Update from the Working Group on Digital Education

The Global Privacy Assembly (GPA) membership is organised into Working Groups that concentrate on the most significant GPA initiatives identified by the membership, deriving their mandate and direction from the annual conference, typically leading from Resolutions. Learn more about the GPA Working Groups.

In this video, Ms Marie-Laure Denis, President of the Commission Nationale de l’Informatique et des Libertés (CNIL), gives an update on the work of the Working Group on Digital Education.

GPA marks International Data Protection Day 2020

Happy International Data Protection Day from the Global Privacy Assembly!

Elizabeth Denham CBE, Chair of GPA and UK Information Commissioner, is speaking by video today at the International Data Protection Day 2020 event hosted by the National Institute of Transparency, Access to Information and Protection of Personal Data (INAI) in Mexico City.

In her speech, Ms Denham says that the data protection world has perhaps never been a more challenging one. But that our international partnerships can bring solutions, with the GPA moving towards stronger regulatory co-operation, paving the way not only to sharing best practice but potentially sharing lines of enquiry – view the GPA Strategic Plan 2019-2021.

Ms Denham also says that one of the emerging areas of data protection right now is considering the human values that underpin privacy. And it’s welcome that our GPA conference in Mexico City later this year will take this emphasis on human values as a starting point for its theme, of ‘Privacy and Data Protection: A human-centric approach’.

You can read more about the GPA 2020 in Mexico City in our latest newsletter.

Call for interest to the GPA Reference Panel

The Global Privacy Assembly (GPA) is launching the first ever call for interest to participate in the GPA Reference Panel.

The deadline for submitting your nomination is Friday 20 March 2020. Please download the relevant form here.

Established in 1979, the GPA is an international forum of data protection and privacy authorities which seeks to provide leadership at the international level by connecting the efforts of more than 130 data protection and privacy authorities from across the globe. If you wish to know more about the GPA’s current priorities, please refer to our Strategic Plan (2019 – 2020) and Policy Strategy.

What is the GPA Reference Panel?

The GPA Reference Panel will be a contact group involving a variety of external stakeholders which the GPA is seeking to establish in order to provide expert knowledge and practical expertise on data protection and privacy, as well as on data protection related issues and developments in information technology.

Who can respond to the call?

The call for interest is aimed at representatives of relevant civil society organisations, academic institutions, think tanks, non-privacy supervisory authorities, representatives of public authorities such as law enforcement authorities, and representatives of the private sector who have an interest in the vision and mission of the GPA.

How do I apply?

Please download the call for interest form and return it along with your cover letter by Friday 20 March 2020 to the GPA Secretariat at secretariat@globalprivacyassembly.org

Please note that late submissions will not be accepted.

In order to ensure a well-balanced cultural, geographic and legal diversity in the Panel’s composition, the GPA Secretariat will be liaising closely with relevant GPA Regional and Linguistic Networks during the sifting and nomination process.

The GPA Secretariat can also be contacted for any queries relating to the process and the GPA Reference Panel.

Application process for new members and observers now open

The Global Privacy Assembly (GPA) has re-opened the application process to welcome new members and observers into its community.

Established in 1979, the GPA community has continued to grow ever since, currently comprising more than 100 member authorities across the globe.

Each year, the GPA welcomes new applications for data protection authorities wishing to join as members, as well as for other public entities and international organisations having an interest to become GPA observers.

If you wish to become a Member, please complete the online application form. Membership applications will close on 10 July 2020, although prospective applicants are strongly encouraged to submit their application as early as possible to allow the Executive Committee to carefully examine the evidence submitted.

If you wish to join the GPA community as an Observer, please complete the relevant application form. Applications for observer status will close on 9 August 2020, although prospective applicants are strongly encouraged to submit their application at an early stage.

For any questions related to the GPA Accreditation process for membership and observer status please get in touch with the GPA Secretariat at secretariat@globalprivacyassembly.org

Conference launches new name and logo

Today the International Conference of Data Protection and Privacy Commissioners has launched a new logo and a new name: Global Privacy Assembly (GPA).

Building on our 40-year history, the new logo and name represent the evolution of the conference and the current work to modernise it, including a new policy strategy which sets out a clear vision for the organisation.

Elizabeth Denham, GPA Chair and UK Information Commissioner, said: “Our new name feels hugely significant. Data protection and privacy is now too great an issue for this community to only have a role once a year. That’s why we took a step forward at last month’s conference in Tirana, when we agreed a set of strategic priorities that strengthen the group’s position as an effective and influential international forum. The new name reflects a group that supports one another year round, sharing knowledge and building stronger cooperation.”

