International Partnerships

Global Privacy Assembly

Lead Sector and Directorates:

  1. Compliance Sector
  2. Policy, Research and Parliamentary Affairs Directorate
  3. Technology Analysis Directorate

Purpose

  • The Global Privacy Assembly (GPA) provides international leadership on data protection and privacy issues by connecting the efforts of data protection and privacy authorities from across the globe.
  • According to the GPA’s Mission Statement, the GPA seeks to:
    • Be a highly effective global forum for privacy and data protection authorities;
    • Provide regulatory and policy leadership at the international level in data protection and privacy;
    • Connect and support efforts at the domestic and regional level, and in other international forums, to enable authorities to better protect and promote privacy and data protection;
    • Disseminate knowledge, provide practical assistance and help authorities to more effectively perform their mandates; and
    • Facilitate cooperation on cross border data flows.
  • The GPA’s three Strategic Priorities for 2021 to 2023 are:
    1. Advancing global privacy in an age of accelerated digitalization;
    2. Maximizing the GPA’s voice and influence; and
    3. Capacity building.

Background

  • The GPA first met in 1979, as the International Conference of Data Protection and Privacy Commissioners (ICDPPC). The ICDPPC was re-branded and modernized into the GPA in 2019 at the conclusion of a multi-year exercise co-led by the OPC and France’s Commission Nationale de l’informatique et des libertés (CNIL).
  • The GPA holds an annual meeting each fall, which consists of a Closed Session and an optional Open Session. The functions of the Closed Session include the adoption of resolutions, communiqués and Declarations, defining the Assembly’s strategic direction, adopting reports from the Executive Committee (‘Exco’) and working groups, electing Exco members and its Chair, and accrediting new members and observers.
  • The GPA has a governance structure consisting of a five-member Exco with each Exco member serving a two-year term. The Chair and Secretariat are currently held by the Mexican Authority. The GPA currently has over 130 accredited members and 30 observers. All Canadian provinces and territories other than PEI and Yukon are “sub-national” members. Only national authorities may vote.

Current OPC Participation

  • The OPC is an accredited member of the GPA and actively participates in the GPA’s annual meetings. The OPC typically sponsors and/or co-sponsors several resolutions each year and is regularly called upon to present on various privacy matters.
  • The OPC participates in the GPA’s Translation Services network.
  • The OPC participates in several GPA working groups including those on Ethics and Artificial Intelligence, Digital Education, Data Protection Metrics, and Data Sharing. The OPC holds the chair and co-chair of the following three working groups:
    1. Data Protection and Other Rights and Freedoms Working Group (DPORF): The OPC chairs the DPORF working group and is represented by the Deputy Commissioner, Policy and Promotion. The DPORF, formed in 2021, was previously called the “Policy Strategy Working Group 3”, which was responsible for developing a narrative report exploring the relationship between privacy and other human rights. The DPORF is currently working to promote the narrative report amongst relevant stakeholders.
    2. Digital Citizen and Consumer Working Group (DCCWG): The OPC co-chairs the DCCWG with the Office of the Australian Information Commissioner, and is represented by the Deputy Commissioner, Compliance. Established in 2017 and made permanent in 2021, the DCCWG is focused on considering the intersections of, and promoting co-operation between, the privacy, consumer protection and competition regulatory spheres.
    3. International Enforcement Working Group (IEWG): The IEWG was established as a permanent working group in 2019 with an overarching mandate derived from Pillar 2 of the Policy Strategy in the GPA’s Strategic Plan. It is comprised of 32 members and 2 observers, and is currently co-chaired by the OPC represented by the Deputy Commissioner, Compliance, PCPD (Hong Kong), Datatilsynet (Norway), and SIC (Colombia). The IEWG focuses on developing and promoting practical cooperation tools as well as engagement and coordination with other Privacy Enforcement Networks. The group organizes closed enforcement sessions to discuss topics of mutual interest. Examples of such discussions, which have yielded collaborative initiatives, include video teleconferencing, credential stuffing, data scraping, facial recognition technology and adtech.
  • International Working Group on Data Protection in Technology – Berlin Group: The IWGDPT was established in 1983 and provides an informal setting to discuss ideas, experiences and perspectives related to technology. The Technology Analysis Directorate regularly attends IWGDPT meetings, which occur twice yearly. The group publishes “Working Papers” that are aimed at improving the protection of privacy in the field of technology. Current topics of discussion include facial recognition, smart cities and sensor networks, telemetry and diagnosis data. Participants include data protection authorities, civil society organizations, scientists in the field of data protection and privacy, and international organizations mainly active in the field of human rights and fundamental freedoms.

