to delegations, 11580/10, Brussels, 28 June 2010. http://register.consilium.europa.eu/pdf/en/10/st11/st11580.en10.pdf
191 European Commission, Report on the joint review of the implementation of the Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging data from the European Union to the United States for the purposes of the Terrorist Finance Tracking Program, Brussels, 16 March 2011. http://ec.europa.eu/dgs/home-affairs/news/intro/docs/commission-report-on-the-joint-review-of-the-tftp.pdf; European Commission, Report on the second joint review of the implementation of the Agreement between the European Union and the United States of America on the processing and transfer of financial messaging data from the European Union to the United States for the purposes of the Terrorist Finance Tracking Program, SWD(2012) 454 final, Brussels, 14 Dec 2012. http://ec.europa.eu/dgs/home-affairs/pdf/20121214_joint_review_report_tftp_en.pdf

2.7.6 Conclusions

From this case study, we draw the following conclusions:

The case at first appears to demonstrate differences between US and European law. The subpoena programme was legal in the United States, and required SWIFT to comply. This meant it was also legal in Canada, given that PIPEDA respected local law. Initial European responses were highly critical of the programme, and seemed to indicate different attitudes to this form of financial surveillance. However, later and more detailed investigations did not find a legal breach.

It is possible that even in the absence of a finding against SWIFT in the second Belgian investigation, the recommendation process itself put pressure on SWIFT to adjust its infrastructure and manner of operation, including opening a new data centre in Switzerland, so as to allow SWIFT to securely mirror transaction data without bringing that data under US jurisdiction.

The case demonstrates fairly substantial co-operation and co-ordination between European data protection authorities, primarily in the form of a division of responsibility between national DPAs to investigate elements of the case within their jurisdictions, co-ordinated through the Article 29 Working Party.

Data protection agencies were potentially sidelined during the later negotiations between the US and the EU over the continuation of the TFTP.

192 Commission de la protection de la vie privée, op. cit., 9 Dec 2006, p. 73.


2.8 TELECOMMUNICATIONS DATA RETENTION

2.8.1 Overview

In 2010 the Article 29 Working Party co-ordinated a joint enforcement action into the traffic data retention practices of major telecommunications and Internet service providers relating to the Data Retention Directive 2006/24/EC. The Directive obliges telecommunications providers to store traffic and location data for their customers’ communications for access by law enforcement agencies. The Working Party concluded that the Directive had been inconsistently implemented at the national level, with a “patchwork” of implementation measures. The European Commission also conducted an evaluation of the implementation of the Directive in 2011, and there are extant legal challenges to the Directive.

2.8.2 Sequence of key events

15 March 2006 Directive 2006/24/EC of the European Parliament and the Council, on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC adopted.193

25 March 2006 Article 29 Working Party publishes Opinion on the Directive (WP 119)194

20 June 2007 Report of Article 29 first joint enforcement action195

17 July 2008 Enforcement Task Force (ETF) mandated by Article 29 Working Party to plan and carry out enforcement action in accordance with WP152196

14 May 2009 Conference “Towards the evaluation of the Data Retention Directive” hosted by the Commission.

3 December 2010 Conference “Taking on the Data Retention Directive” hosted by the Commission

October 2009­March 2010 Commission meetings with Member States and EEA countries representatives as part of evaluation.

193 http://eur­lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2006:105:0054:0063:EN:PDF 194 Article 29 Data Protection Working Party, Opinion 3/2006 on the Directive 2 006/24/EC of the European Parliament and of the Council on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC, Brussels, 25 March 2006. http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2006/wp119_en.pdf 195 Article 29 Data Protection Working Party, Report 1/2007 on the first joint enforcement action: evaluation and future steps, WP137, Brussels, 20 June 2007. http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2007/wp137_en.pdf 196 Article 29 Data Protection Working Party, Mandate to the Enforcement Subgroup to proceed to the 2nd joint investigation action, WP152, 17 July 2008. http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2008/wp152_en.pdf

Page 59: PHAEDRA · 1.1 need for improved co-operation and co-ordination A principal challenge confronting data protection authorities (DPAs) and privacy commissioners is the enforcement of

59

13 July 2010 Article 29 Data Protection Working Party publishes Report on second joint enforcement action.197

5 May 2010 Irish High Court ruled in favour of a request to challenge the Data Retention Directive at the EU Court of Justice.

22 June 2010 Joint letter to Cecila Malmstrom, European Commissioner for Home Affairs calling the repeal of the Directive.198

17 April 2011 European Digital Rights publishes “Shadow evaluation report” on the Data Retention Directive.199

18 April 2011 European Commission publishes Evaluation report on the Data Retention Directive200

18 December 2012 Austrian Constitutional Court submits questions to the EU Court of Justice on the interpretation of the Charter of Fundamental Rights in relation to the Data Retention Directive.

2.8.3 Reasons for investigation

The European Commission had generally requested the Article 29 Working Party to conduct sector-related investigations at EU level on the implementation of the Data Protection Directive 95/46/EC.201 The Working Party itself decided to conduct an inquiry into the conduct of national telecommunications providers and Internet service providers (ISPs). The aim was to assess the compliance of telecommunications providers and ISPs with the obligations imposed by national traffic data retention legislation on the legal basis of Articles 6 and 9 of the e-Privacy Directive 2002/58/EC and the Data Retention Directive 2006/24/EC amending the e-Privacy Directive. Directive 2006/24/EC functions to harmonise the national retention obligations that apply to traffic data. This selection was supported by the criteria in the Declaration of the Article 29 Working Party on Enforcement,202 and was based on the specific scope of 2006/24/EC and the way it derogates from the general principle of the e-Privacy Directive 2002/58/EC that traffic data must be erased or made anonymous when no longer required for the purposes of transmission. The Working Party was concerned about the vague definition of "serious crime" as the justification for retaining communications traffic data, given the differing interpretations of serious crime in national laws. The Working Party had also expressed reservations about the Directive in its Opinions on the draft Directive and on the adopted Directive (WP 113 and WP 119 respectively). The investigation was mandated to focus on the measures adopted by telecommunications and Internet service providers for security and the prevention of abuse, their adherence to storage-limit obligations, and the type of data retained (traffic and/or content data). The Data Retention Directive itself provided for the Commission to evaluate the application and impact of the Directive and to submit its findings to the European Parliament and the Council. EDRi was not satisfied with the evaluation process being used by the Commission and therefore produced a shadow evaluation report in parallel, on its own initiative. Both the Irish High Court and the Austrian Constitutional Court had referred the question of the Directive's compatibility with the European Charter of Fundamental Rights to the Court of Justice of the European Union. The Court's decision on this matter is still pending.

2.8.4 Findings of investigation

The Working Party investigation involved a questionnaire and on-site inspections of the main national telecommunications operators and of ISPs holding a significant market share. The questionnaire asked about the technological solutions implemented for retention purposes, such as IT security, logical and physical protection, authentication/authorisation, logs, encryption, protocols for disclosure and transmission, and back-up/disaster recovery mechanisms.

The Working Party concluded that the Directive had been inconsistently implemented at the national level, with a "patchwork" of implementation measures across Member States. The retention of telephone traffic data was more homogeneous than that of Internet services. A press release from the Working Party stated that the current implementation of the Data Retention Directive had been found to be unlawful.203 It stated that the obligation to retain telecommunications and Internet traffic data had not been applied correctly in the Member States, and that service providers had been found both to retain data and to hand data over to law enforcement in ways that contradicted the Directive. Some providers were retaining content data as well as traffic data. The Working Party called for minimum security standards to be defined and applied by providers. It also suggested that self-regulation was insufficient because of the uneven balance of power between law enforcement authorities and service providers.

The Commission's evaluation of the Directive concluded that data retention was a valuable tool for criminal justice, that the harmonisation of data retention had been limited, and that the EU should use common rules to ensure that high standards for the storage, use and retrieval of traffic and communication data are maintained. The Commission stated its intention to propose amendments to the Directive, based on an impact assessment. The evaluation was based on stakeholder consultation, on meetings with representatives of Member States and EEA countries, and on a survey in September 2009. The shadow evaluation report by EDRi was strongly critical of Directive 2006/24/EC, describing it as an unnecessary and unprecedented violation of fundamental rights.204 The report was also highly critical of the evaluation methods used by the Commission. Similarly, the European Data Protection Supervisor, Peter Hustinx, described the Directive as "the most privacy invasive instrument ever adopted by the EU in terms of scale and number of people it affects" and criticised its failure to harmonise national legislation.205

2.8.5 Forms of co-operation

The enforcement action drew on the experience of the first Joint Enforcement Action, conducted by the members of the Article 29 Working Party into the data protection practices of private health insurance companies. The investigation was co-ordinated by the Enforcement Sub-Group of the Working Party and carried out by the Data Protection Authorities of Belgium, Bulgaria, Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Liechtenstein, Luxembourg, Lithuania, Malta, the Netherlands, Poland, Romania, the Slovak Republic, Slovenia, Spain and the United Kingdom. At the time of the action, the Enforcement Sub-Group was composed of the DPAs of Austria, Belgium, Cyprus, Finland, France, Germany, Greece, Ireland, Italy, Lithuania, the Netherlands, Poland, Romania, Spain, Sweden and the United Kingdom. Bulgaria, the Czech Republic, Denmark, Estonia, Hungary, Latvia, Liechtenstein, Luxembourg, Malta, the Slovak Republic and Slovenia participated but were not on the Sub-Group. Sweden was on the Enforcement Sub-Group but does not appear to have participated in the joint action. Sweden had not at that time implemented the Data Retention Directive, but this did not prevent other countries from participating in the joint investigation (Germany and Poland).

The Sub-Group was to take into account previous Opinions of the Working Party on the Data Retention Directive, particularly the minimum standards proposed in Opinion 3/2006 (WP 119). The Working Party adopted a standard questionnaire. On-site inspections were conducted where the participating Data Protection Authorities judged them necessary, on the basis of their inspection powers under national law (not all participants possessed such powers). Each participating DPA produced a national report, and these were summarised in the Working Party report of July 2010.

The Commission's evaluation of the Data Retention Directive was intended to take account of the observations submitted by Member States and by the Article 29 Working Party. The report on the second joint enforcement action should be considered the Article 29 Working Party's contribution to the Commission's evaluation. The Commission was due to complete its evaluation of the Directive by September 2010. It instead published the evaluation report on 18 April 2011. The report suggested that there were issues with the provision of statistical information on data retention. Under Article 10 of the Data Retention Directive, Member States are to provide the Commission with yearly statistics on the use of traffic data retained under the provisions of the Directive. These statistics should report the cases in which information was transmitted to LEAs, the time elapsed between the date on which the information was retained and the date on which LEAs requested it, and any cases in which data requests could not be complied with. These data are intended to inform any future revision of the Directive. Only a few Member States provided these data, despite repeated requests from the Commission, and the Article 29 Working Party suggested that this might hinder the entire assessment exercise.206 The evaluation also drew on position papers produced by the Platform on Electronic Data Retention for the Investigation, Detection and Prosecution of Serious Crime, an expert group established under Commission Decision 2008/324/EC and containing representatives of Member State law enforcement, members of the European Parliament, associations of the electronic communications industry, representatives of DPAs and the European Data Protection Supervisor.207

EDRi associates the seven-month delay with mistakes in the evaluation process. Its other criticisms of the evaluation process include that the Commission limited the scope of the evaluation by asking only about the assumed value of data retention to national governments, and that it did not collect information from Member States that had not implemented the Directive.208 It argues that the Commission has not commissioned independent research into whether data retention of the kind the Directive mandates is "necessary in a democratic society", the minimum standard for a measure to be lawful under the EU Charter of Fundamental Rights and the European Convention on Human Rights.209 Further, EDRi states that the Commission's evaluation report does not demonstrate that any benefits for criminal prosecution from blanket data retention could not also be achieved through alternative, targeted data preservation schemes.210 The shadow evaluation draws on some of the evidence on differing retention periods and inadequate security standards gathered by the Article 29 Working Party through its joint action, as well as on the decisions of the constitutional courts of Member States that had rejected the Directive (Romania) or its national implementation (Cyprus, Czech Republic, Belgium and Germany).

2.8.6 Conclusions

From this case study we draw the following conclusions:

• Relatively unproblematic co-operation and co-ordination between the data protection authorities themselves with regard to the initiation, organisation and enactment of the joint enforcement action.
  o This drew on the experience of the first joint action.
  o Some members of the Enforcement Sub-Group were absent from the joint action.

197 Article 29 Data Protection Working Party, Report 01/2010 on the second joint enforcement action: Compliance at a national level with the obligations required from national traffic data retention legislation on the legal basis of articles 6 and 9 of the e-Privacy Directive 2002/58/EC and the Data Retention Directive 2006/24/EC amending the e-Privacy Directive, WP172, 13 July 2010. http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp172_en.pdf
198 http://www.vorratsdatenspeicherung.de/images/DRletter_Malmstroem.pdf
199 European Digital Rights, Shadow evaluation report on the Data Retention Directive (2006/24/EC), Brussels, 17 April 2011.
200 European Commission, Report from the Commission to the Council and the European Parliament: Evaluation report on the Data Retention Directive (Directive 2006/24/EC), COM(2011) 225 final, Brussels, 18 April 2011. http://ec.europa.eu/commission_2010-2014/malmstrom/pdf/archives_2011/com2011_225_data_retention_evaluation_en.pdf
201 Commission of the European Communities, Report from the Commission: First report on the implementation of the Data Protection Directive (95/46/EC), COM(2003) 265 final, Brussels, 15 May 2003. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2003:0265:FIN:EN:PDF
202 Article 29 Data Protection Working Party, Declaration of the Article 29 Working Party on Enforcement, WP 101, Brussels, 25 November 2004. http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2004/wp101_en.pdf
203 Article 29 Data Protection Working Party, European Data Protection Authorities find current implementation of data retention directive unlawful, Press release, Brussels, 14 July 2010.
204 European Digital Rights, op. cit., 17 April 2011.
205 https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/Publications/Speeches/2010/10-12-03_Data_retention_speech_PH_EN.pdf
206 Article 29 Data Protection Working Party, WP172, op. cit., p. 16. http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp172_en.pdf
207 Up to 25 members in total, with up to 10 representatives of law enforcement, up to two members of the European Parliament, up to eight representatives of associations of the electronic communications industry, and up to four representatives of DPAs. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2008:111:0011:0014:EN:PDF
208 EDRi, op. cit., 17 April 2011, p. 3.
209 Ibid., p. 4.
210 Ibid., p. 7.


• Disagreement between the Working Party and the Commission regarding the direction of the Data Retention Directive.

• Strong opposition from various sources to the Data Retention Directive, including criticism of the evaluation process used by the Commission and of the data drawn upon in that process.
  o Statistics on the effects of data retention were not provided by Member States to either the Article 29 Working Party or the Commission.

• Legal challenges to the legality of the Data Retention Directive are still outstanding.


2.9 WORLD ANTI-DOPING AGENCY CODE AND STANDARD REVISIONS

2.9.1 Overview

The World Anti-Doping Agency (WADA) is an independent foundation set up by the International Olympic Committee and headquartered in Montreal, Canada, to co-ordinate, promote and monitor efforts against doping in sport. Revisions to WADA's World Anti-Doping Code and the newly created International Standard for the Protection of Privacy and Personal Information placed requirements upon athletes to communicate data regularly, including sensitive data, to anti-doping organisations (including to a database hosted in Canada). The revisions also included provisions for publicly revealing the findings of doping tests in certain circumstances. The Article 29 Working Party considered that aspects of the Code raised questions about its compatibility with European data protection standards. WADA reacted strongly to the Working Party's Opinions.

The Anti-Doping Administration and Management System (ADAMS) is a clearing-house database for doping control data, located in Montreal, Canada. The database contains the personal information of athletes who are included in registered testing pools, including "whereabouts" information. Whereabouts information supports a requirement in the Code for professional athletes to provide information on where and when they will be available for no-notice drug testing by anti-doping officials. Athletes are required to specify one hour a day, between 6am and 11pm, 90 days in advance, during which they will be available for out-of-competition drug testing. Failure to be at the specified location at the specified time three times in an 18-month period can constitute a doping offence and lead to suspension from professional sport. This information may be stored in the ADAMS database and made available to relevant domestic anti-doping officials (the decision to use the database is made by national anti-doping organisations). The Code revision was intended to end inconsistencies between the whereabouts regimes of different national anti-doping organisations.211

2.9.2 Sequence of key events

2006 World Anti-Doping Agency opens consultation process on new Code and International Standard.

June to July 2007 Third phase of WADA consultation process.

15-17 November 2007 Adoption of amended World Anti-Doping Code.

April 2008 WADA meets with representatives of the Commission's data protection unit and the Spanish Data Protection Authority and revises the Standard to address European concerns, citing the benefits of collaboration rather than confrontation.

May 2008 WADA Executive Committee approves the revised version on the basis of these discussions.

7 July 2008 Draft International Standard submitted to the Article 29 Working Party.

1 August 2008 Article 29 Working Party publishes Opinion 3/2008 on the World Anti-Doping Code Draft International Standard for the Protection of Privacy.212

1 January 2009 WADA Code and modified International Standard come into force.

January 2009 Legal challenge by the Belgian organisation Sporta and 65 Belgian athletes to the Flemish regional government on the compatibility of the Code with Article 8 of the European Convention on Human Rights.

21 February 2009 EU Sports Commissioner calls for WADA to suspend the whereabouts rule pending his ruling.

6 April 2009 Article 29 Working Party publishes Second Opinion 4/2009 (WP 162) on the World Anti-Doping Agency (WADA) International Standard for the Protection of Privacy and Personal Information, on related provisions of the WADA Code and on other privacy issues in the context of the fight against doping in sport by WADA and (national) anti-doping organizations.213

9 May 2009 WADA Executive Committee adopts revised International Standard.

11 May 2009 European Commission greets the revised Standard as the outcome of successful co-operation between the EU and WADA.214

16 June 2009 WADA meets with the Article 29 Working Party at its 71st plenary session. The Working Party calls for WADA to continue to amend the Standard, as key issues highlighted in the Second Opinion have yet to be addressed.215

28 January 2010 Spanish court rules that the implementation of the whereabouts programme by the International Cycling Union does not breach Spanish data protection law.

7 February 2012 Article 29 Working Party writes to the Commissioner for Education, Culture, Multilingualism and Youth, in advance of a meeting with WADA.

9 February 2012 WADA meets with the European Commission.

211 Halt, James, "Where is the Privacy in WADA's 'Whereabouts' Rule?", Marquette Sports Law Review, Vol. 20, Issue 1, 2009. http://scholarship.law.marquette.edu/cgi/viewcontent.cgi?article=1017&context=sportslaw
212 http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2008/wp156_en.pdf
213 http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2009/wp162_en.pdf
214 WADA, Annotated version of Second Opinion 4/2009 on the World Anti-Doping Agency (WADA) International Standard for the Protection of Privacy and Personal Information, p. 5. http://www.wada-ama.org/Documents/World_Anti-Doping_Program/WADP-IS-PPPI/WADA_Comments_WP29_FullVersion.pdf
215 Article 29 Data Protection Working Party, Press release, Brussels, 16 June 2009. http://ec.europa.eu/justice/policies/privacy/news/docs/pr_16_06_09_en.pdf


2.9.3 Reasons for investigation

The European Commission's Directorate-General for Education and Culture (DG EAC) requested an opinion from the Article 29 Working Party on the draft International Standard on the protection of privacy prepared by the World Anti-Doping Agency (WADA) in 2007. After the revised WADA Code and International Standard came into force in 2009, their legality was challenged in several European jurisdictions. In 2009 a group of 65 Belgian athletes raised a legal complaint with the Flemish regional government on the compatibility of the Code with Article 8 of the European Convention on Human Rights, and a group of Spanish professional cyclists challenged the implementation of the Code on the grounds of its incompatibility with Spanish data protection law.

2.9.4 Findings of investigation

The Article 29 Working Party published two opinions, Opinion 156 and Second Opinion 162. Opinion 156 noted WADA's initiative in seeking minimum standards of privacy and data protection for athletes and others involved in anti-doping practices, and acknowledged the role that such a standard could play outside the jurisdiction of European data protection law. However, the Working Party did not believe that the Standard met the minimum standards required by European data protection law. Opinion 156 stated that there was insufficient reference to the data processing that would be conducted in the ADAMS database, and recommended that greater detail be added or that WADA develop procedural policies for users of the database. It also highlighted the importance of EU law in relation to the transfer of data from the EU to Canada. Opinion 156 also raised the issue of freely given and informed consent. It considered that consent to the processing of data collected in the course of fulfilling the obligations of the World Anti-Doping Code was neither freely given nor informed, because of the sanctions associated with non-compliance and the processes through which a data subject is informed of such processing. The Opinion requested that WADA consider banning automated individual decisions, providing for independent control over the implementation of the Standard, providing a right of remedy and compensation for processing incompatible with the Standard, and recognising the applicability of national data protection laws to national anti-doping organisations.

Second Opinion 162 was published by the Article 29 Working Party after the revised Standard had come into force in 2009. It acknowledged that some of the Working Party's previous remarks had been incorporated into the Standard, but maintained that concerns remained. The Opinion moved beyond commenting on the Standard to include references to the Code and to the ADAMS database. The Working Party asserted the primacy of domestic law (in this case Directive 95/46/EC and the Member State laws implementing it) over the international agreements providing the authority for the WADA Code and Standard, and stated that national data controllers must disregard the WADA Code and Standard to the extent that they contradict domestic law. The Opinion also made further statements about data transfers to countries outside the EU (in particular to the ADAMS database), data retention periods, and sanctions (including public reports of doping violations).

2.9.5 Forms of co-operation

WADA was running a consultation exercise during the revision of the Code. WADA had approached the Article 29 Data Protection Working Party for comment on the draft International Standard. The Working Party reiterated at several points its support for WADA's development of policies on data protection and privacy, and interacted with WADA in several ways. WADA made several alterations to the draft International Standard for the Protection of Privacy and Personal Information on the basis of the Article 29 Working Party's first Opinion and of WADA's meeting with representatives of the Commission's data protection unit and the Spanish Data Protection Authority in April 2008. WADA provided additional information in response to the Working Party's requests for clarification between the two Opinions, and revised the Standard to address European concerns, citing the benefits of collaboration rather than confrontation. However, WADA was "deeply disappointed" with the tone of the Second Opinion, which it described as "overtly confrontational". WADA stated that the Opinion imposed requirements on the Standard that went beyond the requirements of EU law. WADA indicated that the Opinions reflected an imperfect or incomplete understanding of anti-doping practices, contained various factual and legal errors and were having a negative impact on anti-doping efforts, and it disagreed with them.216 WADA also expressed disapproval of the way in which the Article 29 Working Party had used references in the Standard to the Code and the ADAMS database to go beyond the scope of WADA's initial request for comment.217 WADA argued that the Standard was a minimum standard and that, rather than conflicting with European law, the data protection and privacy requirements in the Standard could be built upon by stronger EU legislation. The same response accuses the Working Party of "legislative imperialism" and of lacking the legal competence to determine whether or not anti-doping efforts serve an important public interest.

WADA states that its requests to meet with the Working Party sub-group, communicated in both February and March 2009, were denied by the Commission Secretariat.218 WADA made a submission to the European Commission's consultation on the legal framework for the fundamental right to the protection of personal data and the effectiveness of Directive 95/46/EC. In this submission WADA states that it has regular interaction with various European data protection bodies, including the Council of Europe, the Article 29 Working Party and the national data protection authorities. WADA expressed fears that "some regulators are engaging in an overly restrictive interpretation and application of EU data protection rules and thereby threatening to undermine the very anti-doping programs that Europe, both at the community and local level has been promoting and supporting around the world for many years."219 The submission suggested amendments to the Directive to provide an explicit legal basis for the processing of sensitive data by anti-doping organisations and to allow anti-doping organisations to transfer personal data where necessary in connection with their legitimate activities.

216 WADA, Annotated version of Second Opinion 4/2009 on the World Anti-Doping Agency (WADA) International Standard for the Protection of Privacy and Personal Information. http://www.wada-ama.org/Documents/World_Anti-Doping_Program/WADP-IS-PPPI/WADA_Comments_WP29_FullVersion.pdf
217 Ibid.
218 Ibid., p. 5.
219 World Anti-Doping Agency, European Commission Consultation: the legal framework for the fundamental right of personal data, undated. http://ec.europa.eu/justice/news/consulting_public/0003/contributions/organisations_not_registered/wada_en.pdf


The EU Commission, the Council of Europe and WADA reached agreement on the International Standard in 2009, apparently including solutions to issues raised by the Article 29 Working Party. The Commission welcomed the adoption of the revised International Standard in May 2009, and stated that it looked forward to further co-operation on data protection matters which could not be addressed in the standard.220 The Article 29 Working Party hosted a hearing with WADA representatives at its plenary meeting in 2009, where it discussed the issues raised in the Second Opinion. Following the hearing the Working Party maintained that whilst the Standard had been slightly amended, key issues still needed to be addressed.221 Additionally, in advance of a meeting between WADA and the European Commission in 2012, the Article 29 Working Party wrote to the Commission to reiterate that there remained suggested modifications to the Standard from the Second Opinion that had still not been implemented.222 The Working Party last discussed the WADA case at a meeting in February 2013223 and wrote to WADA in March 2013. Whilst this letter thanked WADA representatives who had attended a sub-group meeting and had contributed to a better understanding of the situation, the letter again reiterated that data protection is a fundamental right, and again called upon WADA to take the Article 29 Working Party’s previous comments into account.224 In addition to the two published Opinions previously mentioned, the Working Party also made a contribution to the public consultation.225 The Article 29 Working Party consulted with the Canadian Privacy Commissioner, who provided information in a letter dated 10 November 2008 on the applicability of the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) to WADA and ADAMS. Similar information was also provided by the Montreal Privacy Commissioner.

Several sports-related bodies (Anti-doping Denmark, Canadian Heritage, Anti-Doping Norway, Royal Ministry of Culture and Church Affairs (Norway), Federal Office of Sport FOSPO (Switzerland), Canadian Centre for Ethics in Sport, Danish sport community) also raised issues of data protection in their general submissions to the initial WADA consultation exercise (amongst other non-DP issues).226 Several more organisations raised data protection issues of various sorts in their specific submissions in relation to Article 14 of the Code.227 WADA had conducted an earlier consultation exercise on its standards in 2002 which had received little attention from data protection authorities, with the exception of the Privacy Commissioner of New Zealand. A proposed resolution on Data Protection and International Resolutions, which specifically mentions these WADA standards, was put before the 25th International Conference of Data Protection and Privacy Commissioners in 2003.228 Greater engagement at this point between DPAs and WADA might have avoided some of the more “confrontational” tone of later discussions.

220 European Commission, World Anti-Doping Agency adopts revised data protection standards and continues successful dialogue with the EU. Press Release IP/09/733, Brussels, 11 May 2009. http://europa.eu/rapid/press-release_IP-09-733_en.htm?locale=en
221 http://ec.europa.eu/justice/policies/privacy/news/docs/pr_16_06_09_en.pdf
222 http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2012/20120207_letter_to_comm_vassiliou_re_wada_en.pdf
223 Article 29 Data Protection Working Party, Draft Agenda, 26-27 February 2013. http://ec.europa.eu/justice/data-protection/article-29/press-material/agenda/files/public_agenda_20130226-27_en.pdf
224 Article 29 Data Protection Working Party, Letter to World Anti-Doping Agency, Brussels, 5 March 2013. http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2013/20130305_letter-to-wada_en.pdf
225 http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2013/20130305_letter-to-wada_annex_en.pdf

2.9.6 Conclusions
From this case study, we draw the following conclusions:

The Article 29 Working Party adopted and consistently maintained the collective position that the draft and subsequently adopted WADA Code and International Standard did not comply with European privacy and data protection law.

The interaction between the Article 29 Working Party and WADA is an ongoing process, which has remained relatively stable since 2009, with the Working Party still requesting that WADA revise its Code and Standard in line with European data protection law. Parts of this interaction have been conducted in a fairly intemperate manner. Since 2009 this position appears to have reached a stalemate.

The European Commission and Council of Europe seem more satisfied with the existing revisions to the WADA Code and Standard than the Article 29 Working Party.

226 WADA, Feedback on Code 2007: Draft Version 2.0 – General, 1 October 2007. http://www.wada-ama.org/Documents/World_Anti-Doping_Program/WADP-The-Code/Code_Review/3rd_Consultation/WADA_Code_2007_V2.0_GeneralComments_EN.pdf
227 WADA, Feedback on Code 2007: Draft Version 2.0 – Article 14, 1 October 2007. http://www.wada-ama.org/Documents/World_Anti-Doping_Program/WADP-The-Code/Code_Review/3rd_Consultation/Part_I/3rd_Part_1_Article14.pdf
228 http://www.worldlii.org/int/other/ICDPPCRD/2003/2.html

2.10 GLOBAL PRIVACY ENFORCEMENT NETWORK “SWEEP”
2.10.1 Overview
19 privacy regulatory authorities participated in the Global Privacy Enforcement Network (GPEN)’s first annual “Privacy Sweep” in 2013. The authorities designated representatives of their organisations to search the Internet and assess privacy issues on websites.
2.10.2 Sequence of key events
12 June 2007: OECD Recommendation on Cross-Border Cooperation in the Enforcement of the Laws Protecting Privacy.229
Summer 2008: Privacy regulatory authorities start exchanging information via a web utility.
March 2010: GPEN established by eleven privacy enforcement authorities.
15 June 2012: Action Plan for the Global Privacy Enforcement Network adopted.
6-12 May 2013: First annual privacy sweep.
6 May 2013: Office of the Privacy Commissioner of Canada and CNIL conduct sweep.
7 May 2013: Privacy Commissioner for Personal Data, Hong Kong, conducts sweep.
13 August 2013: Initial findings of sweep published by the Privacy Commissioner of Canada.230
2.10.3 Reasons for investigation
The sweep was self-initiated by the GPEN. Stated goals of the sweep include increasing public and business awareness of privacy rights and responsibilities; encouraging compliance with privacy legislation; identifying concerns which may result in follow-up action (such as education or enforcement); and enhancing cooperation amongst privacy enforcement authorities. The theme of the 2013 sweep was privacy practice transparency. The Office of the Privacy Commissioner of Canada stated that it would be examining websites for the presence of a privacy policy, the difficulty of finding information on a site’s privacy practices, the ready availability of contact information for privacy questions, and the readability of the information on privacy practices.231 The Commission Nationale de l’Informatique et des Libertés saw the purpose of the sweep as reviewing whether Internet users were properly informed of the types of personal data collected, the purposes of the collection, whether personal data are transferred to third parties, and whether web users can object to the transfer of their personal data to third parties.232

229 OECD, Recommendation on Cross-Border Co-operation in the Enforcement of Privacy Laws, 2007. http://www.oecd.org/internet/ieconomy/38770483.pdf
230 Office of the Privacy Commissioner of Canada, “Results of the 2013 Global Privacy Enforcement Network Internet Privacy Sweep”, Ottawa, 13 August 2012. http://www.priv.gc.ca/media/nr-c/2013/bg_130813_e.asp
231 Office of the Privacy Commissioner of Canada, “Privacy enforcement authorities launch first-ever international Internet privacy sweep”, Press Release, Ottawa, 6 May 2013. http://www.priv.gc.ca/media/nr-c/2013/nr-c_130506_e.asp

2.10.4 Findings of investigation
The sweep was not an in-depth investigation, but aimed to replicate the consumer experience by checking each site briefly against a set of common indicators. The sweep was intended to provide additional information on trends which might guide future education and outreach. The full collated findings of the sweep have not yet been made public, but will be published by the Office of the Privacy Commissioner of Canada, which intends to publish a report in Autumn 2013.233 Some participants released limited findings in press releases relating to the sweep. For example, the Office of the Privacy Commissioner of New Zealand stated that many New Zealand schools lacked a privacy policy, whilst the majority of games websites targeted at children did have detailed privacy policies, but that these were based upon U.S. or European law. The US Federal Trade Commission sent warning letters to ten data brokers immediately following its sweep.234 The Canadian OPC released some initial findings in August 2013. These suggested that participants found too many websites with no privacy policy available, one third of policies raised concerns with respect to the information provided, one third of policies raised concerns about readability, and mobile app privacy policies lagged behind websites. The findings also included some of the best practices observed.235
2.10.5 Forms of co-operation
The sweep was an initiative of the Global Privacy Enforcement Network and was co-ordinated by the Canadian Privacy Commissioner. The Network is the result of a 2007 OECD Recommendation on Cross-Border Cooperation in the Enforcement of the Laws Protecting Privacy,236 and was launched at an OECD meeting.
GPEN’s statement of mission mirrors the Recommendation and states that GPEN “connects privacy enforcement authorities from around the world to promote and support cooperation in cross-border enforcement of laws protecting privacy.”237 This is to be achieved through exchanging information, encouraging training opportunities and the sharing of enforcement expertise and good practice, promoting dialogue between organisations with privacy enforcement roles, and creating and maintaining processes that support co-operation. GPEN has 26 members, who are national data protection or information commissioners. GPEN collaboration builds upon a mechanism started in Summer 2008, via a web utility.238 The GPEN action plan is not legally binding, and co-operation is subject to applicable laws in the jurisdictions involved. New participants apply to the existing members, and are expected to endorse the Action Plan.239 According to the OECD, and in line with the Recommendation, the focus of GPEN is primarily on facilitating co-operation in the enforcement of privacy laws governing the private sector. That however does not exclude co-operation on matters involving the processing of personal data in the public sector.240 The OECD also hosts www.privacyenforcement.net, a web platform for GPEN. This site provides a restricted-access platform for the sharing of documents and news. It also includes collaboration tools such as discussion forums, an events calendar and other functionalities.

