This report was prepared by the Information Commissioner s Office, United Kingdom (hereafter UK ICO ).

Similar documents
2016 Global Privacy Enforcement Network (GPEN)

Motorola Mobility Binding Corporate Rules (BCRs)

ENISA s Position on the NIS Directive

Promoting accountability and transparency of multistakeholder partnerships for the implementation of the 2030 Agenda

RESOLUTION 45 (Rev. Hyderabad, 2010)

EIT Health UK-Ireland Privacy Policy

6056/17 MK/ec 1 DG D 2B

10007/16 MP/mj 1 DG D 2B

Council of the European Union Brussels, 23 November 2016 (OR. en)

DATA PROTECTION POLICY THE HOLST GROUP

ENFORCEMENT POWERS. The EU Perspective. Olivier Proust. Associate Hunton & Williams LLP

The Global Research Council

Standardization mandate addressed to CEN, CENELEC and ETSI in the field of Information Society Standardization

Version 1/2018. GDPR Processor Security Controls

CEM Benchmarking Privacy Policy

Stakeholder Participation Guidance

Dated 3 rd of November 2017 MEMORANDUM OF UNDERSTANDING SIERRA LEONE NATIONAL ehealth COORDINATION HUB

Global Specification Protocol for Organisations Certifying to an ISO Standard related to Market, Opinion and Social Research.

The Core Humanitarian Standard and the Sphere Core Standards. Analysis and Comparison. SphereProject.org/CHS. Interim Guidance, February 2015

ADMA Briefing Summary March

STATEMENT OF STRATEGY

Global Infrastructure Connectivity Alliance Initiative

Remit Issue April 2016

NHS R&D Forum Privacy Policy: FINAL v0.1 May 25 th 2018

FIRE REDUCTION STRATEGY. Fire & Emergency Services Authority GOVERNMENT OF SAMOA April 2017

Joint Declaration by G7 ICT Ministers

INSPIRE status report

IT Governance ISO/IEC 27001:2013 ISMS Implementation. Service description. Protect Comply Thrive

Global Wildlife Cybercrime Action Plan1

Managing Jurisdictional Risks for Public Cloud Services

PS Mailing Services Ltd Data Protection Policy May 2018

UWC International Data Protection Policy

Copernicus Space Component. Technical Collaborative Arrangement. between ESA. and. Enterprise Estonia

This Privacy Policy applies if you're a customer, employee or use any of our services, visit our website, , call or write to us.

Call for expression of interest in leadership roles for the Supergen Energy Networks Hub

Cybersecurity Policy in the EU: Security Directive - Security for the data in the cloud

This Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) ( GDPR ).

KISH REMARKS APEC CBPR NOV 1 CYBER CONFERENCE KEIO Page 1 of 5 Revised 11/10/2016

Package of initiatives on Cybersecurity

Data Protection and GDPR

International Nonproliferation Export Control Program (INECP) Government Outreach for Enterprise Compliance

Aon Service Corporation Law Global Privacy Office. Aon Client Data Privacy Summary

EXAM PREPARATION GUIDE

Data Protection System of Georgia. Nina Sarishvili Head of International Relations Department

Background Note on Possible arrangements for a Technology Facilitation Mechanism and other science, technology and innovation issues

Cybersecurity. Quality. security LED-Modul. basis. Comments by the electrical industry on the EU Cybersecurity Act. manufacturer s declaration

FIRST TIER COMPLAINTS HANDLING GUIDANCE

Electronic Commerce Working Group report

RESOLUTION 130 (REV. BUSAN, 2014)

Commission Action Plan on Environmental Compliance and Governance

Guiding principles on the Global Alliance against child sexual abuse online

G8 Lyon-Roma Group High Tech Crime Subgroup

Brussels, 19 May 2011 COUNCIL THE EUROPEAN UNION 10299/11 TELECOM 71 DATAPROTECT 55 JAI 332 PROCIV 66. NOTE From : COREPER

Status of activities Joint Working Group on standards for Smart Grids in Europe

IAEA Perspective: The Framework for the Security of Radioactive Material and Associated Facilities

