Privacy enforcement transcends all borders

 For the London Free Press - October 18, 2010 Read this on Canoe

Global Privacy Enforcement Network aids cross-border co-operation to enforce privacy laws

In the age of Facebook and MySpace, privacy issues do not stop at national boundaries. More and more, business relies on a flow of personal information across both national and jurisdictional borders. As a result, privacy enforcers have begun to strengthen their capacity for cross-border co-operation.

Thirteen privacy enforcement authorities, including Canada's Office of the Privacy Commissioner, recently formed the Global Privacy Enforcement Network (GPEN) to aid cross-border co-operation to enforce privacy laws. Other countries with privacy enforcement authorities include the U.S., France, New Zealand, Israel, Australia, Ireland, Spain, the United Kingdom, the Netherlands and Germany.

The global network will be responsible for enforcing laws and investigations to protect personal data. It will encourage its members to develop shared enforcement policies, and support joint enforcement initiatives.

The network does not create new legally binding obligations among the participants. Participation is voluntary, and all member authorities remain subject to domestic and international law. But though each country has unique privacy laws, the protections are similar.

The network has set out steps to further international privacy enforcement co-operation. This includes sharing information about effective investigative techniques and enforcement strategies. It will also organize training sessions on privacy and data security issues with non-governmental advisers from industry, academia, international organizations and professional associations.

The organization is supported by the Organization for Economic Co-operation and Development that, in 2007, adopted a recommendation of cross-border co-operation protecting privacy, calling for member countries to foster the establishment of an informal network of privacy enforcement authorities.

Cross-border privacy enforcement has come a long way over the past few years. As recently as 2007, the Canadian privacy commissioner declined to investigate an American website called Abika that was accused of collecting and disclosing personal information about Canadian citizens without their consent. For a fee, Abika would provide its customers with criminal record searches, e-mail traces, unlisted and cellphone numbers and licence plate details.

The privacy commissioner refused to investigate Abika, thinking it had no authority to do so. Because Abika refused to provide the names of its Canadian-based sources, there wasn't any means of investigating those companies.

Instead, the privacy commissioner was forced to rely on the U.S. Federal Trade Commission for enforcement. The commission found Abika violated privacy laws, and placed an injunction on Abika prohibiting it from trading personal information without express written permission from the consumer.

Upon review of the matter, the Federal Court of Canada ordered the privacy commissioner to reinvestigate the issue. Although the privacy commissioner may not have effective enforcement mechanisms, the prevailing legislation - the Personal Information and Protection of Electronic Documents Act - still gave the commissioner the power to investigate complaints relating to the transborder flow of personal information.

That decision, the formation of the Global Privacy Enforcement Network, and the Canadian Privacy Commissioner's investigations of companies such as Facebook, show that privacy enforcement will occur without national borders getting in the way