During their “Fireside Chat” at Dentons’ offices in London today, UK Information Commissioner Christopher Graham and former Interim Canadian Privacy Commissioner Chantal Bernier previewed details of a new cooperation agreement amongst global data protection authorities that will be announced at the Data Protection and Privacy Commissioners Conference in Amsterdam later this month.
First discussed during the data protection authorities (DPAs) conference in Mexico City in 2011, the Arrangement, as it’s being referred to, creates a common understanding of the obligations of DPAs as they work together, so that separate memorandums of understanding don’t have to be negotiated and signed each time DPAs coordinate on a case.
“The great irony,” Graham explained, “is that very often DPAs are slow on the job because they’re respecting data protection and that is the height of madness: ‘Oh, I would love to talk to the Canadians, but that would involve moving data out of the EU, so I can’t do that.’ How absurd.”
The Arrangement will speed up the ability for DPAs to co-investigate and share information, Bernier noted, referencing a case recently where Canada's Office of Privacy Commissioner was able to work with the Romanian commissioner’s office to shut down sites that were shaming Canadians with personal information culled from the Internet and essentially extorting payments from their victims for removing the information.
This kind of coordination, along the lines of what GPEN has been doing with its privacy sweeps, is something you’ll see much more of in the future, Graham and Bernier agreed, in addition to groups like the Article 29 Working Party and APEC.
[quote]If you’re trying to get away with stuff, it may not be good news. -Christopher Graham[/quote]
“A big theme of this year’s conference is what’s called ‘privacy bridges,’ led by Dutch Commissioner Jacob Kohnstamm,” Graham noted. “There’s no point in the Europeans lecturing the Americans or the Americans lecturing the Europeans. Our systems are not the same, but just because you don’t have the same system doesn’t mean you can’t find points of purchase.”
To that end, there is already the Francophone Association of Data Protection Authorities (the AFAPDP, housed with the CNIL), which brings together 27 commissioners in 24 countries, and there is talk of a similar group, Bernier said, that would extend the Iberian collaboration between the Portuguese and Spanish commissioners out toward many of the Latin American DPAs.
Further, Bernier referenced the formation of what is being called the Common Thread, announced at last year’s DPAs conference in Mauritius, and which brings together data protection authorities that were formerly part of the British Commonwealth, including countries in Eastern Africa, Southern Asia and India. Having been a part of the Francophone group, which includes a number of developing nations in Western Africa, Bernier felt a similar group to bring together other developing economies with a common colonial touchpoint to Canada’s would make sense.
“Now this has life,” she said, “and the big tiger is India.” While there may not yet be a strong privacy regime there, she and Graham both expressed hope that the privacy expectations of European citizens would provide an incentive to those processors in India looking to do business with the EU.
The downside of all this collaboration, Graham joked, for data controllers is that “authorities will more effectively be on your case. If you’re trying to get away with stuff, it may not be good news. But I would say, look on the bright side. It will be a more rewarding experience to deal with authorities who have their acts together.”