The University of British Columbia Board of Governors

GSEP Sectoral Working Groups (Power WG, Steel WG, Cement WG) Ministry Economy,Trade, and Industry

EXAM PREPARATION GUIDE

13967/16 MK/mj 1 DG D 2B

GC0106: Mod Title: Data exchange requirements in accordance with Regulation (EU) 2017/1485 (SOGL)

The commission communication "towards a general policy on the fight against cyber crime"

RESOLUTION 47 (Rev. Buenos Aires, 2017)

CERTIFICATION BODY (CB) APPROVAL REQUIREMENTS FOR THE IFFO RESPONSIBLE SUPPLY (IFFO RS) AUDITS AND CERTIFICATION

ITU Asia-Pacific Centres of Excellence Training on Conformity and Interoperability. Session 2: Conformity Assessment Principles

THE BERKSHIRE ARCHERY COACHING GROUP PRIVACY NOTICE

Our Data Protection Officer is Andrew Garrett, Operations Manager

Regulating Cyber: the UK s plans for the NIS Directive

Resolution adopted by the General Assembly on 21 December [on the report of the Second Committee (A/64/422/Add.3)]

NIS Directive : Call for Proposals

It applies to personal information for individuals that are external to us such as donors, clients and suppliers (you, your).

This procedure sets out the usage of mobile CCTV units within Arhag.

Cyber Security Strategy

15412/16 RR/dk 1 DGD 1C

CHAPTER 13 ELECTRONIC COMMERCE

etning_2015_web.pdf

EXAM PREPARATION GUIDE

Third public workshop of the Amsterdam Group and CODECS European Framework for C-ITS Deployment

Report from UN-GGIM: Europe A year in review

This article will explain how your club can lawfully process personal data and show steps you can take to ensure that your club is GDPR compliant.

EXAM PREPARATION GUIDE

Frequently Asked Questions

Report of the Working Group on mhealth Assessment Guidelines February 2016 March 2017

World Wide Jobs Ltd t/a Findmyexpert.com Privacy Policy 12 th April 2018

PROJECT BACKGROUND AND RATIONALE

Data Processor Agreement

Developing an integrated e-health system in Estonia

EXAM PREPARATION GUIDE

RESOLUTION 130 (Rev. Antalya, 2006)

Wesley House data protection statement and privacy notice (short-course delegates)

STRATEGY ATIONAL. National Strategy. for Critical Infrastructure. Government

Multi-lateral and Bi-lateral Cooperation: the Australian Approach.

POWER AND WATER CORPORATION POLICY MANAGEMENT OF EXTERNAL SERVICE PROVIDERS

EXAM PREPARATION GUIDE

Notification under the North West Children s Services Information Sharing Protocol (ISP)

APF!submission!!draft!Mandatory!data!breach!notification! in!the!ehealth!record!system!guide.!

EXAM PREPARATION GUIDE

CNPD Course: Data Protection Basics

European Union Agency for Network and Information Security

EISAS Enhanced Roadmap 2012

EUROPEAN COMMISSION DIRECTORATE-GENERAL INFORMATION SOCIETY AND MEDIA

Transcription:

REPORT TO THE 38 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS - MOROCCO, OCTOBER 2016 ON THE 5 th ANNUAL INTERNATIONAL ENFORCEMENT COOPERATION MEETING HELD IN MANCHESTER, UK, IN MARCH 2016 This report was prepared by the Information Commissioner s Office, United Kingdom (hereafter UK ICO ). The UK ICO hosted the fifth Annual International Enforcement Cooperation event in Manchester on 21 and 22 March 2016. The event reflected on the recent initiatives taken within the International Conference framework to improve cross-border enforcement cooperation. It also explored areas where further work may be needed for a more effective cooperation. The 2016 International Enforcement Cooperation event Manchester, 21-22 March 2016 The 2016 international coordination event took place in Manchester Airport and Alderley Park on 21-22 March 2016. It principally considered how the recent tools developed to facilitate cross-border enforcement cooperation can enable the international enforcement community to move on up to an efficient form of cooperation among law enforcement authorities. The event consisted of break-out workshops on the practical aspects and implications of cross border enforcement activities. The workshops were followed by discussion on the practical usefulness of the enforcement cooperation tools which authorities now have at their disposal. Using case studies based on real-life examples, the workshops provided participants with the opportunity to evaluate potential models, approaches and solutions that data protection and privacy authorities can consider when addressing cross border data privacy infringements, from identifying threats and gathering intelligence through to the possibility and constraints to engaging in enforcement cooperation, depending on 1

