Data protection authorities from around the globe meet in Montreal to discuss enforcement cooperation
No one will ever forget that moment during dinner when two commissioners stood up and serenaded their hostess, Privacy Commissioner of Canada Jennifer Stoddart, with a heartfelt rendition of the Beatles’ “We Can Work It Out.” The gesture by UK Information Commissioner Christopher Graham and Dutch DPA Chairman Jacob Kohnstamm perfectly encapsulated both the tone and the content of a special two-day meeting in Montreal on May 14 and 15 to explore options for enhanced enforcement co-operation. The temporary working group was formed under the Resolution on Privacy Enforcement Coordination at the International Level
,
which was adopted last November during the 33
rd
International Conference of Data Protection and Privacy Commissioners in Mexico City. The Montreal meeting included representatives from 12 privacy enforcement authorities. The focus of their discussions was on developing practical ways in which to coordinate enforcement efforts. Given that some of the most significant privacy breaches stem from the global nature of the Internet, it follows that the actions of those entrusted with investigating these breaches should also become global. The group agreed that there is nothing to be gained from a dozen authorities investigating the same incident in silos and everything to be gained from them using their limited resources in a concerted fashion. As one delegate put it, data protection authorities should aim to be less like the Lilliputians against Gulliver and more like David against Goliath. One obstacle to co-operation in enforcement matters is in not knowing who is doing what. Too often, two or more enforcement authorities start looking into the same issue or incident without realizing that others are looking into the same matter. Another obstacle is the differences among enforcement authorities in terms of their ability to share information and their investigative processes. Much of the discussion focused on practical suggestions that could be implemented immediately or in the very near future to overcome these obstacles—such as joining the Global Privacy Enforcement Network and using bilateral memoranda of understanding until multilateral co-operation agreements can be negotiated. The Canadian and Dutch authorities, who are presently conducting coordinated investigations on the practices of a single organization based in the United States, shared the lessons they have already learned from their positive experience. The greatest takeaway for them is that where there is a will, there is a way: When the head of the privacy authority is committed to enforcement co-operation and demonstrates that commitment to his or her team, things have a way of sorting themselves out. Recognizing that the key to protecting the privacy of the citizens under their jurisdictions in light of global threats is to collaborate toward international enforcement, the members of the working group agreed to complete 10 action items, which will also be shared with the conference membership at large. Each of these items is a simple, practical measure that can be adopted in the coming months and that is expected to facilitate co-operation between all privacy enforcement authorities. The working group will report to the International Conference on the progress of these items during a closed session at the 34
th
International Conference of Data Protection and Privacy Commissioners is Uruguay in less than six months. Because, “life is very short, and there’s no time for fussing and fighting my friends.”
