Regulating the Digital Economy – Why Privacy and Competition Authorities Should Talk to Each Other

Data sits at the center of our digital economy and does not conform to regulatory or geographical boundaries. It is clear further understanding and collaboration by authorities across privacy, consumer protection and competition regulatory spheres is needed to achieve optimal regulatory outcomes. The Digital Citizen and Consumer Working Group (“DCCWG”) is focused on considering the intersections of, and promoting regulatory co‐operation between, the privacy, consumer protection and competition (also referred to as antitrust) regulatory spheres. In doing this, the DCCWG seeks to support “a global regulatory environment with clear and consistently high standards of data protection, as digitalisation continues at pace.” This article explores some of the key learnings of the DCCWG over the past 5 years. Ultimately, the DCCWG view is that collaboration between competition agencies and privacy agencies is becoming an imperative for any jurisdiction that seeks to achieve cohesive digital regulation.

By Melanie Drayton[1] & Brent Homan[2]

 

Read more

Privacy Enforcers Across the Globe Band Together to Coordinate investigations

The German and new U.K. data protection leaders diverged last week on their tone toward business during a top-dog conversation at the International Association of Privacy Professionals Global Privacy Summit 2022 in Washington, D.C. – but other privacy enforcers detailed seven instances of successful cooperation on investigations and productive engagement with different industries. This article reports on key global regulators’ comments at the summit about their priorities for 2022 and how they are increasing their enforcement capacity through coordination. See “Compliance Takeaways From the Latest GDPR Enforcement Statistics” (Feb. 2, 2022).

Read more 

Demande de renseignements sur l’application de la loi concernant les fusions

21 mars 2022

Organismes : Federal Trade Commission et département de la Justice des États-Unis

No de dossier : FTC-2022-0003-0001

 

Je m’adresse à vous, par la présente, à titre de coprésident du Groupe de travail sur le citoyen et le consommateur numérique (GTCCN) de l’Assemblée mondiale pour la protection de la vie privée (AMVP). Formé en 2017, le GTCCN se concentre sur l’examen des intersections des sphères réglementaires de la protection de la vie privée, de la protection des consommateurs et de la concurrence ainsi que sur la promotion de la coopération réglementaire en la matière Notre travail, qui est au cœur de la stratégie de l’AMVP, vise à faciliter la coopération et la collaboration en matière de réglementation afin de créer un environnement réglementaire mondial doté de normes claires et strictes en matière de protection des données. Le GTCCN offre une tribune qui favorise le dialogue, la coopération et le partage des expériences en lien avec les questions d’intersection inter-réglementaire. Il souhaite aussi faire en sorte que les autorités des trois sphères réglementaires travaillent ensemble et adoptent une approche holistique, au moyen de cadres existants ou de nouveaux cadres, pour favoriser une économie numérique vigoureuse et concurrentielle où le droit à la vie privée est respecté.

La transformation numérique de l’économie mondiale a entraîné à la fois des possibilités et des difficultés pour tous les organismes de réglementation. Entre autres, cette transformation a donné lieu à de plus grandes intersections entre les régimes réglementaires qui encadrent la protection de la vie privée, la concurrence et la protection des consommateurs. Il est devenu évident que la fréquence et l’ampleur des intersections ne cesseront de croître, car l’interaction entre ces régimes façonne l’économie et la société numériques d’aujourd’hui.

Le GTCCN a récemment terminé des travaux qui portent à la fois sur la théorie et la pratique selon notre compréhension actuelle de cette intersection. Ces travaux ont conduit à la publication de deux rapports complémentaires, qui se trouvent en annexe au rapport annuel de 2021 du GTCCN. Le premier est un rapport universitaire indépendant commandé par le GTCCN et rédigé par la professeure Erika Douglas de la faculté de droit Beasley de l’Université Temple, ayant pour titre Carrefour numérique : l’intersection du droit de la concurrence et de la confidentialité des données (Carrefour numérique). (Veuillez noter que seuls l’introduction et le sommaire sont offerts en français. Les autres parties du rapport sont offertes en anglais uniquement.) Soulignons que Carrefour numérique est le premier rapport du genre à examiner en profondeur l’intersection entre la concurrence et la protection de la vie privée. Il donne un aperçu détaillé du paysage réglementaire actuel, il fait ressortir les compléments ainsi que les tensions entre les philosophies qui sont au centre de ces deux domaines et il souligne son élaboration émergente comme un défi inter-réglementaire important qui nécessite l’établissement d’un plus grand consensus ainsi qu’une collaboration à l’échelle internationale.

Le deuxième rapport est rédigé par le GTCCN et s’intitule La protection de la vie privée et des données en guise de facteurs dans la réglementation de la concurrence : sondage auprès des autorités de réglementation de la concurrence visant à améliorer la collaboration inter-réglementaire (Rapport d’entretiens). Se fondant sur une série d’entretiens menés auprès des autorités responsables de la concurrence du monde entier, ce rapport cible les domaines de synchronicité potentielle entre les régimes réglementaires ainsi que les obstacles à surmonter et les tensions potentielles à atténuer. Fait peut-être encore plus important, ce rapport comprend plusieurs exemples qui illustrent comment les autorités en matière de concurrence sont parvenues à intégrer avec succès des éléments liés à la protection de la vie privée dans leurs analyses d’application de la loi ainsi que dans la collaboration ou la considération inter-réglementaire et ont réussi à trouver un juste équilibre entre les deux sans sacrifier les objectifs de l’une ou de l’autre en cours de route.

