Monday 20 October 2014

Privacy regulators resolve to try more joined-up enforcement – but why?

You need to read the latest resolution of the international conference of data protection and privacy commissioners on enforcement cooperation a couple of times before much of its meaning becomes apparent.

It may be just over 900 words long, but crystal clear it ain't.

It recalls previous resolutions from the 29th, 33rd, 34th and 35th conferences and the Montreux Declaration from the 27th Conference. It recalls earlier decisions to set up an International Enforcement Coordination Working Group, and notes that the Working Group reported back with six recommended co-ordination principles.

It further notes that the previous conference mandated the Working Group to “work with other networks to develop a common approach to cross border case handling and enforcement co-operation, to be expressed in a multilateral framework document addressing the sharing of enforcement-related information, including how such information is to be treated by recipients thereof, and that this work was not intended to replace existing national and regional conditions for sharing information, or to interfere with similar arrangements by other networks.”

It also notes progress on developing “arrangements for cross-border cooperation in the enforcement of laws protecting privacy, including efforts by APEC, the data protection authorities of the Article 29 Working Party, the OECD, the Council of Europe, the network of Francophone authorities, the Ibero-American network and the Global Privacy Enforcement Network (GPEN)”.

The resolution goes on (and on, and on) until you get to (perhaps) the most significant bit, which is “To support the development of a secure international information platform which offers a ‘safe space’ for members of the International Conference and their partners to share confidential information and, to facilitate the initiation of coordinated enforcement action and, complement other international enforcement coordination mechanisms, adding value to the international enforcement operational framework.”

What (slightly) surprises me is why, after some 36 international meetings, it is still necessary for privacy commissioners to bang on about the need for international co-operation amongst themselves.

Why do they need additional mandates to facilitate a greater sense of working together – is it because some regulators find it hard to cooperate with others? They all ought to be working together anyway, and it would be scandalous if they weren’t.

Or is it because they need to send more messages to data controllers to reassure them that scarce tools and resources are being pooled, and that, perhaps one day, they may be sufficient to deal with the behemoths that seek to transgress?

The reference in the resolution to the sharing of confidential information caught my attention, particularly as the Data Protection Act has a few things to say about this.

Section 54 of the DPA provides a gateway for the ICO to exchange some information with supervisory authorities in the colonies, other EEA States or with the European Commission. The Act does not refer to cases where it may be prudent to share information with authorities elsewhere around the globe.

Section 59 places various constraints on the ability of the ICO to disclose certain types of confidential information. Presumably, the Commissioner will argue that any disclosures to fellow regulators of information supplied to it in confidence will be lawful as the disclosure will, of necessity, be in the public interest.