Strategic Goals

  • The GPA allows the OPC to engage in dialogue and build relationships with other privacy authorities and to share with them best practices. It enables engaging in joint initiatives that enhance privacy protection for Canadians.
  • Through GPA resolutions, the OPC can participate in and lead the development and harmonization of international policy positions on key issues.

Next steps

  • The GPA’s 2022 annual conference will take place mid-October in Turkey. PRPA will coordinate and prepare briefing materials in support of the OPC’s participation.

Further reading


Global Privacy Enforcement Network

Lead Directorate: PIPEDA Compliance Directorate

Purpose

  • The Global Privacy Enforcement Network (GPEN) is a network for privacy enforcement authorities (PEAs) to share knowledge, experience and best practices on the practical aspects of privacy enforcement and cooperation.
  • According to its mission statement, GPEN primarily seeks to promote cooperation by:
    • Exchanging information about relevant issues, trends and experiences;
    • Encouraging training opportunities and sharing of enforcement knowledge;
    • Promoting dialogue with organizations having a role in privacy enforcement;
    • Creating and supporting processes or mechanisms useful to cooperation; and
    • Undertaking or supporting specific activities as outlined below.

Background

Current OPC Participation

  • The OPC plays a key leadership role in GPEN. The OPC is a founding member and has been a member of GPEN’s Management Committee since 2013, alongside our counterparts from the United Kingdom, Hong Kong, Israel and the United States.
  • The OPC is responsible for maintaining and hosting the GPEN website, which members use to exchange ideas and non-confidential documents. Currently, the OPC is working on upgrading the GPEN website’s platform to increase security and usability.
  • The OPC leads or participates in coordinating various GPEN activities including:
    • Privacy Sweeps: GPEN holds an annual Privacy Sweep whereby participating PEAs conduct an internet-based search in a coordinated compliance activity to assess privacy practices of organizations in relation to a predetermined theme. The OPC conceptualized the Privacy Sweep and launched it through GPEN in 2013.
    • Monthly teleconferences: GPEN holds an average of two teleconferences per month for members to discuss enforcement issues and trends, share experiences and best practices.
    • Practitioners’ workshop events: GPEN hosts an annual Practitioners’ workshop event to provide operational-level staff the opportunity to share and develop investigative skills and enforcement collaboration strategies.
    • Network of Networks Initiative: This initiative allows various privacy regulatory networks, and other sectoral networks interested in privacy, to benefit from GPEN’s activities and platform in order to exchange information to improve international enforcement cooperation.
    • GPEN Alert Tool: This tool allows participating GPEN members to notify each other, through a secure platform managed by the US Federal Trade Commission, of their privacy investigations and enforcement actions for potential cooperation. The use of the tool requires signing a Memorandum of Understanding, which 12 PEAs, including the OPC, have signed to date.

Strategic Goals

  • GPEN allows the OPC to engage in dialogue with other PEAs to share best practices in addressing cross-border challenges and to work to develop shared enforcement priorities.
  • By participating in GPEN, the OPC also aims to:
    • Build connections with international counterparts that could serve as the foundation for future collaboration on enforcement matters;
    • Leverage experiences and practical aspects of privacy enforcement to improve the OPC’s operations and compliance actions; and
    • Increase privacy compliance worldwide by demonstrating a coordinated PEA presence.

Next steps

  • The OPC will coordinate the upcoming Privacy Sweep for Fiscal Year 2022-2023. We are in discussions with the International Consumer Protection and Enforcement Network (ICPEN) to organize a coordinated sweep addressing both privacy and consumer protection matters.
  • The OPC has proposed to host an in-person Practitioners workshop in Canada in spring 2023, should health conditions and regulations permit.
  • The GPEN committee is drafting a proposed revised GPEN Action Plan with a target completion of the end of 2022.