Étant donné que notre groupe de travail est composé d’autorités de la protection des données et de la vie privée, nos observations se limiteront à la protection de la vie privée et à la collaboration inter-réglementaire; il ne s’agira donc pas directement d’une évaluation de vos lignes directrices existantes en matière de fusion. Nos observations seront en fonction des questions ci‑dessous, présentées dans votre demande de renseignements sur l’application de la loi concernant les fusions, dans le contexte des deux rapports susmentionnés et de l’intersection des sphères réglementaires de la protection de la vie privée et de la concurrence.

 

  1. Types et sources d’éléments probants

a. Le cadre des lignes directrices a-t-il été interprété d’une manière indûment restrictive comme étant principalement axé sur les résultats prévus d’une fusion sur le plan des prix? Est-ce possible que certains effets non liés aux prix n’aient pas été analysés adéquatement par rapport aux effets liés aux prix? De quelle façon les lignes directrices devraient-elles aborder ces effets? Quels éléments probants devraient être pris en considération dans les lignes directrices afin d’évaluer ces effets?

d. Le cadre des lignes directrices tient-il suffisamment compte de l’éventail de situations dans lesquelles une fusion est susceptible d’accroître la capacité des parties concernées ou d’autres acteurs du marché à réduire la concurrence, ou de susciter leur intérêt à le faire? De plus, ce cadre tient-il compte de l’éventail d’éléments probants qui peuvent être pertinents à cet égard?

 

6. Définition des marchés

h. Comment faut-il définir les marchés lorsque l’atteinte possible à la concurrence ne découle pas directement du risque de l’augmentation immédiate des prix, mais plutôt de facteurs à plus long terme ou de facteurs non liés aux prix, comme une perte de l’innovation, des changements au niveau de la qualité ou de la diversité des produits ou la création de nouvelles barrières à l’entrée?

 

11. Marchés numériques

a. En ce qui concerne les lignes directrices, l’analyse des fusions dans les marchés numériques devrait-elle différer de celle des fusions dans d’autres marchés? Si oui, en quoi devrait-elle être différente? Comment faut-il définir les marchés pour ce qui est des fusions dans le secteur numérique où les produits et les services connaissent une évolution rapide? De quelle façon les lignes directrices devraient-elles aborder les effets négatifs possibles sur la concurrence dans les marchés qui évoluent rapidement?

c. De quelle façon les lignes directrices devraient-elles aborder la définition des marchés dans le cas des marchés à prix zéro, des marchés à prix négatif ou des marchés sans prix explicites? Dans la définition des marchés, la « qualité » et d’autres caractéristiques peuvent-elles jouer le même rôle que le prix?

f. De quelle façon les lignes directrices devraient-elles permettre d’analyser les fusions où les regroupements de données constituent un motif ou un effet important? Comment devrait-on évaluer les économies d’échelle et de gamme dans ces cas-là?

 

La vie privée jouera un rôle plus important dans la politique de la concurrence

Comme il est indiqué dans Carrefour numérique, la vie privée jouera un rôle plus important dans la politique de la concurrence pour les marchés numériques. Dans cette optique, si l’on considère la vie privée comme un facteur non lié au prix de la concurrence, il n’est pas difficile d’imaginer comment une organisation peut se livrer à un comportement anticoncurrentiel. Si la réduction du nombre de concurrents sur un marché à la suite de fusions est susceptible d’entraîner l’augmentation des prix, l’inverse peut aussi être vrai en ce qui a trait aux mesures de protection de la vie privée comme élément de la qualité des produits et services. Quand les concurrents sont moins nombreux, il y a moins d’incitation à maintenir ou à améliorer les niveaux de protection de la vie privée en tant que composantes qualitatives d’un produit ou service. Dès qu’une entreprise numérique acquiert une position dominante sur le marché, ou détient un véritable monopole, les consommateurs n’ont guère d’autre choix que d’accepter un produit ou un service de qualité inférieure si cette entreprise décide de faire marche arrière et d’adopter ses anciennes pratiques en matière de vie privée. Par exemple, si cette entreprise commençait à suivre les habitudes en ligne de ses clients afin de monnayer les renseignements obtenus, l’absence de produits de substitution ne laisserait aux consommateurs d’autre choix que d’accepter des produits ou services de moindre qualité ou de cesser d’utiliser les produits ou services en question. Dans l’économie numérique d’aujourd’hui, ce n’est pas toujours réalisable, car les consommateurs dépendent de plateformes numériques dominantes et d’autres effets et externalités de réseau. Parallèlement, un géant du numérique disposant d’une emprise sur le marché pourrait supprimer les innovations permettant d’offrir des produits et services respectueux de la vie privée et éliminer potentiellement la concurrence quant au niveau de protection de la vie privée offert par les concurrents.

La grande importance accordée aux facteurs de concurrence liés aux prix et les efforts visant à réduire les facteurs de concurrence non liés aux prix sont susceptibles d’instaurer une approche « traditionaliste » à l’égard de la réglementation, comme il est expliqué dans le Rapport d’entretiens. Cette approche n’est pas propre aux organismes de réglementation de la concurrence, comme il est indiqué à la page 12 de ce rapport.

 Cette approche part de l’idée selon laquelle les autorités chargées la concurrence peuvent remplir plus efficacement leur mandat en se concentrant sur les questions et les éléments de concurrence lors de l’évaluation du comportement en cause, en écartant tout facteur n’ayant aucun aspect concurrentiel. Selon cette approche, les évaluations concurrentielles reposent sur des indicateurs concurrentiels traditionnels, tels que les prix ou les parts de marché, et excluent généralement les facteurs tels que la protection de la vie privée.