Our colleagues from the Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI), México undertook the challenge to design options for our new logo and name, with the membership having the final say by voting for their preferred option. INAI is also hosting the next Global Privacy Assembly conference in Mexico City in October 2020.

Francisco Javier Acuña Llamas, President Commissioner of the Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI), México, said: “Thanks to the collaboration of our colleagues, we created a logo which represents the organisation’s main attributes: international cooperation, knowledge sharing, independence and leadership.

“These four concepts emerged from a consultation with the membership, and they were used as guiding concepts for the design of the logo and were translated into organic and iconic forms, in complementary and harmonious colours.

“The implementation of elements that point towards progress, such as the arrow, indicates the leadership of the representatives of each country, and the circular forms aspires to reflect the exchange of knowledge and the capacity for cooperation among the international authorities involved.

“For the name of the Conference, it was sought to recall, in an easy and short way, the nature of the Conference itself, but not with less strength. And with the intention of expressing modernity and balance together with the other elements of the logo, Global Privacy Assembly (GPA) was created.”

Over the next few weeks, the Assembly’s visual identity will start to align around its new direction. You’ll see changes on the website, social media and on stationery. It’s an evolution of our 40-year-old history. It’s a Global Privacy Assembly of data protection and privacy commissioners.

Blog: Accountability – an upward force?

Dr Andrea Jelinek

For protecting personal data today and in the future, accountability is key. There is no doubt about that. The International Conference has rightly placed the principle of accountability in the spotlight.

In the terms of the General Data Protection Regulation, accountability means two things: first, an accountable organisation must have appropriate measures in place to ensure compliance. And secondly, an accountable organisation must be able to demonstrate its compliance.

This might seem straightforward, but it actually is an important evolution. The incorporation of the accountability principle in the GDPR is a key change compared to the Data Protection Directive and is a fundamental shift in approach. It is a move away from red-tape and box-ticking exercises, such as the requirement to obtain authorisation from the regulator before launching a processing operation. Instead, organisations must now pro-actively define their approach to data protection and create a culture of commitment to this fundamental right. Organisations must understand the risks that they create for others with their data processing operations, and mitigate those risks by introducing internal measures, such as privacy management programmes.

It is important to remember that accountability is a process and not just a toolbox.  Demonstrating compliance is more than just a snapshot of processing operations during a certain moment in time. It is rather an increasing awareness and understanding of how an organisation processes data.

Can accountability contribute to overcoming differences between data protection regimes in various parts of the world?

It can certainly play a significant role. However, organisations must:

  1. assess local jurisdictions carefully;
  2. adapt their privacy management programmes accordingly and
  3. use the highest standard as a common denominator across all jurisdictions.

This is a tall order, but organisations are not alone on this journey. Regulators worldwide have been leading and supporting the discussion on how to reach consensus on accountability across jurisdictions.

For more information about ICDPPC 2019 visit www.privacyconference2019.info

Dr Andrea Jelinek, Chair of the European Data Protection Board, is the moderator of ‘Panel IV: Accountability – the global bridge to support high standards of data protection?’, Open Session, 41st International Conference of Data Protection and Privacy Commissioners, Tirana, Albania.

Opening remarks from 41st ICDPPC Open Session

Opening remarks from Elizabeth Denham CBE, Chair of ICDPPC and UK Information Commissioner, at the 41st International Conference of Data Protection and Privacy Commissioners in Tirana, Albania on 23 October 2019.

Original script may differ from delivered version.

On behalf of the conference, let me thank Commissioner Dervishi and his team, and our ICDPPC 2019 Programme Advisory Committee co-led by Peter Hustinx, who’ve all done such a fantastic job organising this week’s programme.

This is our forty first conference, continuing an event first held in 1979.

This year’s event comes at a crucial time. We are in an era where privacy has become mainstream.

We all in this room have seen that change first-hand over the past year or two. People are expecting more around how their data is handled, and so many of the big international issues – the big discussions – have a central privacy element, from fair elections to keeping children safe online, from crypto currencies to facial recognition technologies.

The focus of our closed conference for ICDPPC members over the past two days reflected that context.

I’m so proud to be able to tell you that we have endorsed this week what I believe is an historic agreement towards greater regulatory cooperation and high data protection standards.