Further reading


Organisation for Economic Co-operation and Development Working Party on Data Governance and Privacy

Lead Directorate: Policy, Research and Parliamentary Affairs Directorate

Purpose

  • The OECD’s Working Party on Data Governance and Privacy (OECD DGP) develops policies on privacy and security in digital products and services.

Background

  • The Department of Innovation, Science and Economic Development (ISED) is the Government of Canada delegate at the OECD DGP.

Current OPC Participation

  • The Policy, Research and Parliamentary Affairs Directorate attends meetings of the OECD DGP as part of the Canadian delegation. At ISED’s request, the OPC reviews and shares its privacy expertise on OECD materials. The OPC’s input is incorporated into ISED’s positions and communicated to the DGP.
  • An OPC Compliance representative has been nominated to participate in an advisory expert group to the DGP on enforcement cooperation.

Strategic Goals

  • The OPC leverages its participation in the OECD DGP to provide the Government of Canada with privacy advice with the goal of influencing the scope and direction of OECD privacy related initiatives, and fostering interoperability.

Next steps

  • The next meeting of the OECD DGP is expected to take place in late fall 2022, in anticipation of a ministerial meeting in December 2022. The OPC will provide ISED with views and input on documents related to both events, as appropriate.

Further reading


Asia Pacific Economic Cooperation Data Privacy Subgroup

Lead Directorate: Policy, Research and Parliamentary Affairs Directorate

Purpose

  • The Asia Pacific Economic Cooperation Data Privacy Subgroup (APEC DPS) is an APEC subgroup that aims to reduce trade barriers and promote data flows by harmonizing privacy rules that apply within the APEC region.
  • The DPS also administers the APEC Cross Border Privacy Rules (CBPR) System, a regional privacy certification scheme.

Background

  • Several APEC members have recently created a “Global CBPR Forum”, aiming to create a global version of the APEC CBPR system. The Department of Innovation, Science and Economic Development (ISED) is Canada’s delegate at the APEC DPS and the Global CBPR Forum.

Current OPC Participation

  • Most DPS delegations include representatives from their national privacy authority. The Policy, Research and Parliamentary Affairs Directorate attends meetings of the APEC Data Privacy Subgroup and the Global CBPR Forum as a member of the Canadian delegation.

Strategic Goals

  • The OPC works with the Canadian delegation to ensure that APEC DPS products are compatible with Canada’s privacy requirements. Attendance by the OPC and other regulators helps raise the privacy bar by providing a counterweight to the significant private sector voice and influence.
  • The DPS represents a key opportunity for the OPC to hear from and liaise with policymakers and legislators from the Asia-Pacific region. Insight from this forum provides a useful complement to our participation at the Asia Pacific Privacy Authorities (APPA) forum.

Next steps

  • The next meeting of the APEC DPS will take place in August 2022, while the Global CBPR Forum holds virtual monthly meetings. PRPA will continue to attend meetings of the APEC DPS and meetings of the Global CBPR Forum as a member of the Canadian delegation, where feasible and appropriate.

Further reading


Group of Seven Data Protection and Privacy Authorities Roundtable

Lead Directorate: Policy, Research and Parliamentary Affairs Directorate

Purpose

  • The Group of Seven Data Protection and Privacy Authorities Roundtable (G7 Authorities Roundtable) allows data protection and privacy authorities from G7 countries to identify areas of mutual concern or opportunity and respond with agility to ongoing developments.

Background

  • On September 7-8, 2021, the OPC participated in the inaugural Roundtable of G7 data protection and privacy authorities, hosted by the United Kingdom’s Information Commissioner. The G7 Authorities Roundtable is held annually, hosted by the authority whose country holds the G7 Presidency.

Current OPC Participation

  • The OPC is working with our G7 counterparts on furthering the outcomes envisaged by the 2021 Communique by participating in two Working Groups focused on Emerging Technologies and Enforcement. See: Communique: “Data Free Flow with Trust.”
  • The OPC is also preparing its provocation for the 2022 Roundtable, which will be hosted by the German Data Protection Authority.

Strategic Goals

  • The G7 Authorities Roundtable presents an opportunity for the OPC to join voices with authorities representing the most advanced digital economies in order to have a greater impact and influence on policymakers.

Next steps

  • G7 Working Groups met June 8 to 10, 2022 to discuss updates on topics from the 2021 Roundtable. The 2022 Roundtable will take place in Germany on September 7 and 8, 2022, with a working-level preparatory meeting the week of June 20, 2022.