Cette approche repose sur l’intervention d’autres organismes de réglementation pour traiter les autres enjeux, comme la vie privée, en fonction de leur domaine d’expertise. Comme il a été soulevé dans le Rapport d’entretiens, une approche de ce genre à l’égard de la réglementation de la concurrence pourrait mener à l’augmentation du nombre de règlements d’application ou de positions stratégiques dichotomiques qui favorisent la concurrence au détriment de la vie privée, ou vice versa. Un résultat binaire de ce genre risque non seulement de compromettre le droit à la vie privée, mais aussi de déjouer les efforts pour favoriser la concurrence au sein d’une économie numérique vigoureuse, entraînant des retombées sous-optimales. Selon nos recherches, nous sommes rendus à un point où les considérations en matière de vie privée et de données sont largement acceptées dans la communauté antitrust comme ayant le potentiel, dans certaines circonstances et sur certains marchés, d’être des facteurs importants dans le calcul de la concurrence.

 

La collaboration inter-réglementaire deviendra de plus en plus nécessaire

Le chevauchement des régimes réglementaires pour les marchés numériques appelle à une meilleure collaboration. Cela permettra de promouvoir une approche globale et uniforme en matière de réglementation numérique au profit de marchés compétitifs, à l’avantage des consommateurs et de leur droit à la vie privée.

Les avantages de la collaboration inter-réglementaire sont démontrés, par exemple, dans la résolution « Banque » de la Superintendencia Industria y Comercio (SIC), comme il est expliqué dans Carrefour numérique et le Rapport d’entretiens. La SIC est notamment l’autorité colombienne chargée entre autres de la protection des consommateurs, de la concurrence et de la protection de la vie privée. Tel qu’il est décrit en détail dans les paragraphes 78 et 79 du Rapport d’entretiens, l’organisme colombien de réglementation financière a demandé à la SIC d’effectuer une évaluation de la concurrence à la suite de la création d’une coentreprise numérique formée des trois plus grandes banques de la Colombie. L’équipe de la concurrence chargée de l’évaluation a souligné les répercussions sur la vie privée que cela pourrait entraîner et la nécessité pour la coentreprise de gagner la confiance des consommateurs envers ses services en faisant preuve de transparence et en respectant les règlements de la Colombie sur la protection des renseignements personnels. Par la suite, l’équipe a consulté ses homologues chargés de la protection de la vie privée et, malgré que l’évaluation ait porté sur la concurrence, elle a intégré plusieurs recommandations liées à la vie privée dans son rapport définitif.

On retrouve un autre exemple dans le « Digital Regulation Cooperation Forum » du Royaume-Uni, qui est formé des organismes suivants de ce pays : Competition and Markets Authority (CMA), Information Commissioner’s Office (ICO), Office of Communications, Financial Conduct Authority. Ce forum a été mis sur pied pour assurer une collaboration accrue dans les dossiers réglementaires portant sur des enjeux en ligne. En mai 2021, la CMA et l’ICO ont publié une déclaration conjointe exposant leurs opinions communes sur la relation entre la concurrence et la protection des données dans les marchés numériques.

J’aimerais aussi attirer votre attention sur la Competition and Consumer Commission of Singapore (CCCS) pour démontrer comment les intérêts des deux domaines réglementaires ont progressé grâce à la considération et à la collaboration intersectorielles. Dans le cadre d’une consultation publique portant sur des modifications proposées à différentes lignes directrices pour l’application de la loi, la CCCS a explicitement déclaré que, le cas échéant, ses évaluations des fusions considéreront la protection des données en tant qu’aspect de la qualité. Une autre modification proposée souligne que le contrôle ou la propriété des données constitue un facteur déterminant de l’emprise sur le marché en ce qui a trait à l’utilisation abusive des évaluations de la dominance. Ces exemples, et d’autres, sont examinés de façon plus exhaustive dans le Rapport d’entretiens et dans Carrefour numérique, annexés au rapport annuel de 2021 du GTCCN (et aussi annexés à cette lettre pour des raisons pratiques).

En outre, l’importance croissante accordée à la collaboration inter-réglementaire entre les autorités de la concurrence et de la protection de la vie privée se reflète dans l’entente conclue récemment entre les autorités de protection des données et de la vie privée du G7 visant à renforcer la collaboration avec leurs homologues de la concurrence à l’échelle nationale en matière de régulation des marchés numériques.

 

Je vous remercie de m’avoir donné l’occasion de participer à cette consultation. Si vous souhaitez discuter plus à fond de ces enjeux, vous pouvez communiquer avec moi à l’adresse Brent.Homan@priv.gc.ca.

Je vous prie d’agréer l’expression de mes meilleurs sentiments.

 

Coprésidents du Groupe de travail sur le citoyen et le consommateur numérique

Assemblée mondiale pour la protection de la vie privée

 

  1. j.

Request for Information on Merger Enforcement

21 March 2022

Agencies: Federal Trade Commission and US Department of Justice

Docket No.: FTC-2022-0003-0001

I am writing to you in my capacity as the Co-chair of the Global Privacy Assembly’s (“GPA”) Digital Citizen and Consumer Working Group (“DCCWG”). Established in 2017, the DCCWG is focused on examining the intersections of, and promoting regulatory co-operation between, the privacy, consumer protection and competition regulatory spheres. Our work goes to the heart of the GPA’s Policy Strategy to facilitate regulatory co-operation and collaboration to create a global regulatory environment with clear and consistently high standards of data protection. The DCCWG provides a forum that encourages dialogue, co-operation and the sharing of experiences regarding cross-regulatory intersection issues. It further aims to advance how authorities from all three regulatory spheres may use existing frameworks, or foster new ones, to work together and holistically promote a robust and competitive digital economy where privacy rights are respected.