We have agreed an international approach that tells a shared story, built on the foundations of the ICDPPC’s own Madrid Declaration and previous conference resolutions.

  • We all know consumers in Canberra, Cape Town and Accra suffer alike when big companies get data protection wrong. And so the ICDPPC has moved to strengthen regulatory co-operation, paving the way not only to sharing best practice, but potentially sharing lines of enquiry.
  • We all know people in Seoul, San Francisco and Stockholm are asking the same data protection questions. Questions around how new technologies and new approaches affect them. And so the ICDPPC has moved to better our collaboration on policy themes, so we can build on each other’s work.
  • Authorities worldwide, so many of whom are in this room today, share ambitions to continue to be effective and efficient data protection regulators. This week we have endorsed a move to work harder to share expertise, help one another and work together year-round.

We have resolved to open our gates further. We will share ideas within our membership, and engage with the world beyond our community, including a new reference panel to be formed next year.

Do look at the new release on the ICDPPC website to see more details of the important discussions we had in that closed session.

And I’d add that we agreed a new name and logo reflecting our continued growth – more on that later in the conference.

The thread joining all of that work is convergence and connectivity, a theme we continue in the fantastic agenda we have ahead of us today and tomorrow.

We’ll hear more of the clamour for high standards globally. We’ll talk about the impact of data driven business models and the role of data in competition. And tomorrow we’ll hear about accountability and the challenges we can expect in the future.

We also have three outstanding keynote speakers:

  • the always thought-provoking Jamie Bartlett,
  • Brad Smith, who brings a crucial insight from the digital economy,
  • and then tomorrow Christopher Docksey, who brings expertise on accountability and the GDPR.

Before we begin, we must acknowledge someone who is not with us today. I spoke at the closed session of how our work this week in Tirana builds on the wisdom and expertise shared at previous conferences. We stand on the shoulders of giants. And Giovanni Buttarelli was truly a giant of our community.

Giovanni Buttarelli was an inspiring figure in the international data protection and privacy community. He was an integral member of our Executive Committee and co-host of last year’s conference. And to so many of us in this room he was a friend.

I’d like to conclude my welcome by playing this short tribute video, which we’re grateful to the European Data Protection Supervisor for providing.

Blog: Convergence in data protection law

Where are we converging? What progress are we making toward common standards?

Graham Greenlef AM

It is 50 years since the first recognisable data protection law, the Datenschutzgesetz of the German State of Hessen was enacted, and then in force in 1970. It is 40 years since development of the first two international agreements in relation to data protection, the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (‘OECD Guidelines’) and the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (‘Convention 108’), both completed in 1980.

Both international instruments responded to a fundamental question with which we still grapple today: how can the flow of personal data between countries be guaranteed, or at least facilitated, by minimum standards for data protection agreed between groupings of countries – members of the OECD and the Council of Europe respectively. Their required data protection principles were substantially similar, but slightly higher in Convention 108.

Forty years later, 136 countries have enacted data privacy laws which meet the shared standards of these 1980s instruments.  Although there has also been a modest increase in membership of the OECD, and of accessions to Convention 108 by countries outside Europe, most countries with data protection laws are not yet included.

However, there have also been further international instruments which deal with the same issues of establishing minimum data protection standards in order to allow flows of personal data, in regions such as the European Union, west Africa, the African Union, and the member economies of APEC. Latin America Data Protection Authorities, have also established their own recommended standard, at the request of their governments. New subsidiary instruments have also been developed, such as Standard Contractual Clauses and Binding Corporate Rules.

What are considered to be the necessary ‘minimum standards’ that must be met have also risen, most notably with the EU’s recent General Data Protection Regulation, and the revised ‘Convention 108+’, but also to a much lesser extent with the OECD and APEC instruments.

Meanwhile, the extent which the international economy and modern life utilises and relies upon cross-border transfers of personal data has increased exponentially since the 1980s.  But the core issue remains: the necessity for minimum standards of data protection to be agreed, and for international flows of personal data to be consistent with them.

The first panel of the Conference’s Open Session addresses this issue in a positive way, seeking to bring together perspectives from each of the main regions of the globe that are developing instruments and techniques to deal with issue, in order to identify convergence of approaches, and to suggest how they can be further strengthened into common standards.

My own suggestion is to start by looking at the principles actually enacted in 136 countries to date, with more soon to come. They are of consistently increasing strength, and they usually require something equivalent before international flows of personal data can be ‘free’ of transaction costs and impediments. Convergence on higher standards, in agreements with greater global coverage, will ultimately be effective even if some countries stand outside it with resulting higher transaction costs for their own economies.

