Privacy authorities typically perform regulatory and enforcement functions on their own - or occasionally with another public body - within their domestic jurisdiction. They know the domestic law they enforce. The law will clearly lay out the authority’s role and provide a clear pathway to the intended outcomes.

By contrast, cross-border cases offer none of these certainties.

We were recently asked the question: “What international privacy enforcement cooperation initiatives are in operation and what practical tools are available to facilitate cooperation?”

There are several difficulties:

• It may not be clear what authorities might or should be involved.
• The applicable law may be uncertain or unknown to authorities contemplating involvement in a case.
• The roles may not be clear or may be contested.
• The possible outcomes may not be known and the pathway to any outcome may not be clear.

For the past 10 years, much effort has been expended at an international level to create conditions whereby the chances of successful cross-border cooperation amongst regulators are improved. Here are some of those efforts and examples of the practical tools that now exist.

Building the right environment

Before turning to precise enforcement cooperation tools, it may be helpful first to canvas cooperation more widely.

It is probably unrealistic to expect instant success in cross-border enforcement, if an authority remains entirely domestically focused until it encounters its first case with a cross-border element.

Where would such a domestically focused authority turn? How would they know who to approach for assistance in a foreign jurisdiction? What would they know of the other jurisdictions law and how would they find out? What would an authority in another jurisdiction think of a request for assistance arriving ‘out of the blue’ from an authority it had never heard of?

Three approaches to creating cooperation might briefly be mentioned:

1. Networking with peers.
2. Connecting with stakeholders.
3. Access to law.

1. Networking with peers

The likelihood of successful cooperation across borders may be enhanced if you know your counterpart before that first case arises.Privacy authorities have networked with their peers for four decades through the International Conference of Data Protection and Privacy Commissioners.

Privacy authorities also network at a regional level. In our region this happens through the Asia Pacific Privacy Authorities Forum. Our French and Spanish speaking counterparts also have networks of their fellow-linguistic colleagues. 

There are also two specialised enforcement cooperation networks set up in 2010:

• APEC has established the Cross-border Privacy Enforcement Arrangement (CPEA), with 25 participating authorities.
• Global Privacy Enforcement Network (GPEN) was set up with the assistance of OECD, and now has participating authorities from 46 countries.

More information on these networks is available at the ICDPPC website.  

2. Connecting with stakeholders

Regulators and privacy enforcement bodies should engage with stakeholders such as global business, privacy professionals and civil society to build an environment for successful cooperation. Efforts by groups such as IAPP and iappANZ to build compliance capacity are positive steps that create an environment for cooperation.

3. Access to law

While no regulator has the time or inclination to become an expert in every other economy’s law, there are clearly benefits in some general information sharing about laws and legal interpretations. There is also benefit in being able freely to access legal information in greater detail as needed. In the area of privacy law, many of the key interpretations are issued by regulators rather than in court decisions, and may not be available through mainstream law reports.

There have been various efforts to address these deficits in legal information. Three examples from our own region are:

• APEC has each economy describe its privacy laws in a structured standardised way called an Individual Action Plan or Data Privacy IAP.
• The APPA Forum has issued standards for privacy authorities on citation and dissemination of case reports.
• The World Legal Information Institute (maintained in Australia) operates a huge free access repository of case reports and laws known as the International Privacy Law Library.

Tools for cooperation

The following are a selection of the practical tools developed in the last 10 years to promote enforcement cooperation:

• Policy guidance for updating existing privacy laws
• Cooperation networks
• Templates for requesting cross-border assistance
• Directories of enforcement contact points
• Standard statements of enforcement cooperation practices
• Discussion networks
• Templates for information sharing agreements
• Secure information exchange platforms
• Published guides

Updating existing laws

The OECD Recommendation on Cross-border Cooperation in the Enforcement of Laws Protecting Privacy (2007) provides a blueprint for upgrading privacy laws more effectively to deal with cross-border cooperation.

Cooperation networks

The OECD Recommendation on Cross-border Cooperation suggested a need for cooperation networks of privacy authorities. Several networks have accordingly been established since 2007:

• APEC’s CPEA (2010)
• GPEN (2010)
• ICDPPC’s Enforcement Cooperation Arrangement (2015).

Templates for cross-border assistance

Both the OECD and APEC have released Request for Assistance templates for seeking assistance from authorities in other member economies.

Directories of enforcement contacts

The OECD, APEC and Council of Europe have each established processes for nominating and listing national or economy contact points. These three international organisations have cooperated in maintaining a combined directory which is maintained for access by authorities through the GPEN website.

Standard statements

APEC has established a requirement for authorities that participate in the CPEA to publish standard statements of enforcement cooperation practices. This is published both on the authority’s own website and centrally on APEC’s system.

Discussion networks

GPEN has a facility for general discussions amongst enforcement staff on its password-protected forum pages. It also hosts 20 discussion teleconferences each year. These are split into two regions - Pacific and Atlantic.

Information sharing agreements

GPEN has a standard information sharing agreements applicable to the GPEN Alerts System. ICDPPC’s Enforcement Cooperation Arrangement also features an optional template for an information sharing agreement.

Information exchange platforms

GPEN has established the secure GPEN Alerts System.

Published guides

The EU’s PHAEDRA Project produced several reports useful to enforcement cooperation. The ICDPPC has produced an enforcement cooperation handbook. In 2016, an Enforcing Privacy textbook was published.

Conclusion

In the past 10 years, and particularly since the publication of the OECD’s 2007 Recommendation, considerable progress has been made in creating conditions conducive to cross-border cooperation and to provide privacy authorities with the tools they need.

Cross-border cooperation remains difficult and the greatest progress will probably only been made when all privacy laws are upgraded, as recommended by the OECD, with cross-border action in mind.

Image credit: Wagah border ceremony - Wikipedia

Asia Pacific Privacy Authorities (APPA), Global Privacy Assembly (GPA), International Association of Privacy Professionals (IAPP), OECD, International, Europe, legal, Asia Pacific