The digital transformation of the global economy has brought with it a number of opportunities and challenges for all regulators. Among other things, this transformation has led to an increased cross-regulatory intersection between privacy, competition and consumer protection. It has become apparent that these intersections will only continue to grow both in frequency and magnitude, as their interplay shapes today’s digital economy and society.

The DCCWG recently completed work that brings together both the theory and practical application underpinning our current understanding of this intersection. It resulted in two complementary reports appended to the DCCWG’s 2021 Annual Report. The first is a DCCWG-commissioned independent academic report by Professor Erika Douglas of Temple University Beasley School of Law, titled ‘Digital Crossroads: The Intersection of Competition Law and Data Privacy’ (the “Digital Crossroads”). It is worth noting that the Digital Crossroads is the first report of its kind to delve comprehensively into the intersection between competition and privacy. It provides a detailed overview of the current regulatory landscape, highlights complements and tensions between the philosophies at the center of these two fields and underscores its emerging development as an important cross-regulatory challenge requiring further consensus-building and international collaboration.

The second is the DCCWG-authored ‘Privacy and Data Protection as Factors in Competition Regulation: Surveying Competition Regulators to Improve Cross-Regulatory Collaboration’ (the “Interview Report”). Based on a series of interviews with competition authorities from around the globe, the Interview Report identifies potential synchronicity between regulatory regimes as well as obstacles to be surmounted and possible tensions to be mitigated. Perhaps most importantly, this report also includes multiple examples illustrating how competition authorities have successfully incorporated privacy considerations into their enforcement analyses and through cross-regulatory collaboration or consideration, have found the balance between the two without sacrificing the objectives of either.

As our membership is comprised of privacy and data protection authorities, our comments will be limited to privacy and cross-regulatory insights, as opposed to a more direct assessment of your existing merger guidelines. It is within the context of the intersection between privacy and competition regulation, and the two reports noted above, that we offer comments with respect to the following questions in your Request for Information on Merger Enforcement:

  1. Types and Sources of Evidence
    1. Has the guidelines’ framework been interpreted unduly narrowly as focusing primarily on the predicted price outcome of a merger? Are there non-price effects that are not adequately analyzed by analogy to price effects, and how should the guidelines address such effects? What evidence should the guidelines consider in evaluating these effects?
  2. Does the guidelines’ framework sufficiently capture the range of circumstances in which a merger will likely enhance the ability and/or incentive of the merging parties or other market participants to reduce competition, and the range of evidence that may be relevant to that consideration?
  3. Market Definition
  4. How should markets be defined when the potential harm to competition stems not from the risk of an immediate price increase, but instead from other longer-term or non-price factors such as a loss of innovation, changes to product quality or variety, or creation of new entry barriers?
  5. Digital Markets
    1. How, if at all, should the guidelines’ analysis of mergers in digital markets differ from mergers in other markets? How should markets be defined in the case of mergers in the digital sector where products and services undergo rapid change? How should the guidelines address prospective competitive harms in rapidly evolving markets?
  6. How should the guidelines approach market definition in zero-price markets, negative-price markets, or markets without explicit prices? Can “quality” and other characteristics play the same role as price in market definition?
  7. How should the guidelines analyze mergers involving data aggregation as an important motive and/or effect? How should economies of scale and scope be measured in these cases?

 

Privacy will play a larger role in competition policy

As noted in the Digital Crossroads, privacy will play a larger role in competition policy within digital markets in the future. With this in mind, when one views privacy as a non-price factor of competition today, it is not hard to imagine how an organization can engage in anti-competitive conduct. If a reduction in the number of competitors due to mergers in a market is likely to lead to increased prices, the inverse can be true with respect to privacy protections as an element of product and service quality. With fewer competitors in the market, there is less incentive to continue to enhance or maintain existing levels of privacy protections, as a qualitative component of a product or service. Once a digital enterprise gains a dominant market position, if not an outright monopoly, consumers will be left with little to no choice but to accept a lower quality product or service should that enterprise choose to reverse course with respect to previous privacy-serving practices. If, for example, that enterprise were to begin tracking their customers’ online habits in an effort to monetize that information, the lack of substitutable products or services leaves consumers no meaningful alternative but to accept a lower quality product/service or stop using the product/service altogether.  In today’s digital economy that may not always be practicable, given consumer dependence on dominant digital platforms as well as other network effects and externalities. At the same time, a digital giant with market power could suppress privacy-friendly product/service innovations and potentially eliminate competition with respect to the level of privacy protections offered by competitors.

A heavy focus on price-based competitive factors, combined with efforts to minimize non-price competitive factors, is likely to entrench what the Interview Report has termed the “traditionalist” approach to regulation. While not unique to competition regulators, as presented on page 12 of that report,

 “[t]his approach is rooted in the view that competition authorities can more effectively achieve their mandates by focusing on competitive issues and elements when assessing the conduct at issue, and setting aside any factors that do not have a competitive bearing on the conduct. Under this theory, competitive assessments utilize traditional competitive indicators such as price or market share, and would generally exclude factors such as privacy.”

