In this Guernsey Press Column published on 2 April 2024, Bailiwick of Guernsey Data Protection Commissioner Brent Homan explains how international cooperation amongst data protection authorities advances privacy rights on both a global and domestic level.
You can see it in the headlines almost every day. Cyber-attacks on global digital platforms. Data breaches at government institutions. Global technological innovations such as AI that along with their promise of societal and economic benefits, also bring significant risks to individuals’ data protection rights. These are global challenges that regulators face in their domestic jurisdictions, and certainly ones that we face at home here in Guernsey.
And that raises a key question – with privacy and data protection issues gaining greater prominence each year, with the rising number of complaints and with an increasing complexity of data protection issues:
“How as a regulator with limited resources do we meet unlimited demands on those resources?”
While there are many elements to that answer, one critical part of the equation is the “
power of partnership”. Put simply, “
international collaboration expands the capacity to take action and amplifies the impacts of those actions”.
And that is nowhere truer than in the regulatory sphere of data protection where we are facing unprecedented global challenges that call for a global response.
For an excellent example of the “power of partnership” let’s go back to the early days of the pandemic.
In January 2020, few people knew about a video-conference platform called Zoom, yet two months later it felt like the whole world was on it, as families and friends sought to maintain connections during lock-downs with quiz nights and virtual birthday parties, individuals were scheduling video medical appointments, and children were introduced to online schools.
Just like that (feeble finger-snap), literally overnight, video-conference platforms of all sorts took on a greater prominence and importance in holding together the fabric of our society.
And with this shift in societal priority, there was a collective obligation amongst data protection authorities to ensure that these platforms, that were managing the flow of huge volumes of personal information in the form of video/audio, were doing so in a privacy-protective manner.
One response could have involved a number of different regulators looking at the issue in a number of different ways, involving duplicative interactions with vid-platform companies.
But the International Enforcement Cooperation Working Group (IEWG) of the
Global Privacy Assembly (GPA) got together, leading to six member Authorities (Canada, UK, Australia, Switzerland, Hong Kong and Gibraltar) jointly drafting an open letter to the world’s leading video platform companies setting out their collective expectations. Engagement ensued with Microsoft, Google, Cisco and Zoom who responded positively and constructively.
As a result, this joint initiative was not only able to highlight areas of best practices amongst the video platforms, including
security testing, implementation of privacy programs, provision of meeting controls, but to also identify opportunities for further enhancement or improvement such as: s
urrounding end-to-end encryption, secondary use of data, and location of data.
This action demonstrated that by joining forces to adopt shared positions on issues that have a significant impact on privacy, the group was not only able to expand its collective enforcement capacity but was able to have an expedient, positive global privacy impact, one in which not only the video platforms, but individuals worldwide benefited from.
The ODPA is already a member of the GPA, which is the leading international data protection network in the world. And we are now further leveraging the power of partnership, having assumed in January the position of co-chair of the IEWG alongside Canada, Australia, Colombia, Norway and Hong Kong.
Through this alliance we will better understand and advance matters of shared global priority, leading to an even greater protection of the privacy rights of our residents, right here at home in the Bailiwick.
And the Bailiwick has much to share with the global community, as a leading global financial services hub where the ODPA will strive to ensure the highest level of data protection standards and security safeguards.
That journey has already begun.
In January the ODPA endorsed a joint statement on data scraping and the protection of privacy, issued in August 2023. Joining forces with 14 international data protection authorities, this statement outlines:
- Key privacy risks of data scraping (automated extraction of personal data from online platforms)
- How social media companies and other websites can protect individuals’ personal data
- The actions individuals can take to minimise harms from scraping
Through this joint initiative with Australia, Canada, the UK, Hong Kong, Switzerland, Norway, New Zealand, Colombia, Morocco, Argentina, Mexico, Italy and Jersey, we are engaging with global social media platforms to ensure they have sufficient safeguards in place to protect their billions of users from unlawful harvesting of their personal data.
In joining forces with our international data protection partners we are setting out key global expectations towards ensuring adequate safeguards to combat non-authorised scraping.
The plan is to release the results of this initiative later this year.
So there you have it – the power of partnership in action, expanding the ODPA’s ability to protect and promote the data protection rights of Guernsey through International cooperation.
To conclude where I started, yes, data protection issues are increasingly demanding a global response.
And rest assured that the ODPA will be that leading voice for the Bailiwick with a seat at the global regulatory table.