Each participating regulatory authority selected a specific day within the week of 6-12 May 2013. Participants included Australia (Office of the Australian Information Commissioner), Canada (both the Office of the Privacy Commissioner of Canada, and the Information and Privacy Commissioner of British Columbia), Estonia (Estonian Data Protection Inspectorate), Finland (Office of the Data Protection Ombudsman), France (Commission Nationale de l’Informatique et des Libertés), Germany (four regional data protection authorities and the Federal Data Protection Commission), Hong Kong (Office of the Privacy Commissioner for Personal Data), Ireland (Office of the Data Protection Commissioner), Macao (Office for Personal Data Protection, Government of Macao), Macedonia (Directorate for Personal Data Protection), New Zealand (Office of the Privacy Commissioner), Norway (Data Protection Authority), United Kingdom (Information Commissioner’s Office) and the United States (Federal Trade Commission). The participating authorities used a common analytical framework to establish a global overview of the practices of major websites.241 GPEN agreed a focus upon key indicators of availability, findability, contactability, readability and relevance. However, the common theme (privacy practice transparency) was chosen in order to allow individual participants to tailor their sweep to particular legislation or strategic priorities. Each individual participant also determined which websites it would investigate.242 As an example, the Privacy Commissioner for Personal Data of Hong Kong chose to focus upon the privacy statements and information of local smartphone applications.243 The number of sites also varied. The UK Information Commissioner’s Office examined 250 UK-based sites, whilst the US Federal Trade Commission acted as a test-shopper, contacting 45 US companies.

232 Commission Nationale de l’Informatique et des Libertés, “Journée d'audit en ligne à la CNIL : les 250 principaux sites informent-ils suffisamment les internautes?”, Press release, 6 May 2013. http://www.cnil.fr/linstitution/actualite/article/article/journee-daudit-en-ligne-a-la-cnil-les-250-principaux-sites-informent-ils-suffisamment-les-inte/
233 Williams, Ian, “Blog: ICO joins global sweep to improve website privacy policies”, Information Commissioner’s Office, 10 May 2013. http://www.ico.org.uk/news/blog/2013/ico-joins-global-sweep-to-improve-website-privacy-policies
234 Federal Trade Commission, “FTC Warns Data Broker Operations of Possible Privacy Violations”, Press release, 7 May 2013. http://www.ftc.gov/opa/2013/05/databroker.shtm
235 Office of the Privacy Commissioner of Canada, “Results of the 2013 Global Privacy Enforcement Network Internet Privacy Sweep”, Ottawa, 13 August 2012. http://www.priv.gc.ca/media/nr-c/2013/bg_130813_e.asp
236 OECD, Recommendation on Cross-Border Co-operation in the Enforcement of Privacy Laws, 2007. http://www.oecd.org/internet/ieconomy/38770483.pdf
237 https://www.privacyenforcement.net/public/activities
238 https://www.privacyenforcement.net/

239 GPEN, Action Plan for the Global Privacy Enforcement Network, 15 June 2012. https://www.privacyenforcement.net/public/activities
240 OECD, “Report on the Implementation of the OECD Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy”, OECD Digital Economy Papers, No. 178, 2011.
241 Commission Nationale de l’Informatique et des Libertés, “Journée d'audit en ligne à la CNIL : les 250 principaux sites informent-ils suffisamment les internautes?”, Press release, 6 May 2013. http://www.cnil.fr/linstitution/actualite/article/article/journee-daudit-en-ligne-a-la-cnil-les-250-principaux-sites-informent-ils-suffisamment-les-inte/
242 Office of the Privacy Commissioner of Canada, Global Privacy Enforcement Network Internet Privacy Sweep Questions and Answers, Ottawa, 6 May 2013. http://www.priv.gc.ca/media/nr-c/2013/nr-c_130506_qa_e.asp
243 Office of the Privacy Commissioner for Personal Data, Hong Kong, The PCPD Commences to Study Privacy Policies of Local Smartphone Apps, Press Release, 7 May 2013. https://www.pcpd.org.hk/english/infocentre/press_20130507.htm

2.10.6 Conclusions
From this case study, we draw the following conclusions:

A large number of participating organisations across a diverse range of jurisdictions, with a relatively high public profile.

Strong co-operation associated with a proactive mode, with time for planning and execution, rather than in response to a specific trigger event.

Depth of cooperation may be limited, as there was significant local variation in what was “swept” for.

High publicity value of global co-operation between regulatory authorities, with encouraging cooperation as a specific stated goal.


2.11 GOOGLE GLASS
2.11.1 Overview
In June 2013, Canadian Privacy Commissioner Jennifer Stoddart and 36 of her provincial and international counterparts collaborated in issuing a joint letter to Google Chief Executive Officer Larry Page seeking responses to questions and concerns related to Google Glass, the company’s new Internet-connected glasses.244 Commissioner Stoddart said, “Google Glass raises significant privacy issues and it is disappointing that Google has not engaged more meaningfully with data protection authorities about this technology.”
2.11.2 Reasons for investigation
The letter notes that Google Glass has been the subject of many articles that have raised concerns about the privacy implications of a device that can be worn by an individual and used to film and record audio of other people. Data protection authorities have emphasised the need for organisations to build privacy into the development of products and services before they are launched and to consult in a meaningful way with DPAs, which has not happened regarding Google Glass. Among the questions asked by the DPAs are the following:

How does Google Glass comply with data protection laws?

What are the privacy safeguards Google and application developers are putting in place?

What information does Google collect via Glass and what information is shared with third parties, including application developers?

How does Google intend to use this information?

Although Google has decided not to include facial recognition in Glass, how does Google intend to address the specific issues around facial recognition in the future?

Is Google doing anything about the broader social and ethical issues raised by such a product, for example, the surreptitious collection of information about other individuals?

Has Google undertaken any privacy risk assessment the outcomes of which it would be willing to share?

Would Google be willing to demonstrate the device to our offices and allow any interested data protection authorities to test it?

2.11.3 Findings of investigation
Google Inc. provided a letter in response to the inquiry from the data protection authorities on 27 June 2013.245 Google’s response, from Peter Fleischer, Google’s Global Privacy Counsel, focused upon the preliminary, exploratory nature of its initial release of Google Glass, and attempted to demonstrate that privacy was a concern for the company. The response highlighted the controls that the Google Glass user has over the technology in terms of activating functionality, installing and removing applications, deletion of content from the device, and the limitations placed upon application developers. The response letter did not appear to answer many of the questions that the DPAs had put forward in their initial letter. Additionally, the response identified local privacy, legal and policy experts who would “serve as your points of liaison going forward”, which may represent an effort on the part of Google not to engage with data protection authorities collectively, but rather through national channels. The Office of the Canadian Privacy Commissioner acknowledged the response from Google, but identified that the next step was to establish meaningful discussion with Google Canada.246

244 Office of the Privacy Commissioner of Canada, “Data protection authorities urge Google to address Google Glass concerns”, News release, 18 June 2013. http://www.priv.gc.ca/media/nr-c/2013/nr-c_130618_e.asp
245 Office of the Privacy Commissioner of Canada, “Response from Google to data protection authorities regarding Google Glass”, News release, 25 July 2013. https://www.priv.gc.ca/media/nr-c/2013/let_130627_google_e.asp

2.11.4 Forms of co-operation
This investigation was conducted through a co-ordinated letter co-signed by the DPAs involved. Signatories were:

Jennifer Stoddart, Privacy Commissioner of Canada
Jacob Kohnstamm, Chairman of the Article 29 Working Party, on behalf of the members of the Working Party247
Timothy Pilgrim, Privacy Commissioner of Australia
Marie Shroff, Privacy Commissioner, New Zealand
Alfonso Oñate Laborde, Secretary for Data Protection, Federal Institute for Access to Information and Data Protection, Mexico
Rivki Dvash, Head of the Israeli Law, Information and Technology Authority
Hanspeter Thür, Swiss Federal Data Protection and Information Commissioner
Jill Clayton, Information and Privacy Commissioner of Alberta
Jean Chartier, President, Commission d’accès à l’information du Québec
Elizabeth Denham, Information and Privacy Commissioner of British Columbia

This letter was independent of a similar letter sent to Google by the members of the US Congressional Bi-partisan Privacy Caucus on 16 May,248 although there was some overlap between the question sets. Congressman Joe Barton, a member of the Caucus, stated that he was disappointed with the responses received from Google.249
2.11.5 Conclusions
This comparatively small investigation, conducted on the basis of a letter inquiring about an area of potential concern, shows how investigative fact-finding at an early stage of a technology’s development can be co-ordinated between data protection authorities. The investigation itself is not rigorous (being based upon a set of questions and a voluntary response) and did not include any inspection or verification, but it did minimise the duplication of effort in an inquiry about a technology which was of potential concern to several DPAs. The difference between this case and the Google Buzz case is that in this case the co-ordinated letter was an investigative inquiry, whereas in the Google Buzz case the letter was more critical and normative, informing Google of the position of the co-signatories.

246 Taddese, Yamri, “Stoddart to meet Google officials about concerns with Glass product”, Legal Feeds, 2 August 2013. http://www.canadianlawyermag.com/legalfeeds/1607/stoddart-to-meet-google-officials-about-concerns-with-glass-product.html
247 The figure of 36 signatories is achieved by the inclusion of all European DPAs as part of the Article 29 Working Party.
248 EPIC.org, “Congress investigates Glass Privacy Risk”, undated. https://epic.org/privacy/google/glass/default.html
249 Collins, Katie, “Google tells Congress it won’t change privacy policy for Glass”, Wired, 2 July 2013. http://www.wired.co.uk/news/archive/2013-07/02/google-glass-privacy-policy-wont-change


2.12 HORIZONTAL ANALYSIS
Considering these eleven case studies together provides a range of insights. Over the time period analysed, we can identify an increasing number of mechanisms for international collaboration between data protection authorities (for example the development of GPEN). There is also good evidence of, and a clear desire for, information sharing between DPAs, even on unrelated cases. DPAs generally appear interested in learning from the experiences of other DPAs and engage in informal ad-hoc consultation and “watching with interest”. Co-ordination appears to be easier and to occur more smoothly in active modes, when co-ordination has been planned and agreed upon in advance of an action, rather than in reactive modes, where DPAs attempt to co-ordinate in response to a complaint or an unanticipated issue. The case studies demonstrate a strong central role of the Article 29 Data Protection Working Party in European collaboration. The SWIFT, data retention and WADA case studies suggest that the Working Party is not always supported by other European institutions, but that it can be quite influential when it is supported. Opinions from the Working Party are regularly cited in other European documents and texts. The Working Party has also engaged in some co-operation (information sharing and parallel investigations) outside Europe. Several of the case studies demonstrated a perceived need among data protection authorities for collaboration, driven by international data protection incidents and uneven responses to these. Decentralisation and co-ordination have arisen in response to an international data protection and privacy environment typified by different national jurisdictions, legal frameworks and particular contexts, and to data protection issues that are large and cross multiple jurisdictions.

One of the most common reactive modes of co-ordination is the collective identification of the data protection authority that has local jurisdiction over an issue and then delegating to it, allowing it to have a strong role in any collective response. A second common mode of co-ordination is decentralised information gathering combined with centralised reporting or sharing of that information. This appears an effective response to multi-national issues (for example, national data protection authorities contacting national central banks for information in the SWIFT case). Problems potentially arise when individual DPAs do not have investigation or audit powers, or have weaker sanctions than other DPAs. They may therefore not be able to carry their weight in a delegated, multi-national investigation.


3 CO-OPERATION AND CO-ORDINATION WITHIN EUROPE
In this chapter and the following one, the PHAEDRA partners identify and evaluate existing mechanisms for co-operation and co-ordination in enforcement. Chapter three focuses upon co-operation and co-ordination within Europe, whilst Chapter four expands this perspective to examine co-operation and co-ordination internationally, including co-operation and co-ordination between the EU and third countries. This section includes the European Conference of Data Protection Commissioners (the “Spring Conference”), the Article 29 Data Protection Working Party, the Council of Europe T-PD, DAPIX, the International Working Group on Data Protection in Telecommunications, the Working Party on Police and Justice, the Central and Eastern Europe Data Protection Authorities, the Conference of Balkan Data Protection Authorities, the Coordinated Data Protection Supervision Groups of both Eurodac and the European Visa Information System, the Joint Supervisory Board of Europol, the Joint Supervisory Authorities of the Schengen Information System and the European Customs Information System, and other initiatives.
3.1 EUROPEAN CONFERENCE OF DATA PROTECTION COMMISSIONERS ("SPRING CONFERENCE")
The data protection authorities from Member States of the EU and of the Council of Europe meet annually for the European Conference of Data Protection Commissioners (also known as the “Spring Conference”250) to discuss matters of common interest and to exchange information and experiences on different topics. The European Data Protection Supervisor also actively contributes to the discussions. The one-and-a-half- to two-day conference usually ends with the adoption of a number of important documents. Members include European national DPAs, European sub-national DPAs, European DPAs within an international or supranational body, and supranational or international bodies that play a role in the European data protection context (such as the European Commission and the Council of Europe). Participants should be European, have independent status, and have adequate functions and powers.251 Non-accredited data protection authorities that wish to join the conference have to be accredited by members of the conference by completing an application based upon guidelines for admission. The decision upon acceptance or refusal of accreditation is taken at the conference. Until the Seville conference in 2005, attendance was based upon invitation from the organising authority. The Guidelines for admission to the Conference of European Data Protection Authorities were adopted by the conference in Rotterdam in 2004, based upon a desire to formalise admission criteria.252 European data protection authorities that had already been accredited as DPAs for the International Conference of Data Protection and Privacy Commissioners did not have to apply, and could gain membership of the Conference upon request.

250 The Conference should not be confused with the Annual European Data Protection & Privacy Conference, organised by Forum Europe.
251 Conference of European Data Protection Authorities, “Guidelines for the admission to the Conference of European Data Protection Authorities”, Final, 25 March 2004. http://springconference2013.cnpd.pt/wp-content/uploads/Guidelines-for-admission-to-the-Spring-Conference.pdf
252 Conference of European Data Protection Authorities, “Guidelines for the admission to the Conference of European Data Protection Authorities”, Final, 25 March 2004. http://springconference2013.cnpd.pt/wp-content/uploads/Guidelines-for-admission-to-the-Spring-Conference.pdf

Applicants complete a form which asks questions about the status of the applicant authority, its independence, legal basis, and appropriate functions.253 Inclusion of newly established data protection authorities as equals with more established authorities is seen by the conference as a positive way to integrate newly established authorities into the European data protection community.254 However, the Conference members in 2004 determined that there was a need to retain coherence amongst the membership, in order to retain the ability to make clear statements. Sub-national DPAs are allowed to participate as full members of the conference; however, decision-making operates on a “one state, one vote” system so as to avoid an unbalanced increase in the weight of some countries in the decision-making process. European DPAs within an international or supranational body have full voting rights, but DPAs within an international or supranational body that is composed of representatives of national DPAs only have voting rights on issues within their areas of competence. The European Commission and Council of Europe have observer status at the Conference, and the possibility exists to exclude them from areas of discussion, to be notified in advance. The following table shows the locations of the previous Spring Conferences.

December 1991: The Hague
December 1992: Dublin
February 1993: Boppard, Germany
April 1993: Paris
1994: Madrid
1995: Lisbon
1996: Manchester
1997: Vienna
1998: Dublin
1999: Helsinki
2000: Stockholm
2003: Athens
2004: Bonn
2005: Seville
2006: Budapest
2007: Larnaca, Cyprus
2008: Rome
2009: Edinburgh
2010: Prague
2011: Brussels
2012: Luxembourg
2013: Lisbon

253 Conference of European Data Protection Authorities, “Application form for accreditation as a member of the Conference of European Data Protection Authorities”, Lisbon, undated. http://springconference2013.cnpd.pt/wp-content/uploads/Application-form-for-accreditation-2013.pdf
254 Conference of European Data Protection Authorities, “Application form for accreditation as a member of the Conference of European Data Protection Authorities”, Lisbon, undated. http://springconference2013.cnpd.pt/wp-content/uploads/Application-form-for-accreditation-2013.pdf

The participants in the first conference were the Data Protection Commissioners from Belgium, Denmark, France, Germany, Ireland, Luxembourg, the Netherlands and the United Kingdom. A certain amount of time at the conference is reserved by the organising DPA for a closed session for the EU national DPAs to discuss specifically EU topics. Where meetings of European Data Protection Authorities occur in the closed sessions of other international conferences, these meetings are usually chaired by the host of the previous Spring Conference. Co­operation between data protection authorities has been a relatively frequent topic of discussion at recent Spring Conferences. 255 Based upon the programmes for previous Conferences, the two­day event is based around a series of themed panel sessions with speakers. Participating Data Protection Authorities tend to be represented by senior members of staff of their respective authorities. The final session is generally devoted to reports and resolutions. The 2013 conference, hosted by the Portuguese data protection authority (DPA), addressed issues related to the way DPAs are collaborating to ensure an efficient implementation of data protection rules against the background of rapidly developing technologies. The participants also discussed the modernisation of the Council of Europe data protection convention and the data protection reform package currently being discussed at EU level. Each Conference produces Resolutions, issued with a collective voice on behalf of the Conference. Resolutions discussed at the 2013 Conference included a Resolution on the future of data protection in Europe, a resolution on to ensure data protection in a transatlantic free­trade area, a resolution on Europol, an accreditation resolution, and a resolution on procedural rule concerning draft resolutions. The 2012 Conference in Luxembourg produced a single resolution on European data protection reform. 
From 2013, the texts of draft resolutions are to be made available to members two weeks prior to the Conference. The Conference previously had a working group on ex-“Third Pillar” policing issues. When the Article 29 Working Party decided to engage with ex-Third Pillar issues in 2011, the Spring Conference working group was dissolved. In comparing the Spring Conference with the Article 29 Working Party, Clara Guerra of the Comissão Nacional de Protecção de Dados, Portugal, suggested that the Conference pre-dated the Working Party, was a more expanded forum, and was more focused upon practical issues than the policy-focused Working Party. The host DPA is responsible for creating and maintaining the website for that year’s Conference. The Spring Conference also has access to an interest group contact list through the CIRCA network provided by the European Commission.

255 Buttarelli, Giovanni, “How could DPAs better co-operate and provide leadership for the future”, Spring Conference, Data Protection, Lisbon, 17 May 2013. http://springconference2013.cnpd.pt/wp-content/uploads/Giovanni-Buttarelli-Assistant-EDPS-%E2%80%93-How-could-DPAs-better-co-operate-and-provide-leadership-for-the-future.pdf

3.1.1 Case-Handling Workshop

The Case-Handling Workshop, previously held twice a year in spring and autumn, but now held once-yearly, is a series of events organised by a different data protection authority each time to help promote the exchange of information on case studies and practical issues at the operational level (“staff level”), as well as increasing general contacts between employees. The Workshop is a sub-grouping of the European Conference of Data Protection Commissioners, with overlapping participants drawn from the accredited membership of the Conference. It is not a policy-making workshop. Initially named the Complaints Handling Workshop, one of the aims of the Workshop was the use of a common procedure for handling international complaints. The initiative for the Workshop comes from the Spring Conference held in Helsinki in 1999, in pursuit of Article 28(6) of Directive 95/46/EC requiring supervisory authorities to collaborate with each other. A revised Framework for activities document for the Workshop was adopted in 2005256 and a paper on the future of case handling workshops in 2009.257 The Workshop generally lasts two full days. The Conference suggests alternation between large and small authorities and supports the concept of joint hosting. It also suggests a “friends of the host” group comprising previous and future organisers to support the host. Topics for discussion are chosen in advance by the host DPA, although the Conference suggests a questionnaire for participants to advise this choice and to identify topics of highest relevance. The Conference also suggests at least one session dedicated to operational challenges of case handling. Case studies (potentially drawn from the experience of the hosting DPA) are seen by the Conference as a useful method for achieving useful discussion and interaction. The workshops are aimed mainly at data protection authority employees whose role is case handling and who deal with complaints. Staff from other parts of the office may attend depending on relevant agenda items. The 2005 Framework for activities suggests that one participant from each DPA should be a regular attendee in order to increase consistency.
The workshops are not seen as appropriate for very senior staff and Commissioners, who have access to other discussion forums such as the Spring Conference. Papers from the previous two Workshops are occasionally discussed at the Spring Conference. The Workshop also reports to the Article 29 Data Protection Working Party. Decisions on the structure of the Workshop are made at the Conference. A report on the Workshop presented to the Conference in 2004 stated that:

the Workshop has been a success in facilitating mutual day-to-day co-operation by the creation of a network of contacts between Data Protection Authorities at staff level. Also the website and related mailing list are regularly used for fast information requests to colleagues, information exchange and co-operation in the contexts of international complaints.258

256 European Privacy and Data Protection Commissioners’ Conference, “Case Handling Workshop – Framework of activities”, March 2005. www.giodo.gov.pl/data/filemanager_pl/665.pdf
257 European Privacy and Data Protection Commissioners’ Conference, “The future of the case handling workshops”, Edinburgh, 23-24 April 2009. https://secure.edps.europa.eu/EDPSWEB/webdav/shared/Documents/Cooperation/Conference_EU/09-04-23_Edinburgh_case_handling_wk_EN.pdf
258 The International Complaints Handling Workshop, “The International Complaints Handling Workshop: Evolution & Consolidation”, presented to the Spring Conference of European Data Protection Authorities, Rotterdam, 2004. http://www.giodo.gov.pl/data/filemanager_pl/667.pdf


3.1.2 Working Party on Police and Justice (WPPJ)

The Working Party on Police and Justice was set up as a working group of the Conference of the European Data Protection Authorities (“Spring Conference”) in 2007. It was mandated to monitor and examine developments in the area of police and law enforcement in order to face the growing challenges for the protection of individuals with regard to the processing of their personal data. The Working Party was a development of the Police Working Party, which had the task of preparing the introduction of Schengen, Europol and Customs supervisory arrangements. The PWP was re-orientated to ensure greater continuity, with a permanent secretariat and a longer duration for the chair. The re-named WPPJ was granted the authority to represent the Spring Conference if a quick reaction was urgently needed in this area. Due to a lack of an independent budget, meetings were often convened alongside meetings of the various supervisory authorities. The WPPJ had three sub-groups: one on technological development, a second on the Prüm Treaty and a third on supervisory policies. The WPPJ focused on the following activities:

monitoring the implementation of the Framework Decision 2008/977/JHA on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters;

developing new, more systematic measures for co-operation with the Article 29 Working Party and other entities dealing with personal data protection at supranational level, including ex-third pillar supervisory authorities (JSB Europol, JSA Schengen, etc.);

monitoring the relevant developments in relation to Eurodac;

issues concerning the transposition of the Prüm Treaty implementing decisions;

issues related to cross-border flows of information for law enforcement purposes, in particular towards the USA;

issues related to the SWIFT case and the transfer of bank transaction data from European countries to the USA for countering terrorism and serious crime.259

The Foreword to the 2007-2008 Annual Activity Report of the WPPJ provides that: “though acknowledging the significance of the instrument in question [the draft framework decision on data protection in the III pillar], which is expected to enhance data protection in an area where data are increasingly exchanged, we stressed that a major shortcoming of the draft decision consisted in its failure to envisage the co-ordination between national data protection authorities and joint supervisory authorities”, and refers to “the increasing trend to provide cross-border exchange of enforcement data under the availability principle, which undoubtedly creates an extra burden for the data subject in the exercise of his fundamental rights. The search for enhanced cooperation between national data protection authorities is, therefore, on the WPPJ's agenda. A questionnaire was developed to collect information concerning the competences of data protection authorities in their Member States concerning the supervision of law enforcement entities. Based on the answers similarities and differences will be mapped and a common ground will be sought to arrive at a policy on supervising as a logical data protection answer to the increasing exchange of information within the EU. The answers will also help the WPPJ to develop rules for cooperation between authorities, helping data subjects to use their rights in case their data are processed in another European State” (italics added).260

259 Information Commissioner, Republic of Slovenia, “Working Party on Police and Justice (WPPJ)”, Online, Undated. https://www.ip-rs.si/index.php?id=601

The activity report also highlighted that the WPPJ was set up on a voluntary basis, and that it was inadequately supported by European institutions. In 2007, the WPPJ began to explore ways to increase the effectiveness of supervision (inspections and interventions) and to develop a common policy on supervision for European DPAs. The WPPJ saw enhanced co-operation between data protection authorities as important in the context of increased co-operation between law enforcement authorities and the extra burden this could place upon data subjects in the exercise of their fundamental rights. The WPPJ examined the mandates of national DPAs, finding that all European DPAs have competencies in this area, and that most had specific strategies for law enforcement supervision and inspection. Further, the WPPJ developed the basis for a common approach to risk assessment and an approach to harmonising inspection methods.261 In 2009 the WPPJ and the Article 29 Data Protection Working Party provided a joint response to the Commission’s consultation on the legal framework for the fundamental right to the protection of personal data. This response highlighted the unsatisfactory nature of personal data protection in relation to former third pillar operations, and the need for a comprehensive and consistent data protection framework.262 The role of the WPPJ has since been taken over by the Article 29 Data Protection Working Party.

260 Pizzetti, Francesco, Foreword to the 2007-2008 Annual Activity Report of the Working Party on Police and Justice, Brussels, 16 December 2008, available at the website of the Belgian DPA, Category “About the CPP” > International > Working Party on Police and Justice, pp. 1 and 3. http://www.privacycommission.be/sites/privacycommission/files/documents/05.02.02%20wppj-activity-report-2007-2008.pdf
261 Working Party on Police and Justice, A Data Protection Catalogue on Cooperation and Supervision in the area of Law Enforcement in Europe, 24 March 2009. https://www.ada.lt/images/cms/File/Tarptautinis_bendradarbiavimas/Wppj_co-ordination_and_joint_activities_200904%20Edinburgas.pdf
262 Article 29 Data Protection Working Party & Working Party on Police and Justice, The Future of Privacy: joint contribution to the Consultation of the European Commission on the legal framework for the fundamental right to the protection of personal data, WP168, Brussels, 1 December 2009. http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2009/wp168_en.pdf
263 OECD, Report on the Cross-Border Enforcement of Privacy Laws, Paris, October 2006, p. 22.

3.2 ARTICLE 29 WORKING PARTY

3.2.1 Organisation

The Article 29 Working Party was set up under Directive 95/46/EC and is composed of the representatives of the supervisory authorities of EU Member States, the supervisory authorities set up within the EU institutions and bodies, and a representative of the European Commission. Adopted in October 1995, the Directive established the requirement for the European data protection supervisory authorities, and at the same time established a co-ordination body and the duty of the authorities to participate in it.263 The name “Article 29” derives from Article 29 of Directive 95/46/EC. Of particular interest in the current context are the elements of the Directive providing that authorities can be asked to exercise their powers by authorities in other EEA states, and the requirement that authorities shall co-operate with one another. The Opinions of the Working Party are not legally binding, and the Working Party has no independent enforcement powers. The role of the Working Party is largely to advise the European Commission, but it has become a principal means of establishing both common views between European data protection authorities and, more recently, joint enforcement operations.264 The primary objectives of the Working Party are:

To provide expert opinion from Member State level to the Commission on questions of data protection.

To promote the uniform application of the general principles of the Directives in all Member States through co-operation between data protection supervisory authorities.

To advise the Commission on any Community measures affecting the rights and freedoms of natural persons with regard to the processing of personal data and privacy.

To make recommendations to the public at large, and in particular to the Community institutions on matters relating to the protection of persons with regard to the processing of personal data and privacy in the European Community.265

Part of the Working Party’s role is to provide the European Commission with an Opinion on the level of data protection in the Community and in third countries. Article 15 of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) also gives a role to the Working Party in performing its Directive 95/46/EC tasks in relation to the protection of fundamental rights and freedoms and of legitimate interests in the electronic communications sector.266 The Working Party’s secretariat is located in Brussels and is provided by the Commission. The Working Party elects a chairman and two vice-chairmen from its members for a two-year term. The Working Party can be convened at the initiative of the chair, on request of one-third of its membership or at the request of the European Commission. The normal timeframe for inviting participants to a meeting is three weeks, but can be two weeks in emergency situations. Agendas for meetings of the Working Party are publicly available, whilst minutes and draft documents are restricted.267

264 OECD, Report on the Cross-Border Enforcement of Privacy Laws, Paris, October 2006, p. 23.
265 Article 29 Working Party, “Tasks of the Article 29 Data Protection Working Party”, Undated. http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/tasks-art-29_en.pdf
266 European Parliament and the Council, Directive 2002/58/EC of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), OJ L 201, 31 July 2002. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:en:HTML
267 Article 29 Data Protection Working Party, Working Party on the protection of individuals with regard to the processing of personal data: Rules of procedure, Brussels, 15 February 2010. http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/rules-art-29_en.pdf

3.2.2 Article 29 WP subgroups

The Article 29 Working Party frequently delegates particular tasks to sub-groups. Sub-groups have included:

Technology Subgroup
Borders, Travel and Law Enforcement Subgroup
WADA Subgroup
SG Future of Privacy
SG Key Provisions
SG E-Government
SG International Transfers
SG Financial Matters

3.2.3 Initiatives to improve co-operation

The Article 29 Data Protection Working Party is a co-operative forum for European Data Protection Authorities. As such, regular meetings between European DPAs in the context of the Article 29 Working Party can create opportunities for formal and informal exchanges as well as developing habits of co-operation and mutual understanding.268 Participants at meetings typically present a short overview of significant data protection events and issues in their own countries. Several of the case studies in Section 2 of this report reveal that the Article 29 Data Protection Working Party has been involved in several key incidents of co-operation between European Data Protection Authorities. The Working Party was involved in co-operative activities in the Google privacy policy, SWIFT, telecommunications data-retention and WADA cases. CNIL investigated Google’s new privacy policy on behalf of the Working Party, and the Working Party hosted meetings and co-ordinated collective letter writing. In the investigation of SWIFT, the Working Party co-ordinated the investigation by national DPAs of the related activities and knowledge of their respective national banks, produced Opinion 10/2006 and hosted a plenary meeting. The telecommunications data retention investigation was co-ordinated by the Working Party’s Enforcement sub-group, at the request of the Commission. The participating DPAs used a co-ordinated questionnaire and conducted onsite inspections. The Working Party was involved in a series of disagreements with the World Anti-Doping Agency (WADA) over the revision of the WADA code. The Working Party contributed to WADA’s consultation, published Opinion 3/2008, and hosted meetings with WADA. WADA described the Working Party as “confrontational” and engaged in “legislative imperialism”.269 An analysis by Linklaters assessed the impact of the soft law Opinions of the Working Party. It found that Working Party Opinions were only rarely referred to by the European Court of Justice (but that this might be due to the limited number of ECJ decisions on data protection issues). It found that the Opinions exercised a strong influence on the positions of European Data Protection Authorities, but were only rarely referenced directly by European courts. The analysis concluded that Working Party Opinions were a “classic example of soft law” allowing flexibility, experimentation, adjustment and national variation on issues that would otherwise block soft law, but drew attention to a potential lack of democratic mandate.270 This analysis does not take into account that Working Party Opinions are directly transmitted to the European Commission, Parliament and the Article 31 Committee, and that the Directive obliges the Commission to inform the Working Party about any follow-up to its Opinions.271

268 Poullet, Yves, and Serge Gutwirth, “The contribution of the Article 29 Working Party to the construction of a harmonised European Data Protection system: an illustration of ‘Reflexive Government’”, in Maria Veronica Perez Asinari and Pablo Palazzi (eds.), Challenges of Data Protection and Privacy Law, Brussels, Bruylant, 2008, p. 183.
269 WADA, Annotated version of Second Opinion 4/2009 on the World Anti-Doping Agency (WADA) International Standard for the Protection of Privacy and Personal Information, p. 5. http://www.wada-ama.org/Documents/World_Anti-Doping_Program/WADP-IS-PPPI/WADA_Comments_WP29_FullVersion.pdf

In their analysis of the Working Party’s contribution to the creation of a harmonised European Data Protection system, Poullet and Gutwirth identify harmonisation as a major concern of the Working Party.272 The Working Party is seen as a unique organisation with no European parallel; a “privacy lobby group” within the European institutions.273 The authors see the Working Party as having adopted a range of collaborative strategies, including forming alliances with other EU actors (including positive examples of co-operation with the Commission, common positions adopted with the European Parliament, and a position of non-competition with the European Data Protection Supervisor), enlarging its competences (including co-operation with the Schengen Data Protection Joint Supervisory Authority on data protection issues in the Third Pillar) and increasing its own visibility (transparency, a detailed website, and consultation activities). They identify a limited engagement by the Working Party with other stakeholders as the result of limited organisational resources. Their concluding analysis is broadly supportive of the co-operative nature of the Working Party:

Our analysis of the work, working methods, strategies and achievements of the Working Party do effectively show a continuous, pragmatic and constructivist learning process by all the protagonists involved. It is by learning from the others, both externally and internally, by taking into account inputs from key players (such as European Commission and Parliament, the European Court of Human Rights, etc.), that questions are framed and answered in such a way that they fit in the very complex cobweb that makes data protection exist as a dynamic fundamental right. This is no minor task since the Art. 29 W.P. has a double role to play as a ‘watchdog’ denunciating privacy threats and having a non neutral position in favour of privacy and data protection interests, and simultaneously, as independent authority in charge of administrative tasks and searching for compromises and consensus. Such a double role can only be successfully played through a precautious step by step and case by case approach, in which listening to concerns and carefully articulating them is quintessential.274

3.2.3.1 Binding Corporate Rules and mutual recognition

The Working Party has been involved in the establishment of the Binding Corporate Rules (BCR) system. This allows multi-national corporations to legally transfer personal data from the EEA to group members or affiliates outside the EEA. Applicants adopt a draft set of BCRs, and select a Data Protection Authority to act as lead authority. This choice is dependent upon the location of the corporate headquarters, or the location of the branch of the corporation responsible for data protection oversight. If the lead authority is satisfied that the adopted BCRs provide adequate safeguards, then it circulates the draft BCRs to the DPAs of the other countries where the company collects or processes personal data. The lead authority collates feedback and co-ordinates the response to the applicant, including any changes the applicant needs to make. The processes for BCR were first set out in 2003 in WP74275 and the co-operation procedure for issuing common opinions was set out in 2005 in WP107.276 The Working Party has also produced a number of sample forms, checklists and FAQs in relation to BCRs.277 The Linklaters analysis describes the Working Party as having been responsible for creating a “detailed framework including criteria for determining a lead regulator, standard application forms, and a summary of national filing requirements for binding corporate rules” and that this has had “real practical effect”.278 Currently, 21 countries participate in the mutual recognition procedure in relation to BCR: Austria, Belgium, Bulgaria, Cyprus, Czech Republic, France, Germany, Iceland, Ireland, Italy, Latvia, Liechtenstein, Luxembourg, Malta, the Netherlands, Norway, Slovakia, Slovenia, Spain, and the United Kingdom.279 Mutual recognition means that if a lead authority is satisfied with a BCR application, other involved authorities should follow the lead authority and accept its findings without further scrutiny.