This approach relies on other regulators to address other issues (such as privacy) within their regulatory sphere. As raised in the Interview Report, such an approach to competition regulation could result in an increased number of “either-or” enforcement resolutions and policy positions that promote competition at the expense of privacy – or vice versa. Such a binary outcome may not only compromise privacy rights, but could also result in a sub-optimal outcome as it relates to promoting competition in a robust digital economy. Our research suggests that we have arrived at a point where privacy and data considerations have been largely accepted in the anti-trust community as having the potential, in certain circumstances and markets, to be material factors in the competitive calculus.

 

The Need for Cross-Regulatory Collaboration will continue to grow

 

The overlapping regulatory nature of digital markets calls for a cooperative process. This will help promote a holistic and consistent approach to digital regulation to the benefit of competitive markets, consumer welfare, and the protection of privacy rights.

The benefits of cross-regulatory cooperation can be seen in examples such as the Colombian Superintendencia Industria y Comercio’s (“SIC”) “Bank’s” resolution as discussed in both the Digital Crossroads and the Interview Report. Among other things, the SIC is Colombia’s consumer protection, privacy and competition authority. As discussed in greater detail in paragraphs 78 and 79 of the Interview Report, when Colombia’s financial regulator asked the SIC to conduct a competitive assessment of the creation of a digital joint venture between Colombia’s three largest banks, the competition team conducting the assessment recognized both the privacy implications and the need for the joint venture to garner consumer trust in its services through transparency and respect for Colombia’s privacy regulations. As a result, they consulted with their privacy counterparts and, despite the competitive nature of the assessment, incorporated several privacy-related recommendations into their final report.

Another example can be found in the UK’s Digital Regulation Cooperation Forum, which is comprised of the UK’s Competition and Markets Authority (“CMA”), the Information Commissioner’s Office (“ICO”), the Office of Communications and the Financial Conduct Authority. The Forum was established to ensure greater cooperation on online regulatory matters. In May of 2021, the CMA and the ICO published a joint statement setting out their shared views on the relationship between competition and data protection in digital markets.

I would also draw your attention to the Competition and Consumer Commission of Singapore (“CCCS”) as an example of how both regulatory spheres’ interests have been advanced through cross-sector consideration and collaboration. As part of a public consultation on proposed amendments to various enforcement guidelines, the CCCS has explicitly stated that, where appropriate, their merger assessments will treat data protection as an aspect of quality. Another proposed amendment identified the control/ownership of data as a possible determinant of market power with respect to abuse of dominance assessments. These and other examples are explored in greater detail in the Interview Report and Digital Crossroads, appended to the DCCWG’s 2021 Annual Report (and also accompanying this letter for convenience).

In addition, the growing importance of fostering cross-regulatory cooperation between privacy and competition authorities is also reflected by the G7 data protection and privacy authorities’ recent agreement to strengthen collaboration with their domestic competition counterparts on the regulation of digital markets.

Thank you for the opportunity to participate in your consultation.  I can be reached at Brent.Homan@priv.gc.ca should you wish to discuss these issues further.

Sincerely,

Co-Chairs of the Digital Citizen and Consumer Working Group

Global Privacy Assembly

 

Encl.

GPA Annual Meeting Host Authorities announced for 2022 and 2023

The GPA Executive Committee is delighted to announce that the Turkish Personal Data Protection Authority (KVKK) has agreed to take on the role of GPA Annual Meeting Host 2022.

The President Commissioner of the Turkish Personal Data Protection Authority, Prof. Faruk BİLİR, “would like to thank the Executive Committee for the opportunity, and looks forward to the responsibility of hosting this important meeting in 2022.”

The Executive Committee is very thankful to the authority for their flexibility and willingness to host at a shorter than usual notice.

The Executive Committee is also delighted to announce that the GPA Annual Meeting will take place in Bermuda in 2023, hosted by the Office of the Privacy Commissioner of Bermuda.

The Executive Committee is looking forward to working closely with both authorities and is confident that they will both deliver a conference that will guarantee overall delegate satisfaction.

Members may recall that New Zealand had been selected by the Executive Committee to host the GPA Annual Conference in 2021, but that this was pushed to 2022 due to the coronavirus pandemic.

The Office of the Privacy Commissioner of New Zealand has recently informed the Executive Committee that it has with great regret decided to withdraw from hosting in 2022. This is due to the present uncertainty about the degree to which borders will be open for in-person attendance by members and the time-zone for virtual attendance being inconvenient for so many member authorities.

Solving the billion-dollar question: how do we build on the foundations of convergence?

Elizabeth Denham, UK Information Commissioner and outgoing Chair of the Global Privacy Assembly, delivered the following speech at the 43rd Global Privacy Assembly conference, hosted digitally by INAI, Mexico.

I’m here to discuss convergence and international standards. I want to talk about three foundations for convergence that already exist. And then I want to talk about three ways we can build on those foundations in the future.

First, let’s briefly discuss why convergence has a role to play.

Our digital world is international. Data flows around the world in a heartbeat. I open up my phone, check an app, and in a moment my data travels around the globe. Services like geolocation and cloud computing all rely on international data flows.

But the checks and balances on this data are domestic.

That brings problems.

It can mean that when a multinational company doesn’t follow the rules, or when there is an international data breach, the ability for regulators to work together across jurisdictions can be limited, as we try to match up our differing legal systems and approaches.

It can mean that businesses have to follow several sets of rules to reach a single customer base, spread across jurisdictions. Or that people are unsure what their protections are, or where to turn for help.

