29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE
29th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS

OECD Work on Cross-border Privacy Law Enforcement Co-operation
Michael Donohue

Overview

Working Party on Information Security and Privacy
– created expert group: privacy officials, EC, CoE
– chaired by the Privacy Commissioner of Canada
– consulted with business, civil society, other intl groups
Report on Privacy Law Enforcement (Oct. 2006)
– describes existing enforcement authorities and systems
– identifies cross-border challenges
New OECD Instrument (June 2007)
– OECD Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy
– now into the implementation stage

Why work on improved enforcement co-op?

The need for this work is a recurring theme for OECD...
OECD Privacy Guidelines (1980)
– facilitate mutual assistance in procedural & investigative matters
Ottawa Ministerial Declaration (1998)
– ensure effective enforcement mechanisms for non-compliance and redress
Report on Privacy Online (2003)
– establish mechanisms for cross-border co-operation between public agencies in procedural and investigative matters

...and consistent with a broader trend...
Intl Commissioners Conference (Montreux Declaration)
APEC Data Privacy Subgroup
Council of Europe, EU Art. 29 Working Party

The evolving climate for data flows and privacy risks

Technology and Data flows
– fast, cheap connections
– efficient storage and processing
– data and voice converge via IP
– data flows with a mouse click
Changing Business Processes
– global distribution of tasks
– international data transfers are increasingly integral to the economy
– human resources, financial services, customer service, education, e-commerce

The evolving climate for data flows and privacy risks

Privacy risk environment
– Data breach
– Secondary usage
– Identity theft
Changing user perceptions
– Data breach reports consumers may go elsewhere
– Increasing fears of data misuse threaten online banking interest
– Online users mobilise fast

The New Recommendation

Adopted by the OECD Council on 12 June 2007
– approval at level of ambassadors sends an important signal
– non-binding, but represents a serious political commitment
– co-operation occurs within existing legal frameworks
– leaves the implementation details to member countries and their authorities
What does it do?
– recites high-level policy objectives
– identifies key elements for successful co-operation
– invites non-OECD economies to collaborate with OECD members
Builds on OECD precedents on enforcement co-operation
– consumer protection, spam, competition law
Grounded in the 1980 OECD Privacy Guidelines

Scope and Related Issues

Covers the enforcement of Laws Protecting Privacy
– national laws, the enforcement of which has the effect of protecting personal data consistent with the OECD Privacy Guidelines
Focus of the Recommendation
– violations most serious in nature
– primarily aimed at laws governing the private sector (but can include public sector)
– not intended to interfere with government activities related to sovereignty, security, public policy
Recognises the role of discretion
– authorities may decline or limit assistance where the request is outside the scope or otherwise inconsistent with national laws, important interests or priorities

Key Actors

Privacy Enforcement Authorities
– Public bodies
– Enforcement responsibility for Laws Protecting Privacy
– Power to investigate or pursue enforcement proceedings
Other stakeholders
– Criminal law enforcement bodies
– Privacy officers in organisations
– Private sector oversight groups
Don't forget governments

Domestic Measures

Recognises that you need to have the right domestic arrangements to co-operate internationally
Calls for a review of laws, procedures -- and adjustments if needed
Authorities need effective powers
– sanctions and deterrence
– investigations
– corrective action
Authorities need the ability to co-operate
– to share information
– to provide assistance (e.g., obtain documents or statements)

International Co-operation

Mutual Assistance
– requests for assistance
– preserve the confidentiality of non-public information
– respect the purpose specified when information exchanged
– co-ordinate investigations to (at a minimum) avoid interference
– referral of complaints, notifications
Collective initiatives in support of mutual assistance
– contact points, information about laws
– sharing information about outcomes
– foster the establishment of an informal network of authorities
Co-operation with other stakeholders
– criminal authorities, privacy officers, civil society, business

Implementation

Developing a Contact List
– single national point of contact
– internal list (with complete contact information)
– public list (without personal contact information)
– co-ordination with other lists (e.g. APEC)
Request for Assistance Form
– identifies key categories of information
– ensures careful pre-request preparation
– flexible: can be adapted to fit the situation
– non-duplicative: doesn't ask for what is readily available elsewhere
Review implementation and report back to Council: June 2010