Data protection authorities around the globe participate in a forum known as the International Conference of Data Protection and Privacy Commissioners. To be accepted into the Conference, members must be the highest data protection or privacy enforcement body in their nation, with an “appropriate range of legal powers” as well as “autonomy and independence.”
Conference members convene annually, participate in working groups and committees, and ultimately develop public resolutions and reports. Although their goals include promoting privacy rights internationally, they are also invested in “dialogue, cooperation, and information sharing,” particularly regarding enforcement actions.
Accordingly, privacy professionals concerned about protecting their employers’ and clients’ interests do well to know about and understand not only the Conference’s membership and inner workings, but also the significant body of policy work the Conference produces via its reports and resolutions. These works shed light on the issues of greatest interest and concern to privacy and data protection regulators.
The IAPP has reviewed the Conference’s resolutions and reports, dating back to its inception in 1979, and – for the first time anywhere – has organized them by subject matter.
The Conference’s public resolutions and reports vary in topic, but can be grouped into nine broad categories, summarized below: metrics and frameworks; cooperation; big data and new technology; surveillance; privacy education; promoting policies and ideas; transparency; humanitarian and relief work; and administrative.
Metrics and Frameworks
The Conference has adopted four substantive frameworks or metrics to form baselines for privacy authorities to consider when drafting new privacy legislation in these areas or to serve as privacy benchmarks. Each of the frameworks has been adopted within the last 13 years, suggesting the Conference has only recently turned toward metrics and frameworks as an approach to privacy issues rather than solely using informative resolutions or reports. However, the increased frequency of this structure demonstrates that the form has been useful, which may lead to more frameworks in the coming years. These materials differ from standard resolutions in that they provide a measurable and implementable template for DPAs to use in addressing certain privacy and data security issues.
The most well-known of these resolutions is likely the Madrid Resolution (2009), whose purpose was “[t]o define a set of principles and rights guaranteeing the effective and internationally uniform protection of privacy with regard to the processing of personal data … and [t]he facilitation of the international flows of personal data needed in a globalized world.” The resolution itself draws from several privacy principles already enshrined in different pieces of privacy literature from around the world (guidelines, recommendations, legislation, etc.) and compiles them into one unified document. Additionally, Article 12 of the GDPR, which puts forth controllers’ obligations to provide clear, transparent, and easily accessible information, was inspired by principles introduced in the Madrid Resolution.
Other metrics and frameworks adopted by the Conference include the Resolution for the Adoption of an International Competency Framework on Privacy Education (2016), the Resolution on Developing New Metrics of Data Protection Regulation (2016), and the Resolution on a Draft ISO Privacy Framework Standard (2004).
Metrics and Frameworks resolutions
Cooperation
Perhaps most central to the core mission of the Conference are the resolutions that directly address cooperation. Indeed, the cooperation resolutions’ importance is easily seen when looking at the sheer volume of documents within the category.
Recent resolutions have emphasized cooperation on international privacy enforcement, but prior resolutions called for different forms of cooperation, including agreed-upon international standards on data protection and enshrining privacy protection in international laws. All cooperation resolutions aim to coordinate a consistent base approach to privacy. This ensures that borders do not stand in the way of privacy and data protection and empowers privacy authorities to pursue privacy goals with the support of other agencies across the world.
The range of focus in these documents, from representation before international organizations to drafting binding agreements on privacy to adjusting privacy demands in cross-border information flows, demonstrates a consistent effort to facilitate and encourage cooperative privacy standards. In examining the content of these documents, we identified three core principles that the Conference deems necessary to successful international DPA cooperation: communication frameworks; participation in other collaborative bodies; and transparency.
1. Communication frameworks
First, the Conference places great emphasis on effective communication between privacy and data protection enforcement bodies. To that end, DPAs must have a structured framework in which to safely share information in a way that respects subject privacy. This is especially necessary in enforcement actions. In these cases, DPAs from different countries may be pursuing a joint action to address a privacy violation that affected consumers in multiple countries, an actor may be violating privacy rights of members of a country other than his own, or information necessary to pursue enforcement may be held in a country other than the DPA’s. These cases require information-sharing to most effectively protect user privacy rights.