And it can mean a system for international data flows based on assessments of how other nations’ laws measure up to our own, no matter how many flaws we may be willing to acknowledge in our own systems.

The result is an international problem that could be costing economies around the world billions of dollars.

Convergence – through common standards and better architecture between our laws, could reduce those problems. But how do we achieve that? That is what I want to discuss today.

 

Mexico

Before I begin discussing the foundations for convergence that already exist, and how we can build on them, allow me a brief tangent.

We were, of course, originally scheduled to be discussing this topic in person, in Mexico City. I’ve been fortunate enough to attend a number of GPA and ICDPPC conferences, and been lucky enough to see some incredible parts of the world as a consequence – including Mexico back in 2011. And much as I love London, it isn’t the same as enjoying Mexican hospitality.

So while we can’t travel to Mexico, I’ve tried to bring a little of Mexico to us today. I’ve themed my speech today around some of the incredible historic sights the country has to offer. I hope one day I can again experience these sites in person.

 

Building on the foundations of convergence

Let’s begin with my next slide, the Pyramid of the Sun at Teotihuacan. A step pyramid built around 1,800 years ago, it is 75 metres high and more than 200 metres across.

Having climbed to the top myself, I can tell you that’s high.

It was built from two and half million tonnes of stone and earth, with each tier rested securely on the wider tier below.

This is how our moves towards greater international convergence must be constructed, if we are to reach the heights we aspire to. We must build on the carefully constructed work already completed.

The GPA has been central to the work in this area. The Assembly exists to bring together data protection and privacy authorities from around the world, and that international collaboration is the very first foundation of any convergence. What’s more, work by a GPA working group to analyse ten global frameworks from across the world showed strong commonalities. In particular, there were overlaps in the core principles and data subject rights, and also in requirements for independent supervisory bodies.

Those findings should perhaps come as no surprise. The development of data protection legislation in the last decade has seen a model of building ‘best of breed’ laws, with the newest privacy laws, such as those in Brazil and California, standing firmly on the shoulders of other existing laws.

That’s a sensible approach, as common features across laws bring a greater ability to share expertise and even work together on investigations, as well as increasing the potential for free flow of data between countries.

That free flow of data was a central motivation for the recent meeting of G7 data protection and privacy authorities, another part of the pyramid we can build upon. The meeting grew from the ambition of ‘data free flows with trust’, a central part of the 2019 G20 in Japan. We discussed at our G7 meeting how we could better work together on topics like AI, cookies and national security. The focus was on where we could commit to making progress that would have a positive impact for each of us domestically.

It is clear that we have a considerably wide base with which to build further convergence. I’ve not touched on the Council for Europe’s work in this area, for instance. But it is clear too that our work only goes so far. There are no easy answers here – if there were, we would already have taken them.

 

Image by Vlad Tchompalov on Unsplash

Respecting cultural differences

I’ll move now to my next historic sight of Mexico, and the UNESCO protected Cozumel reef. The reef is part of the second largest system in the world, which is home to more than a thousand marine species, living side by side.

That respect for one another’s cultures and approaches is another key foundation for convergence.

I think this is an important point. Historically, convergence has too often been seen as a shorthand for ‘why don’t you converge with my approach, or my law’. And that hasn’t worked.

Convergence has to be a meeting in the middle, and I think there’s a much better appreciation of that now. Our countries all have different legal structures, different administrative setups, and different cultures built on different histories.

Convergence must not mean leaving those differences behind. Instead, it needs to be about finding ways to join together these differences, and to weave a meaningful safety net of protections that work globally.

As an aside, that respect for another’s cultures has been one of the real impressive aspects of our conference this week.

For someone who has worked in data protection as long as I have, hearing so many bright minds engaged in discussing privacy is so positive. There has always been expertise in this field, but the diversity of knowledge now is what stands out. We have the brightest minds in academia, business, in law and in the regulatory and policy space all wanting to work on privacy issues. And we have the international diversity too – the Global Privacy Assembly really does bring voices together from all parts of the world. That diversity gives us so much collective wisdom.

 

Image by Diego Delso, delso.photo, License CC-BY-SA

Our response to the pandemic

Which brings me on to the third foundation of convergence

This is the Hospital de Jesus Nazareno in Mexico City. It is said to be the oldest hospital on the continent, and to have been built at the behest of controversial Spanish Conquistador Hernán Cortés.

It remains in operation today, and like most hospitals around the world, has spent the past couple of years facing the challenges of the COVID-19 pandemic.

The pandemic has brought a great number of challenges to our community.

But it has shown the value of privacy too, and how we benefit from our shared expertise.

I saw this first hand in the UK. When the UK government wanted to develop a contact tracing app, it considered data protection at an early stage, and it consulted with my office. The government understood that answering the questions we posed on transparency, legality and fairness would help to develop an app trusted by more people.

The advice my office provided government was informed by conversations we had with colleagues across the Global Privacy Assembly network. Regulators across the world were facing similar challenges, and we all  benefited from the shared wisdom of the Assembly.

Crucially – and this goes back to my conference opening yesterday – I saw our community asking the right questions. Do we understand how people feel? And how can we make sure our input is providing practical value?

When I look now through the ICO’s opinion on contact tracing apps, and through the GPA’s Compendium of Best Practices, I think the benefits of focussing on those two questions shines through. Privacy remained relevant.

And if you’ll allow me just a moment’s reflection, I believe the success of our community’s response to COVID-19 was built on the modernisation of the GPA.

We are now a year round assembly, able to respond quickly to challenges that arise between conferences, such as the COVID-19.