270 Church, Peter, “Should you care what the Article 29 Working Party says?”, Linklaters, Technology, Media and Telecommunications News, 20 September 2011. http://www.linklaters.com/Publications/Publication1403Newsletter/TMT-newsletter-September-2011/Pages/Article29-working-party.aspx
271 Poullet, Yves, and Serge Gutwirth, op. cit., p. 577.
272 Poullet and Gutwirth, op. cit., p. 575.
273 Ibid., p. 572.
274 Ibid., p. 597.

3.2.3.2 Article 29 Working Party website

The Article 29 Data Protection Working Party maintains a website280 with the support of the European Commission Directorate General Justice. Located under the broader heading of Data Protection on the DG website, the Article 29 pages contain opinions, working documents, recommendations, letters, and other material produced by the Working Party, as well as administrative material such as meeting agendas and correspondence received by the Working Party. The website also provides information on the structure of the Working Party and allows users to register for a mailing list.

3.3 COUNCIL OF EUROPE T-PD

The Council of Europe Consultative Committee on the protection of personal data (the T-PD, which stands for traité protection de données) acts as a forum for exchanges on privacy challenges and developments. It was established in Chapter V of the Council of Europe Convention 108 on the protection of personal data.

275 Article 29 Data Protection Working Party, Working Document: Transfers of personal data to third countries: Applying article 26 (2) of the EU Data Protection Directive to Binding Corporate Rules for International Data Transfers, WP74, 3 June 2003. http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2003/wp74_en.pdf
276 Article 29 Data Protection Working Party, Working Document Setting Forth a Co-Operation Procedure for Issuing Common Opinions on Adequate Safeguards Resulting from “Binding Corporate Rules”, WP107, 14 April 2005. http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2005/wp107_en.pdf
277 See Article 29 Data Protection Working Party, Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules, WP153, 24 June 2008. http://www.ico.org.uk/for_organisations/data_protection/overseas/~/media/documents/library/Data_Protection/Detailed_specialist_guides/BCR_TABLE_WP153.ashx; Article 29 Data Protection Working Party, Working Document setting up a framework for the structure of Binding Corporate Rules, WP154, 24 June 2008. http://www.ico.org.uk/for_organisations/data_protection/overseas/~/media/documents/library/Data_Protection/Detailed_specialist_guides/BCR_FRAMEWORK_WP154.ashx; Article 29 Data Protection Working Party, Working Document on Frequently Asked Questions (FAQs) related to Binding Corporate Rules, WP155 rev.04, 24 June 2008. http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2008/wp155_rev.04_en.pdf
278 Church, op. cit.
279 European Commission, “What is mutual recognition?”, 16 July 2013. http://ec.europa.eu/justice/data-protection/document/international-transfers/binding-corporate-rules/mutual_recognition/index_en.htm
280 http://ec.europa.eu/justice/data-protection/article-29/index_en.htm


In January 1981, the Council of Europe opened for signature its Convention 108 on the protection of personal data. The Convention proved to be the principal international driving force for data protection in Europe throughout the 1980s and early 90s.281 The convention was the first legally binding international instrument with worldwide significance on data protection. It currently applies to 46 State parties, with the recent accession of Uruguay, and has been ratified by 45 of the 47 members of the Council. There is also an Additional Protocol to the Convention regarding supervisory authorities and transborder data flows.282

3.3.1 Organisation

The Consultative Committee is composed of representatives of the contracting parties, as notified to the Secretary General of the Council of Europe, observers from Council of Europe member states who are not party to the Convention, delegates from Council of Europe bodies and invited experts or representatives of international institutions and organisations. The Committee meets at least every two years, and meetings are generally held in Strasbourg or Paris. After each meeting the Committee is to submit a report on its work and the functioning of the Convention to the Council of Ministers of the Council of Europe. The work of the Committee between meetings is co-ordinated by a Bureau composed of the Chair, two Vice-Chairs of the Committee, four elected members (on two-year terms), and (de jure) the outgoing Chair.283 The functions of the Committee are set out in Articles 19 and 20 of the Convention. Article 19 states that the Consultative Committee:

a. may make proposals with a view to facilitating or improving the application of the convention;
b. may make proposals for amendment of this convention in accordance with Article 21;
c. shall formulate its opinion on any proposal for amendment of this convention which is referred to it in accordance with Article 21, paragraph 3;
d. may, at the request of a Party, express an opinion on any question concerning the application of this convention.284

3.3.2 Co-operation and co-ordination activities

The Chair of the Committee has stated that:

This committee has been instrumental in the development of the Council of Europe’s data protection standards and has offered since its creation a unique forum of discussion for its members. It currently enables over 60 specialists (members and observers participating in discussions in a spirit of equality) from over the world to meet on a regular basis to address common data protection challenges, provide regulatory guidance as well as technical expertise on some particular aspects of a domestic system and discuss means to tackle differences in countries.285

281 OECD, Report on the Cross-Border Enforcement of Privacy Laws, Paris, October 2006, p. 22.
282 Council of Europe, Additional Protocol to the Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data, regarding supervisory authorities and transborder data flows, Strasbourg, 8 November 2001. http://conventions.coe.int/Treaty/en/Treaties/Html/181.htm
283 Council of Europe Consultative Committee on the Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data.
284 Council of Europe, Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, Strasbourg, 28 January 1981. http://conventions.coe.int/Treaty/en/Treaties/Html/108.htm

Chapter IV of Convention 108 includes extensive provisions on Mutual Assistance and for ease of reference they are set out in Annex D. Article 13 contains the general duty to render mutual assistance including the requirement to nominate at least one authority for these co­operative purposes. It need not be a special data protection authority. The primary duty is to provide information on law and administrative practice in the field of data protection. Article 14 requires the provision of assistance to foreign data subjects. Article 15 imposes restrictions on the use to be made of information obtained in the course of rendering assistance (that the authority will not use the information received for purposes other than the assistance request, that the persons handling the request will be bound by appropriate obligations of secrecy and confidentiality, and that requests for assistance on behalf of a data subject can only be made with the consent of the person concerned286) and Article 16 provides an exhaustive set of grounds on which assistance can be refused (the request is not compatible with the powers of agency to which it is made, that it does not comply with the Convention, or that it is incompatible with sovereignty, security or public policy of the requested party, or with the fundamental rights and freedoms of persons under the jurisdiction of that party). Article 17 makes provision for the costs and procedures of rendering assistance. In addition, although not well recorded in public documents, the experience of regulators is that these provisions have been used, perhaps not extensively and frequently, but regularly over the years. 287 Chapter V of the Convention was the basis for co­operation between many European States until the adoption of Directive 95/46/EC by the European Union. 
It still provides for co-operation in areas outside the scope of the Directive, such as policing, and in cases where one country is outside the European Economic Area (EEA) but has ratified the Convention.288 The Additional Protocol also acknowledges the central role of data protection authorities in international co-operation.289 Parties to the Protocol shall provide for independent authorities responsible for ensuring compliance with the domestic law giving effect to the principles in Chapters II and III of the Convention; these authorities are to have powers of investigation and intervention, and are to co-operate with one another, in particular by sharing information.

Since 2010 the Council of Europe has taken up the double challenge of modernising and strengthening Convention 108 and of promoting its implementation worldwide. The Consultative Committee (T-PD) worked intensively on the modernisation of Convention 108 and reached consensus on modernisation proposals, which were adopted at its 29th plenary in November 2012. The T-PD identified key objectives for the modernisation effort: the Convention's provisions must remain technologically neutral, coherence with other legal frameworks (in particular the EU data protection framework) must be maintained, and the Convention must retain its open character. Part of the proposed modernisation effort is an attempt to encourage international co-operation, to strengthen the competence and independence of DPAs and to strengthen the functions and powers of the Consultative Committee. The draft proposes a conference or network of supervisory authorities to organise their co-operation on the exchange of information, the co-ordination of investigations, interventions and actions, and the provision of information on law and practice.290

The Council of Europe Committee of Ministers decided on 10 July 2013 to set up an ad hoc Committee on Data Protection (CAHDATA), bringing together representatives of all Council of Europe member States, other Parties to the Convention and other non-European States, and entrusted with the task of finalising the modernisation work started by the T-PD by formally negotiating an Amending Protocol to Convention 108.291 The Consultative Committee has also recommended that its delegates join the list of enforcement contact points maintained by the Global Privacy Enforcement Network (GPEN, see section 4.3). In 2010 it requested that the secretariat set up a collaborative space within an updated data protection website that was then being developed.292 It is unclear whether this has been developed and, if it has, some DPAs are unaware of it.

285 Walter, Jean-Philippe, "The role of Convention 108 in the international co-operation", PHAEDRA workshop, Warsaw, 24 September 2013. http://www.coe.int/t/dghl/standardsetting/DataProtection/Articles/Phaedra%20workshop%20varsovie,%20J-Ph%20W.pdf
286 Ibid.
287 OECD, Report on the Cross-Border Enforcement of Privacy Laws, Paris, October 2006, p. 22.
288 Ibid.
289 Walter, op. cit.

3.4 WORKING PARTY ON INFORMATION EXCHANGE AND DATA PROTECTION (DAPIX)

The DAPIX working party is one of more than 150 working parties and committees supporting the EU Council of Ministers. It comprises officials from the 28 Member States. DAPIX addresses issues relating to information exchange and data protection. On the information exchange side, the working party draws up EU strategies for ensuring the exchange of information between the law enforcement authorities of the Member States. In the area of data protection, it helps to ensure that data are exchanged in compliance with current principles and rules on personal data protection. The DAPIX working party discussed and produced a revised version of the draft General Data Protection Regulation under the Lithuanian Presidency.293

290 Consultative Committee of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data [ETS No. 108] (T-PD), Propositions of Modernisation, T-PD(2012)04Rev4, Strasbourg, 18 December 2012. http://www.coe.int/t/dghl/standardsetting/dataprotection/TPD_documents/T-PD%282012%2904Rev4_E_Convention%20108%20modernised%20version.pdf
291 Council of Europe Ad Hoc Committee on Data Protection (CAHDATA), Information Document, CAHDATA(2013)Inf, Strasbourg, 17 September 2013. http://www.coe.int/t/dghl/standardsetting/dataprotection/CAHDATA/CAHDATA%282013%2901_En_Information%20document.pdf
292 Consultative Committee of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (T-PD), 26th Plenary Meeting, Strasbourg, 4 June 2010. http://www.coe.int/t/dghl/standardsetting/dataprotection/T-PD%20_2010_%20RAP%2026%20Abr_eng.pdf
293 The DAPIX version is dated 16 December 2013. See http://register.consilium.europa.eu/doc/srv?l=EN&t=PDF&gc=true&sc=false&f=ST%2017831%202013%20INIT

3.5 INTERNATIONAL WORKING GROUP ON DATA PROTECTION IN TELECOMMUNICATIONS

The International Working Group on Data Protection in Telecommunications (IWGDPT) is also known as the Berlin Group, as it has been chaired by the Berlin Commissioner for Data Protection and Freedom of Information since its creation in 1983. The Group is composed of experts in communication and information technologies and in personal data protection. It was formed on the initiative of national data protection authorities, under the framework of the International Conference of Data Protection and Privacy Commissioners, but its membership is not restricted to data protection authorities and also includes representatives of the private sector and NGOs. Secretariat services and a web page for the Group are provided by the Berlin data protection authority. Since the mid-1990s its work has focused upon data protection and privacy matters on the Internet. The IWGDPT meets twice a year. The Group's work results in common positions and working papers on requirements and conditions which should be met both by products created by technology providers and by the entities using these products, e.g., telecommunications operators, web services and end users,294 in order to improve the protection of privacy. Recent working papers have covered web tracking and privacy; cloud computing; privacy by design and smart metering; privacy and electronic micropayments; event data recorders in vehicles; and mobile processing of personal data. Working papers are available in both English and German.295

The 51st meeting of the IWGDPT was held on 23-24 April 2012 in Sopot, Poland. It concentrated on data processing in cloud computing, the exercise of the right to be forgotten, and the profiling of Internet users by marketing companies using specialised analysis tools. The meeting adopted a working document setting out the Group's common position on the principles of privacy protection in data processing using cloud computing, called the Sopot Memorandum.296 There were two meetings of the Group in 2013. The 53rd meeting, in Prague in April 2013, produced working papers on the publication of personal data on the web and on web tracking and privacy. The 54th meeting, in Berlin in September 2013, produced working papers on privacy and aerial surveillance and on the human right to telecommunications secrecy.

3.6 CENTRAL AND EASTERN EUROPE DATA PROTECTION AUTHORITIES

The first Meeting of Central and Eastern European Data Protection Commissioners took place in Warsaw on 17 December 2001. Since then, the group has met 14 times. In a declaration on new members emanating from its 14th Meeting, held in Kiev on 21-22 May 2012, the group expressed "the need to continue our cooperation and exchange of experiences in the field of personal data and privacy protection".297 It confirmed the provisions contained in the Declaration on Future Co-operation adopted in Smolenice on 24 May 2005 and further specified in the Declaration on Co-operation adopted in Kazimierz Dolny on 3 June 2008. It acknowledged "that in the age of global economy and development of IT technologies, the cooperation between data protection commissioners from various countries plays an essential role in ensuring the efficiency of data protection systems". It also said that "the unique experiences of the members of the group of Central and Eastern European Data Protection Commissioners in the field of implementation of data protection legislation... may be useful to the countries where data protection legislation has recently been adopted".

The host of the meeting in Kiev in May 2012 was the State Service of Ukraine on Personal Data Protection. The meeting was attended by representatives of data protection authorities from Poland, Ukraine, the Czech Republic, Serbia, Macedonia, Slovenia, Estonia, Montenegro, Russia, Hungary, Moldova, Bulgaria and Albania.298 Two declarations were adopted by CEEDPA members. The first was the Declaration on the new members of the group of Central and Eastern European Data Protection Commissioners, under which the data protection commissioners of Bosnia and Herzegovina and of Montenegro were accepted as members of CEEDPA. In the second declaration, proposed by the Polish DPA and not formally discussed in the official conference, the Central and Eastern European Data Protection Commissioners (with the exception of Estonia) declared their support for the European data protection reform.

The 15th CEEDPA meeting was held on 10-12 June 2013 in Serbia. Participants from 14 DPAs discussed issues relating to data safety, data processing in the field of employment, and the independence of data protection authorities. The meeting identified similarities in personal data breaches across Eastern Europe. The third session focused upon the challenges that DPAs face, including challenges to their independence. Other challenges discussed included transborder transfers of data, video surveillance of public areas and hate speech.299 The Russian Federation, which previously held observer status, was admitted to full membership at this meeting. The 16th meeting will be organised in 2014 in Macedonia. The representatives of the data protection authorities of Hungary and of Bosnia and Herzegovina have both expressed their willingness to host the 17th meeting in 2015.

More information on CEEDPA is available at http://www.giodo.gov.pl/272/j/en/ and at http://www.ceecprivacy.org.

294 GIODO, "Meeting of the Berlin Group, 23-24 April 2012". http://www.giodo.gov.pl/259/id_art/736/j/en/
295 The archive of working papers is available at http://www.datenschutz-berlin.de/content/europa-international/international-working-group-on-data-protection-in-telecommunications-iwgdpt/working-papers-and-common-positions-adopted-by-the-working-group
296 International Working Group on Data Protection in Telecommunications, Working Paper on Cloud Computing – Privacy and Data Protection Issues ("Sopot Memorandum"), Sopot, 24 April 2012. http://www.giodo.gov.pl/data/filemanager_pl/dif/Sopot_Memorandum.pdf
297 A copy of the Declaration can be found at http://www.giodo.gov.pl/259/id_art/741/j/en/
298 The information in this section comes from GIODO's website: http://www.giodo.gov.pl/259/id_art/741/j/en/
299 Central and Eastern Europe Data Protection Authorities, "15th Meeting of the Central and Eastern European Data Protection Authorities", CEEDPA News and Events, 10-12 June 2013. http://www.ceecprivacy.org/main.php?s=5
300 TAIEX supports partner countries with regard to the approximation, application and enforcement of EU legislation. It is largely demand-driven and facilitates the delivery of appropriate tailor-made expertise to address issues at short notice. See TAIEX, "What is TAIEX?", 1 July 2013. http://ec.europa.eu/enlargement/taiex/what-is-taiex/index_en.htm

3.7 CONFERENCE OF BALKAN DATA PROTECTION AUTHORITIES

The first Balkan Conference of personal data protection authorities was held on 17-18 December 2012 in Skopje by the Directorate for Personal Data Protection, Republic of Macedonia, in co-operation with TAIEX (the Technical Assistance and Information Exchange instrument managed by the European Commission's Directorate-General for Enlargement300). The conference followed from the meeting of personal data protection regulatory authorities held as part of the Conference on the Modernisation of EU Legislation on the Protection of Personal Data, also organised by the Directorate, in May 2012. The intent was to start a series of conferences to support information and experience exchange between Western Balkan data protection authorities and co-operation with European data protection authorities. Participants signed a Declaration of Co-operation. Participating countries included the

Czech Republic, Slovenia, Albania, Bosnia and Herzegovina, Croatia, Kosovo, Montenegro and the former Yugoslav Republic of Macedonia. The 2012 conference was subtitled "Joint aspirations and co-operation" and focused upon the transfer of personal data to third countries, supervision of transmission, co-operation with Eurojust, the balance between the right to protection of personal data and the right of free access to public information, and ISO standardisation of employees in privacy protection organisations. The conference also involved work on a joint application by the Balkan data protection authorities for support from the EU's Instrument for Pre-Accession Assistance (IPA) funds.301

There are also a number of bilateral collaboration agreements between Balkan countries. For example, the National Agency for Personal Data Protection of Kosovo has signed declarations on further collaboration with the Agency for Personal Data Protection of the Republic of Montenegro, the Directorate for Personal Data Protection of the Republic of Macedonia, and the Information Commissioner of the Republic of Slovenia.302

3.8 FORMER THIRD PILLAR SUPERVISORY AUTHORITIES

3.8.1 Joint Supervisory Authority of the Schengen Information System

The Schengen Agreement, signed in 1985 and supplemented by the Schengen Convention in 1990, created the Schengen area in Europe in 1995. The Schengen area abolishes internal border controls and implements a common visa policy. The Schengen Information System (SIS) is a database which allows the participating states to share information for border control, national security and law enforcement purposes. The data protection elements of the SIS were supervised by the Schengen Joint Supervisory Authority (JSA). With the shift to the expanded SIS II system, the JSA was dissolved as of April 2013 and replaced by co-ordinated supervision between the national data protection authorities and the European Data Protection Supervisor.

The JSA was the first EU supervisory authority to promote joint co-ordinated supervisory activities in the law enforcement area as regards the inspection of large-scale databases. This approach to the supervisory role was apparently successful, and it influenced later co-ordinated supervision efforts such as the Eurodac, VIS and Customs supervisory bodies.303 The Schengen Convention304 established the Joint Supervisory Authority. Article 115(3) of the Schengen Convention stipulated that the JSA was responsible for:

checking the implementation of the provisions of the Schengen Convention as regards the technical support function of the Schengen Information System;

examining any difficulties of application or interpretation that may arise during the operation of the Schengen Information System;

studying any problems that may occur with the exercise of independent supervision by the national supervisory authorities of the Contracting Parties or in the exercise of the right of access to the system;

drawing up harmonised proposals for joint solutions to existing problems.

In implementing the Convention, the JSA conducted inspections at national level, with the intent of understanding how the Schengen States were implementing and using the Articles of the Schengen Convention, and of gaining an overview of practical problems that may occur with implementation. The JSA conducted its task through regular plenary meetings in Brussels, issuing opinions, conducting surveys and inspections at national level, inspections at central level, and monitoring technical and legal developments. The Authority could intervene on its own initiative or at the request of the national supervisory authority of a Schengen Member State, a Contracting Party or a body of the Schengen System, in compliance with the provisions of the Convention.

The Schengen JSA was composed of the national data protection authorities of the Contracting Parties to the Schengen Convention. Each authority had one vote. The meetings were not public, and the JSA itself decided which of its acts and reports were to be made public. The JSA could appoint working groups as it required and could invite external experts. The Authority could designate one or more members to conduct on-site verifications. The JSA budget came from the wider Schengen budget. The membership of the Schengen JSA strongly overlapped with the membership of the Europol JSB. The rules of procedure were approved by the JSA on 2 February 1996 and amended on 4 July 1997 and 27 April 1998.305 The enlargement of the Schengen area on 21 December 2007 with the addition of nine new members also saw the enlargement of the JSA. The new members had previously participated as observers, a status the JSA believes was useful for both old and new members.306 Several Member States did not attend JSA meetings, citing financial difficulties.

301 Directorate for Personal Data Protection, Personal Data Protection Directorate 2012 Annual Report, Skopje, March 2013, pp. 43-44. http://www.dzlp.mk/sites/default/files/DPDP_%20Annual_Report_2012.pdf
302 National Agency for Protection of Personal Data, Republic of Kosovo, "International Agreements", undated. http://www.amdp-rks.org/web/?page=2,53
303 Schengen Joint Supervisory Authority, Activity Report – December 2005 – December 2008, 2008, p. 11. http://www.llv.li/pdf-llv-dss-jsa_sch.act.rep.en.pdf
304 The Schengen acquis – Convention implementing the Schengen Agreement of 14 June 1985 between the Governments of the States of the Benelux Economic Union, the Federal Republic of Germany and the French Republic on the gradual abolition of checks at their common borders, Official Journal L 239, 22 September 2000, pp. 19-62. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:42000A0922%2802%29:en:HTML
In 2010, the JSA wrote to the relevant government departments of the Slovak Republic to highlight the fact that Member States are legally obliged to carry out their supervisory responsibilities with regard to the SIS, including regular attendance at JSA meetings.307 SIS includes some participants that are not Member States of the EU; the requirement for adequate safeguards for the transmission of personal data therefore applies. In the period December 2005 to December 2008, the Schengen JSA focused upon the correct interpretation of the Schengen Convention and on assessing whether Schengen member states had implemented the legal framework in a harmonised and appropriate manner.308 From 2004 the JSA was also involved in the development of the second generation of the Schengen Information System (SIS II), providing advice and assistance to the EU institutions involved. It issued an Opinion on the legal basis for SIS II in September 2006.

The Chair and members of the JSA were also part of an expert working group set up during the 2011 European Privacy and Data Protection Commissioners' Conference to focus on the future of supervision in the area of freedom, security and justice, particularly with regard to what makes supervision effective. The group held its first meeting in June 2011 and then continued to meet quarterly. In early 2013, the group finalised a report on the future of data protection supervision in the area of law enforcement, which sets out its vision for the future.309

The application of Council Decision 2007/533/JHA of 12 June 2007 on the establishment, operation and use of the second generation Schengen Information System (SIS II) (the Council Decision) and of Regulation (EC) No 1987/2006 of the European Parliament and of the Council of 20 December 2006 on the establishment, operation and use of the second generation Schengen Information System (SIS II) (the Regulation) changes the joint supervisory framework for SIS II.310 On 9 April 2013, the second-generation Schengen Information System (SIS II) took over from SIS. Data protection supervision of SIS II became the responsibility of the national data protection authorities and the European Data Protection Supervisor in a co-ordinated structure.311 The Council Decision created a new legal framework for co-operation between the EDPS and the national DPAs to ensure co-ordinated supervision of SIS II. The national supervisory authorities and the European Data Protection Supervisor, each acting within the scope of its respective competences, are to:

exchange relevant information;

assist each other in carrying out audits and inspections;

examine difficulties of interpretation or application of the Council Decision (the Regulation);

study problems with the exercise of independent supervision or in the exercise of the rights of data subjects;

draw up harmonised proposals for joint solutions to any problems; and

promote awareness of data protection rights, as necessary.

The European Data Protection Supervisor and the national supervisory authorities are to meet at least twice a year.312 SIS II comprises a central system, the Schengen States' national systems and a communication network between the central and the national systems. The European Commission was responsible for the development of the SIS II central system, while the SIS II national systems were developed by the Schengen States. SIS II is managed by the independent European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (eu-LISA). This Agency is also tasked with managing EURODAC and the Visa Information System.313 The SIS database was physically located in France, and the SIS II database is located in France with a back-up centre in Austria. Moves towards interoperability between SIS, VIS and Eurodac may have implications for co-ordinated supervision.

305 Schengen Joint Supervisory Authority, Rules of Procedure of the Joint Supervisory Authority, 27 April 1998. http://schengen.consilium.europa.eu/media/158305/schaut-cont%20%2895%29%2025%20rev.%205%20schengen%20jsa%20rules%20of%20procedure,%20with%20amendment.pdf
306 Schengen Joint Supervisory Authority, Activity Report – December 2005 – December 2008 [undated, no location], p. 10. http://www.llv.li/pdf-llv-dss-jsa_sch.act.rep.en.pdf
307 Schengen Joint Supervisory Authority, Ninth Activity Report: January 2009 – April 2013: Crossing Borders, Brussels, 1 April 2013, p. 5. http://schengen.consilium.europa.eu/media/251646/schengen%20activity%20report%202008%20-%202013%20final.3.pdf
308 Schengen Joint Supervisory Authority, Activity Report – December 2005 – December 2008, op. cit.
309 Schengen Joint Supervisory Authority, Ninth Activity Report: January 2009 – April 2013: Crossing Borders, Brussels, 1 April 2013. http://schengen.consilium.europa.eu/media/251646/schengen%20activity%20report%202008%20-%202013%20final.3.pdf
310 Schengen Joint Supervisory Authority, Activity Report – December 2005 – December 2008, op. cit.
311 Schengen Joint Supervisory Authority, 1 April 2013, op. cit.
312 Schengen Joint Supervisory Authority, Activity Report – December 2005 – December 2008, op. cit.
313 Schengen Joint Supervisory Authority, 1 April 2013, op. cit., p. 13. http://schengen.consilium.europa.eu/media/251646/schengen%20activity%20report%202008%20-%202013%20final.3.pdf

3.8.2 Joint Supervisory Authority of the European Customs Information System

The Customs Information System (CIS) was established under the 1995 Convention on the use of information technology for customs purposes and Council Regulation (EC) No 515/97 of 13 March 1997 on mutual assistance between the administrative authorities of the Member States and cooperation between the latter and the Commission to ensure the correct application of the law on customs and agricultural matters.314 The aim of the CIS is to assist in combating customs-related crime by facilitating co-operation between European customs authorities. The CIS stores information on commodities, means of transport, persons and companies in order to assist in preventing, investigating and prosecuting actions in breach of customs and agricultural legislation or serious contraventions of national customs laws. There are two CIS databases, one relating to national law and the other to European law. The central database can be accessed by the Member States and the European Commission and went live on 24 March 2003. The CIS Convention divides data protection supervision of the CIS between the national data protection authorities and the Joint Supervisory Authority for the Customs Information System (JSA). The Member States are responsible for the processing of personal data in the CIS according to the CIS Convention and are supervised by their national data protection authorities. The Joint Supervisory Authority for the Customs Information System was established by Article 18 of the Convention on the use of information technology for customs purposes. The JSA has the overall task of supervising the technical support function of the CIS.
This function is responsible for distributing the data entered in the CIS to all Member States. JSA is an independent authority composed of two representatives of the data protection authorities of each Member State that signed this CIS convention.315 The JSA has a secretariat located in Brussels. JSA is responsible for supervising the operation of the CIS and to:

examine any difficulties of application or interpretation which may arise during the system’s operation;

study problems that may arise when the system is in operation; study problems which may arise with regard to the exercise of independent

supervision by the national supervisory authorities of the Member States, or in the exercise of rights of access by individuals to the System and draw up proposals for the purpose of finding joint solutions to problems.316

to draw up proposals for the purpose of finding joint solutions to problems; to draw up opinions on the satisfactory nature of the measure for data protection.

313 Schengen Joint Supervisory Authority, 1 April 2013, op. cit, p. 13. http://schengen.consilium.europa.eu/media/251646/schengen%20activity%20report%202008%20­%202013%20final.3.pdf 314 Council Regulation, On mutual assistance between the administrative authorities of the Member States and cooperation between the latter and the Commission to ensure the correct application of the law on customs and agricultural matters, (EC) No515/97, OJ L 83, 13 March 1997. http://ec.europa.eu/anti_fraud/documents/eu­revenue/consolidated_r515_97_en.pdf 315 http://www.privacycommission.be/en/jsa­customs­information­system 316 Ibid.

Page 97: PHAEDRA · 1.1 need for improved co-operation and co-ordination A principal challenge confronting data protection authorities (DPAs) and privacy commissioners is the enforcement of

97

The JSA can inspect the central CIS database, located in Brussels. National supervisory authorities must also supervise the national use of the CIS database. Any individual may ask any national supervisory authority to check the personal data related to them contained and process by CIS, subject to national subject access request laws. If the data were inputted to the system by another Member State, the inspection should be carried out in collaboration with national supervisory authority of this Member State. 3.8.3 Coordinated Data Protection Supervision Group of the European Visa

Information System (VIS) The European Visa Information System (VIS) is a database of information on visa applications from third country nationals. It includes personal and biometric data. This information is collected by national consulates and then transferred to a central database, where it becomes accessible to all Member States. One intended purpose is preventing failed applicants for visas making repeated applications to different EU Member States. Roll­out of VIS started in 2009. The Visa Information System Supervision Coordination Group was set up by Article 43 of the VIS Regulation.317 It is a co­ordination platform for those data protection authorities with responsibilities for supervision of the European Visa Information System. Supervision of the central unit of VIS is the responsibility of the European Data Protection Supervisor, whilst supervision of its operation and use at the national level is the responsibility of the respective Member State’s Data Protection Authorities. The Group will:

endeavour to enhance cooperation between the supervisory authorities and shall ensure coordinated supervision of VIS and the national systems;

exchange relevant information; assist the supervisory authorities in carrying out audits and inspections, as necessary,

each acting within the scope of their respective competences; examine difficulties of interpretation or application of the VIS Regulation; study problems with the exercise of independent supervision or with the exercise of

the rights of data subjects; draw up harmonised proposals for joint solutions to any problems; promote awareness of data protection rights, as necessary.318

The group is composed of one representative from each of the national supervisory authorities, and the European Data Protection Supervisor. Each delegation has one vote. A chairperson is selected by the group for a two-year term. The VIS supervision group held its first meeting in November 2012. The meeting was primarily concerned with the roll-out of VIS and discussion of a work programme for the group. Rules of Procedure were adopted in April 2013. The group meets twice a year (normally in Brussels), with additional meetings at the request of two-thirds of the membership. The group is to draw up an activity report every two years. Minutes and internal documentation (including drafts of reports) will not be made public, but reports and opinions will be publicly available, unless the group determines otherwise. The budget for the meetings comes from the EDPS. EDPS conducted a security audit at VIS in November 2011.319 EDPS also provides secretariat services to the Supervision Group.