The proposed frameworks to meet this need require a certain level of flexibility to ensure compliance with the privacy and data protection laws of the respective countries. Of course, principles like equivalent legal safeguards, purpose limitation, and transparency must be in place within the framework. Establishing functional frameworks for information sharing facilitates enforcement cooperation and is a key element of effective and consistent communication between DPAs.
2. Participation in other collaborative bodies
Second, the Conference emphasizes the importance of participation in various international bodies, including APEC, the data protection authorities of the Article 29 Working Party, the OECD, the Council of Europe, the network of Francophone authorities, the Ibero-American network, ICANN, and the Global Privacy Enforcement Network, among others. These groups all produce extensive literature on privacy standards, privacy practices, and privacy education that is hugely beneficial for DPAs when drafting and evaluating the strength and efficacy of a country’s privacy and data protection legislation.
3. Transparency
Finally, the cooperation process must maintain transparency, both in communicating as much as possible to citizens about information sharing and use between DPAs and in allowing for data subjects to access and correct information as much as possible. Recommended steps toward achieving this transparency include having a clearly designated contact point for data subjects, educating data subjects about data collection and storage, and ensuring that data shared with other DPAs is being used for consistent or lawful purposes.
In addition to the resolutions and underlying principles listed above, there have been several reports from working groups that specifically address aspects of cooperation: the International Enforcement Coordination Working Group produced reports in 2013 and 2014 and the Steering Group on Representation before International Organisations produced reports in 2009 and 2011.
In the spirit of furthering and facilitating consistent communication between DPAs, the Communications Network-London Initiative Paper (2008) created a network for Data Protection Agencies to exchange information and work with one another on improving and developing various materials. The final input from a working group is the Steering Group Resolution to Consider Seeking Observer Representation Before Internet Governance Forum, London Action Plan, and ICANN (2009). This ties in with the principle of participation in international privacy groups.
Cooperation resolutions:
- Resolution on Collaboration between Data Protection Authorities and Consumer Protection (2018)
- Resolution on collaboration between data protection authorities and consumer protection authorities for better protection of citizens and consumers in the digital economy (2017)
- Resolution on exploring future options for International Enforcement Cooperation (2017)
- Resolution on International Enforcement Cooperation (2016)
- Resolution on Cooperation with the UN Special Rapporteur on the Right to Privacy (2015)
- Resolution on Enforcement Cooperation (2014)
- Resolution on International Enforcement Coordination (2013)
- Resolution on Anchoring Data Protection and the Protection of Privacy in International Law (2013)
- Resolution on the Future of Privacy (2012)
- Resolution on Privacy Enforcement Coordination at the International Level (2011)
- Resolution Calling for the Organization of an Intergovernmental Conference with a View to Developing a Binding International Instrument on Privacy and the Protection of Personal Data (2010)
- Resolution Concerning the Strengthening of the International Cooperation in the Field of Data and Privacy Protection (2009)
- Steering Group Resolution (2009)
- Resolution on the Urgent Need for Protecting Privacy in a Borderless World (2008)
- Resolution on International Cooperation (2007)
- Resolution on Development of International Standards (2007)
- Resolution Concerning the Transfer of Passengers’ Data (2003)
- Berlin Resolution of the International Conference of Data Protection Commissioners (1989)
Big Data and New Technology
When new or disruptive technology gains traction or appears to impact privacy rights, the Conference will often research it and adopt a resolution highlighting issues to watch out for. It may also recommend how DPAs can most effectively address privacy issues arising from use of new tech. These types of resolutions and reports have appeared consistently throughout the life of the Conference and serve as useful analysis of major technology developments and issues.
The first resolution to address privacy concerns in new technology, the Resolution on ISDN Problems (1989), explained to Conference members what Integrated Service Digital Networks (ISDNs) were, provided principles to promote data protection when using these networks, and noted particular concerns to be aware of. Since then, resolutions have addressed everything from automatic software updates (Resolution on Automatic Software Updates – 2003) to biometrics (Resolution on the Use of Biometrics in Passports, Identity Cards, and Travel Documents – 2005) to user profiling (Resolution on Profiling – 2013).