Further reading

  • Briefing Note, 2022 G7 Data Protection and Privacy Authority Roundtable, April 2022.

Information Security, Cybersecurity and Privacy Protection - Identity Management and Privacy Technologies Working Group

Lead Directorate: Technology Analysis Directorate

Purpose

  • The Information Security, Cybersecurity and Privacy Protection - Identity Management and Privacy Technologies Working Group (ISO/IEC JTC1/SC 27 WG 5), established in 2006, covers the development of international standards and guidelines addressing security aspects of identity management, biometrics and privacy.

Current OPC Participation

  • The Technology Analysis Directorate regularly attends international monthly meetings as part of the Canadian delegation, led by the Standards Council of Canada (SCC), which represents Canada at the International Organization for Standardization (ISO). Members of the delegation are from both the public and private sectors.
  • The Technology Analysis Directorate is the editor for ISO/IEC DIS 27559: Privacy enhancing data de-identification framework, which is at the Draft International Standard stage.

Strategic Goals

  • ISO standards are adopted worldwide and can have a significant impact. Participation of the OPC and other data protection authorities can help influence ISO standards development by balancing industry control while ensuring that appropriate privacy-enhancing best practices are built into standards.

Next steps

  • The most recent virtual working session specifically on ISO/IEC DIS 27559 took place on May 30, 2022, where comments were disposed in preparation of the next round and potential move to the Final Draft International Standard stage.
  • The next general WG5 session will be a hybrid virtual/in-person session held in Luxembourg in September or October 2022.

Further reading


Key Bilateral Relations

Lead Directorates:

  1. PIPEDA Compliance
  2. Policy, Research and Parliamentary Affairs Directorate

Purpose

  • Personal data protection authorities (DPA) in different jurisdictions can face similar or identical issues when dealing with a multinational organization or technology that relies on personal information. DPAs can achieve efficiency and better mitigate the risks to individuals’ privacy by coordinating their actions and cooperating with one another.

Background

  • The OPC engages with numerous DPAs to address global privacy issues.
    • The Policy, Research and Parliamentary Affairs Directorate examines evolving legislation in these jurisdictions, monitors development of relevant guidance and tools, and meets with representatives to leverage resources and share best practices.
    • The Compliance Sector has developed partnerships with key international partners whose countries have strong economic ties with Canada, including the ICO (United Kingdom), the FTC (USA), the EDPS (European Union), the OAIC (Australia) and the SIC (Colombia).
  • Cooperation ranges from simple exchanges of opinions on a subject of common interest to shared co-chair roles to more thorough joint or coordinated investigations. Cooperation could alternatively involve soft enforcement actions such as the recent joint statement on global privacy expectations of Video Teleconferencing companies.

Current OPC Participation

  • The OPC, the FTC and the ICO co-chaired, between 2019 and 2021, the Global Privacy Assembly's (GPA) International Enforcement Working Group (IEWG). These DPAs are currently influential members of the executive committee of the Global Privacy Enforcement Network (GPEN). The OPC and the OAIC co-chair the Digital Citizen and Consumer Working Group (DCCWG). The OPC, the FTC and the OAIC are active members of the Asia Pacific Privacy Authorities (APPA) Forum.
  • The SIC is the new Secretariat of the IEWG. The OPC has forged a close relationship with the SIC, both as co-chairs of the IEWG and through our leading work on the intersection of privacy and competition through the DCCWG. The SIC is an innovative leader in Latin America and has a unique structure, overseeing privacy, competition, consumer protection, and telecom matters.
  • The OPC and the OAIC engage regularly via ad-hoc meetings to discuss topics of mutual interest, such as the ongoing Facebook litigation in both countries. Also, following an initiative of the IEWG, the OPC and the OAIC are co-leading the drafting of an open letter on data scraping.
  • The OPC and the FTC meet bi-monthly to discuss policy and enforcement issues of mutual interest. Their cooperation has led to successful coordinated investigations, including and the ongoing MindGeek investigation.
  • The OPC and the ICO co-lead many enforcement initiatives within several Privacy Enforcement networks. The Compliance Sector engages in bi-monthly bilats with the ICO to share information and perspective on hot topics and co-led initiatives in the United Kingdom and Canada.
  • The EDPS initiated the Digital Clearinghouse (DCH) to bring together regulators from competition, consumer and data protection to share information and discuss the enforcement of rules in the interests of individuals. The OPC also leverages EDPS’ role as the Secretariat of the European Data Protection Board (EDPB) to foster cooperation with its European counterparts.
  • The OPC’s bilateral cooperation with the FTC and the OAIC is legally governed by the APEC’s Cross-border Privacy Enforcement Arrangement (CPEA), while that with the ICO is governed by both the GPA Arrangement and a bilateral MOU. The FTC relies on the U.S. Safe Web Act to share confidential information and to provide investigative assistance.