We are more collaborative than ever, able to share our expertise and to speak with one voice, as we did when we emphasised the importance of continued protections for people’s data rights during the pandemic.

And we are more outward facing than ever before, working with so many of you, including the likes of the OECD, the UN and the WHO, to make sure the advice we offered through the pandemic is rooted in practical benefit.

Our teamwork, across the privacy community, showed that we can work together, no matter our differing laws and cultures.

The pandemic showed how convergence could work.

 

Image by Mario La Pergola on Unsplash

Building common principles

But it showed too that we still have further to travel, if we are to truly benefit from the potential of convergence.

I will now set out the three areas where our experience shows that more must be done, to build on the foundations of convergence already in place.

The Kukulcán is a step pyramid in the south of Mexico. Across its four sides, the pyramid has a total of 365 steps, one for each day of the Mayan year.

Early separation of the year into formal calendars gave a framework for Mayan society, and was important for trade, agriculture and religion.

As we look to the next stage of international convergence, we need to find our own framework. We need recognisable common principles that can translate across borders.

Aspects like transparency and fairness are not specific to a single law or regulatory approach, and so can act as a bridge to better international collaboration and cooperation.

This is work that is already underway within the GPA. Our Global Frameworks and Standards Working Group has focused this year on key principles that members can agree on, touching on aspects including the independence of data protection authority, international transfer mechanisms and government access to data. The latter has resulted in a resolution we’ll discuss in the closed session later this week.

The Council of Europe’s work around C108 and C108+ has also looked to set common principles. And there is potential too for further exploration of how codes and certifications, including those led by business and trade groups, could assist in this area.

But it is clear that there is room for further progress.

 

Image by Charlie Marchant on Flickr

Architecture to join our laws

Let’s move to our next sight.

The Copper Canyon is a network of canyons covering 65,000 square kilometres. The Canyons are linked by the Chihuahua al Pacifico, a railway passing over 37 bridges and through 86 tunnels.

The architecture needed to join the different canyons is a neat analogy for the second area where we need to build on the foundations for convergence.

It is accepted that the flow of data, from individual to organisation, from organisation to organisation, from country to country, is integral to digital innovation.

It is accepted – I hope – that such data flows rely on the public trust earned through sensible data protection regulation.

And yet we continue to consider those protections domestically.

We do have systems to transfer data internationally, of course. CBPRs enable data flows in parts of the world, while elsewhere adequacy agreements have their place.

But it remains the case that we are working with a series of bridges, rather than a single railroad.

What we need is better architecture to join together our world, and to allow different laws to work side by side. We need a railroad through the canyons.

 

A new approach

Which brings me to our final Mexican historic site. The Temple of San Agustin is a 16th century church. A beautiful white stone building built as a convent, with an eye-catching bell tower and historic murals.

But it is also abandoned. The convent was built near a lake, and flooding in the 17th and 18th century kept washing away the friars’ work. Eventually, they gave up fighting the waters, and moved away.

There is a lesson there for today. We are all proud of our domestic laws, built with good intentions. But if the waters of international digital innovation keep washing away our work, at what point do we need to move to a new approach?

It is my view that there is a real urgency to this work. The pace of acceleration in digital uptake, and the increasing use of data in innovation brings those flood waters ever closer.

We are not making quick enough progress in our response. Talk of convergence has, for too long, stalled around a sense of us needing to pick a favoured legislative approach or scheme, and insist it is extended to all four corners of the world. As our community spends time focusing on faults with one another’s regime, businesses are left with unwieldy processes that increasingly make privacy and data protection feel like too heavy a burden.

To put is simply, we risk all of our good work being washed away.

It is my own view that fresh thinking is needed. What is needed is a Bretton Woods for data, repeating the 1944 conference that brought together 730 delegates from almost 50 countries to consider how the world could rebuild from war. Delegates came from diverse cultures, and brought diverse ideas, but with a united understanding: the old system had failed, and a new one, built on international cooperation, was needed.

A Bretton Woods conference could provide the melting pot of ideas needed to take this forward, something I have spoken about recently at Oxford University.

That could be in the shape of a global data protection accord. An accord that found common ground between nation’s data protection regimes would enable member nations to better work together, and could allow for the transfer of low risk data to countries who were fellow members.

But that’s only one idea – we need more ideas, and more discussion.

I know the data protection community stands ready to be part of the solution. I see that in my work with the GPA. I see the ambition when I talk with my G7 colleagues.

But that challenge must now go further.

The challenge must go to governments and international organisations like OECD, Council of Europe and WTO, bodies with the convening power to make a Bretton Woods conference for data happen.

And then the challenge must go further afield. Data is such a broad, cross societal issue that impacts every facet of our lives. And so the solutions must come from the bright minds across society from think tanks, academia, from civil society, from businesses and from the people whose trust so much relies on.

 

Conclusion

I want to be clear. My view is that finding a solution here – building on our existing foundations, and finding a way for international convergence – is achievable. We can make this happen.

But we must decide to do this. As a community, regulators, business, civil society, and especially policy makers, must commit to making it happen.

  • That will mean compromise.
  • It will mean conversation.
  • It will mean accepting that there is not a perfect solution.

If we get it right, there is no limit to how high we can build our pyramid.

Winner announced for the first GPA Giovanni Buttarelli Award

The Global Privacy Assembly’s (GPA) Chair and Executive Committee are delighted to announce Shoshana Zuboff as the first winner of the Giovanni Buttarelli Award.