The Resolution on Big Data (2014) was a compendium of several newer technologies and privacy concerns. The Resolution draws from issues first discussed in the Resolution on Profiling and previous reports from the working group on data protection in telecommunications to form a list of considerations for DPAs to take into account regarding big data use and to integrate into privacy regulation. The list hits on several already-established privacy actions (privacy impact assessments, anonymization techniques) and highlights various concerns also present in the GDPR – purpose specification, transparency, etc. It essentially serves as a one-stop-shop for all things privacy when dealing with or thinking about big data.
The Resolution on data protection in automated and connected vehicles (2017) highlights that while automated vehicles offer users enhanced convenience and usability, they pose a challenge to the rights to the protection of personal data and privacy of users.
These resolutions are useful both for DPAs grappling with how to quickly adapt to new technologies and for privacy pros on the lookout for major changes in the tech landscape.
Big data and new technology resolutions:
- Resolution on data protection in automated and connected vehicles (2017)
- The Resolution on Big Data (2014)
- Resolution on Profiling (2013)
- Resolution on Web Tracking and Privacy (2013)
- Resolution on Cloud Computing (2012)
- Resolution on the Use of Unique Identifiers in the Deployment of Internet Protocol Version 6 (2011)
- Resolution on Privacy Protection in Social Network Services (2008)
- Resolution on Privacy Protection and Search Engines (2006)
- Resolution on Use of Personal Data for Political Communication (2005)
- Resolution on the Use of Biometrics in Passports, Identity Cards, and Travel Documents (2005)
- Resolution on Automatic Software Updates (2003)
- Resolution on Radio-Frequency Identification (2003)
- Report of the Working Group on Telecommunications and Media (1993)
- Resolution on Problems Related to Public Telecommunication Networks and Cable Television (1990)
- Resolution on ISDN Problems (1989)
Surveillance
There are three resolutions that specifically addressed surveillance issues: the Resolution on the Transfer of Passenger Data (2003), the Resolution on the Urgent Need for Global Standards for Safeguarding Passenger Data to be Used by Governments for Law Enforcement and Border Security Purposes (2007), and the Resolution on Privacy in the Digital Age (2014). The first noted that several countries were considering measures that would use passenger data in the struggle against terrorism and organized crime. It called on those countries to be cognizant of privacy protections and to safeguard privacy rights as much as possible in crafting these measures. The next resolution follows up on this in more detail, providing a list of safeguards and considerations in reaction to heightened demand for passenger data. The resolution calls on all governments requesting this information to demonstrate that the information is necessary to address specific problems, likely to address those problems, proportional to the threat, less invasive than alternative options, and regularly monitored. The goal was to coordinate protection levels for passenger information across country lines and to ensure robust privacy protections.
The Resolution on Privacy in the Digital Age is largely in reaction to the USA Patriot Act and Foreign Intelligence Surveillance Act. It calls for members to ensure that any existing surveillance programs at minimum comply with the privacy standards set forth in the 2009 Madrid Standards, the International Covenant on Civil and Political Rights, and the Convention of the Council of Europe with regards to protecting individual rights in automatic processing.
Surveillance resolutions:
Privacy Education
Four of the adopted resolutions highlight and promote privacy education. These either emphasize education for a specific group (such as the Resolution on Children’s Online Privacy of 2008) or promote general privacy education. The Resolution for the Adoption of an International Competency Framework on Privacy Education and the accompanying Personal Data Protection Competency Framework for School Students (2016) sets out a framework for key points of knowledge on data protection that educators should go over with students to ensure properly informed digital stewardship. It serves to enable students to safeguard their own data and be aware of their own digital and privacy rights in the hope that they carry this information with them as they grow and expand their digital footprints. The Resolution on Digital Education for All (2013) promotes education on privacy-protecting skills and awareness of rights and duties for all ages. The final resolution in this category, the Resolution on e-learning platforms (2018), weighs the balance between enhanced educational services provided by artificial intelligence and the privacy threats it poses to the individuals who partake in e-learning, specifically when it comes to children, as they have specific protections when it comes to personal data.