But there are obstacles to convergence on higher standards, on which today’s panellists might comment:

  • Adequacy decisions are slow arriving – and the first one under the GDPR has not added much to our understanding of what ‘adequate’ means. Can’t the EU do better?
  • The existing Convention 108 had moderate success in attracting 8 non-European Parties. BUT how many countries are likely to be able to ratify the modernised Convention 108Plus, with its higher standards?
  • The OECD Guidelines have had little development toward higher standards in 40 years since 1980, and the APEC Framework is similar. How can they lead anywhere?
  • APEC’s Cross-Border Privacy Rules has only two countries fully involved after 7 years – the USA and Japan – and only tiny numbers of companies certified. Isn’t it dead?
  • Will the African Union data protection and cybercrime Convention ever obtain enough ratifications to come into force? AND will Latin America ever develop an enforceable Convention?

For more information about ICDPPC 2019 visit www.privacyconference2019.info

Graham Greenleaf AM, Professor of Law & Information Systems, UNSW Australia. Mr Greenleaf is the moderator of ‘Panel I: Global convergence in data protection law’, Open Session, 41st International Conference of Data Protection and Privacy Commissioners, Tirana, Albania.

41st ICDPPC – Closed Session summary

Historic progress towards regulatory cooperation and high data protection standards

41st International Conference of Data Protection and Privacy Commissioners in Tirana, Albania.

“I spoke yesterday about the opportunity we had for this week to go down as one of the most defining of the ICDPPC’s 40 year history. I think we would all agree we’ve achieved that aim.”
Elizabeth Denham CBE, ICDPPC Chair

The 41st International Conference of Data Protection and Privacy Commissioners (ICDPPC) in Tirana, Albania began with the closed session, where members agreed a framework that continues to strengthen the group’s position as an effective international forum.

Central to that is a policy strategy that sets out a clear vision for this organisation for the next two years. The policy strategy builds on the ICDPPC’s Madrid Declaration and last year’s Roadmap on the Future of the Conference. It is the result of significant international collaboration.

The policy strategy is based on three pillars: evolution toward global frameworks and standards, greater enforcement cooperation and identifying priority policy themes. It confirms three strategic priorities:

  • Advancing global privacy in a digital age, confirming a move towards a global regulatory environment;
  • Maximising the conference’s voice and influence, notably in enhancing the conference’s role in digital policy and strengthening relationships with other international bodies and networks;
  • Capacity building to support members sharing expertise year-round.

The diversity in support for the approach showed a global commitment to action. And the wealth of support in people committing their time and expertise to implementing the approach shows a group that is willing to take action.

The strategy will be reinforced by an outward looking approach to engaging with stakeholders, in particular civil society, in a new reference panel to be formed in 2020.

The policy strategy is published on the ICDPPC website.

This passion for privacy and data protection was reflected in the resolutions. Passed resolutions were:

  • Resolution on the promotion of new and long-term practical instruments and continued legal efforts for effective cooperation in cross-border enforcement;
  • Resolution on privacy as a fundamental human right and precondition for exercising other fundamental rights;
  • Resolution to support and facilitate regulatory co-operation between data protection authorities and consumer protection and competition authorities to achieve clear and consistently high standards of data protection in the Digital Economy;
  • Resolution to address the role of human error in personal data breaches;
  • Resolution on social media and violent extremist content online.

The resolutions are published on the ICDPPC website.

The conference opened with a warm welcome in Tirana from Commissioner Besnik Dervishi, Albanian Information and Data Protection Commissioner’s Office, and host authority of this year’s conference.

The following new members were welcomed:

  • Chilean Transparency Council, Chile;
  • Commission Nationale pour la Protection des Données à Caractère Personnel, Gabon;
  • Autorità Garante per la protezione dei dati personali, San Marino;
  • National Agency for the Protection of Personal Data, Sao Tome and Principe;
  • OECD Data Protection Commissioner (without voting rights).

Elizabeth Denham CBE, UK Information Commissioner, was confirmed as ICDPPC chair for a further two years. Marguerite Ouédraogo Bonane, President of the CIL, Burkina Faso was re-elected to the Executive Committee. Eduardo Bertoni, Director of Access to Public Information Agency, Argentina was elected to the Executive Committee.