Strategic Goals

  • These engagements inform the OPC’s understanding of certain law reform proposals and policy issues and help the OPC extend its capacity and improve the efficiency of its enforcement activities, both on specific investigations and generally.

Further reading


International Memorandums of Understanding

Lead Directorate: PIPEDA Compliance Directorate

Purpose

  • The OPC has in place several bilateral arrangements in the form of Memorandums of Understanding (MOU) with international counterparts to share information and to provide mutual assistance in the enforcement of laws protecting personal information in the private sector.
  • The OPC also participates in a number of international privacy networks through which it has signed multilateral MOUs to facilitate information sharing and enforcement cooperation amongst signatories.

Background

  • Section 23.1 of PIPEDA allows the OPC to cooperate with its international counterparts.
  • The OPC’s ability to share information with its international counterparts is subject to having a written arrangement, though not a binding agreement, with the other party, providing for confidentiality of shared information.

Current OPC Participation

  • The OPC currently has bilateral MOUs in place with:
    1. The Autoriteit Persoonsgegevens of Netherlands;
    2. The Information Commissioner of the United Kingdom;
    3. The Commissioner of Data Protection of the Dubai International Financial Center;
    4. The Federal Commissioner for Data Protection and Freedom of Information of Germany;
    5. The Data Protection Commissioner of Ireland;
    6. The National Supervisory Authority for Personal Data Processing of Romania; and
    7. The Unit for the Regulation and Control of Personal Data of Uruguay.
  • The OPC recently concluded the bilateral Memorandum of Understanding between the Privacy Commissioner of Canada and the Commissioner of Data Protection of Abu Dhabi Global Market (ADGM) on Mutual Assistance in the Enforcement of Laws Protecting Personal Information in the Private Sector. [Redacted]
  • The OPC signed the following multilateral MOUs:
    1. Asia-Pacific Economic Cooperation (APEC) Cross-border Privacy Enforcement Arrangement (CPEA): This arrangement establishes a process under which participating authorities may contact each other for help with collecting evidence, sharing information on an organization or matter being investigated, enforcing actions, and transferring complaints to another jurisdiction. The participants in the arrangement include Data Protection Authorities (DPA) such as the Office of the Information and Privacy Commissioner of Australia, Hong Kong’s Office of the Privacy Commissioner for Personal Data, the Office of the Privacy Commissioner of New Zealand and the U.S. Federal Trade Commission.
    2. Global Privacy Assembly (GPA) Cross Border Enforcement Cooperation Arrangement: The Arrangement, which the OPC co-drafted, addresses information sharing, including the treatment by recipients of enforcement-related information, promotes common understandings and approaches to cross-border enforcement cooperation, and encourages authorities to coordinate cross-border cooperation and to assist other authorities. The 16 participants to the arrangement include DPAs from Hungary, Ireland, Gibraltar and Isle of Man.
    3. The Global Privacy Enforcement Network (GPEN) Alert Tool MOU: GPEN members that are signatories to the MOU can use this secure network platform to notify other member authorities of their actual or prospective privacy investigations and enforcement actions for potential coordination and cooperation. Participants in GPEN Alert include authorities such as the Data Protection Authority of Norway, Personal Data Protection Commission of Singapore and the U.S. Federal Trade Commission.

Strategic Goals

  • These international MOUs ensure that the OPC is able to cooperate with other international counterparts on the enforcement of applicable privacy laws, including the sharing of relevant information and the handling of complaints in which the OPC and the other international counterpart are mutually interested.

Next steps

  • [Redacted]

Further reading