In addition to the resolutions, the Conference has several reports from the Digital Education Working Group and additional reports and surveys on effectively training people to educate others on data protection (2015), competitions teaching young people data protection (2015), and the success of DPA-led initiatives on digital education (2014). These working-party reports are all from 2014 to 2016, reflecting that the focus on digital education is a recent trend, but the volume of reports in those years points to its importance.
Privacy Education resolutions:
- Resolution on e-learning platforms (2018)
- Resolution for the Adoption of an International Competency Framework on Privacy Education and the accompanying Personal Data Protection Competency Framework for School Students (2016)
- Resolution on Digital Education for All (2013)
- Resolution on Children’s Online Privacy (2008)
Promoting Policies and Ideas
The next set of resolutions is one of the broadest categories and runs the gamut on issues from safeguarding passenger data (the Resolution on the Urgent Need for Global Standards for Safeguarding Passenger Data to be Used by Governments for Law Enforcement and Border Security Purposes of 2007) to establishing an international privacy day (Resolution to Explore Establishing an International Privacy/Data Protection Day of 2008). These resolutions serve either to highlight a specific data or privacy issue that needs attention or to promote a general approach or concept, like privacy by design or data protection as a whole.
Identifying and advocating for more attention to pressing privacy issues has been a function of the Conference since its inception. The Berlin Resolution of the International Conference of Data Protection Commissioners (1989), one of the first resolutions adopted by the Conference, emphasized the importance of privacy considerations in the boom of telecommunications use at the time. As other issues popped up, the resolutions served to engage global privacy enforcers in discussion about how best to address the areas vulnerable to privacy concerns. Engaging DPAs in discussion about the fundamentals of new technologies or novel data uses serves to promote a swift privacy response and to reinforce the habit of considering privacy implications in every big shift in data use.
Promoting Policies and Ideas Resolutions:
- Resolution on Openness of Personal Data Practices (2013)
- Resolution on Privacy by Design (2010)
- Resolution to Explore Establishing an International Privacy/Data Protection Day (2008)
- Resolution on Development of International Standards (2007)
- Resolution on the Urgent Need for Global Standards for Safeguarding Passenger Data to be Used by Governments for Law Enforcement and Border Security Purposes (2007)
- Resolution on the Use of Personal Data for Political Communication (2005)
- Amendment to 2003 Conference Resolution on Automatic Software Updates (2004)
- Resolution on a Draft ISO Privacy Framework Standard (2004)
- Resolution on Automatic Software Updates (2003)
- Resolution on Data Protection and International Organisations (2003)
- Resolution on Improving the Communication of Data Protection and Privacy Information Practices (2003)
- Resolution Concerning Data Protection and the European Community (1990)
- Berlin Resolution of the International Conference of Data Protection Commissioners (1989)
Transparency
The Conference has turned focus to transparency in the past 15 years, beginning with the Resolution on Automatic Software Updates (2003) which called on software companies to be transparent with users about the product’s update process and to allow users to determine when and how to update. Since then, resolutions have addressed privacy concerns in search engines (2006), encouraged DPAs to release information about privacy cases they have pursued (2009), and pushed organizations to be open about their purposes for data collection and maintain a clear point of contact for consumers (2013).
The most recently adopted transparency resolution, the Resolution on Transparency (2015), addresses government requests to organizations for user personal data. The resolution calls on governments to keep records of the number, nature, and purpose of access requests they issue for personal information and to report this information in a way that is understandable and accessible to the public. It also urges organizations that receive government requests for personal information to conduct due diligence on the requests, keep records, and issue transparent reports on the number of requests, the nature of the requests, and the response they give to the requests. This resolution is linked with the rise in volume of requests from government agencies and criminal enforcement groups to use the data collected or held by companies like Google and Apple.