legal powers, investigation capabilities and other factors influencing how collaboration will work in practice. The scenarios also gave participants the chance to explore the various ways authorities gather intelligence, make use of investigative techniques and technical expertise and engage with international colleagues. Participants discussion on the case studies also emphasised how tools such as the Global Cross-border Enforcement Cooperation Arrangement and the Enforcement Cooperation Handbook may be complementary to authorities thinking in developing their cross border enforcement strategies, coordinating specific investigations and identifying threats, challenges and opportunities. Among the key discussion points arising out of the workshop were: Checking that your authority has completed a thorough legal analysis before sharing any information. Including points in the Handbook in relation to considering the most appropriate jurisdiction for consumers to seek redress in and choosing the form and partners for cooperation. The possibility of proceeding with one-way sharing (ie sharing information with a country that cannot share back). Importance of timeliness of responses and investigations including how to develop detailed mutually-acceptable milestones. Details on how to establish agreement between parties terms of reference/investigative scope. Ability for a Data Protection or Privacy Authority to request a response sent to another authority from a Data Controller. Procedural fairness considerations, particularly in relation to procedures pursuant to which shared evidence was gathered. The second day of the event was dedicated to assess the usefulness and the specific purposes of the Arrangement and the Enforcement Handbook, looking at the experience of authorities who have already implemented or integrated these tools into their day-to-day operations. Participants largely agreed that the Handbook steered in the right direction by signposting information that case investigators would need to have at hand when considering possible actions under a cross-border enforcement framework, be it the Global Arrangement or another form of cooperation. 2

Suggestions received from participants have provided opportunities to expand existing sections of the handbook or clarify points about data subjects access to information, and access to redress, as well as integrating the points outlined in the key discussion outcomes listed above. GPEN Side-meeting Continuing the engagement that the International Conference has had with the Global Privacy Enforcement Network (GPEN) over the years, and considering the clear overlap in membership between the two networks, an invitation had also been sent to GPEN members to meet up in Manchester in the margins of the International Enforcement Cooperation event. The side-meeting took place in the early afternoon of Monday 21 March, with an update from the GPEN Committee covering the network s activities over the previous twelve months and a conversation with participants regarding the work that the network should consider doing in the near future. Privacy Bridges workshop There was also a special session on Tuesday 22 March afternoon which followed up the Privacy Bridges report from the 2015 Amsterdam International Conference. This workshop, which was presided by the chair of the Dutch data protection authority (Persoonsgegevens Autoriteit) with a panel of US and European policy and technology experts, focused on two related privacy bridges these being User Control on the one hand and Transparency on the other. This led to discussions on the challenge posed by new technologies and the complex digital environment in which individuals control over their personal data is clearly eroding. A recording of the workshop is available online. Future work These follow-up activities emerged from the discussion among delegates: The U.K. ICO and Canada OPC promised to bring relevant amendments to the Handbook in line with recommendations to expand certain sections, as raised at the workshops, and the updated Handbook would be presented ready in time for the 2016 3