Dr. Zuboff, Professor Emerita at Harvard Business School and author of The Age of Surveillance Capitalism, has been recognised for her exceptional contribution to international data protection and privacy.

Elizabeth Denham, outgoing GPA Chair and UK Information Commissioner, said: “Shoshana’s work as an academic and an author has revolutionised the way we look at data and data protection. The Executive Committee and I could not have been more excited about this choice. Many congratulations!”

The inaugural GPA Giovanni Buttarelli Award was presented at the Open Session of the 43rd Global Privacy Assembly Conference on 19 October 2021.

The Award was created by the GPA Executive Committee in 2021 in memory of Giovanni Buttarelli, former European Data Protection Supervisor and Executive Committee Member. It aims to recognise Giovanni’s invaluable contribution to the international data protection and privacy community as a leader and as a passionate advocate for international collaboration.

Ms. Denham said: “Giovanni was an inspiring leading figure in the GPA community. He understood that the only way to face today’s challenges was by working together. Most important of all, Giovanni had a vision to ensure a fairer digital future for all. This Award will help to carry on his legacy in the years to come.”

Mr. Wojciech Wiewiórowski, European Data Protection Supervisor, said: “Professor Zuboff’s ideas and forward-looking vision have captured the general public attention on how digital market dynamics are deeply affecting societies, freedoms, and rights. Her ideas have inspired a wider change on how the privacy-specialised community approach these topics.”

Dr. Zuboff said: “I shall not rest until the digital lives in democracy’s house… a world in which we all benefit from new knowledge, where data collection is tethered to fundamental rights, and data use is defined by public service and democratic flourishing. This is the future that the world yearns for and deserves.”

Watch the Award acceptance video below.

The GPA Executive Committee would also like to sincerely thank the Buttarelli family for their support and for endorsing this Award.

For more information on the GPA Giovanni Buttarelli Award visit: https://globalprivacyassembly.org/news-events/giovannibuttarelliaward

Highlights from the Global Privacy Assembly Closed Session 2021

Ce communiqué de presse est disponible en français.

Este comunicado de prensa está disponible en español.

Privacy is getting increasingly important in the digital age, so what can data protection and privacy authorities do to further uphold people’s fundamental rights?

These were central issues under discussion as the Global Privacy Assembly joined together for their 43rd Closed Session (20-21 October).

The virtual conference was hosted by National Institute for Transparency, Access to Information and Protection of Personal Data (INAI), Mexico, and brought together more than 90 members and observers to consider key data protection challenges. It followed an open session earlier in the week.

Opening the session, Elizabeth Denham CBE, outgoing GPA Chair and UK Information Commissioner, praised the work of the privacy community through the pandemic, calling for the Assembly to continue to be impactful.

Ms Denham said: “We were already in a data-driven age, even before the pandemic supercharged that acceleration of digital growth. Now data-driven innovation is helping us through health crises, and influencing every facet of society.

“Our community’s work is central to that, ensuring people trust that innovation. But we cannot assume that privacy will always have a seat at the table. Our input into discussions on key societal issues is dependent on an understanding that data protection and privacy supervisors bring a valuable insight, a practical mindset and we can respond promptly.”

Resolutions were discussed and agreed at the conference, giving a shared view on a range of important current topics:

  • Data sharing for the public good;
  • Children’s digital rights;
  • Government access to data; and
  • The future of the Global Privacy Assembly

Other topics discussed in detail included international enforcement cooperation and regulatory sandboxes.

The Assembly also adopted a strategic plan for the next two years, committing to a continued focus on advancing global privacy, maximising the GPA’s influence and building capacity for members.

The Global Privacy Assembly brings together more than 130 members and observers from around the world. At the closed session, the following new members and observers were welcomed:

New members:

  • Commissioner of Data Protection, Abu Dhabi Global Market
  • Office of the Queensland Information Commissioner, Australia

New observers:

  • National Data Protection Authority (ANPD), Brazil
  • Saudi Data and Artificial Intelligence Authority, Saudi Arabia
  • Ministry of Transport and Communication, Qatar
  • Data Protection Office, Qatar Financial Centre
  • Privacy and Civil Liberties Oversight Board, United States
  • Consumer Financial Protection Bureau, United States
  • Asia Pacific Privacy Authorities (APPA) Forum
  • Inter-American Institute of Human Rights (IIHR)

The results of the GPA Executive Committee election were also announced:

  • Marguerite Ouedraogo Bonane, from Burkina Faso’s Commission for Information Technologies and Civil Liberties, stood down having completed her second two year term; and
  • Morocco’s National Commission for the control and the protection of Personal Data (CNDP), was elected to the Executive Committee for a two year term.

Commissioner Besnik Dervishi, from Albania’s Information and Data Protection Commissioner also stood down from the GPA Executive Committee after serving an additional year as Past Host Authority.

President Commissioner Blanca Lilia Ibarra Cadena, of Mexico’s INAI, was elected as Chair of the Assembly. She replaces Elizabeth Denham CBE, UK Information Commissioner, who has completed her three year term.

Welcoming her successor, Ms Denham thanked the Secretariat and the Executive Committee for their support.

President Commissioner Blanca Lilia Ibarra Cadena responded: “The GPA is alive and flourishing thanks to our interactions and exchanges.

“Our partnership is deepening, with our cooperation covering issues that concern society as a whole, achieving a growing impact.

“The ideas expressed at this conference invite us to rethink and draw new horizons on the incorporation of best practices in the handling of personal data.”

For more information, visit globalprivacyassembly.org