Transparency Resolutions:
Humanitarian and Relief Work
There have been three resolutions, all recent, where the Conference directly addressed the privacy challenges posed by natural disasters or conflict situations (collectively referred to as “humanitarian crises”). These circumstances are particularly challenging for three primary reasons: 1) they often affect people of many nationalities, 2) they call for a structure that both ensures that privacy protection does not go out the window and has enough flexibility to account for extenuating circumstances and challenges, and 3) they must be capable of addressing the privacy complications brought by issues like destruction of official documents, lack of access to information, or family members trying to contact loved ones in uncertain situations. To that end, the Conference has adopted three resolutions dealing with privacy issues in humanitarian crises and has formed a working party to explore the issue further. All of these actions have occurred within the last six years.
First, the Conference adopted the Resolution on Data Protection and Major Natural Disasters (2011). This resolution addresses the specific privacy challenges posed by natural disasters – namely, that they have effects beyond the bounds of a single country, that both victims and responders may be citizens of many countries, and that personal information both within and from outside the affected zone may be damaged or required. The resolution calls on DPAs to review their laws and policies to determine whether they have the protection and flexibility necessary to handle such a disaster. It also alerts governments, businesses, and international organizations to create a pre-considered privacy infrastructure to prepare for these disasters.
Next, the Conference adopted the Resolution on Privacy and International Humanitarian Action (2015). This resolution encompassed violent conflicts and attacks as well as natural disasters, referring to them collectively as “humanitarian crises.” The resolution demonstrated a commitment to analyzing how privacy regulations affected humanitarian efforts, worked to facilitate cooperation among DPAs in creating frameworks for applying privacy rules to emergency situations, and formed a working group to lead these efforts. The following year, the Resolution on Human Rights Defenders (2016) enshrined the importance of humanitarian aid, vowed to promote the UN’s 1999 Declaration on Human Rights Defenders, and encouraged governments to better incorporate the declaration into existing privacy frameworks. Further, the resolution advocated for governments and organizations to provide safe and effective channels for victims and aid workers to report privacy violations and poor practices and gain redress for disproportionate actions that endanger private data. The existence of a working group on the subject indicates that updates on privacy in this area may continue.
Humanitarian and Relief Work Resolutions:
Administrative
Finally, the Conference also produces many administrative resolutions and reports addressing such housekeeping matters as funding issues, determining and evaluating the Conference’s strategic direction, and establishing websites and networks for the Conference.
Conference administration resolutions:
- Resolution to amend the ICDPPC rules and procedures (2018)
- Resolution on a roadmap on the Future of the International Conference (2018)
- Resolution on the Conference Census (2018)
- Resolution on Conference’s Strategic Direction (2015)
- Strategic Direction Working Group Report (2015)
- Proposal: Proposed Workable Plan to Fund the Conference Secretariat (2015)
- Working Paper: Elements of a Workable Plan to fund the Secretariat and Associated Core Conference Expenses (2015)
- Working Document – Previous Host Handover (2015)
- Working Document – List of Networks (2015)
- Strategic Direction Working Group Report (2014)
- Resolution on Conference’s Strategic Direction (2013)
- Resolution on the Improvement of the Conference’s organisational Set Up (2010)
- Steering Group Resolution – Admitting International Observers to the Closed Session (2009)
- Website Working Group Report (2009)
- Resolution Giving Directions to the Steering Group to Consider Seeking Observer Representation Before Internet Governance Forum, London Action Plan and ICANN (2009)
- Communications Network – London Initiative Paper (2008)
- Website Working Group Report (2008)
- Resolutions by the Website Working Group (2008)
- Resolution Concerning the Establishment of a Steering Group on Representation of Meetings of International Organizations (2008)
- Working Group Report on Conference Organisational Arrangements (2007)
- Resolution of the Working Group on Conference Organisational Arrangements (2007)
- Resolution on Conference Organisational Arrangements (2006)
- Resolution of the Credentials Committee Concerning Country Observers (2005)
- Resolution on Accreditation Features of Data Protection Authorities (2001)
- Guidelines and Procedures for Conference Resolutions (2000)
- Resolution…About the Working Group on “Media” (1989)