A detailed session on artificial intelligence, building on last year’s resolution, discussed the technology in the context of international regulation and ethics, followed by a session sharing practical experience from members of running an effective data protection and privacy authority.

The session welcomed contributions from ICDPPC working groups, ICDPPC observers at international organisations and updates from regional, linguistic and topic-specific networks.

The second day included updates from Professor Joseph Cannataci, UN Special Rapporteur on the Right to Privacy, and Professor Colin Bennett, University of Victoria, who discussed his research on privacy and democratic engagement.

There was a presentation looking ahead to the 2020 conference in Mexico, and the announcement of New Zealand as 2021 host.

Closing the closed session, Commissioner Besnik Dervishi said: “As a result of this week, the conference will no longer be the same. I’m happy and excited that Tirana will remain a landmark in the history of the conference.”

For further updates visit www.privacyconference2019.info

Winners announced for the Global Privacy and Data Protection Awards 2019

(From left to right): Bruno Baeriswyl, Privacy Commissioner, Data Protection Authority of the Canton of Zurich; John Edwards, New Zealand Privacy Commissioner; Wojciech Wiewiorowski, Acting European Data Protection Supervisor; Mar España Martí, Director of the Agencia Española de Protección de Datos (AEPD); Besnik Dervishi, Albania IDP Commissioner; Thomas Zerdick, Head of IT Policy Unit at the EDPS.


The Global Privacy and Data Protection Awards 2019 were celebrated last night at the 41st International Conference of Data Protection and Privacy Commissioners (ICDPPC) in Tirana, Albania.

Now in their third year, the Awards celebrate the achievements of the entire ICDPPC community and shine a light on good practice.

Elizabeth Denham CBE, Chair of ICDPPC and UK Information Commissioner, said: “The awards celebrate the creative ideas, the practical innovations and the brilliant people we are privileged to call part of our community. I hope the winners not only take home their award but also the pride that goes with that – to have been recognised by your peers.”

This year’s winners are:

Education and Public Awareness Award

Winner: Data Protection Authority of the Canton of Zurich, Switzerland

Project: Educational Resources for Children aged 4-9 years old

Bruno Baeriswyl, Privacy Commissioner, Data Protection Authority of the Canton of Zurich, said: “To receive an award by the ICDPPC is a great honor and encouragement for our Authority to continue our work in the area of education.”


Dispute Resolution and Enforcement Award

Winner: Office of the Privacy Commissioner, New Zealand (OPC)

Project: Inquiry into the Ministry of Social Development

John Edwards, New Zealand Privacy Commissioner, said: “My office is honoured to receive this award from the ICDPPC. OPC is particularly humbled given the calibre of entries from other data protection authorities. We are proud to have successfully advocated for the privacy rights of vulnerable members of New Zealand society. Our inquiry and resulting report illustrates that personal information is about people. Misusing that information can cause measurable harm – especially to individuals who have to depend on the welfare system to support themselves and their families. These people are entitled to fairness in the system. I do want to acknowledge the cooperation of the Ministry of Social Development and its commitment to fixing the wrongs identified in our report.”


Innovation Award

Winner: European Data Protection Supervisor (EDPS)

Project: Website Evidence Collector Tool

Thomas Zerdick, Head of IT Policy Unit at the European Data Protection Supervisor, said: “Global Privacy and Data Protection Award in ‘innovation’ emphasises that the data protection authority can approach its enforcement tasks in a modern and technically sophisticated way to address new and evolving challenges to data protection and privacy. We are also proud to share the software with other DPAs, civic society and individual ‘privacy geeks’ making it a freely accessible open source.”


Accountability Award and People’s Choice Award

Winner: Agencia Española de Protección de Datos (Spanish DPA)


Ms Mar España Martí, Director of the Agencia Española de Protección de Datos (AEPD), said: “These awards are a great satisfaction for the Spanish Data Protection Agency, as they represent a recognition of the hard work of all its staff and also of its commitment to support organizations, in particular small businesses, to provide a high level of protection of the personal data they handle.”


Albanian Information and Data Protection Commissioner’s Award

Awarded to Giovani Buttarelli to recognise his outstanding contribution to the protection of personal data and privacy. Besnik Dervishi, the IDP Commissioner, handed the award to Wojciech Wiewiorowski, Acting European Data Protection Supervisor, who highlighted Giovanni’s legacy in the data protection and privacy community.

For more information on the awards and submitted projects, visit the ICDPPC website.