317 European Parliament and the Council, Regulation (EC) No 767/2008 Concerning the Visa Information System (VIS) and the exchange of data between Member States on short-stay visas (VIS Regulation), 9 July 2008. OJ L 218/60. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2008:218:0060:0081:EN:PDF
318 Visa Information System (VIS) Supervision Coordination Group, “Rules of Procedure”, Brussels, April 2013. https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Supervision/VIS/13-04-11_VIS_Supervision_Coordination_Group_RoP_EN.pdf

3.8.4 Coordinated Data Protection Supervision Group of Eurodac

EURODAC is a fingerprint database of applicants for asylum and illegal immigrants found within the EU. The system has been operational since 15 January 2003 and is currently used by the 27 EU Member States as well as Iceland, Liechtenstein, Norway and Switzerland. EURODAC consists of a Central Unit, operating the system’s central database, and National Access Points, which transmit data between the Member States and the central database. The supervision of the processing of personal data in the central database was previously conducted by a provisional Joint Supervisory Authority. However, this was replaced by the European Data Protection Supervisor (EDPS) in early 2004. In order to ensure a co-ordinated approach between the EDPS and the national data protection authorities in EU Member States that supervise the processing of data by national authorities and transmission to the central EURODAC unit, the authorities meet regularly as the EURODAC Supervision Coordination Group to discuss common problems and seek common solutions.320 The EURODAC Supervision Coordination Group is therefore a co-operation platform for the data protection authorities responsible for the supervision of EURODAC. The Group will:

• examine implementation problems in connection with the operation of Eurodac;
• examine difficulties experienced during checks by the supervisory authorities;
• examine difficulties of interpretation or application of the Eurodac Regulation;
• draw up recommendations for common solutions to existing problems, and
• endeavour to enhance cooperation between the supervisory authorities.321

The co-ordinated EURODAC supervision group issued its first co-ordinated inspection reports in 2007.322 Formal Rules of Procedure for the group were adopted on 19 December 2007 and amended on 17 December 2008.323

319 European Data Protection Supervisor, Annual Report 2012, Publications Office of the European Union, Luxembourg, 2013. https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/Publications/Annualreport/2012/AR2012_EN.pdf
320 EDPS, “EURODAC”. https://secure.edps.europa.eu/EDPSWEB/edps/Home/Supervision/EURODAC
321 EURODAC Supervision Coordination Group, “Rules of Procedure for the Eurodac Supervision Coordination Group”, Brussels, 17 December 2008. https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Supervision/Eurodac/08-12-17_Eurodac_rulesofprocedure_EN.pdf
322 EURODAC Supervision Coordination Group, “Report of the first coordinated inspection”, Secretariat of the Eurodac Supervision Coordination Group, EDPS, Brussels, 17 July 2007. https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Supervision/Eurodac/07-07-17_Eurodac_report_EN.pdf
323 EURODAC Supervision Coordination Group, 17 December 2008, op. cit. https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Supervision/Eurodac/08-12-17_Eurodac_rulesofprocedure_EN.pdf


The EDPS performed its first inspection of the EURODAC central unit in 2006, followed by a security audit in 2007. A second inspection in 2011 assessed the implementation of the recommendations from the first report. The on-site audit was conducted by four representatives of the EDPS and one representative of the Spanish Data Protection Authority. The report of the second inspection found that, generally, the overall level of data protection and security of the EURODAC central unit was high, and that most of the previous recommendations had been taken into account. However, the EDPS raised issues relating to the operation of the archiving system, business continuity, some inadequate technical security measures relating to patch management, user management, log files and back-ups, and some organisational security inadequacies relating to personal data breach handling, audit, data destruction, change management, and removable media policy.324 The secretariat of the EURODAC Supervision Coordination Group is provided by and located at the EDPS in Brussels. Meetings are often held after or before meetings of other Joint Supervisory Groups (Schengen, Europol or Customs Information Systems). Meetings often include a presentation on the management of EURODAC from the Commission representatives, and then discussion between DPAs. Recent topics discussed have included the annual inspection reports, programmes of work, legislative reform proposals (including reform of the EURODAC Regulation), advance deletion, stakeholder engagement, developments at national level, the development of common assessment methodologies for EURODAC national contact points, and a security audit methodology. On this latter point, a sub-group drafted a questionnaire that can serve as the basis for a common baseline for inspections at the national level.325 The EURODAC Supervision Coordination Group was consulted on the supervision process for the European Visa Information System, as the legal basis for VIS envisages a co-ordinated supervision group similar to that operated for EURODAC.

3.8.5 Joint Supervisory Board Europol

Europol was established in 1999 as an intelligence broker for co-ordinated police work in Europe. The Joint Supervisory Board is Europol’s independent data protection supervisor.326 In the European Council Decision of 6 April 2009 the Member States recognised the need to provide special, tailor-made data protection rules for Europol. To stress this point, the legislator emphasised that “specific provisions on the protection of personal data” were essential “because of the particular nature, functions and competences of Europol”.327 Consequently, while the Decision reflects the same values as Directive 95/46/EC, it contains detailed Europol-specific and unique provisions. Several entities monitor and ensure compliance with the data protection rules at Europol. These include the Data Protection Officer, the Joint Supervisory Body and National Supervisory Bodies.

324 EDPS, “EURODAC Central Unit Inspection Report”, Case File 2011-1103. Brussels, June 1012. https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Supervision/EURODAC/12-06-14_EURODAC_inspection_report_EN.pdf
325 https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Supervision/EURODAC/12-07-04_EURODAC_Activity_Report_EN.pdf
326 Information on the activities of the JSB can be found at http://europoljsb.consilium.europa.eu/about.aspx
327 Council of the European Union, Council Decision of 6 April 2009 establishing the European Police Office (Europol), 2009/371/JHA. OJ L 121/37, Brussels, 15.5.2009. https://www.europol.europa.eu/sites/default/files/council_decision.pdf


The Joint Supervisory Body (JSB) is an independent entity set up to review the activities of Europol in order to ensure that the rights of the individual are safeguarded during the storage, processing and utilisation of personal data held by Europol. The JSB is the external counterpart to the DPO’s internal perspective. The Rules of Procedure for the JSB, adopted 22 June 2009 and approved by the Council on 20 November 2010, state that the tasks of the JSB are:

reviewing and inspecting, in accordance with the Europol Decision, the activities of Europol in order to ensure that the rights of the individual are not violated by the storage, processing and use of personal data held by Europol. In addition, it shall monitor the permissibility of the transmission of data originating from Europol.328

The JSB therefore issues opinions on draft data sharing agreements between Europol and third countries, the legal basis for data processing by Europol and implementation of data processing rules. The JSB produces an activity report. These reports were previously produced every two years, but the fifth report covered the period 2008-2012.329 This body is composed of two representatives of the independent national data protection authority of each EU Member State, selected internally, who are appointed for a period of five years. Each delegation is entitled to one vote for decision-making purposes. It meets at least four times a year, and at the initiative of the Chairman. The Director of Europol can also propose that the Body be convened. The meetings are not public, but the documents of the Body are publicly available (except the results of the annual inspection reports). The JSB has an independent secretariat, located in Brussels. The Joint Supervisory Body also monitors the permissibility of the transmission of data originating from Europol. It is in this capacity that the JSB inspected Europol’s implementation of the TFTP Agreement (see section 4.7). Any individual has the right to request the Joint Supervisory Body to ensure that the manner in which his or her personal data have been collected, stored, processed and utilised by Europol is lawful and accurate.330 The JSB appeals committee is also responsible for managing appeals against Europol’s handling of the exercise of rights of access and correction. The JSB has the power to inspect any and all Europol files, and conducts an inspection visit of Europol premises at least once a year. This inspection results in a report.331 The chairman of the Body can request the attendance of the Europol Director.
The JSB is also tasked with co-operation, as necessary, with other supervisory authorities for the fulfilment of its tasks and to contribute to the improvement of consistency in the application of data processing rules and procedures. The JSB states in its most recent activity report that it works closely with Europol, often in the early stages of projects, to attempt to put data protection standards in place prior to operation.332 The JSB has jointly organised and participated in plenary meetings with the joint supervisory authorities of the Schengen and Customs Information Systems and the Eurojust Joint Supervisory Body, to specifically discuss the future of supervision in the police and judicial cooperation area. The JSB Chair and Secretariat are also part of an expert working group set up during the 2011 European Privacy and Data Protection Commissioners’ Conference to focus on the future of supervision in the freedom, security and justice area. The JSB believes that its work has a positive impact upon data protection at national levels. Experience gained by national representatives working as part of the JSB on joint on-site inspections contributes to harmonisation of national practices. Joint decisions of the JSB are also applied at national levels. The JSB has also collaborated with the former Working Party on Police and Justice (under the mandate of the European Privacy and Data Protection Commissioners’ Conference), and has adopted joint opinions on the TFTP Agreement with the Article 29 Working Party. The JSB is an accredited member of the Spring Conference and the International Conference of Data Protection and Privacy Commissioners. The National Supervisory Bodies are national authorities that monitor the communication of personal data to and from Europol, in line with their respective national laws. These bodies have access to the documents and premises of their national Liaison Officers at Europol.

328 Council, Act No 29/2009 of the Joint Supervisory Body of Europol of 22 June 2009 laying down its procedure, OJ 2010/C 45/02. http://europoljsb.consilium.europa.eu/media/63193/lexuriserv.en.pdf
329 Europol Joint Supervisory Body, “Activity Report, October 2008 – October 2012: Converging Paths”, Brussels, 24 April 2013. http://register.consilium.europa.eu/pdf/en/13/st08/st08659.en13.pdf
330 Europol, “Management and Control”. https://www.europol.europa.eu/content/page/management-147
331 Data Protection Office, Data Protection at Europol, Europol, The Hague, 2012. https://www.europol.europa.eu/sites/default/files/publications/europol_dpo_booklet_0.pdf
332 Europol Joint Supervisory Body, “Activity Report, October 2008 – October 2012: Converging Paths”, Brussels, 24 April 2013, p. 8. http://register.consilium.europa.eu/pdf/en/13/st08/st08659.en13.pdf

3.8.6 Joint Supervisory Body Eurojust

Formally established in 2002, Eurojust, the European Union’s judicial cooperation unit, is responsible for encouraging and facilitating co-ordination of investigations and prosecutions between competent authorities in the Member States, making these more effective in dealing with cross-border crime. Eurojust’s competencies match those of Europol. As part of this role, Eurojust may process significant amounts of information, including personal data.
The Joint Supervisory Body (JSB) is an independent external supervisor of Eurojust in the area of data protection. Its role is one of monitoring. The JSB discusses compliance with the Eurojust data protection officer and can undertake spot inspections. The Eurojust JSB was accredited as an independent supervisory authority member of the International Conference of Data Protection and Privacy Commissioners in 2010, and by the European Data Protection Commissioners’ Conference in October 2011, and has a secretariat based in The Hague. Unlike the other EU JSBs discussed in this section, the Eurojust JSB is not necessarily composed of representatives of national Data Protection Authorities (although several are members), but can also include judges and other similarly independent roles. The JSB was heavily involved in the drafting of the Rules of Procedure on Data Protection, which were adopted by the College of Eurojust in October 2004, and played a role in the development of Eurojust’s case management system, which the JSB considers to be a good example of privacy by design.333

3.9 OTHER INITIATIVES

333 Joint Supervisory Body of Eurojust, Activity Report of the Joint Supervisory Body of Eurojust 2012, The Hague, 2012, p. 6. http://www.eurojust.europa.eu/doclibrary/Eurojust-framework/jsb/JSBAnnualActivityReport/Activity%20Report%202012/JSB-ActivityReport-2012-EN.pdf


The data protection authorities of the Nordic countries (Denmark, Finland, Iceland, Norway, Sweden) collaborate at the regional level.334 This includes meetings every one or two years between the authorities looking at planning, benchmarking and management, as well as more regular co-operation on case handling and media relations. Cooperation arrangements also include a staff exchange programme, although not all authorities have participated in this. The group produced a joint set of questions to Facebook and a joint report.335 The group has the following meetings:

• Nordic data manager meeting (fællesnordiske datachefmøde)
• Nordic caseworker meeting (årlige fællesnordiske sagsbehandlermøde for sagsbehandlere – fortrinsvis jurister – fra de nordiske datatilsynsmyndigheder): the annual joint meeting for caseworkers, mostly lawyers, from the Nordic data protection authorities
• Nordic technician meeting (Nordisk Teknikermøde)

The Visegrad Group, consisting of the Czech Republic, Hungary, Poland and Slovakia, works together on a number of areas of common interest within European integration. The group is not institutionalised, but consists of meetings of its representatives at various levels, including ministerial co-operation. Areas of co-operation include Justice and Home Affairs and Schengen co-operation, including protection and management of the EU external borders and visa policy. The Isle of Man mentioned regular informal communication and exchange of views between its Office and those of the UK, Ireland, Jersey, Guernsey and Gibraltar. The German DPA said it provides co-operation and support on request or on a case-by-case basis, and has done so in the instances of, inter alia, the DPAs from Bulgaria, Macedonia and Moldova. GIODO said it was also participating in some international projects: the Leonardo da Vinci (LDV) mobility projects, LDV partnership projects, study visits and twinning projects.

334 Data Inspection Board, “International co-operation”. http://www.datainspektionen.se/in-english/international-co-operation/
335 Jonasson, David, “Facebook’s data protection questioned by Nordic authorities”, Stockholm News, Stockholm, 12 June 2011. http://www.stockholmnews.com/more.aspx?NID=7485


3.10 CONCLUSIONS

Figure 2: European DPA co-operation and co-ordination mechanisms

The above figure visualises the overlapping membership of the various European collaboration arrangements (countries in white text are also OECD member countries). This visualisation shows that there is a core group of DPAs who are involved in the full range of co-operation and co-ordination mechanisms, with a number of other DPAs who are not involved in particular mechanisms. Within the EU, these exclusions are primarily a result of other political decisions by the countries involved (such as non-participation of the United Kingdom in the Schengen acquis) rather than the activities of the DPAs themselves. The preceding overview of co-operation and co-ordination in Europe supports the following observations. There are multiple levels of co-operation and co-ordination in Europe. There are mechanisms at the level of senior representatives, privacy commissioners and heads of DPAs, such as the Spring Conference and the Article 29 Working Party. These mechanisms are important for high level discussion and agreement, the development of shared positions and the expression of a collective voice. This interaction often occurs through relatively short one or two day conferences or workshops. There are co-operation mechanisms at the operational level, such as the Case Handling Workshop associated with the Spring Conference. There may be an opportunity to develop these mechanisms to encompass non-enforcement issues such as media and public communication or technology watch functions. Thirdly, there are co-ordination mechanisms for the representatives of Member States other than DPAs (DAPIX) and finally, there are mechanisms which include representatives from the private sector and NGOs (the Berlin Group). There are also a range of co-operation and co-ordination mechanisms in Europe operating at different scales, ranging from bilateral agreements between two DPAs to regional organisations (such as the Balkan DPAs and the Eastern European DPAs), sub-European groupings around particular organisational structures (such as the supervisory groups of Schengen and VIS), the core grouping of all European Member State DPAs in the Article 29 Data Protection Working Party, up to the broader European memberships of the Spring Conference and Council of Europe. This European network of overlapping mechanisms for co-operation provides a range of options for collaboration and the building of consensus at different levels and for different purposes. It provides European DPAs with a degree of flexibility in forming different coalitions. Regular interaction may be supportive of developing habits of communication, co-operation and co-ordination. The organisations are frequently interlinked by more than overlapping membership (for example, the Case Handling Workshop reporting to the Article 29 Working Party, or the Europol JSB attending the Spring Conference). The statutory requirement for European DPAs to collaborate in the Article 29 Working Party (arising from Directive 95/46/EC) is an important element of European co-operation and co-ordination, and the Working Party has been influential, including expanding its mandate to incorporate the work of the WPPJ. It has utilised a range of cooperative strategies, soft law and learning from experience. The Article 29 Working Party has become a key vehicle for the expression of collective views. The Council of Europe Convention 108 requirement for mutual assistance (primarily in the form of the provision of information) is also important in ensuring the drive towards co-operation.
There is also co-operation in regard to “European surveillance infrastructure” such as the Schengen, VISA and customs databases, which may increase the habitual working together of DPAs. For their particular task – oversight of multi-state information systems – this collaboration is vitally important. The functional model of Schengen and EURODAC acted as an inspiration for subsequent supervisory groups for VIS, Europol and customs. However, these mechanisms cannot really be repurposed for other co-ordination tasks, given their focus upon a particular task or system. These groups have, however, held plenary meetings between themselves, and acted as a source of expertise on these topics for the Article 29 Working Party and expert groups at the Spring Conference. Finally, European DPAs do have access to a small number of communication tools and platforms (such as the GPEN list of contact points, the Council of Europe T-PD website, and the Case Handling Workshop mailing list) that can be used for more frequent co-ordination (including at operational level) than that allowed by infrequent formal meetings.


4 CO-OPERATION AND CO-ORDINATION GLOBALLY

Mechanisms for international co-operation and co-ordination analysed in this chapter are the following: the International Conference of Data Protection and Privacy Commissioners (ICDPPC), the Council of Europe T-PD, the OECD WPISP, APEC ECSG DPS, the Asia Pacific Privacy Authorities (APPA), the Ibero-American Data Protection Network, the Association of Francophone Data Protection Authorities, the Article 29 Working Party, GPEN, the International Working Group on Data Protection in Telecommunications (IWGDPT) and CPEA. In examining these existing mechanisms, the partners have contacted DPAs and privacy commissioners to elicit their views on how existing mechanisms could improve practical co-operation and in what areas such co-operation could be improved. The partners particularly focus on the GPEN and the working group of the ICDPPC, which are the only two global mechanisms. The PHAEDRA partners also explore networks established by action of national governments acting collectively (Art. 29 WP, CPEA); mandates exclusively focused upon enforcement co-operation (GPEN, CPEA) and the track record of enforcement co-operation work (Art. 29 WP, APPA, CPEA). This chapter describes efforts to improve practical co-operation between DPAs, privacy commissioners and privacy enforcement authorities, including the Article 29 Working Party’s efforts to improve co-operation, the APEC Cross-border Privacy Enforcement Arrangement (CPEA) and the subsequent developments in CPEA, the creation of the Global Privacy Enforcement Network (GPEN) and its Action Plan, and the creation of a working group as a result of the Resolution of the 33rd International Conference, which met in Montreal in May 2012 and which reported back to the 34th International Conference in Uruguay in October 2012. It refers to Blair Stewart’s paper on improved co-ordination, which was submitted to the November 2011 meeting of the GPEN.
This chapter refers to the outreach efforts at co-operation by, for example, the French and Spanish DPAs. For example, France promotes data protection in francophone countries, while Spain does the same in Latin America (this is natural, because many services, e.g., call centres, are provided from those countries). Europe’s support for improved co-operation with third countries yields benefits for Europe, e.g., in encouraging third countries to adopt our approach to privacy and data protection. This section also examines existing co-operation efforts between the European Commission and Data Protection Authorities both inside and outside of the EU. These measures include the TAIEX instrument, the Leonardo Da Vinci funding programme, and twinning projects.

4.1 INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS

The International Conference of Data Protection and Privacy Commissioners has been meeting annually since the Conference was established in 1979. The purposes of the conference are:

• To promote and enhance internationally personal data protection and convenes once a year. In the last few years, the Conference has grown into a one-week event, encompassing an Open Session accessible to all professionals involved in privacy rights.
• To draft and adopt joint resolutions.
• To be a meeting point between accredited members and other international fora or organisations that share common objectives.
• To encourage and facilitate cooperation and the exchange of information among accredited members, in particular regarding enforcement actions.
• To promote the development of international standards in the field of protection of personal data.336

In the course of the International Conference, all issues related to data protection and privacy may be discussed. Generally, the Open Session of the Conference embraces two days of meetings, both in plenary and breakout sessions, on a number of topics related to the main theme. In 2011, it was decided that, in order to encourage dialogue, cooperation and information sharing, the Closed Session would form the main part of the Conference. It is left up to the discretion of the Hosting Authority – elected in the previous year by the membership of the Conference – to organize an Open Session as well as several side meetings to provide a forum for international and non-governmental organizations. Since 2012, the Closed Session comprises one and a half days of meetings. Within this period, a full day is devoted to internal discussion and to declarations on subjects of common interest or concern to the accredited members, and to promoting their implementation.

4.1.1 Organisation

The conference is governed by an Executive Committee, consisting of three representatives of national authorities, elected on two-year terms, the immediate previous hosting authority and the next hosting authority. One of these members will be elected to chair the committee by the closed session. The conference is hosted by a different Data Protection or Privacy authority each year. The intention is to vary the geographical, cultural and legal backgrounds of the host country. The conference now runs for a week, with a combination of open sessions for general privacy experts, including industry and academia, closed sessions for data protection and privacy authorities, and side sessions hosted by other organisations and institutions. The closed sessions are the core of the conference, with details of the open sessions left to the discretion of the host authority, but often based around topics related to a central theme. The closed session lasts for one and a half days.337 For both the open and the closed Session, expert speakers are invited by the Conference organization and/or the Executive Committee. In order to become members of the Conference, supervisory authorities must be public entities created by appropriate legal instruments for their country, compatible with international legislation and instruments on data protection, with legal powers appropriate to their functions, and that have appropriate autonomy and independence. Public entities that do not meet these criteria but are involved with privacy and data protection can apply for Observer status.

4.1.2 Co-operation and co-ordination activities

Being an International Conference, the Conference has no geographical limitations upon membership and is therefore the data protection forum with the widest possible membership.

336 Executive Committee of the Conference of Data Protection and Privacy Commissioners, Rules and Procedures, undated. https://privacyconference2013.org/web/pageFiles/kcfinder/files/RULES_AND_PROCEDURES2.pdf 337 GIODO, “Conference” undated, https://privacyconference2013.org/About_the_Conference_


The Conference regularly issues a number of resolutions. Decision-making in the closed session is based upon consensus when possible or by majority vote. The Conference convened in Warsaw in September 2013 issued a Resolution on International Enforcement Coordination.338 The resolution built on previous resolutions encouraging co-operation in cross-border privacy enforcement.

4.1.3 ICDPPC Resolutions

In this section, we present a selection of resolutions from recent International Conferences. We especially draw attention to the resolutions dealing with international co-operation.

35th International Conference, Warsaw, 23-26 September 2013339

The 35th International Conference, themed “Privacy: A compass in a turbulent world”, adopted several resolutions. The resolutions are typically short documents, written in a relatively accessible format, that present common positions and shared perspectives from the attendees at the conference. The host DPA, GIODO, stated that

We do believe that the conference contributed to better understanding of data protection issues around the world as well as gave the ground for exchanging the experiences and views in this field and benefited to better explanation of the problems related to data protection.340

• Warsaw declaration on the “appification” of society341
• Accreditation resolution
• Profiling resolution
• Strategic direction resolution
• Enforcement coordination resolution
• International Enforcement Coordination law resolution
• Openness resolution
• Digital education resolution
• Webtracking Resolution

The Resolution on international enforcement co-ordination resolved to further encourage efforts to bring about more effective coordination of cross-border investigation and enforcement. It mandated the International Enforcement Coordination Working Group to work with other networks to develop a common approach to cross-border enforcement and case handling, expressed in a multilateral framework document. This approach will build upon the work of GPEN and will address sharing of information. The resolution also encouraged DPAs to seek out opportunities to cooperate, and supported the development of a secure information platform.342

338 http://www.priv.gc.ca/information/conf2013/res_04_coordination_e.asp
339 https://privacyconference2013.org/Declaration_and_Resolutions_adopted_at_35th_International_Conference
340 https://privacyconference2013.org/
341 Wiewiorowski, Wojciech Rafal, and Jacob Kohnstamm, Warsaw declaration on the “appification” of society, 35th International Conference of Data Protection and Privacy Commissioners, Warsaw, 23-26 September 2012. https://privacyconference2013.org/web/pageFiles/kcfinder/files/ATT29312.pdf
342 https://privacyconference2013.org/web/pageFiles/kcfinder/files/4.%20Enforcement%20coordination%20resolution%20EN%20.pdf


34th International Conference, Punta del Este, Uruguay, 23-24 October 2012: “Privacy and Technology in balance”343

This Conference dealt with the balance between technology and privacy. In addition, new opportunities and problems were analysed, with the aim of outlining the path that our civilisation will follow in the coming years. More than 90 speakers represented 40 countries. The conference concluded successfully and the following resolutions were adopted:

Resolution on Cloud Computing
Resolution on the future of privacy
Uruguay Declaration on profiling

33rd International Conference, Mexico City, 2-3 November 2011: “Privacy: The Global Age”344

This International Conference was focused on the challenges associated with managing and protecting personal data in an era characterised by the constant, instantaneous transfer of information across the globe. Content:

Big Data. Databases and Technology in the New Economic Era
The Factors Driving New Data Protection Laws
Security Risks in the Modern World
Mechanisms of Organizations Used to Identify and Mitigate Risks to Individuals

Resolutions adopted:

Data Protection and Major Natural Disasters

Privacy Enforcement and Co-ordination at the International Level

The Use of Unique Identifiers in the Deployment of Internet Protocol Version 6

32nd International Conference, Jerusalem, 27-29 October 2009: “Privacy: Generations”345

The conference was organized by the Israeli Law, Information and Technology Authority (ILITA), which was established by the Ministry of Justice of Israel in September 2006 to become Israel's data protection authority. The mission of ILITA was to reinforce personal data protection, with a view to regulating the use of electronic signatures and, at the same time, strengthening the enforcement of privacy and IT-related offenses. ILITA also acted as a central knowledge base within the Government for technology-related legislation and large governmental IT projects. Resolutions adopted:

Resolution on Improvement of the Conference Organizational Set up

343 https://www.http://privacyconference2012.org/english/sobre-la-conferencia/noticias/Resoluciones+y+declaraciones+adoptadas
344 http://privacyconference2011.org/index.php?lang=Eng
345 http://www.justice.gov.il/PrivacyGenerations


Resolution on Privacy by Design

31st International Conference, Madrid, 4-6 November 2009: "Privacy: Today is Tomorrow"346

This conference reviewed some of the issues currently discussed not only by the guarantors of privacy and data protection but by society in general, given the relevance for citizens of the decisions taken in this field. Accordingly, one of the main issues thoroughly analysed was the relentless development of information technology, especially on the Internet, an essential tool in present-day society that requires a great deal of reflection in the light of the proliferation of new services and their impact on data protection and privacy. Without disregarding the influence of new technologies, other core subjects of the conference were the education of minors, the challenges of the digital world, data protection as an element of business strategy, and international data transfers in a globalised world. The conference also discussed new advertising models and new sales techniques and their implications for data protection and security, especially in relation to systems that have caused a significant degree of controversy, or those which use the human body as their support. Resolutions:

International Standards on the Protection of Personal Data and Privacy

Industry Statement on the Necessity of International Frameworks in Support of The Protection of Privacy and Personal Data

Global Privacy Standards for a Global World. The Civil Society Declaration

Following is a list of several previous conferences and the titles of their principal resolutions.

30th International Conference, Strasbourg, 15-17 October 2008

Resolution on the Urgent Need for Protecting Privacy in a Borderless World, and for Reaching a Joint Proposal for Setting International Standards on Privacy and Personal Data Protection

Resolution Concerning the Establishment of a Steering Group on Representation at Meetings of International Organisations

Resolution on Children's Online Privacy
Resolution on Privacy Protection in Social Network Services
Resolution of the Website Working Group
Resolution to Explore Establishing an International Privacy/Data Protection Day or Week

29th International Conference, Montreal, 25-28 September 2007347

346 http://www.privacyconference2009.org/home/index-iden-idweb.html
347 http://www.privacyconference2007.gc.ca/terra_incognita_home_e.html


Resolution on International Cooperation
Resolution on the Urgent Need for Global Standards for Safeguarding Passenger Data to be Used by Governments for Law Enforcement and Border Security Purposes
Resolution on Development of International Standards

28th International Conference, London, 2-3 November 2006348

London Declaration
Resolution on Privacy Protection and Search Engines

27th International Conference, Montreux, 14-16 September 2005349

Declaration of Montreux: “The Protection of Personal Data and Privacy in a Globalised World: A Universal Right Respecting Diversities”

Resolution on the Use of Personal Data for Political Communication
Resolution on the Use of Biometrics in Passports, Identity Cards and Travel Documents

26th International Conference, Wroclaw, 14-16 September 2004350

Amendment to 2003 Conference Resolution on Automatic Software Updates
Resolution on a Draft ISO Privacy Framework Standard

25th International Conference, Sydney, 10-12 September 2003

Resolution Concerning the Transfer of Passengers' Data
Resolution on Radio-Frequency Identification
Resolution on Data Protection And International Organisations
Resolution on Automatic Software Updates
Resolution on Improving the Communication of Data Protection and Privacy Information Practices

24th International Conference, Cardiff, 9-11 September 2002

Statement of the European Data Protection Commissioners at the International Conference in Cardiff on mandatory systematic retention of telecommunication traffic data

Previous conferences were hosted in the following countries:

23rd Conference – Paris, France (24-26 September 2001)
22nd Conference – Venice, Italy (28-30 September 2000)
21st Conference – Hong Kong (1999)
20th Conference – Santiago de Compostela, Spain (1998)
19th Conference – Brussels, Belgium (1997)
18th Conference – Ottawa, Canada (1996)

348 http://www.privacyconference2006.co.uk/
349 http://www.privacyconference2005.org/
350 http://26konferencja.giodo.gov.pl/


17th Conference – Copenhagen, Denmark (1995)
16th Conference – The Hague, The Netherlands (1994)
15th Conference – Manchester, United Kingdom (1993)
14th Conference – Sydney, Australia (1992)
13th Conference – Strasbourg, Council of Europe (1991)
12th Conference – Paris, France (1990)
11th Conference – Berlin, F.R. Germany (1989)
10th Conference – Oslo, Norway (1988)
9th Conference – Quebec, Canada (1987)
8th Conference – Lisbon, Portugal (1986)
7th Conference – Luxembourg (1985)
6th Conference – Vienna, Austria (1984)
5th Conference – Stockholm, Sweden (1983)
4th Conference – London, United Kingdom (1982)
3rd Conference – Paris, France (1981)
2nd Conference – Ottawa, Canada (1980)
1st Conference – Bonn, F.R. Germany (1979)351

4.1.4 International Working Group on Coordination of Privacy Enforcement

The International Conference can form Working Groups composed of members of the conference. These groups derive their mandate from and report to the closed session of the Conference. Participation in these groups is voluntary.

4.2 ORGANISATION FOR ECONOMIC CO-OPERATION AND DEVELOPMENT

The Paris-based Organisation for Economic Co-operation and Development (OECD) took up the issue of privacy co-operation and co-ordination early on. The OECD saw it as an important policy issue, and recognised the need for an interoperable approach to privacy and the need to establish common objectives and understanding regarding privacy and the enforcement of privacy laws. Also relevant to protecting privacy, the OECD produced security guidelines in 2002. The OECD has adopted a risk-based approach to security. The UN Resolution on security in 2002 was largely based on OECD work. The OECD has been studying national cyber security strategies for some years. The OECD is currently reviewing its security guidelines and developing a set of security indicators. The OECD has also looked at identity management and the protection of children in an online environment. In July 2013, the OECD produced a revision of its influential 1980 privacy guidelines.352 The revisions include:

A Recommendation of the OECD Council concerning Guidelines governing the Protection of Privacy and Transborder Flows of Personal Data (July 2013); and

A new explanatory memorandum providing context and rationale for the July 2013 revisions.

351 GIODO, “Conferences”, 2013, https://privacyconference2013.org/Conferences
352 Organisation for Economic Co-operation and Development, OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, Paris, 23 Sept 1980. http://www.oecd.org/internet/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm. The revised guidelines can be found here: http://www.oecd.org/sti/ieconomy/privacy.htm


The process to revise the Guidelines was led by the OECD’s Working Party on Information Security and Privacy (WPISP), working from terms of reference released at an OECD conference on global interoperability in Mexico City in November 2011. In accordance with the terms of reference, the WPISP convened a multi-stakeholder group of experts from governments, privacy enforcement authorities, academia, business, civil society and the Internet technical community. This expert group was chaired by Jennifer Stoddart, Privacy Commissioner of Canada. Omer Tene, consultant to the OECD, served as rapporteur. On the basis of the work by the expert group, proposed revisions were developed by the WPISP and approved by the Committee for Information, Computer and Communications Policy (ICCP), before final adoption by the OECD Council in July 2013.