International Conference in Morocco; Participant authorities were encouraged to continue to share, via available platforms or fora, their experiences of how they are operationalising the Global Cross Border Enforcement Arrangement at their Authority, including staff awareness and training, procedures. Acknowledgement that regional and thematic networks of data protection/privacy enforcement authorities still need to do more to improve the exchange of information between them to avoid silos of valuable enforcement expertise. Participants also recommended proposing to the International Conference to develop a secure website, with password protected access controls, for authorities to populate with details about their legal powers, evidentiary requirements, definitions of personal data and confidential data, and to propose that GPEN could be used as a potential vehicle to pursue this in view of its operational focus. A separate draft resolution will be prepared for the consideration of the International Data Protection and Privacy Commissioners at the 38 th Conference in Morocco. In addition to the above, suggestion was made that organising a yearly grassroots enforcement practitioner (case officer level) event for all authorities around the globe would be beneficial to authorities as a concrete means to enhance operational enforcement capacity and relationships. As a test pilot, the GPEN Committee would look into the possibility of organising such an event alongside the European Case Handling workshop in 2017. Enforcement cooperation with enforcement authorities in those countries outside Europe will become even more relevant for European data protection and privacy authorities to address as they will be confronted with the implementation of the European General Data Protection Regulation and the requirement to provide, under its Article 50, international mutual assistance in the enforcement of legislation for the protection of personal data, including through notification, complaint referral, investigative assistance and information exchange. The International Conference 2016 needs to nominate a Host for the International Enforcement Cooperation event in 2017. 4

BACKGROUND Since the 33rd International Conference in Mexico in 2011, significant progress has been made by members to enhance arrangements for crossborder enforcement cooperation. While efforts had already been undertaken prior to the 33 rd International Conference, the resolution on Privacy Enforcement Co-ordination at International Level adopted by the Conference in 2011 stepped up the engagement of participants in committing resources to facilitate crossborder enforcement activities: - The resolution mandated creation of an international enforcement coordination working group (IECWG) to come up with concrete international enforcement coordination mechanisms; - the Conference agreed on the organisation of a global annual event to discuss international enforcement coordination. The 2016 International coordination and cooperation event was the fifth meeting of its kind.the inaugural international meeting was held in Montreal in 2012 and subsequent meetings were held in Washington (2013), Manchester (2014) and Ottawa (2015); - the resolution encouraged all data protection and privacy enforcement authorities to undertake some work internally to understand any legal, technical or political barriers they may have to engaging in international enforcement coordination. An international enforcement coordination mechanism Fulfilling the mandate that it had received at the 33 rd and 35 th International Conferences, the IECWG developed a common approach to cross-border case-handling and enforcement coordination which was embodied in a multilateral framework document, the Global Cross Border Enforcement Cooperation Arrangement. This mechanism was later adopted at the 36 th International Conference in 2014 for data protection and privacy authorities to use on a voluntary basis to facilitate enforcement cooperation between members and the first intentions to participate in the Arrangement were confirmed during the 37 th International Conference in The Netherlands, in October 2015 once the mechanisms inside the Arrangement had been established. 5

A number of additional authorities have signed up to the Arrangement since then, emphasising the importance they are attaching to improving international enforcement cooperation and common practices. Elaborated to address the gaps in international cooperation activities, the Arrangement encourages authorities participating in this mechanism to - share information, including the treatment of confidential enforcement-related information about potential or on-going investigations; - promote common understandings and approaches to cross-border enforcement cooperation; and - coordinate cross-border cooperation and assistance in the most efficient manner; without creating legally binding obligations, overriding other competing legal obligations that authorities might be subject to or compelling participants to share any information. Enforcement Cooperation Handbook In addition to the Arrangement, the 37th International Conference in 2015 was also presented with the Enforcement Cooperation Handbook, a document prepared by the UK ICO and the Canada OPC, acting as cochairs of the IECWG, to serve as guidance to authorities participating or who wish to participate in the Arrangement in relation to the practical implementation of enforcement cooperation by providing (i) (ii) (iii) a non-exhaustive list of issues an authority may face in preparing for, and engaging in, enforcement cooperation, potential models, approaches and solutions that authorities can consider implementing to address such issues and, factors to consider in determining what, if any, proposed strategies may be appropriate in specific circumstances. The Guidance was also designed as a living document to be updated from time to time as the global privacy enforcement community gains further experience with enforcement cooperation. 6

Further details: For further information about this event, please contact international.team@ico.org.uk 7

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback