Transcript Enforcing privacy: PHAEDRA findings

ENFORCING PRIVACY:
PHAEDRA FINDINGS
David Wright
Trilateral Research
Skopje
6 May 2014
Why do we need to enforce privacy?
• Privacy is a cornerstone of democracy
• Privacy gives us space to grow as individuals
• Privacy needs enforcers, esp. regulators, to
protect privacy
2
Enforcement powers
•
•
•
•
•
•
Notices and warnings
Naming and shaming
Mandatory PIAs
Inspections, investigations and audits
Fines
Court orders
3
Enforcement powers vary
from one DPA to another
• OPC cannot levy fines, but ICO, AEPD, CNIL can
• ICO cannot investigate private sector without consent of
target of investigation, whereas the Kosovo DPA can
investigate public and private sector organisations
• FTC cannot disclose an investigation underway, whereas in
Norway DPA documents are public by default
• Monaco has enforcement powers, but Singapore does not.
• ILITA cannot share criminal information but can share other
information.
4
Co-operation and co-ordination are ways
to leverage a shortage of resources
• Growing co-operation between and among DPAs and PEAs is
apparent to all.
• There are various levels or degrees of co-operation and coordination.
• Experience demonstrates benefits of co-operation.
• Building relationships is an evolutionary process.
5
Barriers to co-operation and co-ordination
•
•
•
•
Lack of resources
Variability in technical resources
Language
Confidentiality: Legislation may prevent or hamper sharing of
information. Laws have differences in scope
• Lack of awareness - Some DPAs are more “plugged in” than
others.
• Lobbying power and obstinacy of multinationals
• Recognition of PEAs
6
Efforts being made to overcome barriers
• Instruments
• Institutional arrangements
• Issues
7
Instruments
• Memoranda of understanding (MoUs)
• Revision of Convention 108
8
Institutional arrangements
• International Conference of Data Protection and Privacy
Commissioners (ICDPPC) and its working group on
enforcement
• Global Privacy Enforcement Network (GPEN)
• Regional and sectoral organisations
• Case-handling and privacy enforcement workshops
9
Issues
• Interoperability of BCRs and CBPR
• Agreeing a lead authority to investigate
• Reciprocity is important
10