4.2.1 OECD Working Party on Security and Privacy in the Digital Economy (SPDE) - formerly Working Party on Information Security and Privacy (WPISP)

The Working Party on Information Security and Privacy (WPISP) is part of the Organisation for Economic Co-operation and Development (OECD) Directorate for Science, Technology and Industry. It reports to the Committee for Information, Computers and Communications Policy (ICCP), which in turn reports to the OECD Council. WPISP is an intergovernmental forum that focuses upon the economic and social aspects of cyber security and privacy. It develops public policy analysis and recommendations intended for governments and other stakeholders to ensure that security and privacy protection contribute to the development of the information economy. The information economy is seen by the OECD as a platform for economic and social prosperity. WPISP conducts policy development, monitors trends, allows policy makers to share experiences, and analyses the impact of technology on information security and privacy policy making. It also maintains a network of experts from government, business, civil society and the Internet technical community. WPISP meets twice per year in Paris, and organises expert forums. Its activities are supported by the OECD secretariat. All OECD members can be members of the WPISP. About 34 countries participate, although the participating countries vary from meeting to meeting, as in some cases do the agencies that represent them. According to WPISP, its work:

Serves as a foundation for developing national co-ordinated policies.
Is balanced and pragmatic, and respects cultural, legal and social differences.
Benefits the broader international community through OECD’s co-operation with non-members and other international and regional organisations (such as the Council of Europe and APEC).
Supports OECD’s core values.353

353 OECD, “What is the Working Party on Information Security and Privacy (WPISP)”, undated. http://www.oecd.org/sti/whatistheoecdworkingpartyoninformationsecurityandprivacywpisp.htm
354 OECD, “OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data”, undated. http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm

WPISP has been involved in developing the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data354, the report “Privacy Online: OECD Guidance on Policy and Practice”, and the OECD privacy policy generator.355 It is also involved in ongoing co-operation on privacy law enforcement. In addition to work on privacy, WPISP is also involved in work on information security, primarily towards the development of a “culture of security” which promotes security in the design and use of ICT, and also helps various participants become aware of risks and assume responsibility for enhancing the security of information systems and networks. WPISP’s direction has been influenced by the Ottawa Ministerial Declaration 1998356, which charged the OECD with providing practical guidance to member countries on the implementation of the OECD privacy guidelines, and by the integration of the action items in the Declaration into the OECD Action Plan. This direction includes:

Encouraging the adoption of privacy policies;
Encouraging the online notification of privacy policies to users;
Ensuring that enforcement and redress mechanisms are available in cases of non-compliance;
Promoting user education and awareness about online privacy and the means at their disposal for protecting privacy;
Encouraging the use of privacy-enhancing technologies; and
Encouraging the use and development of contractual solutions for online transborder data flows.

The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data were a response both to the development of the automatic processing of personal data and to the potential for disparities in national legislation to impede the free flow of data across borders. The OECD guidelines were therefore intended to harmonise national legislation. The OECD issued a Recommendation on 23 September 1980. The OECD recommended:

that Member countries take into account in their domestic legislation the principles concerning the protection of privacy and individual liberties set forth in the Guidelines;

that Member countries endeavour to remove or avoid creating, in the name of privacy protection, unjustified obstacles to transborder flows of personal data;

that Member countries co-operate in the implementation of the Guidelines set forth in the Annex;

that Member countries agree as soon as possible on specific procedures of consultation and co-operation for the application of these Guidelines.357

Section Five of the Annex to the Recommendation deals with international co-operation. It requests that member countries make known to other members the details of their observance of the principles in the guidelines, and ensure that their procedures for the transborder flow of information and the protection of privacy and other liberties are both simple and compatible with those of other members that also comply with the Guidelines. Member countries should establish procedures to facilitate information exchange and mutual assistance in procedural and investigative efforts. A report by WPISP on the 30-year anniversary of the Guidelines found that: “The Guidelines have been a remarkable success. They represent an international consensus on personal data protection in the public and private sectors. They have influenced the development of national legislation and model codes within OECD member countries, and beyond.”358

Privacy Online: OECD Guidance on Policy and Practice359 focuses upon the implementation of the OECD privacy guidelines online and offers policy and practical guidance. It also collates the activities of WPISP up to 2003.

The OECD privacy policy generator was an online educational tool to support the conduct of an internal review of personal data practices and the development of privacy policies. The tool was created to encourage the adoption and posting of consistent privacy policies, and lasted for ten years from 2000 before being retired.360 OECD work on privacy also included research into alternative dispute resolution methods and an inventory of Privacy Enhancing Technologies.361

WPISP was involved in the review of the OECD privacy guidelines, which was completed in 2013.362 Following initial workshops and a questionnaire circulated to stakeholders, OECD members agreed terms of reference363 which were published in November 2011. WPISP expressed the intention to hold multi-stakeholder expert discussions on the OECD framework, encompassing the roles and responsibilities of key actors, geographic restrictions on data flows, and proactive implementation and enforcement. The discussions were intended to include experts from governments, international organisations, privacy enforcement authorities, academics, business, civil society, and the Internet technical community. The invited experts’ recommendations for consideration were presented to OECD members by October 2012. The aim of these discussions was to advise the OECD membership on keeping the OECD privacy guidelines relevant.

355 OECD, “OECD Privacy Statement Generator”, undated. http://www.oecd.org/sti/ieconomy/oecdprivacystatementgenerator.htm
356 Working Party on Information Security and Privacy, “Ministerial declaration on the protection of privacy in global networks”, Ottawa, 7-9 October 1998. http://www.oecd.org/sti/ieconomy/1840065.pdf
357 OECD, “OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data”, undated. http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm
The revised guidelines include the OECD encouraging member countries to enter into international agreements that give practical effect to the revised guidelines, with the aim of improving the interoperability of privacy frameworks. WPISP recently changed its name to the OECD Working Party on Security and Privacy in the Digital Economy (SPDE).

358 Working Party on Information Security and Privacy, “The evolving privacy landscape: 30 years after the OECD privacy guidelines”, DSTI/ICCP/REG(2010)6/final, Paris, 6 April 2011. http://www.oecd.org/sti/ieconomy/47683378.pdf
359 OECD, “Privacy Online: OECD guidance on policy and practice”, Paris, 2003.
360 OECD, “OECD Privacy Statement Generator”, undated. http://www.oecd.org/sti/ieconomy/oecdprivacystatementgenerator.htm
361 OECD, “Privacy Online: OECD guidance on policy and practice”, Paris, 2003, pp. 16-12.
362 OECD, “OECD Guidelines governing the protection of privacy and transborder flows of personal data”, https://www.huntonprivacyblog.com/wp-content/files/2013/09/2013-oecd-privacy-guidelines.pdf
363 Working Party on Information Security and Privacy, “Terms of reference for the review of the OECD guidelines governing the protection of privacy and transborder flows of personal data”, DTSI/ICCP(2011)4/FINAL, OECD, 31 October 2011.
364 OECD, “OECD Recommendation on the Cross-border Co-operation in the Enforcement of Privacy Laws”, OECD, 2007. http://www.oecd.org/sti/ieconomy/37558845.pdf
365 OECD, “OECD Questionnaire on the cross-border enforcement of privacy laws”, DSTI/ICCP/REG(2006)1, 2006. http://www.oecd.org/sti/ieconomy/37572050.pdf

4.2.2 OECD Report on the Cross-border Enforcement of Privacy Laws (2006)

In October 2006 the OECD published a Report on the Cross-border Enforcement of Privacy Laws.364 The report was based upon a questionnaire of OECD governments conducted by WPISP.365 The findings in this report suggest a number of possible topics for further study and consideration, including:

Examination of approaches to handling and classifying cross-border complaints.
Work towards identifying common priorities for enforcement co-operation.
Ways to improve co-operation between authorities with respect to notifications, information sharing, and investigative assistance.
Consideration of the adequacy of sanctions and remedies available to privacy enforcement authorities in the context of cross-border cases.
Work towards improving the prospects of international judgment recognition and enforcement of orders for monetary redress for individuals who suffer privacy breaches.
Examination of informal methods of international co-operation – often through regional networks – that allow for information exchange on current issues and best practices.
Consideration of the need for practical tools, like contact lists, forms to request assistance from another authority, cross-border complaint forms, common approaches to reporting case results, etc.
Work towards establishing a more complete and robust set of indicators about the dimensions of cross-border privacy problems.366

4.2.3 OECD Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy, 2007

Following on from the Report, the OECD published a Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy in 2007.367 This set forth a framework for co-operation on the enforcement of privacy laws. The WPISP work on the Recommendation was led by Jennifer Stoddart, Privacy Commissioner of Canada. The OECD recommended that member countries co-operate across borders in the enforcement of laws protecting privacy, taking appropriate steps to:

Improve their domestic frameworks for privacy law enforcement to better enable their authorities to co-operate with foreign authorities.

Develop effective international mechanisms to facilitate cross-border privacy law enforcement co-operation.

Provide mutual assistance to one another in the enforcement of laws protecting privacy, including through notification, complaint referral, investigative assistance and information sharing, subject to appropriate safeguards.

Engage relevant stakeholders in discussion and activities aimed at further co-operation in the enforcement of laws protecting privacy.368

The Recommendation identified the need to develop domestic measures in order to improve cross-border privacy co-operation. Such measures included ensuring that privacy enforcement authorities have the necessary powers and authority, including significant sanctions, and clarifying or removing legislation that might prevent the exchange of information on cases between different privacy authorities. It also identified barriers to co-operation arising from the inability of some authorities to determine their own investigative priorities and from resource constraints. The Recommendation calls upon OECD members to share information on enforcement outcomes. It also identifies multilateral or bilateral memoranda of understanding as a useful tool for improving cross-border co-operation. Whilst most of the responsibility for implementing the Recommendation sits with member governments, the OECD also works to facilitate some elements, particularly in relation to international co-operation (see below).

366 OECD, Report on the Cross-Border Enforcement of Privacy Laws, Paris, October 2006, p. 26.
367 OECD, Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy, Paris, 2006. http://www.oecd.org/sti/ieconomy/38770483.pdf
368 OECD, Report on the Cross-Border Enforcement of Privacy Laws, Paris, October 2006. http://www.oecd.org/sti/ieconomy/37558845.pdf

4.2.4 Report on the Implementation of the OECD Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy, 2011

The OECD digital economy paper 178 was a report by WPISP on the implementation of the 2007 Recommendation.369 This report was also included in the document Thirty Years After the OECD Privacy Guidelines.370 The report sets out WPISP activities (detailed below) and concludes that the Recommendation is stimulating improvements in members’ ability to co-operate across borders in the enforcement of privacy laws. It does not identify any adverse effects of increased co-operation, and whilst there is general willingness to co-operate amongst privacy enforcement authorities, actual instances of co-operation are limited. The report suggests that members should:

Designate a contact point so that they can be contacted on cross-border issues.
Share case-related information in individual cross-border cases, and information on technical expertise and investigation methods.
Share information on enforcement outcomes by publishing case reports, possibly in a common format that would make comparisons easier.
Consult with other types of criminal law enforcement authorities, private sector groups and civil society.
Consider becoming a member of regional or global enforcement arrangements or developing memoranda of understanding with other authorities.371

4.2.5 Privacy enforcement authorities

Currently, nearly all OECD members have laws that establish privacy enforcement authorities. The OECD sees this as an improvement over the third of members that had such authorities when the Privacy Guidelines were adopted in 1980. However, the OECD notes the variance between the scope of laws, regulatory models, complaint handling processes, and investigation and audit powers in different member states.

369 OECD, Report on the Implementation of the OECD Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy, OECD Digital Economy Papers, No. 178, 2011. http://www.oecd-ilibrary.org/science-and-technology/report-on-the-implementation-of-the-oecd-recommendation-on-cross-border-co-operation-in-the-enforcement-of-laws-protecting-privacy_5kgdpm9wg9xs-en
370 OECD, Thirty years after the OECD Privacy Guidelines, Paris, 2011. http://www.oecd.org/sti/ieconomy/49710223.pdf
371 OECD, Report on the Implementation of the OECD Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy, OECD Digital Economy Papers, No. 178, 2011. http://www.oecd-ilibrary.org/science-and-technology/report-on-the-implementation-of-the-oecd-recommendation-on-cross-border-co-operation-in-the-enforcement-of-laws-protecting-privacy_5kgdpm9wg9xs-en


Following on from the 2007 Recommendation, the OECD conducted work to support international co-operation between privacy enforcement authorities. The OECD hosts the website and online platform for the Global Privacy Enforcement Network (GPEN). The OECD also maintains a list of national contact points for co-operation and mutual assistance under the 2007 Recommendation. 23 member countries had designated a contact point to the OECD by 2011; WPISP sees this as an area in need of improvement and of co-ordination with other lists of contact points (such as those maintained by the Article 29 Working Party or APEC). This contact list has been shared with privacy enforcement authorities outside of the OECD membership. WPISP developed a Request for Assistance form372 to standardise the categories of information presented to an authority receiving a request for assistance. The OECD form has also been adopted by APEC.373 The WPISP receives reports on the progress of GPEN work. It also collects contact point information from the authorities for enforcement actions, which was also part of the Recommendation. Co-operation between privacy enforcement authorities can also potentially occur under the OECD Recommendation on anti-spam law enforcement co-operation.374

4.3 GLOBAL PRIVACY ENFORCEMENT NETWORK (GPEN)

The origins of the Global Privacy Enforcement Network (GPEN) lie in the OECD work on cross-border co-operation in 2006. The OECD secretariat sent a questionnaire to OECD members on how they enforce privacy, which led to a high-level, non-binding Council Recommendation. One of the items in the Recommendation concerned the establishment of a GPEN-like mechanism, structured along the lines of some consumer actions. GPEN was set up by the authorities who participate in it. Founded in September 2010, GPEN aims to facilitate cross-border co-operation in the enforcement of privacy laws.375 Membership in GPEN enables privacy regulators from around the world to work more closely as they address risks to the personal information of their citizens. Taking into consideration the initiatives of international groups such as the Asia Pacific Economic Cooperation forum (“APEC”), the International Conference of Data Protection and Privacy Commissioners (“ICDPPC”), the Article 29 Working Party, and the Organization for Economic Co-operation and Development (“OECD”), 13 authorities responsible for privacy enforcement formed an international Global Privacy Enforcement Network (GPEN) on 10 March 2010 in order to support data protection and the right to privacy on a global level.376

372 OECD, Request for Assistance Form v-1.0. http://www.oecd.org/sti/ieconomy/38772442.doc
373 OECD, Thirty years after the OECD Privacy Guidelines, Paris, 2011. http://www.oecd.org/sti/ieconomy/49710223.pdf
374 OECD, Recommendation on Cross-Border Co-operation in the Enforcement of Laws against Spam, Paris, 13 April 2006.
375 www.privacyenforcement.net
376 The information in this section has been extracted from a GIODO news release found at: http://www.giodo.gov.pl/259/id_art/679/j/en/


The Network is the result of a June 2007 OECD Recommendation on Cross-Border Cooperation in the Enforcement of the Laws Protecting Privacy,377 and was launched at an OECD meeting. The Recommendation called for member countries to foster the establishment of an informal network of Privacy Enforcement Authorities [para. 21]. It further specified a number of tasks for the network:

- Discuss the practical aspects of privacy law enforcement co-operation;
- Share best practices in addressing cross-border challenges;
- Work to develop shared enforcement priorities; and
- Support joint enforcement initiatives and awareness campaigns.

GPEN’s statement of mission mirrors the Recommendation and states that GPEN “connects privacy enforcement authorities from around the world to promote and support cooperation in cross-border enforcement of laws protecting privacy.”378 This is to be achieved through exchanging information, encouraging training opportunities, sharing enforcement expertise and good practice, promoting dialogue between organisations with privacy enforcement roles, and creating and maintaining processes that support co-operation. In the summer of 2008, privacy authorities began to exchange experiences and discuss the practical aspects of enforcement cooperation via a Web utility.379 The OECD hosts www.privacyenforcement.net, a web platform for GPEN. This site provides a restricted-access platform for sharing documents and news. It also includes collaboration tools such as discussion forums, an events calendar and other functionalities.

The mission of this organisation, as specified in the “Action Plan” setting up GPEN, is, among other things, sharing information about privacy enforcement issues, trends and experiences; participating in relevant training; cooperating on outreach activities; engaging in dialogue with relevant private sector organizations on privacy enforcement and outreach issues; and facilitating effective cross-border privacy enforcement in specific matters by creating a contact list of privacy enforcement authorities interested in bilateral cooperation in cross-border investigations and enforcement matters. The GPEN action plan is not legally binding, and co-operation is subject to applicable laws in the jurisdictions involved. The action plan states that GPEN is focused on the practical aspects of privacy enforcement cooperation and that participants do not intend for GPEN to issue public opinions, position papers, or recommendations on privacy policy. However, GPEN may develop and share consensus views with other bodies on means to advance cross-border privacy enforcement cooperation.

GPEN has 46 Members, who are national Data Protection authorities or Information Commissioners. More than one privacy enforcement authority from a single country, economy or jurisdiction can participate in GPEN. Membership requirements include responsibility for enforcing laws or regulations on personal data, and powers to conduct investigations or enforcement actions.

377 OECD, Recommendation on Cross-Border Co-operation in the Enforcement of Privacy Laws, OECD, Paris, 2007. http://www.oecd.org/internet/ieconomy/38770483.pdf
378 Global Privacy Enforcement Network, Action Plan for the Global Privacy Enforcement Network, 15 June 2012; Part E amended 22 January 2013. https://www.privacyenforcement.net/public/activities
379 Global Privacy Enforcement Network, http://www.privacyenforcement.net/


Table: GPEN members by country380

Albania: Commissioner for Personal Data Protection (KMDP) of the Republic of Albania
Australia: Office of the Australian Information Commissioner; Office of the Victorian Privacy Commissioner; Office of the Information Commissioner, Queensland; Information and Privacy Commission, New South Wales; Northern Territory Information Commissioner
Belgium: Data Protection Commission
Bulgaria: Bulgarian Commission for Personal Data Protection
Canada: Office of the Privacy Commissioner of Canada; Information and Privacy Commissioner of British Columbia; Information and Privacy Commissioner, Ontario; Information and Privacy Commissioner of Alberta
China (Special Administrative Regions): Office for Personal Data Protection, Macau SAR, China
Colombia: Superintendencia de Industria y Comercio (SIC)
Czech Republic: Office for Personal Data Protection of the Czech Republic
European Union: European Data Protection Supervisor
Estonia: Estonian Data Protection Inspectorate
France: Commission Nationale de l’Informatique et des Libertés
Gibraltar: Gibraltar Regulatory Authority
Germany: Federal Data Protection Commission; Berlin Commissioner for Data Protection and Freedom of Information
Guernsey: Data Protection Office
Hungary: National Authority for Data Protection and Freedom of Information (NAIH)
Ireland: Office of the Data Protection Commissioner
Isle of Man: Data Protection Commissioner
Israel: The Israeli Law, Information and Technology Authority
Italy: Garante Per La Protezione Dei Dati Personali
Korea: Ministry of Public Administration and Security; Korea Internet Security Agency; Personal Information Protection Commission
Lithuania: The State Data Protection Inspectorate
Luxembourg: Commission nationale pour la protection des données (CNPD)
Mauritius: Data Protection Office of the Republic of Mauritius
Mexico: Federal Institute for Access to Information and Data Protection (IFAI)
Moldova: Moldova Data Protection Authority
Monaco: Commission de Contrôle des Informations Nominatives (personal data supervisory commission) of Monaco
Netherlands: Dutch Data Protection Authority
New Zealand: Office of the Privacy Commissioner
Norway: Data Protection Authority
Poland: Office of the Inspector General for the Protection of Personal Data (GIODO)

380 Global Privacy Enforcement Network http://www.privacyenforcement.net/


Slovenia: Information Commissioner
Spain: Agencia Española de Protección de Datos
Switzerland: Federal Data Protection and Information Commissioner
Ukraine: State Service of Ukraine on Personal Data Protection
United Kingdom: Information Commissioner’s Office
United States: Federal Trade Commission

The founding authorities of the Global Privacy Enforcement Network (GPEN) were:

- U.S. Federal Trade Commission
- Office of the Privacy Commissioner of Canada
- Commission Nationale de l’Informatique et des Libertés (France)
- Office of the Privacy Commissioner, New Zealand
- Israeli Law, Information and Technology Authority
- Office of the Privacy Commissioner, Australia
- Office of the Data Protection Commissioner, Ireland
- Agencia Española de Protección de Datos (Spain)
- Information Commissioner’s Office (United Kingdom)
- Garante Per La Protezione Dei Dati Personali (Italy)
- Dutch Data Protection Authority (the Netherlands)
- Federal Commissioner for Data Protection and Freedom of Information (Germany)
- Office of the Victorian Privacy Commissioner (Victoria, Australia)

New participants apply to the existing members, and are expected to endorse the Action Plan.381 More information can be found at: www.privacyenforcement.net

381 Global Privacy Enforcement Network, Action Plan for the Global Privacy Enforcement Network, 15 June 2012; Part E amended 22 January 2013. https://www.privacyenforcement.net/public/activities

4.3.1 Distinguishing between co-operation and co-ordination

Blair Stewart (Office of the Privacy Commissioner, New Zealand) presented a paper at the November 2011 meeting of GPEN on the subject of global privacy enforcement co-ordination as an adjunct to on-going efforts in privacy enforcement co-operation. Co-ordination is absent from the OECD Recommendation that serves as the basis for GPEN, but the paper argues that the increasing number of cases in which multiple privacy enforcement authorities have investigated the same matter across multiple jurisdictions points to an increased need for co-ordination. The paper argues that parallel investigations, in which even the investigators do not know who else is investigating, or what, lead to wasted resources, duplicated effort, and poorer and slower results than co-ordinated investigations, and even allow uncooperative investigation subjects to play off different investigators against each other. Further, Stewart suggests that the need for global co-ordination is most apparent where a single incident warranting investigation affects individuals across numerous jurisdictions; other scenarios also benefit from co-ordination, however.

The paper draws together definitions of co-ordination in the context of multi-lateral privacy enforcement, and proposes combining, synchronising and integrating the efforts and resources of the privacy enforcement authorities involved in investigating an incident so as to produce harmonious results. This implies requirements for mechanisms for combining efforts, the establishment of common objectives, the identification of incidents liable to lead to co-ordinated investigation, agreement on desirable outcomes, synchronisation methods, and the identification of collective resources.

The paper presents a range of forms of co-ordination, from no co-ordination, through light, moderate and strong informal co-ordination, to formal co-ordination based upon some kind of treaty or legal basis. Light informal co-ordination involves the sharing of information, much of which is already public. Moderate informal co-ordination adds the sharing of non-public information, for example the names of assigned investigators and information on the stages of an investigation, as well as a forum for ad hoc co-ordination efforts aside from the main co-operation structures. Strong informal co-ordination also adds central leadership elements to co-ordinate the timing of investigations. The paper also identifies potential barriers to co-ordination, including domestic law and particularly prohibitions and restrictions on the sharing of information.

After briefly examining alternative venues, the paper identifies GPEN, and its password-protected website, as a suitable vehicle for increased co-ordination efforts at the global level, although this would require changes to the current GPEN action plan. It envisages co-ordination on particular investigation actions on an opt-in basis, with potential efforts identified through GPEN teleconferences. The paper suggests increased security measures for the website in response to concerns from members over the secure sharing of sensitive information.

4.4 ASIA-PACIFIC ECONOMIC CO-OPERATION

Asia-Pacific Economic Cooperation (APEC) is a forum for 21 Pacific Rim countries that seeks to promote free trade and economic cooperation throughout the Asia-Pacific region.382 It was established in 1989 in response to the growing interdependence of Asia-Pacific economies and the advent of regional trade blocs in other parts of the world.
APEC works to raise living standards and education levels through sustainable economic growth and to foster a sense of community and an appreciation of shared interests among Asia-Pacific countries. APEC includes newly industrialised economies (NIEs), although the free trade agenda was a sensitive issue for the developing NIEs at the time APEC was founded, and aims to enable ASEAN economies to explore new export market opportunities for natural resources such as natural gas, as well as to seek regional economic integration (industrial integration) by means of foreign direct investment. Members account for approximately 40% of the world's population, approximately 54% of the world's gross domestic product and about 44% of world trade.

4.4.1 APEC Cross-border Privacy Enforcement Arrangement (CPEA)

The APEC Privacy Framework was endorsed by APEC ministers in 2004 and published in 2005. The Framework aims to improve information sharing among government agencies and regulators, facilitate the safe transfer of information between economies, establish a common set of privacy principles, encourage the use of electronic data as a means to enhance and expand business, and provide technical assistance to APEC economies that have yet to address privacy regulation or policy. Encouraging the flow of data is seen by APEC as a component part of facilitating free trade in the Asia-Pacific region.

382 www.apec.org. See also http://en.wikipedia.org/wiki/APEC


APEC created a Cross­border Privacy Enforcement Arrangement (CPEA) as a framework for regional co­operation on privacy enforcement. CPEA emerged from the Data Privacy Pathfinder initiative, and focuses upon the particular Framework objective to facilitate domestic and international efforts to promote and enforce privacy protections. The CPEA was endorsed by APEC Ministers in November 2009 and commenced on 16 July 2010. CPEA establishes a protocol under which participating authorities may contact each other for assistance in collecting evidence, share information during investigations, and liaise with one another for enforcement actions. The aims of CPEA are to facilitate information sharing between APEC privacy enforcement authorities, provide mechanisms for effective cross­border co­operation in the enforcement of privacy law, and to encourage information sharing and co­operation with privacy enforcement agencies outside of APEC. Participation in CPEA is required in order to also participate in the Cross­Border Privacy Rules (CBPR) system. More than one privacy enforcement authority from each member economy can participate. CPEA participation establishes networks of voluntary co­operation seen as necessary for effective international privacy protection.383 The CPEA network may contribute to the cross­border enforcement of the APEC Cross­Border Privacy Rules system.384 CPEA membership includes:

- the Office of the Australian Information Commissioner (OAIC)
- New Zealand Office of the Privacy Commissioner (NZOPC)
- the United States Federal Trade Commission (FTC)
- Office of the Privacy Commissioner for Personal Data, Hong Kong, China (PCPD)
- Office of the Privacy Commissioner of Canada (OPCC)
- Ministry of Foreign Affairs of Japan
- Ministry of Economy, Trade and Industry of Japan
- Ministry of Internal Affairs and Communications of Japan
- Ministry of Finance of Japan
- Ministry of Justice of Japan
- Ministry of Agriculture, Forestry and Fisheries of Japan
- Ministry of Land, Infrastructure, Transport and Tourism of Japan
- Ministry of Defense of Japan
- Ministry of Health, Labour and Welfare of Japan
- Ministry of Education, Culture, Sports, Science and Technology of Japan
- Ministry of Environment of Japan
- Cabinet Office of Japan
- Consumer Affairs Agency of Japan
- Financial Services Agency of Japan
- National Police Agency of Japan
- Ministry of Public Administration and Security (MOPAS) of Korea

383 Chatelois, Daniele, and Josh Harris, “Introduction to the APEC Cross-Border Privacy Rules System: Data privacy in Canada”, Presentation to the American Bar Association, Privacy and Information Security Committee, 16 April 2012. http://www.americanbar.org/content/dam/aba/publications/antitrust_law/20120416_at12416_materials.authcheckdam.pdf
384 Yeo, Vivian, “APEC leads new initiative for privacy cooperation”, ZDNet, 16 July 2010. http://www.zdnet.com/apec-leads-new-initiative-for-privacy-cooperation-2062201400/


- Federal Institute for Access to Information and Data Protection of Mexico
- Reconstruction Agency of Japan
- Personal Data Protection Commission, Singapore (PDPC)

The role of the co-operation framework administrator can be performed by the APEC secretariat, a Privacy Enforcement Authority, or jointly by the secretariat and an authority, as designated by the Electronic Commerce Steering Group. The administrator is responsible for assessing membership applications, maintaining up-to-date information and compiling contact points, and may conduct publicity activities and promote co-operation initiatives. Participants should assist one another by considering other participants’ requests for assistance and referrals for investigation or enforcement, and by sharing information and cooperating on the investigation or enforcement of Privacy Laws. Participants may decline requests for assistance, or limit their co-operation, on the basis of inconsistency with domestic law, the request being outside the authority’s jurisdiction, lack of authorisation to investigate, resource constraints, prioritisation, absence of mutual interest, the matter being outside the scope of the co-operation agreement, another body being more appropriate, or any other applicable circumstances. The determination of these circumstances is at the discretion of the participant.385

The co-operation agreement sets out the encouraged information sharing activities. These include designation of a contact point for other privacy enforcement authorities, the preparation of a statement of practices, policies and activities to be made available to other participants, and the sharing of experiences. Participants are encouraged to provide other participants with information relating to matters within the scope of the Cooperation Arrangement, including:

- surveys of public attitudes bearing upon enforcement matters;
- details of research projects having an enforcement or cross-border cooperation dimension;
- enforcement training programmes;
- changes in relevant legislation;
- experiences with various techniques in investigating privacy violations and with regulatory strategies, including self-regulatory strategies, involving such violations;
- information about trends and developments in the types and numbers of complaints and disputes they handle; and
- opportunities for privacy enforcement staff training and employment.386

385 APEC, APEC Cooperation Arrangement for Cross-Border Privacy Enforcement, Japan, 28 February 2010. http://aimp.apec.org/Documents/2010/ECSG/DPS1/10_ecsg_dps1_013.pdf
386 APEC, APEC Cooperation Arrangement for Cross-Border Privacy Enforcement, Japan, 28 February 2010. http://aimp.apec.org/Documents/2010/ECSG/DPS1/10_ecsg_dps1_013.pdf

4.4.2 Data Privacy Subgroup of the APEC Electronic Commerce Steering Group

In November 2004, Ministers of the Asia-Pacific Economic Co-operation (APEC) endorsed the APEC Privacy Framework, developed by the Data Privacy Subgroup of the Electronic Commerce Steering Group. The Framework acknowledges the importance of protecting information privacy alongside the desirability of maintaining information flows between economies in the Asia Pacific region. Lack of consumer trust and confidence in the privacy and security of online transactions and information networks is seen as a potential barrier to realising the benefits of electronic commerce for member economies. The framework is positioned as being consistent with the OECD's 1980 privacy Guidelines.

Table: key events in APEC privacy co-operation

1998: Electronic Commerce Steering Group (ECSG) established
2001: e-APEC Strategy includes focus on data protection and consumer trust387
2003: ECSG Data Privacy Subgroup (DPS) established
November 2004: APEC Privacy Framework endorsed by APEC ministers
2005: APEC Privacy Framework published388
2006: Data Privacy Individual Action Plans
2007: Data Privacy Pathfinder
2009: Cross-Border Privacy Enforcement Arrangement (CPEA)
2011: Cross-Border Privacy Rules (CBPR) system finalised

The Framework consists of nine principles to assist APEC countries in developing approaches to privacy that maximise privacy protection whilst at the same time encouraging the cross-border flow of information. The principles are preventing harm, notice, use, collection limitation, choice, security safeguards, integrity, access and correction, and accountability. The Framework's privacy principles and implementation guidance are focused on the achievement of four main goals:

“- To develop appropriate privacy protections for personal information.
- To prevent the creation of unnecessary barriers to information flows.
- To enable multinational businesses to implement uniform approaches to the collection, use, and processing of data; and
- To facilitate both domestic and international efforts to promote and enforce information privacy protections.”389

The Framework is intended to be implemented in a flexible manner which may differ between member economies. However, different methods of implementation should be designed so as to maximise compatibility of approaches to privacy protection across the region. Member economies are encouraged to share information on matters with impacts upon privacy, on educational and training efforts, on experiences of investigations, and on regulatory strategies, and to designate public authorities responsible for cross-border co-operation and information sharing in relation to privacy protection.390 The Framework asks member economies to consider developing co-operative arrangements and procedures to facilitate cross-border collaboration in the enforcement of privacy laws (taking into account existing international arrangements and the requirements of domestic law). The Framework envisages co-operative arrangements as including mechanisms for efficient notification of investigations, information sharing, investigative assistance, prioritisation, and the maintenance of confidentiality. The Guidance for Domestic Implementation of the APEC Principles also annexes a future work agenda that includes the following: “Member Economies should cooperate in relation to making remedies available against privacy infringements where there is a cross-border dimension. In order to contribute to this goal, Member Economies will endeavour to develop cooperative arrangements between privacy investigation and enforcement agencies of Member Economies.”391 A stocktaking exercise of the national implementation of the APEC Privacy Framework is part of the 2013-2014 work programme for the Data Privacy Sub-group.

In line with the call in the Framework, APEC’s Data Privacy Sub-group developed Cross-Border Privacy Rules along with information sharing and co-operation among privacy regulators in the area of investigation and enforcement.392 The Data Privacy Subgroup also had responsibility for the Data Privacy Pathfinder Initiative. The APEC Data Privacy Pathfinder was established in 2007. The aim of the pathfinder was to allow for accountable cross-border flow of personal information in the APEC region. Amongst other projects, this was to be achieved through the development and implementation of a set of Cross-Border Privacy Rules (CBPR) consistent with the APEC Privacy Framework. Cross-Border Privacy Rules allow businesses to set out their practices for collecting and processing personal information, and to use these rules as internal procedures. The rules must comply with the APEC Privacy Framework and the national laws of the countries where the business operates.393 The Framework implementation guidance notes that organisations are still responsible for complying with local data protection laws, but that CBPR allows mutual recognition between economies. The Data Privacy Sub-group has recently worked upon a CBPR Glossary. Currently the USA and Mexico have applied and met the requirements for participation in CBPR.

387 Electronic Commerce Steering Groups, e-APEC Strategy, People’s Posts & Telecommunications Publishing House, October 2001. http://publications.apec.org/publication-detail.php?pub_id=584
388 Asia-Pacific Economic Cooperation, APEC Privacy Framework, APEC Secretariat, Singapore, 2005. http://publications.apec.org/publication-detail.php?pub_id=390
389 OECD, Report on the Cross-Border Enforcement of Privacy Laws, Paris, October 2006, p. 23.
390 Asia-Pacific Economic Cooperation, APEC Privacy Framework, APEC Secretariat, Singapore, 2005, p. 34. http://publications.apec.org/publication-detail.php?pub_id=390
APEC members also develop Data Privacy Individual Action Plans (IAP) and lodge these with APEC.394 The aim of the IAP is to allow member economies to understand the stage of data privacy that another member economy has reached, and thereby facilitate the development of common effective privacy protections and the cross-border flow of information. IAPs are intended to be updated periodically to reflect domestic implementation of the APEC Privacy Framework, although only five out of 14 have been updated since 2006. 2013 saw the first meeting of the APEC/EU Working Team under the auspices of the 27th Meeting of the Electronic Commerce Steering Group. The EU was represented by officials from the French, German and EU data protection authorities as part of the Article 29 Data Protection Working Party. The discussion centred upon the relationship between the European Binding Corporate Rules and APEC CBPR.

4.4.3 APEC – Art 29 WP Promoting Co-operation on Data Transfer Systems

391 OECD, October 2006, op. cit., p. 23.
392 Ibid., p. 24.
393 Attorney General’s Department, “Asia-Pacific Economic Cooperation privacy”, undated. http://www.ag.gov.au/RightsAndProtections/Privacy/Pages/APECprivacy.aspx
394 APEC, “Data Privacy Individual Action Plan”, undated. http://www.apec.org/Groups/Committee-on-Trade-and-Investment/Electronic-Commerce-Steering-Group/Data-Privacy-Individual-Action-Plan.aspx


Representatives of the Article 29 Working Party and the Asia Pacific Economic Cooperation (APEC) met for the first time, in Jakarta, with the aim of facilitating transfers of personal data for multi-national companies that operate both in Europe and the Asia-Pacific.395 In the European Union, Binding Corporate Rules (BCR) have been developed to govern international data transfers made by companies or groups of companies. These binding internal rules define a company’s policies on data transfers in order to ensure adequate safeguards for personal data transferred from the European Union to third countries. In 2012, APEC Member Economies completed development of Cross-Border Privacy Rules (CBPR) for the protection of personal data throughout the Asia-Pacific. Like BCRs, CBPRs are designed to ensure that a company’s privacy policies meet established standards for the protection of personal information. Such policies must be validated by APEC-recognised Accountability Agents. Both BCRs and CBPRs make use of internal binding rules for cross-border transfers of personal data, subject to prior approval by EU Data Protection Authorities or by APEC-recognised Accountability Agents. Before the Jakarta meeting, the Article 29 WP conducted a study of CBPRs to identify the similarities and differences with BCRs. Using this initial comparison as a starting point, the Article 29 WP and participating APEC member countries are co-operating to develop practical tools, including a common referential, for those multinational companies that have data collection and/or processing-related activities in both the EU and the APEC region. In January 2013, a BCR/CBPR committee met for the first time to discuss this topic. Participants from the EU included representatives from the CNIL (France), the German Federal Commissioner for Data Protection and Freedom of Information, the European Data Protection Supervisor and the European Commission.
From APEC, 10 member countries participated, including Canada, Chinese Taipei, Japan, Korea, Malaysia, New Zealand, the Philippines, Singapore, Thailand and the United States. The committee set to work on the development of a roadmap for continuing cooperation and for developing practical tools for use by companies doing business in Europe and the Asia-Pacific region.

4.5 ASIA PACIFIC PRIVACY AUTHORITIES (APPA)

APPA brings together privacy regulators from Pacific Rim countries for co-operation and collaboration.396 APPA convenes twice a year, sharing jurisdictional reports and discussing topical issues including privacy and security, cross-jurisdictional law enforcement in the Pacific Rim, privacy legislation amendments, and personal data privacy. Established in 1992, the Asia Pacific Privacy Authorities is a forum for privacy authorities from the Asia-Pacific region. The APPA was formerly known as PANZA and PANZA+ (Privacy Agencies of New Zealand and Australia plus Hong Kong and Korea). An internal review in 2005 resulted in updating the name of the forum to more accurately reflect its membership and to put a formal structure in place. The objectives of the forum are to facilitate knowledge sharing between the region’s privacy authorities, foster co-operation in privacy and data protection, jointly promote privacy awareness activities, promote best practice among privacy authorities, improve regulatory performance, and support efforts to improve cross-border co-operation in privacy enforcement.397 APPA only admits as members authorities that have been accredited by the International Data Protection Commissioners Conference398 and, since 2010, participants in the APEC Cross-border Privacy Enforcement Arrangement (CPEA) and members of the OECD Global Privacy Enforcement Network (GPEN). APPA also aims to maintain positive relationships with such complementary networks. Current APPA members include the following:

- Federal Institute for Access to Information and Data Protection, Mexico
- Federal Trade Commission, United States
- Information and Privacy Commission, NSW
- Korea Internet and Security Agency
- Korea Personal Information Protection Commission
- Office for Personal Data Protection, Macau
- Office of the Australian Information Commissioner, Australia
- Office of the Information and Privacy Commissioner, British Columbia
- Office of the Information Commissioner, Queensland
- Office of the Northern Territory Information Commissioner
- Office of the Privacy Commissioner for Personal Data, Hong Kong
- Office of the Privacy Commissioner, Canada
- Office of the Privacy Commissioner, New Zealand
- Office of the Victoria Privacy Commissioner
- Superintendencia de Industria y Comercio (SIC), Colombia
- National Authority for Data Protection, Peru

395 The information in this section has been adapted from Article 29 Data Protection Working Party, “Promoting Cooperation on Data Transfer Systems Between Europe and the Asia-Pacific”, Press release, Brussels, 26 March 2013. http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/20130326_pr_apec_en.pdf. APEC issued a similar press release. See http://www.apec.org/Press/News-Releases/2013/0306_data.aspx. Additional details about APEC meetings, events, projects and publications can be found at www.apec.org.
396 APPA’s website is located at www.appaforum.org.

The APPA meeting in Auckland in July 2013 was its 39th meeting. Issues commonly discussed at the forum include current privacy enforcement issues, jurisdictional reports, significant privacy and data protection events, the activities of and co-operation with other data protection networks, reports from the working groups, and presentations from invited external guest speakers. Since December 2009, APPA has had a Secondment Framework that exists to foster collaboration between APPA members and promote best practice. The framework acknowledges the relatively small staff numbers of APPA members and the limited opportunities for internal promotion. Secondments help employees to develop new skills and experience, to transfer knowledge and experience, and even to fill gaps during absences.399

397 APPA, Statement of Objectives. http://www.appaforum.org/resources/#objectives
398 Greenleaf, Graham, “Independence of Data Privacy Authorities: International Standards and the Asia-Pacific Experience”, Computer Law & Security Review, Vol. 28, Issues 1 & 2, 13 December 2011. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1971627
399 Asia Pacific Privacy Authorities, APPA Secondment Framework, December 2009. http://www.appaforum.org/resources/APPA_Secondment_Framework_.pdf

APPA is also responsible for co-ordinating Privacy Awareness Week, held in late April or early May each year since 2006. The purpose of the Week is to promote greater privacy awareness and the importance of protecting personal information. The Privacy Awareness Week website (http://www.privacyawarenessweek.org) hosts resources (particularly for young people) as well as collating links to campaigns conducted by individual data protection authorities under the Privacy Awareness Week banner.

In November 2005, APPA agreed a standardised citation system for case notes issued by members, to facilitate reference to cases and investigations conducted by privacy authorities in the region. In November 2006, APPA adopted a recommended method for the dissemination of case notes in order to make these as widely available as possible and therefore maximise the collective regional benefit. APPA encourages members to co-operate with third-party publishers that wish to republish these notes, and to make them available in an electronic format to a regional consolidated access point. The suggested access point is the World Legal Information Institute’s Privacy Law Library.400 The Office of the Australian Information Commissioner provides the APPA secretariat.

4.5.1 Technology Working Group

The Technology Working Group is made up of representatives with an interest in technology and privacy from each APPA member organisation. The Group collaborates on common issues experienced across APPA jurisdictions. The APPA Technology Working Group considered Google’s Privacy Policy in 2012. It adopted a position supportive of the Article 29 Working Party’s investigation of the Policy.401

4.5.2 Communications Working Group

The Communications Working Group is made up of communications professionals from each APPA member organisation, who consult on communications matters. The group co-ordinates Privacy Awareness Week.402

4.6 IBERO-AMERICAN DATA PROTECTION NETWORK

In 2003, the Spanish Data Protection Authority (Agencia Española de Protección de Datos, AEPD) founded the Ibero-American Data Protection Network (RIPD) as an advisory forum for national data protection efforts in Latin America.403 The network was established as a consequence of the agreement reached at the Ibero-American Data Protection Meeting held in La Antigua, Guatemala, in 2003, attended by representatives of 14 Latin American countries. This initiative had political support from the outset, as reflected in the Final Declaration of the XIII Summit of Heads of State and Government of Latin American countries held in Santa Cruz de la Sierra, Bolivia, on 14 and 15 November 2003.

400 http://www.worldlii.org/int/special/privacy/
401 Pilgrim, Timothy, “Google’s Privacy Policy”, Letter to Jacob Kohnstamm, 12 October 2012. http://www.cnil.fr/fileadmin/documents/en/APPA_SUPPORT_LETTER-Article_29_Letter.pdf
402 See www.privacyawarenessweek.org
403 OECD, Report on the Cross-Border Enforcement of Privacy Laws, Paris, October 2006, p. 24.


These members were fully aware of the nature of personal data protection as a fundamental right, as well as of the importance of Latin American regulatory initiatives to protect the privacy of their citizens. The network therefore became a forum for promoting the fundamental right to data protection in that community. The RIPD was regulated through the rules adopted on the occasion of the VI Ibero-American Data Protection Meeting held in Cartagena de Indias, Colombia (27 to 30 May 2008). In turn, the RIPD was opened to all Latin American countries to promote and implement initiatives and projects related to this subject. The aim was to create a forum involving various stakeholders, both public and private. The intention was thus to promote, maintain and strengthen a close and continuous exchange of information, experience and knowledge among them and, at the same time, to promote policy developments that ensure advanced regulation of data protection rights in a democratic context, taking into consideration the need for a continuous flow of data between countries with different approaches but the same concern for this right. In terms of activity, there have been ten Annual Meetings in addition to many other seminars on a variety of topics of interest, such as the data protection of minors, health data, financial fraud, business and marketing industry concerns (especially the fight against spam), new technologies and their impact on privacy, international transfers and so on. This line of work has established the network as a leading promoter of dialogue and policy initiatives in the region, with the result that more than 150 million Latin American citizens today have, alongside the traditional defence of habeas data, standards which effectively govern the use of personal information and also specialised authorities with powers to protect such guarantees.

One of the strategic objectives of the RIPD is the definitive consolidation of the forum as a body suitable for making decisions, adopting documents and securing its future strategies. Ultimately, it is of paramount interest to the institutions that currently make up the RIPD to encourage the promotion and implementation of the fundamental right to the protection of personal data through entities with the capacity and skills to encourage national governments to develop regulatory legislation in this area. This is required in order to obtain an Adequacy Statement from the European Commission, and to achieve harmonisation of national laws on data protection at a global level so that the development of international trade and new communication technologies is compatible with the protection of the rights of individuals.

The RIPD is organised through the following bodies:

- The Presidency of the RIPD is elected from among the members attending the RIPD’s Assembly and is responsible for representing the RIPD in all national and international fora, promoting and supporting national legislative initiatives and representing the RIPD in all social activities in Latin America. Currently, the Presidency is held by Mexico and is exercised by the Federal Institute of Access to Information and Data Protection.
- The Executive Committee is composed of the Presidency and four members of the RIPD, and its main functions are to approve the working programme for the upcoming year and to promote all the actions necessary for holding the next Annual Meeting. Currently, the Executive Committee is composed of Spain, Portugal, Argentina, Mexico and Chile.


- The RIPD’s Secretariat is provided by the Spanish Data Protection Agency, which is in charge of co-ordinating tasks as the technical body and of following up the RIPD’s activities. The Secretariat is responsible for maintaining a continuous relationship with the RIPD’s Executive Committee, establishing contacts with national and international organisations, carrying out, together with the Working Groups, the decisions and projects approved by the RIPD, facilitating open communication and the exchange of information among RIPD members, and co-ordinating seminars and Working Groups.
- The Ibero-American General Assembly of the RIPD is held once a year. It is considered an RIPD body, as well as a forum for direct discussion and the adoption of decisions and documents.

4.6.1 Spanish DPA’s other outreach efforts in Latin America and East European countries

The Spanish Data Protection Agency (AEPD) has been co-operating with other Latin American countries for many years in the framework of many bilateral memoranda of understanding, with Colombia (2012), Perú (2012), Chile (2011), Bolivia and the Mexican States of Nuevo León (2011), Distrito Federal (2009), Oaxaca (2009), Jalisco (2009) and Hidalgo (2009). In addition, it has supported and co-operated with other data protection agencies, particularly those of Eastern European countries, as follows:

1. The Czech Office for Personal Data Protection and the Spanish Data Protection Agency adopted a statement affirming the excellent results obtained while carrying out the Twinning Project PHARE CZ2000/IB/OT/03, in implementation of the Covenant signed by both parties. Both institutions were aware of the unavoidable need to increase co-operation between data protection authorities, with a view to establishing a uniform application of the data protection legislation existing in different countries.

2. Bulgaria and the Spanish Data Protection Agency developed the twinning project PHARE BG/2005/IB/OT/02, which was signed on 27 December 2006 and whose performance started in January as per the provisions of the contract. The project included 42 activities (37 working meetings and seminars in Bulgaria and 5 study visits in Spain) covering institutional development and investment in the Bulgarian CPDP, so as to achieve greater effectiveness in the field of personal data protection within the country by adopting and implementing EU best practices for preventing infringements related to personal data protection and for providing the best protection of such data.

3. The Twinning project IS/2007/ENPAN/JH/01 was carried out between Israel (the Israeli Law, Information and Technology Authority (ILITA), the data protection authority in Israel) and its counterpart in Spain (AEPD) and was set in motion on 3 June 2009. This twinning programme aimed to strengthen the effective protection of personal data in Israel by developing ILITA’s operational and effective enforcement capabilities, with the goal of bringing them into line with international standards and those set out in the EU data protection directive.


The twinning project consisted of the following aspects:

- The enhancement of ILITA’s competencies through the development and implementation of a personal data protection strategy plan, as well as the enhancement of ILITA’s effective regulatory powers.
- The enhancement of enforcement through staff training in complaint handling and the streamlining of ILITA’s complaint-handling procedures, as well as through setting in place investigative and relevant intelligence capabilities.
- Increasing awareness among data controllers, data subjects, policymakers, lawmakers and the general public of the importance of personal data protection, and increasing adherence to personal data protection legislation.

4. The European Union IPA Programme for Croatia was funded under the EU’s IPA 2007. Its twinning project HR/2007/IB/JH/02 was titled “The Capacity of the Croatian Agency for Protection of Personal Data”. It started in August 2010 and ended 22 months later. This EU project used the expertise of Spain, especially the Spanish Data Protection Authority, in order to reach an efficient institutional framework capable of dealing with all the requirements of the common data protection policies. The overall objective was the strengthening of the consultative and supervisory role of the Croatian Agency for Protection of Personal Data. The project was divided into two clearly distinct components: the first dealt with legal issues while the second tackled information security.

4.7 ASSOCIATION OF FRANCOPHONE DATA PROTECTION AUTHORITIES

The Association francophone des autorités de protection des données personnelles (AFAPDP) has an important capacity-building component.404 The association of authorities for personal data protection of the French-speaking countries was founded in 2007 and consists of 27 authorities for personal data protection from 24 member states of the International Organisation of La Francophonie. Members of the Association are authorities for personal data protection from Albania, Andorra, Austria, Belgium, Bulgaria, Burkina Faso, Canada (federal authority, Quebec and New Brunswick), Cyprus, Croatia, Czech Republic, France, Greece, Hungary, Lithuania, Luxembourg, Macedonia, Monaco, Poland, Romania, Senegal, Slovakia, Slovenia, Switzerland, Cape Verde and Tunisia.

The Association promotes cooperation and training between countries that speak French in the area of personal data protection. The commitment is to create a structure for support and sharing of knowledge. The Association is also a source of expertise for countries where there is no legislation for personal data protection. The Association participates in dialogue and the implementation of the right to privacy and personal data protection in the framework of international organizations such as the United Nations, the European Union, and the Asia Pacific Economic Cooperation. At the same time the Association has an observer status in the Consultative Committee of the Convention on the Protection of Individuals with regard to Automatic Data Processing (Convention 108).

In 2008, the Association held its second annual conference in Strasbourg immediately after the International Conference of Commissioners on Data Protection and Privacy. The workshops of the conference were devoted to awareness and training on good practices and to technical elements related to mobility and geolocalisation.405

404 http://www.afapdp.org/

4.7.1 CNIL’s outreach efforts at co-operation

The French data protection authority (CNIL) promotes data protection in francophone countries.

4.8 BRITISH, IRISH AND THE ISLANDS DPAS

This informal and loose network covers the DPAs of the United Kingdom; Ireland; the British Crown Dependencies with separate DPAs (Isle of Man, Jersey, Guernsey, Gibraltar); and other countries/territories with an historical association with Britain (e.g. Malta, Cyprus). It has existed since around 1989. Representatives from Bermuda have also been attending recently in anticipation of the enactment of data protection legislation. In general, it is a loose gathering that anyone with a link to Britain and/or the common law can ask to attend. It does not have a formal constitution or rules of procedure. In recent years, it has met once per year, with DPAs taking turns to host: Gibraltar hosted last year, with Ireland hosting this year. The agenda of the meeting is as requested by members, but standard items include a review of developments in the different jurisdictions and a review of developments in the EU (even though some members are non-EU for data protection purposes).

4.9 EU-US AD HOC WORKING GROUP ON DATA PROTECTION

The EU and US launched an ad hoc working group on data protection in Washington DC on 8 July 2013, with a first meeting in Brussels on 22-23 July 2013.406 The EU side comprises representatives from the EU Presidency, the Commission, the Counter-terrorism Co-ordinator, the European External Action Service (EEAS), a member of the Article 29 Working Party and 10 experts from the Member States. The EU side is co-chaired by the European Commission and the Presidency. The Chairs will report in due course to COREPER, which will decide on the follow-up to the outcome of the group. A hot issue of discussion between the EU and American sides in the working group is surveillance of EU premises. COREPER has discussed the modalities through which EU institutions and Member States will have the possibility to exchange information and co-ordinate their dialogues with their US counterparts.

4.10 MEMORANDA OF UNDERSTANDING (MOUS)

405 Directorate for Personal Data Protection, Republic of Macedonia, “Association francophone des authorites de protection des donnes personnelles (AFAPDP)”, undated. http://dzlp.mk/en/node/622
406 Lithuanian Presidency of the Council of the European Union, Presidency statement on outcome of discussions on EU–US working group, 19 July 2013. http://www.eu2013.lt/en/news/statements/presidency-statement-on-outcome-of-discussions-on-euus-working-group


Data protection authorities and privacy commissioners are using memoranda of understanding (MoUs) to foster co-operation and co-ordination. One example of such an MoU is that signed in October 2012 by Canadian Privacy Commissioner Jennifer Stoddart and German Federal Data Protection Commissioner Peter Schaar, the aim of which is to strengthen their mutual co-operation in the cross-border supervision of data protection.407 Under the agreement, both data protection authorities will exchange information in connection with their supervisory activities and inform each other about important events or complaints. In concrete cases – contrary to previous practice – co-ordinated supervisory procedures relating to data protection law may take place in order to ensure the data subjects’ protection regardless of the location of the data processing.

Another example of such an MoU is that signed between Irish Data Protection Commissioner Billy Hawkes and US Federal Trade Commissioner Edith Ramirez in July 2013.408 The MoU aims to support increased co-operation and communication between the two sides in their efforts to ensure the protection of consumer privacy and data protection rights. The FTC describes itself as the chief U.S. consumer privacy agency. It uses law enforcement, research, policy initiatives, and consumer and business education to protect consumers’ personal information. Its functions mirror those of the Commissioner in the area of data protection. The MoU provides a basis for the sharing of experiences and knowledge of issues encountered by both agencies in their interactions with consumers and businesses and in relation to cross-border enforcement co-operation. Both sides expect the MoU will help companies to do business internationally while meeting their data protection responsibilities. Many U.S. multinational companies have subsidiaries in Ireland, and Irish companies have a “significant” investment in the U.S. It is important to both agencies that these companies respect the privacy rights of their customers and comply with applicable law. The MoU is a framework for voluntary co-operation and will not change existing law in either country. Even before signing the MoU, the two agencies had co-operated informally on cross-border policy and enforcement, through the London Action Plan (LAP, an anti-spam network) and the Global Privacy Enforcement Network (GPEN). Christopher Kuner of the Brussels law firm Wilson Sonsini commented that the MoU was a significant development: "It continues the trend toward agreements between privacy enforcement authorities worldwide… It is particularly important given that many large multinationals have their main European establishment in Ireland, meaning that the Irish DPA is the main European enforcement authority for many leading companies. Both companies and consumers need better cooperation and coordination between data protection and privacy enforcement authorities in different countries, and bilateral memoranda like this are a good way to achieve that goal."409 Finally, the Macedonian DPA has signed several MoUs with various DPAs.410

407 German Federal Commission for Data Protection and Freedom of Information, “German and Canadian data protection authorities establish a basis for enhanced cooperation”, Press release, Bonn, 15 Oct 2012. http://www.bfdi.bund.de/EN/PublicRelations/PressReleases/2012/21_DCANEstablishABasisForEnhancedCooporation.html?nn=410156
408 Office of the Data Protection Commissioner, “Data Protection Commissioner signs Memorandum of Understanding with U.S. Federal Trade Commission”, Press release, 9 July 2013. http://www.dataprotection.ie/docs/27-6-13--Press-Release--Data-Protection-Commissioner-signs-Memorandum-of-Understanding-wih-FTC/1317.htm

4.11 TAIEX PROGRAMME

TAIEX is the Technical Assistance and Information Exchange instrument managed by the European Commission’s Directorate-General for Enlargement.411 TAIEX supports partner countries with regard to the approximation, application and enforcement of EU legislation. It is largely demand driven and facilitates the delivery of appropriate tailor-made expertise to address issues at short notice. The objectives of the TAIEX programme are:

- To provide short-term technical assistance and advice on the transposition of EU legislation into the national legislation of beneficiary countries and on the subsequent administration, implementation and enforcement of such legislation.
- To bring ENPI412 partner countries closer to the European Union, through increased economic integration and a deepening of political co-operation by sharing the experience gained during the enlargement process.
- To provide technical training and peer assistance to partners and stakeholders of the beneficiary countries.
- To be an information broker by gathering and making available information.
- To provide database tools for facilitating and monitoring the approximation progress as well as to identify further technical assistance needs.

Strengthening the European Union as an area of freedom, security and justice without internal borders constitutes an important focus of TAIEX assistance. Technical assistance through the TAIEX instrument comes in many different forms and across a wide range of areas. Partner administrations can benefit from TAIEX’s flexibility to help meet wider training needs in EU legislation by reaching a significant number of officials. At the same time, it is important to retain an awareness of and be responsive to more targeted requests. In this regard, the expert and study visit format, depending entirely on requests received from beneficiary partners, provides a complementary institution-building service. TAIEX is aimed at the following groups of countries:

- Croatia, Iceland, Turkey, former Yugoslav Republic of Macedonia;
- Albania, Bosnia and Herzegovina, Montenegro, Serbia and Kosovo*;
- Turkish Cypriot community in the northern part of Cyprus;
- Algeria, Armenia, Azerbaijan, Belarus, Egypt, Georgia, Israel, Jordan, Lebanon, Libya, Moldova, Morocco, the Palestinian Authority, Syria, Tunisia, Ukraine and Russia.

409 Bracy, Jedidiah, “FTC, Irish DPA Reach Mutual Enforcement Agreement”, The Privacy Advisor (IAPP), 27 June 2013. https://www.privacyassociation.org/publications/ftc_irish_dpa_reach_mutual_enforcement_agreement
410 http://dzlp.mk/mk/potpisani%20deklaracii
411 http://ec.europa.eu/enlargement/taiex/what-is-taiex/index_en.htm
412 ENPI is the European Neighbourhood Partnership Instrument. The ENPI is the EC’s main source of funding for the 17 partner countries (10 Mediterranean and six Eastern European countries, plus Russia). The ENPI replaces the co-operation programmes TACIS (for the Eastern European countries) and MEDA (for the Mediterranean countries). The main purpose is to create an area of shared values, stability and prosperity, enhanced co-operation and deeper economic and regional integration by covering a wide range of co-operation areas. The overall allocation for the ENPI instrument for the seven-year period 2007-2013 amounted to almost €12 billion. http://ec.europa.eu/europeaid/where/neighbourhood/overview/

The beneficiaries of TAIEX assistance include those sectors, both public and private, which have a role to play in the beneficiary countries in the transposition, implementation and enforcement of EU legislation or, in the case of the ENPI countries, in deepening economic and political co-operation. The main target groups are:

- Civil servants working in public administrations at national and sub-national level and in associations of local authorities;
- The judiciary and law enforcement authorities;
- Parliaments and civil servants working in Parliaments and Legislative Councils;
- Professional and commercial associations representing social partners, as well as representatives of trade unions and employers’ associations;
- Interpreters, revisers and translators of legislative texts.

TAIEX does not provide direct support to private citizens or to individual companies. The role of TAIEX is that of mediating between experts, who provide direct assistance, and users, for whom the assistance is intended. The beneficiaries of TAIEX assistance include those sectors playing a role in the beneficiary countries in relation to the transposition, implementation and enforcement of EU legislation, particularly in data protection. The experts who participate in the TAIEX programme are selected by European Union Member States. They are representatives of the administrations of EU Member States, EU institutions and experts from universities and the private sector. In recent years TAIEX has organised visits and workshops and provided experts to data protection agencies in Bosnia and Herzegovina, Macedonia and Croatia. As an example of TAIEX assistance, on 22-23 September 2011, a study visit of representatives of the Albanian Data Protection Authority, organised jointly by the Inspector General for Personal Data Protection (GIODO) and the European Commission, took place at the GIODO offices in Warsaw. The study visit focused on the following issues: law and bylaw drafting, investigation and inspection, as well as the approximation of Albanian legislation with the EU acquis on data protection.413

4.12 LEONARDO DA VINCI (LDV) PROGRAMME

The Leonardo da Vinci (LDV) Programme414 funds practical projects in the field of vocational education and training. Initiatives range from those giving individuals work-related training abroad to large-scale co-operation efforts. The LDV programme funds many different types of activities of varying scales. These include “mobility” initiatives enabling people to train in another country, co-operation projects to transfer or develop innovative practices, and networks focusing on topical themes in the sector. Beneficiaries of the programme range from trainees in vocational training to people who have already graduated, as well as professionals in vocational education and training and anyone from organisations active in this field. The LDV programme enables organisations in the vocational education sector to work with partners from across Europe, exchange best practices, and increase their staff’s expertise. Innovation projects are key to the programme. They aim to improve the quality of training systems by developing and transferring innovative policies, courses, teaching methods, materials and procedures.

413 http://www.giodo.gov.pl/259/id_art/711/j/en/
414 http://ec.europa.eu/education/lifelong-learning-programme/ldv_en.htm

4.13 TWINNING

Twinning is a European Commission initiative originally designed to help candidate countries acquire the necessary skills and experience to adopt, implement and enforce EU legislation.415 Since 2003, twinning has been available to some of the Newly Independent States of eastern Europe and to countries of the Mediterranean region. Twinning projects bring together public sector expertise from EU Member States and beneficiary countries with the aim of enhancing co-operative activities. They must yield concrete operational results for the beneficiary country under the terms of the Association Agreement between that country and the EU. Twinning projects are built around the secondment of at least one full-time Member State expert who then goes to work in a beneficiary country administration: these experts are called Resident Twinning Advisers (RTAs) and are accredited by the European Commission. Projects can also include a number of other actions, usually run by relevant public bodies, including workshops, training sessions, expert missions and counselling. Neighbouring countries in which the Commission’s twinning initiative is available are:

- South: Algeria, Egypt, Israel, Jordan, Lebanon, Morocco and Tunisia.
- East: Armenia, Azerbaijan, Georgia, Moldova and Ukraine.

4.14 OTHER INITIATIVES

4.14.1 New Zealand – Privacy (Cross-border Information) Amendment Bill

The government of New Zealand introduced an amendment (section 72c) to its Privacy Act 1993 by means of its Privacy (Cross-border Information) Amendment Bill that deals with "referral of complaint to overseas privacy enforcement authority".

4.14.2 Communication from the Commission on fighting spam, spyware and malicious software

In a related field, a Communication from the Commission on fighting spam, spyware and malicious software contains a section on “International Cooperation”, which provides that

“[t]he Commission is further promoting international cooperation initiatives. The US and the EU have agreed to cooperate to tackle spam through joint enforcement initiatives, and explore ways to fight against illegal ‘spyware’ and ‘malware’. The Commission also takes part in the Canadian International Collaboration working group on Spam. Discussions are taking place with major international partners e.g., China, Japan. Concerning Asia the Commission initiated a Joint Statement on International Anti-spam Cooperation which was adopted at the ASEM conference on eCommerce in February 2005416”.417

415 http://ec.europa.eu/europeaid/where/neighbourhood/overview/twinning_en.htm
416 http://www.asemec-london.org/
417 European Commission, Communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on fighting spam, spyware and malicious software, Brussels, 15 November 2006, COM(2006) 688 final, pp. 4-5. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2006:0688:FIN:EN:PDF


The same Communication also contains a section on “Cross border cooperation”, which provides that “[r]ecently the Australian and Dutch spam fighting authorities cooperated in bringing down a large spam operation.”418

4.14.3 ROSKOMNADZOR Conference

Since 2010 the Russian Federal Service for Supervision of Communications, Information Technology and Mass Media has held an annual conference on Personal Data Protection. The conference traditionally features representatives of federal executive and legislative authorities of the Russian Federation, non-governmental organisations, and information security experts. Participants in the Conference have included representatives of DPAs from Europe, Asia and the Pacific, and the Commonwealth of Independent States, as well as the Council of Europe, Europol and Eurojust. Resulting from the conference, memoranda of understanding were signed between the competent authorities of Russia, Moldova, Kyrgyzstan, Armenia, Ukraine and Macedonia.419

4.15 CONCLUSIONS

From the preceding overview of international mechanisms for co-operation and co-ordination between data protection authorities, we can draw the following observations and conclusions. As within the European Union, at the international level there exist a range of institutional frameworks which can and do support co-operation and co-ordination between data protection authorities. These can be understood as complementary networks, in that they offer a range of options for DPAs willing to increase their international collaboration. Privacy enforcement collaboration has been discussed in several of these international fora, alongside other forms of co-operation and co-ordination such as information exchange, staff exchanges, study visits and the sharing of best practice. The following figure shows the overlapping memberships of several of the key international DPA co-operation and co-ordination mechanisms discussed in this section.
It should be viewed in parallel with the European diagram in the previous chapter, which provides a more granular image of overlapping European co-ordination mechanisms. GPEN acts as a potential critical bridge between the cluster of European DPAs and the looser cluster of APEC CPEA/APPA. The groupings of DPAs and other responsible agencies, with the notable exception of the relatively new GPEN, appear to follow conventional regional or linguistic divisions, with origins in organisations such as the EU and APEC. The visualisation also allows the identification of a core group of European DPAs that participate in most of the co-ordination mechanisms available to them. The larger networks are supported by a range of bilateral agreements and memoranda of understanding between individual DPAs. The international networks are primarily voluntary and are not legally binding. Those networks that do have binding requirements are membership organisations based around pre-existing political affiliations, which often have regional entry requirements and can impose commitments on members in areas beyond data protection and privacy (such as the OECD, APEC and indeed the European Union). Co-operation arrangements such as the APEC protocol for requesting assistance have a presumption of co-operation, but provide many grounds for a DPA to decline to provide assistance, up to and including at the judgement of the DPA. The ICDPPC potentially reaches across the geographical spread of this diagram; however, its membership requirements include assumptions about the organisational and institutional form of a data protection and privacy commissioner, which prevent some organisations (particularly from outside Europe) from being members.

418 Ibid., p. 7.

419 http://eng.rkn.gov.ru/personal_data/international_conference_personal_data_protection/

Figure 2: Key international co-operation and co-ordination mechanisms, showing the overlap between their memberships

In addition to dedicated networks of data protection authorities, three international governmental organisations exert particular influence in the field of privacy and data protection co-operation. The OECD has generated a number of recommendations and guidelines on privacy protection and enforcement, and has provided support to GPEN. Support from OECD countries for GPEN may result in more OECD members participating in GPEN. The EU has outreach programmes both at the EU level (e.g., TAIEX) and from the DPAs of individual member states such as Spain and France, which are involved in language-based networks of DPAs. There is evidence of interaction and learning between the groups. Examples include the APEC privacy principles being based on the 1980 OECD guidelines. Similarly, APEC CPEA adopted the request for assistance form developed by the OECD. There is ongoing co-operation between APEC and the EU on the compatibility of APEC CBPR and the EU’s BCR, which on the surface appear to share similar intentions. There is also evidence of logistical co-operation when possible, such as scheduling the conference of the francophone DPA network to follow on from the ICDPPC in Strasbourg.


In addition to the organisational structures, there is already a range of tools available for co-ordination and co-operation between DPAs. Examples include the GPEN website and online platform (hosted by the OECD) as well as lists of contact points (although there are multiple such lists and they may require reconciliation and combination). Finally, there is evidence to suggest that co-operation can encourage further co-operation. For example, the Memorandum of Understanding between the Irish DPA and the US Federal Trade Commission followed on from the two organisations’ co-operation in GPEN and in the London Action Plan anti-spam campaign.


5 PHAEDRA SURVEY OF DPAS ON IMPROVED CO-OPERATION AND CO-ORDINATION

5.1 RESULTS OF THE SURVEY QUESTIONNAIRE

In mid-February 2013, the PHAEDRA consortium sent out a questionnaire to 79 data protection authorities and privacy commissioners around the world. The two-page questionnaire had 10 questions asking about areas for improving co-operation and co-ordination, possible constraints, measures for improving co-ordination of investigations, sharing information, suggestions for case studies and examples of co-operation. This chapter summarises the results of the survey. As of March 2014, the consortium had received 53 responses. The respondents were mainly from European DPAs and privacy commissioners, but also included responses from the Americas, Asia/Pacific, and the Middle East, as depicted in Figure 3 below.

Figure 3: Respondent percentage by region

This section presents the collated answers to the questions from the survey.



1. In what areas would you like to see improved co-operation and co-ordination with other privacy commissioners and data protection authorities (DPAs)?

DPAs were asked to rank five possibilities. Discounting “Other”, the overall ranking from most important to least important is shown in the following charts:

Figure 4: Importance of factors to improve co­operation and co­ordination

The list of areas or factors from the questionnaire included:

Co-ordination in enforcement actions, especially against multinational data controllers, to avoid duplication of effort and make more efficient use of resources

Exchange of knowledge, experience and best practice

Consistency (i.e., avoiding situations where privacy commissioners and DPAs apply different criteria in enforcement actions)

Measures aimed at converging the powers of privacy commissioners and DPAs

Other

In evaluating responses, we also looked at the most highly ranked (i.e., given importance of 1 or 2) and the least highly ranked items (given importance of 3, 4 or 5), which revealed that the two most highly ranked areas retained that designation when the rankings were combined, with a slight edge for “Co­ordination in enforcement actions...”. Nineteen respondents identified “Exchange of knowledge, experience and best practice”, as the most important factor to improve co­operation and co­ordination, while 17 identified “Co­ordination in enforcement”.


Figure 5: Frequency with which each area is ranked as of high importance

Figure 6: Frequency with which each area is ranked as less important


2. What are the chief constraints on you in achieving more co-operation and better co-ordination?

DPAs were asked to rank five possibilities. Again, discounting “Other”, the first possibility below was regarded as the most serious and the last as the least serious.

Lack of information from other privacy commissioners and DPAs about co-operation and co-ordination activities

Limited budgetary and/or human resources

Legal constraints

Language differences

Figure 7: Frequency with which each constraint is ranked as of high importance

Figure 8: Frequency with which each constraint is ranked as less important


3. At what level would you like to see improved co-operation and co-ordination? Please tick the relevant ones.

DPAs were offered three choices in addition to “Other”: improved co-operation and co-ordination at the regional level, at the international level, or by language group (e.g., Ibero-American group, Francophone group). Most respondents indicated that they would like to see improved co-ordination and co-operation at either the regional level, the international level or both. In a few cases (10), respondents expressed an interest in improved co-ordination by language group.

Figure 9: Levels at which improved co-operation and co-ordination is desired


4. What measures do you think could be taken to improve co-operation and enhance co-ordination of investigations with other privacy commissioners and DPAs?

DPAs were given several options to rank in order of importance. Discounting the other option, the first below was regarded as most important, followed in order by the others.

Online tools to facilitate sharing of information (e.g., intranet)

Additional resources (manpower, budget)

A small secretariat for exchange of information and best practice

An international treaty (i.e., binding instrument)

A memorandum of understanding or other non-binding instrument

Amending your enabling legislation

Regularly scheduled teleconferences to discuss common issues

It is interesting to note that DPAs place greater importance on collaboration than on additional resources, even though many have a shortage of resources for the tasks they perform.

Figure 10: Frequency with which each measure is ranked as of high importance

Figure 11: Frequency with which each measure is ranked as less important


5. Some measures (e.g., an international treaty or amendment of your enabling legislation) might take a long time. Which measures do you think could be taken in the short term to improve co-operation and co-ordination?

DPAs made various suggestions. Albania, Bosnia­Herzegovina, Costa Rica, the Czech Republic, Macau, the Isle of Man, Poland, Portugal and Sweden said that the signing of memoranda of co-operation or other non­binding instruments would help foster closer co­operation between privacy commissioners and provide procedures for more effective exchange of information between competent authorities. Hungary agreed with this, but emphasised bilateral and regional agreements. Israel also thought an MoU would be useful, especially for training, educating and exchanging personnel and sharing practical information. Uruguay said it was establishing MoUs with Mexico, Costa Rica and Canada. Poland advocated standardised forms and procedures. Portugal had some specific suggestions regarding an MoU. It said its implementation could be better and more easily achieved through the establishment of a common information platform (internal website), where key information should be available, such as a list of contact persons; a resumé of the powers and functions of each DPA and sectors covered; a repository of guidelines, enforcement actions, best practices and case law (by themes and covering different areas), initiatives aimed at raising awareness; a discussion forum where any DPA may request assistance or advice; where they can discuss “hot” topics informally; where they can share news and experience, where they can find a calendar of major international activities; and where they can collaborate on joint actions. Portugal felt that some mechanism was needed to push DPAs to participate regularly. It said some basic rules might be needed, for example, regarding deadlines to reply to each other, otherwise co­operation won’t be effective. Serbia and Vietnam also mentioned online tools to facilitate sharing of information (e.g., an intranet). 
Australia said the OECD Global Privacy Enforcement Network has already developed a website to share information, and is in the process of developing a non-binding instrument to facilitate co-ordination and co-operation.420 The Asia Pacific Privacy Authorities (APPA) is another network established to facilitate exchange of information between DPAs.421 The GPEN would seem to address Hong Kong’s perceived need for online and informal sharing of views, enforcement actions being taken and/or experience in a secured environment. France said it believes that the International Conference is the most appropriate basis on which co-operation should be built. However, it recognises that the GPEN offers a privileged opportunity for the exchange of good practice and that it is a useful forum and an efficient tool for co-operation. It felt consideration should be given to the possibility that the GPEN be involved and participate in the work of the International Conference (e.g., by creating windows of co-operation). Bavaria and Finland saw a need for clear agreements, especially about which institution leads an enforcement action. Bavaria suggested the creation of an online portal for an exchange of views. It also saw a need for a repository of data protection acts, translated into at least English. Estonia was of a similar mind regarding a website operated by a small secretariat that could initiate questionnaires and topics. Cyprus, Ireland, the Isle of Man, Ontario, Macedonia, Moldova, Russia and Switzerland also supported an intranet for DPAs, teleconferencing and a small secretariat. Estonia referred to CIRCA422 for uploading documents, but said there is a lack of an interactive environment for the exchange of comments and questions. Bulgaria saw a need for a framework document containing common rules for information exchange and co-operation on joint inspections. Canada and Belgium saw a need for an efficient, secure mechanism for authorities to indicate that they are interested in an issue or incident, to determine whether other authorities are interested in working together on a particular issue, and to form a group to pursue the matter. Canada and New Zealand said authorities should consider making greater use of GPEN, although the functionality of the website needs to be improved. Also needed is a discussion of how GPEN relates to other initiatives, such as the working group to promote international enforcement co-ordination, created at the Mexico City International Conference in 2011. Canada said authorities need to assess their ability to co-operate and share information and, where necessary, discuss this with their governments. New Zealand said countries could refer to the OECD Recommendation on Enforcement Cooperation as a blueprint for updating their data protection laws. The Slovak Republic also said DPAs should work toward a legally binding instrument for privacy co-ordination. Belgium, Colombia, Germany and Japan saw a need for information sharing on major cross-border cases/issues, including legal assessments and envisaged measures; sharing of best practices; joint case studies; and regular meetings, workshops and conferences on defined cases and issues with high relevance for data protection in an international context. Liechtenstein also saw a need for regional meetings of German-speaking countries. The Slovak Republic also said co-operation could start at the neighbour level.

420 http://www.privacyenforcement.net/

421 http://www.appaforum.org/
France suggested the creation of a task force dedicated to enforcement, with regular meetings in order to exchange best practices and discuss ongoing cases or technical aspects. Greece suggested each DPA should appoint at least one contact person who would be responsible for co-ordination of all activities between the DPAs. Iceland saw a need for regular inter-European meetings but commented that it could not attend such meetings due to its severe lack of funding. Italy, Lithuania, Serbia, the Slovak Republic and Sweden also mentioned a need for additional resources. Israel suggested developing a model proactive regulatory approach towards data protection and combining legal and technological R&D activities, somewhat like the Article 29 Working Party, but able to undertake a wider range of activities. Japan felt that non-binding instruments like the APEC Cross-Border Privacy Enforcement Arrangement were helpful for improving the international framework of co-operation.

422 CIRCA (Communication and Information Resource Centre Administrator) is a simple groupware application developed by the European Commission under the IDA Programme. It is a web-based application providing online services that offer a common virtual space for workgroups, enabling the effective and secure sharing of resources and documents. Its architecture is based on Open Source Software. It has been widely used by the EU public administrations since 1996. It is also a generic service (including help desk, assistance and training services) operated by the European Commission's Directorate-General for Informatics (DIGIT) to support the work of the numerous EU committees. For more information see: http://ec.europa.eu/idabc/en/document/6540.html


Mexico, Montenegro and Ontario had several suggestions for improving short­term co­operation and co­ordination, but all in line with other DPAs. Mexico mentioned:

Establishing co­operation agreements between authorities to co­ordinate enforcement actions;

Sharing information on criteria, studies, guidelines, resolutions and relevant case cross or common materials that could serve as a reference to other authorities;

Creating a website that would serve as a kind of library, in which the authorities could find different types of documents (resolutions, criteria, guidelines, regulation) on various topics of interest;

Creating working groups with well­defined objectives that provide continuity for specific co­operation projects;

Developing forums and conferences focused on regional, international or group issues;

Providing training and professional practices to the personnel of other data protection authorities.

Moldova also supported joint workshops and study visits in order to share experiences and best practices. Ukraine cited a need for some training and an expert from some other DPA to help them. Belgium also suggested creation of a programme between DPAs that could help in the exchange of experiences and best practices with regard to, for example, binding corporate rules (BCRs), privacy impact assessments, inspections and internal organisation of work. Vietnam said that trainers should have (of course) good skills, good communication and a sensitivity towards international cultures.

The Netherlands said that, in the absence of enabling legislation, DPAs could overcome co-ordination difficulties by identifying and recognising the differences in their legal frameworks and trying to find work-arounds, or by limiting their co-operation to those areas where co-operation is feasible. This could already be done on the basis of a bilateral MoU. The US was of a somewhat similar view; it felt that adoption of an online enforcement co-ordination tool, and informal arrangements with other authorities to co-operate on appropriate matters using existing authority, are the most promising short-term measures. In the short term, the UK said all privacy enforcement authorities should sign up to an international enforcement co-ordination mechanism which would allow for (a) sharing of best practice and information exchange for both public and private, national and regional activity and (b) pooling intelligence about past cases involving data controllers not established in the context of the processing in the privacy enforcement authority’s jurisdiction. It should make it possible to find out where a data controller is established and to identify the relevant authority for taking the matter forward. It should also allow PEAs to signal that they are interested in a particular issue because they have legal authority regarding the data controller or because they have a complaint about the data controller from their citizens. This would allow other PEAs and the lead DPA to co-ordinate action as appropriate. Vietnam said that establishing a higher level of trust and sustaining relationships between DPAs so that they are willing to share information would help improve co-operation and co-ordination in the short term.


6. If you were to undertake an enforcement action against a data controller suspected of non-compliance with data protection or privacy legislation in your jurisdiction and where the case has cross-border dimensions, would you be able to share information, including confidential information, with other privacy commissioners and DPAs?

Although DPAs have frequently mentioned the difficulties in sharing information, especially confidential information, as a potential barrier to improved co-ordination of enforcement actions internationally, their responses to this question suggest that most privacy commissioners and data protection authorities are able to share information with their counterparts in other countries, as depicted in the figure below. However, in many instances, whether DPAs are able to share confidential information is context-dependent (the possibility of sharing information depends on the particular situation), comes with conditions, or is not addressed by any provision in their relevant legislation.

Figure 12: Ability of DPAs to share information across borders


7. How many full-time employees does your organisation have? Of those, how many work on international relations, either full-time or for a significant part of their time? Does your organisation have a unit or department dedicated to international relations?

The responses to this question are summarised in the following table:

Data Protection Authority | Number of employees | Number dedicated to international relations | Does the DPA have a unit dedicated to international relations?

Albania 29 6 Y

Australia 62 1 N

Austria 1.5 N

Bavaria 16 1 Y

Belgium 50 1 N

Berlin 37 2 Y

Bosnia & Herzegovina 24 3 Y

Bulgaria 73 4 Y

Canada 170 6 N

Colombia 20 3 part­time Y

Costa Rica 1 [28]423 [3] [Y]

Cyprus 14 3

Czech Rep 100 1 + 4 part­time Y

Denmark 32 0 N

Estonia 18 5 (0.5FTE) N

Finland 20 N

France 171 7 Y

Germany 80 7 Y

Greece 39 7 (1 FTE)424 N

Hong Kong 76 0 N

Hungary 59 5 Y

Iceland 4 4 N

Ireland 26.5 0 N

Isle of Man 4 0 N

Israel 25 1 N

Italy 109 4 Y

423 The Costa Rican authority said it was soon to begin a major recruitment, which would result in staff numbers as indicated in the square brackets.

424 Seven staff work on international relations, but their total time is equivalent to one full-time employee (FTE).


Data Protection Authority | Number of employees | Number dedicated to international relations | Does the DPA have a unit dedicated to international relations?

Japan425 2 ­ 13 0 ­ 4 Y

Korea 40 1 N

Liechtenstein 2 1 N

Lithuania 30 3 Y

Macau 31 2 N

Macedonia 26 1 Y

Mexico 87 11 part­time Y

Moldova 18 3 Y

Montenegro 15 2 N

Netherlands 80 7 Y

New Zealand 30 1 N

Ontario 100 9 N

Poland 130 8 Y

Portugal 26 1 Y

Russia 298 N

Serbia 43 Y

Singapore426 40 2

Spain 164 2 (+5) Y

Slovak Republic 28 1 N

Slovenia 33 4 N

Sweden 40 1 + 4 part­time Y

Switzerland 22.7 0.8 N

Ukraine 43 4 Y

UK 350 2 Y

USA (FTC) 45 6 Y

Uruguay 12 12 part­time N

Vietnam 40 2 Y

The figures on international relations employees are misleading. Some DPAs have shown the number of all employees fully or partly dedicated to international relations (e.g., Estonian DPA: 5 of 18, but the real full­time­equivalent is around 0.5). Some have shown the full­time equivalent and some have shown only full­time employees (e.g., Denmark: 0 of 32).

425 The Japanese Ministry of Economy, Trade and Industry (METI) responded to the questionnaire. However, in doing so, it noted that, in Japan, there is no authority dedicated to data protection. Each ministry enforces privacy in its own jurisdiction, and each ministry and external agency has a unit working on data protection. METI’s response to the questionnaire joined answers from various ministries and agencies. With regard to FTEs, it said there are cases where some departments or units also co-operate on privacy issues. The number of employees within a ministry/agency working on international relations on privacy and data protection ranged between 0 and 4. While it has a department or unit dedicated to international relations, data protection was only a part of its function.

426 Singapore’s Personal Data Protection Commission (PDPC) was formed in January 2013; hence, it is still ramping up its recruitment. It envisages 40-50 employees.


We aim to compile a set of case studies, as examples where DPAs or privacy commissioners have investigated the same issue (e.g., Google Street View) and where privacy commissioners and DPAs collaborated or shared the results of their investigation with other privacy commissioners and DPAs (e.g., CNIL shared the results of its investigation into Google’s combining its privacy policies). Could you suggest from your experience any other case studies you think the PHAEDRA consortium could usefully investigate?

DPAs suggested a range of case studies worthy of investigation. The PHAEDRA consortium has carried out 11 case studies, most of which were mentioned by the DPAs in their response to Question 8. Following is a list of the cases mentioned by DPAs. Some of the cases mentioned below are examples of successful co-operation and co-ordination, others not. Suggested cases marked with an * have been explored as case studies in section 2 of this report.

Assessment of the implementation of the Data Retention Directive (2006/24/EC)*

Badoo case (Cyprus DPA co-operated with CNIL and the ICO)427

Big data

CCTV in public spaces and in the workplace

Children’s use of the Internet

Cloud computing

Consent in the technological age

Corporate information and advertising

Data breach at Sony Computer Entertainment Europe Limited*

Data losses, e.g., a case involving the Isle of Man and the UK ICO

Data protection implications regarding the research in, and disclosure of, records of the Historic Archive of the National Security Services

Electronic medical records

Eurodac

Europol

Google’s privacy policy*

Google Street View and the collection of WiFi data*

Health data

Heritage information centres and credit risk assets (private and public)

Ibero-American Data Protection Network

Investigations or studies into MNC [multi-national company] data controllers by a single DPA

ISO standardisation

Linked-In

Methodologies for controllers to fulfil their obligations

Microsoft Services Agreement

Microsoft’s Office 365, which involves cloud services

Nordic Inspection Co-operation

Personal data protection in registers of voters

Powers of tax administration and data protection

Privacy notices

427 Wikipedia says Badoo is a dating­focused social discovery website, founded in 2006 and managed out of its Soho, London headquarters, but owned by a company based in Cyprus, which is ultimately owned by Russian entrepreneur Andrey Andreev. Opinions of Badoo.com on TrustPilot, which are based on user reviews, rather than press releases, rate the site as 'Very low'.


Protection of personal data in public records (land registry, central population register)

Right to be forgotten

Schengen

Self-regulation

Smartphone applications

Social networks (mainly Facebook), notably the investigations by the Irish DPA* and the Nordic countries

Spam (Colombia and Spanish DPAs)

SWIFT case, investigated by the Belgian DPA, results of which were shared with the Article 29 Working Party*

The annual Iberian meetings of Portuguese and Spanish DPAs to share experiences and discuss common issues and cases involving companies with a presence in both countries

The Article 29 WP investigations regarding data retention by health insurance companies and telecom providers

The case-handling workshops under the aegis of the Spring Conference and DPAs’ use of the CIRCA network to exchange information and request assistance for handling similar cases or with the same companies

The investigation of TJX Companies Inc. conducted by the Office of the Privacy Commissioner of Canada and the Information and Privacy Commissioner of Alberta

Unsolicited direct marketing and spammers

Use of biometrics and its relationship with credentials or identity cards

W3C "Do not track" (standardisation)

WhatsApp*

Google Glass*

Bilateral cases regarding websites/services operating in one country and processing data related to subjects from another country.


8. Could you also provide some other examples involving co-operation (e.g., training) between your organisation and one or more other privacy commissioners and DPAs?

Albania mentioned the training of its personnel that it had received from other DPAs. It has also undertaken some study visits to more developed European authorities.

As an example of co-operation, Australia cited the fact that the Asia Pacific Privacy Authorities (APPA, see section 4.5) has established a Technology Working Group made up of representatives from each APPA member organisation. The Group collaborates on common issues experienced across APPA jurisdictions, such as the changes to Google’s privacy policy. APPA has also established a Communications Working Group made up of communications professionals from each APPA member organisation, who consult on communications matters. The Group's principal activity is collaborating on Privacy Awareness Week.428 Other examples of successful co-operation include the Asia Pacific Economic Cooperation (APEC, see section 4.4) Cross-border Privacy Enforcement Arrangement (CPEA, section 4.4.1)429 and the GPEN (section 4.3 and the case study in section 2.10).430

Austria said one of its employees underwent two months of training at CNIL, while another spent several weeks at the Swedish DPA. The Austrian DPA contributed to several data protection-related twinning projects and co-operated closely with the DPAs concerned (Montenegro, Lithuania, Latvia, Czech Republic, Malta, Croatia).431

Bavaria cited examples of co-operation and co-ordination among the German DPAs with regard to Google Analytics, the analysis of apps and regular meetings on special themes. It cited examples between European DPAs such as exchanges about questions of international data processing, i.e., standard contractual clauses and binding corporate rules.

The Berlin DPA also mentioned Google Analytics as an issue intensively discussed at the national level. This resulted in concessions by Google (limited to Germany). Furthermore, since 1980, the Berlin Commissioner for Data Protection has been convening the International Working Group on Data Protection in Telecommunications (see section 3.5), which has provided a platform for exchanging information on these issues and which has adopted numerous common positions, working papers and memoranda.432

428 http://www.privacyawarenessweek.org/
429 http://www.apec.org/Groups/Committee-on-Trade-and-Investment/Electronic-Commerce-Steering-Group/Cross-border-Privacy-Enforcement-Arrangement.aspx
430 http://www.privacyenforcement.net
431 Word cloud created utilising tool at Wordle.net
432 These can be found at http://www.datenschutz-berlin.de/content/europa-international/international-working-group-on-data-protection-in-telecommunications-iwgdpt.


The Bosnia and Herzegovina DPA has benefitted from “Twinning Assistance to the Personal Data Protection Agency” in co-operation with the Data Protection Commissioner of Saxony (Germany). The purpose of this project was to strengthen the protection of personal data processed by public authorities and law enforcement agencies in accordance with European standards. The project was successfully completed on 31 March 2010.

Canada said it has hosted several delegations over the last few years, including the Commissioner of a newly created authority in the Caribbean, who spent several days at the OPC. Canada has also hosted a South African delegation and officials from Burkina Faso and Benin, who spent a week at the OPC. Canada was one of the founding members of the Association francophone des autorités de protection des données personnelles (AFAPDP, see section 4.7), which has an important capacity-building component.433 The Canadian OPC has had several short-term (four or five weeks) staff exchanges with the CNIL, the FTC, the ICO and Mexico’s IFAI.

As an example of good co-operation, the Czech Republic mentioned the TAIEX seminars and study visits held in co-operation with DPAs from different countries, mostly from the Central and Eastern Europe region (see section 4.10).434

Denmark said the Nordic countries have a tradition of meetings and sharing experiences and, some years ago, training. They also undertake joint supervisory actions on a case-by-case basis. Finland also mentioned Nordic co-operation in meetings of expert lawyers and media officers. Iceland mentioned the Nordic countries’ exchange programme for DPA employees, although it had not used that programme.

The Baltic DPAs (Estonia, Latvia and Lithuania) meet regularly (see section 3.7). They have co-operated regionally on two joint supervisions, one of which was of the Radisson Blu hotels. They also co-operate on monitoring and issuing recommendations.

The Federal Commissioner of Germany said it is a member of and co-operates with the following bodies:
International Conference of Data Protection and Privacy Commissioners (section 4.1)
International Working Group on Coordination of Privacy Enforcement (section 4.1.4)
International Working Group on Data Protection in Telecommunications ("Berlin Group")
OECD Working Party on Information Security and Privacy (WPISP) (section 4.2.1)
Global Privacy Enforcement Network (GPEN)
Accountability Project
Council of Europe T-PD (Convention 108) (section 3.3)
Article 29 Working Party and its Technology Subgroup, Borders Travel Law Enforcement Subgroup and WADA Subgroup, as well as its subgroups on the Future of Privacy, Key Provisions, E-Government, International Transfers and Financial Matters (section 3.2)
Co-ordinated Data Protection Supervision Group of Eurodac (section 3.8.4)
Co-ordinated Data Protection Supervision Group of the European Visa Information System (VIS) (section 3.8.3)
Joint Supervisory Board of Europol (section 3.8.5)
Joint Supervisory Authority of the Schengen Information System (SIS I; in the near future SIS II) (section 3.8.1)
Joint Supervisory Authority of the European Customs Information System (section 3.8.2)
European Conference of Data Protection Commissioners ("Spring Conference") (section 3.1)
Case-Handling Workshop (section 3.1.1)

In addition, it has a bilateral co-operation arrangement with the Privacy Commissioner of Canada. It has also co-operated with other DPAs on a case-by-case basis, inter alia with the DPAs of Bulgaria, Macedonia and Moldova.

Japan has co-operated with other privacy commissioners and DPAs in a case involving the leakage of personal data, but did not provide further details.

For its part, Macao said it co-operated with some other DPAs by contacting a designated contact person in GPEN. It raised formal requests for assistance and, on one occasion, for technical support to find out the physical location of a website server. It sent staff to Hong Kong to attend training courses organised by the Office of the Privacy Commissioner for Personal Data.

The Polish DPA (GIODO) also mentioned most of the bodies listed above, as well as the Central and Eastern Europe Data Protection Authorities Group. GIODO said it was also participating in some international projects: the Leonardo Da Vinci (LDV) mobility projects, LDV partnership projects (section 4.12), study visits and twinning projects (section 4.13).435

Greece and Hungary also mentioned the Case Handling Workshop as an example of co-operation, as well as twinning projects.

Hong Kong gave as examples the APEC Cross-Border Privacy Enforcement Arrangement (CPEA), the Data Privacy Subgroup of the APEC Electronic Commerce Steering Group, the Asia Pacific Privacy Authorities (APPA) and the Technology Working Group (TWG) of APPA, which Hong Kong convenes. The TWG’s co-operation has included the enquiry into Google’s privacy policy change, the sharing of views on cloud computing for the purpose of publishing guidelines for industry, and other exchanges of information on technology developments that might affect personal data protection.

Several countries, including Hungary and Ireland, mentioned the TAIEX study visits (section 4.11).

Ireland said it had hosted other DPAs at its office and gave one DPA inspection powers under its Act in the conduct of an audit. The Isle of Man mentioned regular informal communication and exchange of views between its Office, the UK, Ireland, Jersey, Guernsey and Gibraltar. Israel mentioned the AEPD-ILITA twinning programme, which was “a successful, enriching and important program that allowed ILITA staff to discuss cutting edge issues with international colleagues”.

433 http://www.afapdp.org/
434 TAIEX is the Technical Assistance and Information Exchange instrument managed by the Directorate-General Enlargement of the European Commission. TAIEX supports partner countries with regard to the approximation, application and enforcement of EU legislation. http://ec.europa.eu/enlargement/taiex/what-is-taiex/index_en.htm

435 http://ec.europa.eu/education/lifelong-learning-programme/ldv_en.htm


The Italian DPA gave as an example of co-operation its membership in the EU privacy taskforce, led by CNIL, which investigated Google’s privacy policy changes and the relevant consequences for users. It also mentioned GPEN, of which it has been a member since 2010. It has also participated in several twinning and TAIEX projects (involving the DPAs and/or competent institutions from Croatia, Turkey, Albania, the former Yugoslav Republic of Macedonia, etc.), providing know-how and experience in implementing their data protection legislation.

Mexico cited as an example of co-operation the training provided by senior officials from the Canadian Privacy Commissioner’s Office and the US Federal Trade Commission. Mexico noted that it is already part of the APEC Cross Border Privacy Rules (CBPR) system, holds the presidency of the Ibero-American Data Protection Network (section 4.6) and is an active member of the APPA (section 4.5). Mexico has also collaborated bilaterally with CNIL regarding the Airline Advance Passenger Information System (APIS), particularly with regard to the legal basis for international data transfers between Mexico and France.

Montenegro gave as examples a Twinning project, “Implementation of Personal Data Protection Strategy”, and study visits to Austria, Germany and Slovenia.

The Dutch and Canadian privacy enforcement authorities jointly carried out an investigation into the handling of personal information by WhatsApp Inc., a California-based mobile app developer (see the case study in section 2.4 of this report).436

Vietnam said its opportunities to co-operate with others have been somewhat limited. It does, however, attend the International Conference as well as other conferences and events within APEC.

436 For more information about the joint investigation, see http://www.dutchdpa.nl/Pages/en_pb_20130128-whatsapp.aspx


9. Do you have any other comments or suggestions regarding legal, technical and/or political factors that could help improve co-operation or that act as barriers to co-operation?

The following is a selection of the responses received.

The Office of the Australian Information Commissioner (OAIC) said that enforcement in the online environment continues to be a challenge, particularly in relation to jurisdiction issues. The OAIC would welcome the sharing between DPAs of legal reasoning relating to how DPAs establish jurisdiction in matters relating to global data flows.

Belgium said that an Internet platform, such as a discussion forum accessible to all DPAs, could be organised to help DPAs communicate easily, receive responses quickly and access information in an organised manner.

The Office of the Privacy Commissioner of Canada (OPC) said that, in its view, the most important priority is working together on enforcement and compliance issues and that it is valuable to share information on government initiatives. “Once we have a clearer idea of what we are trying to achieve, we need to develop a plan or strategy to achieve this,” said the Canadian respondent. “Identifying collective issues or priorities would be valuable, recognizing that events may require flexibility.”

Cyprus said the issue of international co-operation with third countries should be given thorough consideration in the frame of the discussions about the proposed DP Regulation.

The Finnish DPA suggested the creation of a legal database where each data protection authority could share decisions with others. The legal database would help avoid divergent decisions about the same matter.

CNIL said that data protection authorities should have a view of the forensic tools used by other DPAs in order to have a common technical approach.

The German DPA said that co-operation and information-sharing between DPAs should focus on cross-border cases of high relevance for data protection in an international context, i.e., cases where data subjects at an international level are affected or cases concerning international transfers between private or public bodies. Common technical and language standards are important. A good example of a body performing effective information sharing is the secretariat of the Article 29 Working Party. Effective information sharing and co-operation should not result in additional transfers of huge amounts of data.

Greece said that factors that would help improve co-operation include these:
more human resources
online tools
an instrument to facilitate the exchange of information
a co-ordinator or co-ordination body

The Hungarian DPA said that short-term study visits and seminars were useful to gain first-hand experience and knowledge from other colleagues.


The Icelandic DPA is facing severe budget cuts, which will affect the work of the Authority. The number of cases grows every year and, at the same time, the cases are becoming bigger and more complicated.

ILITA, the Israeli DPA, said the connection between the data protection authorities and other policy-making fora, such as the WTO and UNCITRAL, should be explored. Harnessing trade and economic discussions to data protection issues may promote these issues as part of the international discussion, in order to create a global policy-making network, like the work done by the Article 29 Working Party. The interaction between data protection, information security and cyber-security may have the potential for ripe data protection concepts to break new ground.

Garante, the Italian DPA, said there should be a specific provision in the law to facilitate a fruitful exchange of information among DPAs without breaching confidentiality rules, which should also form the legal basis for enforcing procedures or measures initiated by other DPAs. The issues of jurisdiction and applicable law should also be addressed and clarified. In the light of the new co-operation and consistency mechanism pursuant to Article 55 and other Articles in chapter VII of the proposed EU General Data Protection Regulation, there will be an increase in activities at EU level. This is why the Italian DPA considers it necessary to introduce a European funding mechanism to enable the DPAs to fulfil the aforementioned obligations to co-operate.

The Liechtenstein DPA said it has participated several times in the Case-Handling Workshops, which have been useful. However, these are held less frequently now due to budgetary cuts. Small secretariats seem to be necessary for the organisation of exchanges of views.

The Mexican DPA said one of the main barriers is the lack of regulation, and of an authority guaranteeing the right to protection of personal data, with sufficient powers to enforce the regulations that exist for this right, as well as the principles and criteria relevant to it. It is essential to develop tools and mechanisms to harmonise the various regulations and establish minimum standards for the treatment of personal data internationally.

The Dutch DPA cited the collaboration between the Dutch and Canadian authorities and their having made the best use of each other’s expertise in their joint WhatsApp investigation.

The Office of the Privacy Commissioner (OPC) of Canada said that generally there could be better co-ordination among DPAs, which may yield better outcomes for consumers and leverage the use of limited DPA technical resources. Sometimes political or philosophical differences get in the way of global co-operation, but there are large areas of commonality. It would be helpful if the PHAEDRA project could address this issue. The project could also consider the need to collectively finance a co-operative infrastructure (e.g., a small secretariat). Relying on volunteers to host meetings or manage projects results in discontinuity, the lack of consistent on-going strategies, an undue burden on a handful of leading DPAs, and overall slow progress. Insightful suggestions from expert outsiders as to what might work would be welcomed.

The Ontario DPA noted that, in 2010, data protection authorities and privacy commissioners from around the world unanimously adopted a resolution in which privacy by design was cited as an essential component of privacy protection. Recently, jurisdictions such as the U.S. and EU have introduced privacy by design into proposed data protection regulation and policies. If data protection authorities and privacy commissioners continue to incorporate privacy by design into their respective laws, co-operation on investigations and enforcement will be advanced and organisations will avoid privacy harms, as opposed to offering systems of redress after breaches have occurred.

Poland said that co-operation is composed of three elements: the expertise and availability of the DPA, the possibility of co-operation and its actual application. One of the solutions for an improvement of actual co-operation in the short term would be a non-binding instrument in order to reach a common understanding of the procedures for co-operation (forms, language, time limits, expected activities). In the EU, several forms of co-operation (including enforcement actions) have been developed, but most of them are still not used by DPAs. The problem is awareness of the existence of the possible procedure and readiness to follow usually non-binding procedures.

The Portuguese DPA said that international co-operation is an urgent need, as is a consideration of the problems related to applicable law and jurisdiction. As major companies conducting business in Europe are established in the USA, European DPAs face difficulties in enforcement and effectiveness. DPAs have limited powers. At best, DPAs can manage damage control and minimise risks at a later stage. The long-term objective should be to build a worldwide understanding or agreement to tackle privacy problems. While developing short-term strategies to increase effectiveness, consistency and co-operation, DPAs should also invest in and develop a binding international framework for the protection of citizens’ privacy rights. DPAs should raise the awareness of stakeholders at the international level to provide an adequate response to the challenges to individuals’ rights presented by the rapid evolution of information technology.

The Republic of Macedonia is not yet a member state of the European Union, which prevents it from being included in some EU bodies and institutions. It hopes for better co-operation with no borders and limitations.

The Russian DPA said the following could contribute to improving international co-operation in personal data protection:
development and adoption of unified approaches in order to stop violations of laws concerning personal data, and implementation of law enforcement practices appropriate to the purposes;
establishment of a small secretariat to ensure the co-ordination of DPA activity in solving issues requiring multilateral engagement;
creation of a DPA contact list with e-mail addresses for the rapid exchange of information;
participation in the work of international consultative and advisory bodies;
broader representation of foreign DPAs in the protection of personal data and the rights of citizens.

DPAs should aim to protect and improve the rights of citizens as personal data subjects and to ensure compliance with the rights to privacy, protection of privacy, personal and family life, regardless of the country of residence.

The Slovak DPA said that DPAs of Member States have many problems, tasks and issues in the rapidly developing environment of IT technology, the Internet and electronic tools for monitoring and collection of data. DPAs have budgetary and legal constraints and staff shortages. It is necessary to have clear, stable and binding legislation.

The Swedish DPA said a clear legal basis for international co-operation and joint supervisory measures, including exchange of information, should be part of the EU rules on data protection.

The ICO is open to any mechanisms that are easy to implement, are clear and provide sufficient safeguards when sharing information, including personal data, and under which any privacy enforcement authority (PEA) would be able to choose the level of co-ordination and co-operation that suits it.

FTC staff believe that the best way to improve cross-border co-operation is for privacy enforcement authorities to seek opportunities for practical co-operation, even where the ability to co-operate remains subject to legal and resource-related constraints. Any effort will provide experience, which, in turn, will help authorities identify and inform any legal and logistical improvements needed. A better understanding of authorities’ differing confidentiality requirements in non-public investigations could improve cross-border information-sharing and co-operation. FTC investigations are generally non-public and confidential until a case is filed in court or other appropriate circumstances arise. Thus, FTC staff generally can only co-operate with counterpart enforcement authorities willing and legally able to protect the confidential nature of any communications in the course of an ongoing investigation. Also, privacy enforcement authorities without the legal ability to share non-public, confidential information and case-specific evidence with their counterparts across borders should obtain that authority. Promoting enforceable codes of conduct for cross-border data transfers, such as the APEC Cross-Border Privacy Rules, promotes cross-border enforcement co-operation between privacy authorities.

Vietnam views international co-operation as a bridge between VECITA (the Vietnamese authority) and other more experienced authorities around the world to share information, experiences and skills. It looks forward to having further international co-operation.


5.2 RESULTS OF FOLLOW-ON INTERVIEWS

In addition to the questionnaire survey sent to 79 data protection authorities, PHAEDRA has conducted one-on-one telephone interviews with data protection authorities, privacy commissioners and other privacy enforcement authorities to gain deeper insights into privacy enforcement instruments and views on improving privacy enforcement co-ordination internationally. We have conducted interviews with representatives from the following agencies with responsibilities for privacy and data protection:
Office of the Privacy Commissioner of Canada
Commission Nationale de l’informatique et des libertés (CNIL)
Office of the Data Protection Commissioner, Ireland
Garante per la protezione dei dati personali, Italy
Netherlands DPA
Organisation for Economic Cooperation and Development (OECD)
Portuguese Comissão Nacional de Protecção de Dados (CNPD)
US Federal Trade Commission
UK Information Commissioner’s Office
Office of the Data Protection Ombudsman, Finland
Israeli Law Information and Technology Authority (ILITA)
European Data Protection Supervisor (EDPS)
Personal Data Protection Commission, Singapore
Office of the Australian Information Commissioner
Consumer Affairs Agency, Japan
Spanish Data Protection Agency (AEPD)
Mexican Data Protection and Information Commissioner (IFAI)
Colombian Data Protection Authority
Uruguay Data Protection Authority

Among the issues discussed in the interviews were the following:

Differences in powers

In Canada, the OPC cannot levy fines directly. It has to go to a federal court and seek statutory damages as administered by the court. Nor does the OPC have order-making powers. The Office of the Australian Information Commissioner (OAIC) has an enforceable undertaking instrument, whereby it gets a company to agree to an undertaking and, if the company does not comply, the OAIC can take it to court.

In Europe, one leading DPA noted that being compliant with the Data Protection Directive is one thing, but the way in which it has been transposed into national law is another. The proposed Data Protection Regulation is expected to lead to a harmonised administrative law within the EU. Even so, differences in powers will remain between EU DPAs and privacy enforcement authorities in other countries. The Netherlands and Canada co-operated in the WhatsApp case to show that it was possible to co-ordinate an action internationally, even if the enforcement powers are different. That effort was successful. It started with an MoU between the two authorities and led to two reports. Ninety per cent of the conclusions were the same, but one report referred to Canadian law and the other to Dutch law.


He was of the view that to have harmonised administrative laws outside the EU would take a long time. The main point is to share information, notably within GPEN and/or the working group of the International Conference.

Sharing confidential information

Some of those interviewed mentioned the difficulty of exchanging confidential information. One European DPA said that it cannot say whom it is investigating, while another DPA has to say whom it is investigating. Hence, it is necessary to be careful about what information to share and when. Some EU Member States cannot exchange information with non-EU countries unless they establish a bilateral agreement. For some, collaboration between independent DPAs is easier than with those that are state-controlled. Some privacy enforcement authorities said that there has to be a clear legal basis for sharing information. “We need a legal framework for sharing information,” said one DPA. Another cited paragraph 46 of the APEC Privacy Framework437, which states: “Member Economies will endeavour to support the development and recognition or acceptance of organizations' cross-border privacy rules across the APEC region, recognizing that organizations would still be responsible for complying with the local data protection requirements, as well as with all applicable laws. Such cross-border privacy rules should adhere to the APEC Privacy Principles.” The security of information exchanges is still a challenge affecting the sharing of confidential information, said one interviewee. One European DPA suggested that privacy enforcement authorities could adopt a “layered” approach to sharing information, where some information is “semi-open” and can be more easily shared than other information which is secret or confidential. He said most authorities agree to such a layered approach to enforcement. One privacy enforcement authority said it could share confidential information, but it would need authorisation from its Attorney General before it could do so.

Article 29 WP and APEC

There is interest in improving collaboration and interchange between the Article 29 Working Party and APEC, as manifested by the efforts aimed at achieving some interoperability (e.g., a double certification) between the Article 29 WP’s Binding Corporate Rules (BCRs) and APEC’s Cross-Border Privacy Rules (CBPRs).

The International Conference and GPEN

Some of the interviewees noted the difference between the International Conference of Data Protection and Privacy Commissioners, which does not have a website or permanent secretariat, and GPEN, with a somewhat different membership, which does. The OECD developed and has been hosting the GPEN website, and seems willing to continue to do so, although the OECD is also constrained by its budget. While the OECD hosts the website, members provide the content.

437 APEC Secretariat, APEC Privacy Framework, Singapore, 2005. http://www.apec.org/Groups/Committee-on-Trade-and-Investment/~/media/Files/Groups/ECSG/05_ecsg_privacyframewk.ashx


The International Conference has some 50 national and 40 subnational DPAs accredited, while GPEN currently has many fewer members, about 32. GPEN aspires to be global in participation, so gaining more participants is a challenge. However, one DPA emphasised that there is no competition between the International Conference and GPEN. While there might be some overlap, one privacy enforcement authority said that did not matter so much as the fact that people are talking to each other, improving their relationship and the prospect of working together. Another said there needs to be (and are) criteria for participating in the International Conference, but for the GPEN the bar does not need to be so high. “It’s the difference between policy and operations.” Even so, another DPA representative felt that while GPEN is useful for public information, it is not secure enough for sharing operational intelligence. An OECD representative said the real value – and challenge of GPEN – is to establish trusted relationships between DPAs and privacy enforcement authorities to facilitate co­operation and co­ordination. GPEN members also exchange good practices and information about how they perform certain activities. PHAEDRA discussed the working group chaired by representatives from the UK Information Commissioner’s Office and the Office of the Privacy Commissioner of Canada. The working group was established by the International Conference in Mexico in 2011 and held its first meeting in Montreal in May 2012, with representatives from Canada, the EDPS, Israel, Italy, Mexico, New Zealand, Poland, Spain, the UK and US. Representatives from the Netherlands, France and Germany have also participated subsequently. Membership is fluid, and any of the DPAs can join. Among the 10 action items from the Montreal meeting were the following:

1. Enforcement authorities are encouraged to join the Global Privacy Enforcement Network (GPEN), to use the GPEN website, to populate the fields related to their own authority including conditions for cooperation, and to explore its potential secure information sharing tool.

2. This Working Group shall take the lead in organizing regular videoconferences among enforcement authorities to identify specific issues and technologies that raise privacy concerns, and to coordinate action on targeted data holders.

7. Strategies are to be developed for national authorities to explain to the media, government and citizens of their jurisdiction the new international approach of identifying a lead authority, and to further explain this scheme when specific cases arise.

8. Enforcement authorities are urged to address the issues that constitute hurdles to cooperation. This exercise could also be used to contribute information to the PHAEDRA project.

The next meeting was held in Washington, DC, in March 2013, where an action plan was agreed. In addition, members of the group have held conference calls. The working group has focused on process issues (i.e., how can DPAs better co-ordinate their efforts?) as well as substantive issues (on which specific investigations do they wish to collaborate?). One DPA said it was now useful to have the right point of contact, but that there is an issue regarding the security of information shared with GPEN, because the GPEN website is not particularly secure.


An ICDPPC website and secretariat

PHAEDRA posed some questions about the prospects for an ICDPPC website and secretariat, but such a prospect does not appear likely in the foreseeable future. The funding issue is difficult for the ICDPPC to deal with: who would collect the funding and how would members share the costs? However, an improved GPEN website is expected to be discussed in Warsaw. At least one privacy commissioner is willing to provide some funding for this, while another privacy enforcement authority seems willing to provide some technical support.

A lead DPA in investigating issues of concern to multiple DPAs

One of the co-chairmen opined that DPAs need to be more precise about what they are trying to achieve regarding sharing information and collaboration, and argued that there is a lot that privacy commissioners and DPAs can already do. He said that it doesn’t make sense to have 25 commissioners pursuing the same investigation, but saw a potential problem in how DPAs could explain to their publics that they aren’t pursuing a particular issue because others are. He also said the closed sessions of the International Conference are getting better and being given more time.

The relationship between the International Conference and GPEN has been an issue of discussion. Although there are some differences in membership, there is some overlap between the two, but probably a role for both. More than one of the DPAs interviewed expressed the wish that the International Conference had an online archive and an up-to-date e-mail list. The ICO sent a short questionnaire to its Article 29 WP colleagues seeking views on two parallel issues: the international enforcement co-ordination framework which has been developed by the International Conference working group, and GPEN, which is one possible way of helping to deliver international enforcement co-ordination.
One privacy commissioner representative said the best way to improve co-operation and co-ordination is personal relationships at both the Commissioner and staff level. He added that it was useful to have different points of view on an issue.

Complaints

DPAs get an increasing number of complaints about the way both governments and the private sector handle personal data. The Dutch DPA said it had been receiving some 6,000 complaints or requests for advice each year. It decided to stop responding to all of these requests, because doing so was not efficient, and instead to refocus its efforts on enforcement. The main types of complaints received by the OPC of Canada are the following:

Use and disclosure: complaints involving allegations that personal information was inappropriately used or disclosed, without consent, for purposes other than those for which it was collected.

Access: complaints about difficulties gaining access to personal information.

Collection: complaints involving the unnecessary collection of personal information, or personal information collected unfairly or unlawfully, such as without proper consent.

The Maltese DPA has only three staff and receives about 100 data protection complaints a year, whereas the ICO handles around 25,000 complaints a year.


Instruments for enforcing privacy

A principal issue discussed during the interviews was instruments for enforcing privacy. Examples of instruments are the following:

• Receiving and investigating complaints
• Advice or guidance
• Inspections (or audits)
• Warnings or notifications
• Naming and shaming
• Orders
• Fines
• Criminal sanctions
• Taking away licences

One DPA dismissed the utility of advising companies at an early stage. From his experience, such an instrument had not proven successful: “Free information is worth nothing.” A representative of the FTC said that its best instruments are the FTC Act and its provisions against unfair and deceptive practices. He said the FTC can get redress; it can go to federal court to get actions. It can get companies to agree to consent orders. It can investigate companies and then file in federal court or administrative court.

Many DPAs don’t have a capacity for punitive fines. One said: “We can say publicly to a company that it has to comply within three months or six months or whatever. The company has to redress what’s wrong. If it doesn’t do so, we will issue a fine. It could be any amount. We don’t fine right away. We give a warning. We have ‘cease and desist’ order power. In one case, we issued such a penalty for €50,000 which could make or break a small company, and in a Google case we fined them €1.5 million, which is nothing for Google, but they said they would comply.” In another case, the regulator investigated a large company which had announced its intention to profile its big clients. The regulator wrote to the company and it stopped, but it wasn’t clear whether this was because of the threat of a fine or potential damage to its reputation.

Not all DPAs can make unannounced inspections. However, one that can said unannounced inspections were better because if the inspection is announced in advance, the company can simply destroy evidence of wrong-doing. In many countries, organisations are obliged to notify the privacy enforcement authority before they can establish a database. If the organisation runs afoul of the privacy legislation, the regulator can take away its authorisation or licence.

Actions to improve co-ordination globally

One DPA said that the Google Street View case was not a good example of co-ordination. Various DPAs investigated Street View and, even within Europe, “we ended up with several different views on Street View. We learned a lot from that case.” In the instance of Google’s combining its privacy notices, CNIL led the investigation and worked with the Article 29 technology subgroup and a “coalition of the willing” to try to persuade Google to accept the collective findings.


One privacy enforcement authority said that GPEN members are looking at an online mechanism to discover which other GPEN members might be interested in collaborating on a particular enforcement action. Concerns regarding the security of the GPEN website could be minimal if it were used just for finding out whether some privacy authorities are interested in collaborating on an enforcement action. Other privacy authorities should be encouraged to join GPEN. Privacy commissioners should communicate regularly via GPEN. Currently, GPEN members have periodic conference calls (via landline telephones), usually every other month, to discuss recent enforcement issues and logistical or procedural issues. Typically, about 15 people participate in these calls. The conference calls are regarded as productive and help to build relationships among privacy authorities.

Challenges to improving enforcement co-ordination

Some DPAs said the main challenge was to be aware of which other privacy authorities might be interested in pursuing a particular issue. Another challenge, as mentioned above, is the inability of some DPAs to share confidential information. One non-European privacy enforcement authority described the Article 29 Working Party as a model of international co-operation and knowledge-sharing. It spoke favourably of the Article 29 WP as creating a network of professionals and a body of best practices.

Privacy, security and consumer protection

An OECD representative said that privacy is still discussed in isolation, separate from security and consumer protection, yet these fields have also established co-operation and co-ordination mechanisms. It might be useful to do a comparison: how do others collaborate? PHAEDRA should try to explore consumer protection and cross-border consumer protection, to see if there are lessons to be learned for privacy protection.


6 BENEFITS FOR EUROPE OF INTERNATIONAL CO-OPERATION AND CO-ORDINATION

This section of the report summarises the benefits for Europe of international co-operation and co-ordination. Individual DPAs have recognised the benefits (and necessity) of international co-operation in responding to privacy issues that cross borders. There are also a number of policy benefits from co-operation between DPAs that will accrue to the EU and its citizens.

6.1 PREVENT REGULATORY ARBITRAGE

Co-ordination in enforcement actions helps ensure that data controllers are not able to shop for the most favourable regulatory regime. It also prevents data controllers from claiming that an issue has already been investigated on the basis of an unsatisfactory investigation, potentially conducted by a DPA with limited capacity or with little capacity for sanctions or fines.

6.2 HARMONISATION OF PRIVACY ENFORCEMENT

Similarly, increased co-ordination and co-operation between DPAs within Europe, including the sharing of best practices and legal reasoning, can contribute to the harmonisation of the practical activity of data protection authorities. This would mean that data controllers would better know what to expect from their interactions with DPAs and would not have to deal with a wide range of different methodologies and approaches. This would have benefits for the common market.

6.3 EXPAND EUROPEAN MODEL OF PRIVACY AND DATA PROTECTION

The activity of the Article 29 Working Party has been identified as particularly influential and a model of good practice for co-ordination, even by some DPAs outside the EU. If the EU is able to offer strong lessons and best practice, based on its experience in data protection activity and privacy enforcement, then this offers the potential for the expansion of the European model of privacy and data protection outside the EU, as other countries work with EU DPAs and potentially learn from them. There are of course limits to this process, based upon national privacy and data protection regimes.
6.4 PROTECT EUROPEANS IN THIRD COUNTRIES

Co-ordination helps ensure that Europeans are protected in third countries. By building relationships with non-European DPAs and equivalent organisations, European DPAs acquire avenues for communication and interaction which can be used to ensure that the data protection rights of European citizens are not infringed.

6.5 RAISE OVERALL STANDARD OF PRIVACY PROTECTION

Finally, co-operation should help raise the overall standard of privacy protection. More resources can be brought to bear more efficiently on particular investigations and issues. This provides a greater chance of appropriate and adequate handling of privacy investigations and of the protection of European citizens’ privacy and data protection rights. Additionally, different perspectives on these issues can be illuminating, increasing the collective expertise of the privacy protection community.


7 FINDINGS AND RECOMMENDATIONS

In this section we bring together the findings from this study and then present recommendations on improving co-operation and co-ordination for privacy enforcement.

There is no global system for privacy enforcement co-operation…

There is currently no single global system for co-operation and co-ordination of privacy enforcement activities. There is no foundational international treaty in this area. There are a variety of national and regional legal regimes.

However, privacy enforcement co-operation and co-ordination is occurring…

The case studies in section two show that privacy enforcement co-operation has occurred, and may be increasing in both frequency and level of organisation. However, this collaboration remains primarily in ad hoc forms. Co-operation ranges from full joint investigations to shared inquiries and letter-writing. The most common mode of European co-operation for individual investigations is the identification of the data protection authority with appropriate jurisdiction, then delegating the leadership of any collective response to this authority. Similarly, group investigations tend to be formed by “coalitions of the willing”.

…with some regional clusters and emergent organisations

The EU, OECD and APEC have particular influence in this field. The European case studies and the overview of the Working Party’s co-ordination work demonstrated a strong role for the Article 29 Data Protection Working Party in European collaboration. More generally, the European network of overlapping mechanisms for co-operation provides a range of options for collaboration and the building of consensus at different levels and for different purposes. It provides European DPAs with a degree of flexibility in forming different coalitions. Regular interaction may be supportive of developing habits of communication, co-operation and co-ordination.
This interaction is supported by data protection law (Directive 95/46/EC) and the Council of Europe Convention 108. International networks are generally voluntary and not legally binding. GPEN is a relatively new development which has demonstrated some initial successes. It is a non-binding network for co-operation between privacy enforcement authorities, with an open, potentially global membership and some organisational support from the OECD.

…but is not as effective as it could be

DPAs themselves identified a large number of cases of potential and actual, effective and ineffective international co-operation between DPAs. Several cases in the case study analysis demonstrate that whilst there have been effective collaborations between DPAs, there have also been some cases that clearly exhibit duplicated effort or incomplete communication (for example, the multiple investigations of the Sony network hacking and the Google Street View case).

Co-operation and co-ordination mechanisms do exist at multiple levels

The analysis of co-operation and co-ordination mechanisms, in the EU and internationally, shows that multiple networks and organisations of DPAs and privacy enforcement authorities exist at multiple levels. These range from bilateral memoranda of understanding, language groupings and regional groupings, up to the international level. The survey results suggest that DPAs primarily desire more co-operation and co-ordination at the international level. These networks can be seen as complementary rather than in competition with each other; however, limited resources mean that some DPAs can only participate in some selected networks, which presents these DPAs with a choice about which they may find the most effective.

…but are primarily conducted through senior roles

There are several mechanisms at the level of senior representatives, privacy commissioners and heads of DPAs, such as the Spring Conference and the Article 29 Working Party, but there are fewer opportunities for co-ordination at operational levels, unless these are established by the individual DPAs in the course of a collective investigation. In that case, these mechanisms are likely to be informal and ad hoc. The Case Handling Workshop, study visits and staff exchanges are important counterweights to this tendency.

Clear desire for co-operation and co-ordination among DPAs

From the case studies, survey and interviews, there is also good evidence of a clear desire for increased co-operation and co-ordination in enforcement, as well as information sharing between DPAs, even on unrelated cases. DPAs generally appear interested in learning from the experiences of other DPAs and engage in informal ad hoc consultation and “watching with interest”. DPAs appear to recognise that they face challenges in privacy enforcement that cross national boundaries, including specific incidents that require a co-ordinated response, and that they may well be responding to similar issues to their peers in other countries.
Even when individual DPAs felt unable to co-operate with their peers, for example because of manpower or resource limitations, they expressed a desire to do so, and a belief that such co-operation would be productive and beneficial.

Not all DPAs co-operate and co-ordinate to the same extent

There appears to be a core group of DPAs, many of them located in European Member States, which are involved in almost all of the co-operative arrangements available to them. These are also the DPAs with the largest resources and the most staff assigned to international relations. Encouraging networking amongst these DPAs is therefore not particularly problematic, and it may be worthwhile focusing policy attention elsewhere. These DPAs might, however, be expected to play a leadership role in expanding the opportunities for co-operation and co-ordination out to DPAs outside this “core”.

Some tools for co-ordination exist, but these are currently limited and under-used

There are multiple lists of nominated DPA contacts (OECD, Case Handling Workshop mailing list, GPEN, APEC, Article 29), but these lists are currently separate from each other and need to be reconciled, in a manner which is sustainable. Similarly, a number of websites act as potential hubs for information sharing (Article 29, Council of Europe T-PD, Berlin Group). The responses to the survey suggest a clear desire for online tools to facilitate sharing information, but also that not all DPAs are aware of all the co-operative resources and networks that might be available to them.


Key challenges for co-operation and co-ordination remain

A lack of situational awareness of the international privacy enforcement context is a key barrier to effective co-operation. DPAs identified a lack of information from their peers about co-operation and co-ordination activities. This highlights the important role that centralised groups with regular channels of communication can play.

From the survey and interviews, legal barriers to the sharing of information between DPAs appear to be less significant than may have been believed, although they remain particularly significant for some DPAs because of their legal constitution. In the absence of harmonised legislation (which may be facilitated by the GDPR), it becomes important for co-operating DPAs to understand the limitations, powers and capacities of their peers.

Limited resources that can be devoted to international working are a key issue that limits co-operation and co-ordination, whilst in part driving the desire to increase them. DPAs have variable funding, capacity and experience, and different powers in enforcement, investigation and audit, whilst some can only investigate following complaints. Responses to the survey showed that DPAs, both within Europe and externally, had highly variable numbers of staff. However, converging the powers of DPAs was not seen as the highest priority for increasing co-ordination and co-operation. The WhatsApp case study suggests that co-operation on privacy enforcement is possible even across different legal regimes and with different enforcement powers.

DPAs are not the only organisations that need to be involved in the co-ordination of privacy enforcement activity. Well supported DPAs and networks are better able to leverage co-operation. When they are not well supported (as in the case where the Commission and the Article 29 Working Party adopted differing positions on WADA’s code review (see section 2.8)), co-ordination efforts can be undermined.
Similarly, whilst it is important to have closed sessions, and networks with membership limited to accredited DPAs, for sensitive discussions and building common positions, it is also important to have networks that can include other authorities with some form of privacy enforcement brief, and even representatives from government, NGOs, academia and the private sector. The mix of overlapping networks currently contributes to this capacity.

7.1 RECOMMENDATIONS

Based on the research and analysis in this report, including our survey of and interviews with DPAs, we present the following summary of suggested measures to improve co-operation and co-ordination. Each proposed measure for improving co-operation and co-ordination between DPAs on privacy enforcement is followed by an evaluation and related issues.

Memoranda of co-operation / Memoranda of understanding / Bilateral agreements

Several MoUs already exist and DPAs have found these useful, both in spelling out what forms co-operation can take and in setting out their protocols for co-operation and co-ordination. Some DPAs require such an agreement before they can co-operate or share information. These can be achieved relatively easily, if two parties are willing, and do not require the same degree of consensus as is required for forming or operating in larger groups.

Expand non-binding instruments

Non-binding agreements between DPAs can provide the basis for co-ordination in terms of expected methods of communication, protocols for requesting assistance, standard forms, and fora for interaction. Being non-binding, they allow DPAs to build the foundations for co-ordination whilst respecting national law and the discretion of the participants.

Regional agreements

Some regional agreements already exist, and participants appear to find these useful, especially when the regions share common languages or systems of law and government. The larger regional organisations, including supranational governments such as the EU, play an important role in supporting co-operation and co-ordination in data protection and privacy enforcement.

Common information platform / intranet for DPAs

Several DPAs suggested the creation or development of a common information platform for DPAs in order to make key information available, host discussion fora, communicate easily, receive responses quickly and access information in an organised manner. A platform like this would respond to the challenges of situational awareness. Such a system would need to be secure in order to protect confidential information and to encourage open discussion between participants. It would also need layered access controls so that DPAs could share information with appropriate participants only. Beyond these requirements there are several options for what sort of information should be hosted on such a system, which are explored below.

…with a list of contact persons

Several lists of contact persons for international communication between DPAs exist. It would be advisable to collate and co-ordinate these lists into a single, regularly maintained database of international contact points.

…with a repository of best practice

This would allow DPAs (including operational staff) to learn from their international peers. Best practice could expand beyond privacy enforcement to include media and public communication, training, technology watch and other areas of interest to DPAs. A repository of best practice should be combined with a discussion forum or commenting system to allow participants to discuss (and challenge) these best practices.

…with a repository of case law / legal reasoning

Maintaining and sharing a database of the legal reasoning that DPAs have used to come to particular decisions can help avoid divergent decisions about the same matter. This resource would also allow DPAs within the same legal regime to learn from the experiences of their peers.

…with a repository of DPA powers / data protection acts

A central accessible database of the foundational legislation granting DPAs their authority and powers, translated into common languages would allow participants in co­operative exercises to understand the capacities of their partners. The PHAEDRA project deliverable 2.1 Legislative Review has collated legal provisions that both facilitate and impede co­operation and co­ordination.438

…with a secure mechanism to indicate interest in investigation

One challenge to co­operation is knowing when other authorities are interested in or intending to start an investigation, which would be conducted collectively, or co­ordinated in some other manner. One response to this, potentially based on the GPEN website, would be a mechanism for indicating such interest to other DPAs.

Co-operation between organisations

There is already co-operation between organisations, but there is also the potential for this to be increased and improved, for example by involving GPEN more closely in the work of the International Conference. Those DPAs that are involved in multiple networks are in a strong position to support this activity, which could bring the strengths of different networks into play. The overlapping and complementary networks that currently exist do offer some advantages, and it may not be necessary to bring these networks into full alignment.

Workshops and conferences

This suggestion involves expanding existing workshops and conferences, or hosting more of them. Whilst this will likely have benefits in terms of increased interaction and communication between DPAs (including staff at operational levels), there are already a number of workshops and conferences available (likely more than several DPAs can attend because of budgetary limits), and such benefits may have diminishing marginal returns. Co-ordination at the level of conferences and workshops appears to be relatively strong, and it may be most effective to devote resources to other forms of co-ordination.

Increased funding and additional resources

Whilst increased funding and resources are seen as desirable by many DPAs, this is not seen as particularly likely. DPAs may need to decide how much of their own internal resources to devote to international collaboration. Strong evidence on the benefits of international co-operation and co-ordination may help with this.

Combined technological and R&D activities

In addition to privacy enforcement co-operation, it may be possible for DPAs to engage in combined technological and R&D activities, as this is another area where they are likely to be encountering similar issues (for example, new and emerging technologies which may pose privacy challenges) and where there might be a similar duplication of effort. R&D may also involve the development or assessment of forensic tools for use in investigations. Such co-operation may be best determined by individual DPAs, again in coalitions of the willing and able, although efforts should be made to share and distribute the results of such efforts through the existing international networks and organisations.

438 De Hert, Paul and Gertjan Boulet, “Deliverable 2.1 A compass towards best elements for cooperation between data protection authorities”, PHAEDRA project deliverable 2.1, Brussels, February 2014. Available at http://www.phaedra-project.eu/wp-content/uploads/PHAEDRA_D2.1_final.pdf

Training for staff on co-operation and co-ordination

International co­operation between DPAs is a relatively new area, and staff may not have experience or skills to undertake these activities. Including training on international co­operation and co­ordination in professional development programmes for DPA staff may support this, but it is unclear if the capacity to develop the content of such training yet exists.

Identification of areas where co-operation and co-ordination is possible, and where it is not

Because they may operate under different legal regimes, different DPAs may not be able to conduct the same actions in the same contexts. However, this is not necessarily a barrier to co-ordination and co-operation, as long as the various parties are aware of the capacities of their partners. Rather than attempting to identify these capacities in the course of an investigation (with the risk that capacities not identified in advance have adverse effects on the investigation), these possibilities (and limitations) should be explored by the DPAs beforehand. On this basis, intelligent co-ordination may be achieved. This task would require analysis of the capacities of each DPA, and collective analysis of how these capacities and restrictions interact.

Collective plan or strategy

Increased precision about what is to be achieved through international co-ordination and co-operation could be established through a collective plan or strategy developed by DPAs.

International secretariat

Both the Article 29 Working Party and GPEN have a secretariat, but the ICDPPC does not. The absence of a secretariat means that the ICDPPC is organised by a new team each year, and suffers from problems of discontinuity. Establishing a small international secretariat was seen by some DPAs as a way of facilitating co-ordination and building institutional structures for co-operation. Finding agreement on funding, as well as on location, capacity, and the particular role and responsibilities of the secretariat, makes this a challenging effort.

Linking privacy to other issues (security, consumer protection)

Rather than engaging only with other DPAs, it may be possible to connect with other networks on related issues. These areas may have existing co-operation and co-ordination arrangements or mechanisms, which DPAs could either learn from, work with, or potentially join.