OECD Roundtable on Privacy Law Enforcement Co-operation
12 March 2007, 9:30 – 13:00
OECD Headquarters, Paris
Agenda
Objectives

Continue the dialogue among privacy enforcement authorities begun in London in October 2006,
exchanging cross-border enforcement experiences and strategies to improve co-operation.

Help establish closer relationships between the privacy law enforcement authorities and other
stakeholders, in the context of the OECD project on enforcement co-operation.

Examine and learn from the ways law enforcement co-operation is done in other areas and stay
current with relevant privacy initiatives in other forums.
Preliminary Remarks
9:30 – 9:45

Welcome from the OECD Secretariat

Introduction by the Chair: Progress since the London Roundtable
Jennifer Stoddart, Privacy Commissioner of Canada
Session I
Cross-border Privacy Enforcement Challenges and Approaches
9:45 – 11:00
This session will consider the practical and legal challenges that can arise in the context of privacy law
enforcement in cross-border cases. The session will begin with a discussion of a Canada-United States
cross-border case, with perspectives offered from authorities in both countries about the challenges
encountered and approaches to addressing those challenges. The second part of the Session will consider
the cross-border enforcement challenges raised by a hypothetical factual scenario (attached). Following an
introduction to the scenario by the moderator, each of the panellists will be invited to comment on how their
enforcement authorities would address the scenario, highlighting possible obstacles and tactics for
addressing them. The discussion will be opened to all Roundtable participants.
Moderator: Malcolm Crompton, Information Integrity Solutions, Pty.
Panellists
- Jennifer Stoddart, Privacy Commissioner of Canada
- William Kovacic, Commissioner, Federal Trade Commission (United States)
- Gary Davis, Data Protection Commissioner’s Office (Ireland)
- Masao Horibe, Chuo University School of Law (Japan)
- Mercedes Ortuño, Data Protection Authority (Spain)
- David Smith, Information Commissioner’s Office (United Kingdom)
Roundtable discussion
Coffee Break
11:00 – 11:30
Session II
Cross-border Enforcement Co-operation: the Broader Context
11:30 – 13:00
In the first part of this session, speakers will provide updates on activities in other privacy
forums related to privacy law enforcement co-operation. The speakers and other roundtable
participants will be invited to discuss how best to co-ordinate the OECD efforts in this area with
those in other forums. The second part of the session will include presentations about how
cross-border law enforcement co-operation is co-ordinated in other areas, with a view to
gaining insights into useful models and practices that could be adopted by privacy enforcement
authorities. Following a final round of discussion, the Chair will offer concluding remarks to
bring the Roundtable to a close.
Privacy co-operation

Update from the EU Article 29 Working Party Subgroup on Enforcement
Hana Pecháčková, European Commission

Update from the International Conference of Data Protection and Privacy
Commissioner’s Conference
Clarisse Girot, Commission Nationale de l'Informatique et des Libertés (France)

Role of Company Privacy Officers
Christopher Kuner, Hunton and Williams (Belgium)
Law Enforcement Co-operation in Other areas

Consumer Protection, Spam, and Competition
Hugh Stevenson, Federal Trade Commission (United States)

International Organisation of Securities Commissions (IOSCO)
Christophe Caillot, Autorité des Marchés Financiers (France)
Roundtable discussion and conclusions
Hypothetical Factual Scenario for Session I
Background
Health Research Company A is a private sector health research organisation based in Country A that
uses software on physicians’ computers in Country A to extract health records from the physician’s
computer. The individual’s name is stripped from the data before Company A collects it but the record
includes the area code, profession and date of birth.
Pharmaceutical Company B is a multinational pharmaceutical company with headquarters in Country B
and a branch in Country A that buys this health record data from Health Research Company A to help it
monitor prescription rates and identify any side effects from its drugs.
Marketing Company C is a Web site marketing alternative health care treatments, of unknown location.
The Incident
John is a resident of Country A and has high blood pressure. John’s information is collected by Health
Research Company A and then sent off shore to Pharmaceutical Company B in Country B. An employee
of Pharmaceutical Company B has the latest downloads from Health Research Company A in her laptop
(which is password protected but with unencrypted data) which she leaves in a car. The laptop is stolen
by an opportunistic thief who sells it on the black market to Marketing Company C. Company C looks up
John’s details in various databases and gets his address and phone number. Company C calls John in
Country A and asks if he would like to buy an alternative treatment for high blood pressure.
John complains to the Privacy Law Enforcement Authority in Country A. He says that although he agreed
that de-identified information could be sent to a company for research purposes, he did not agree to it
being used to market to him. He also expresses concern about who else may have obtained his health
information.
Sample Questions
The following questions are proposed to stimulate participants' thinking about the challenges entailed
in addressing the incident, and more importantly the best strategies and tools for meeting those challenges.
To what extent would co-operation be enhanced through informal tools (e.g., contact lists, better
communication channels)? To what extent are domestic legislative changes needed to better enable co-operation? Would enforcement networks or MOUs be helpful?
If you were the Privacy Law Enforcement Authority in Country A:

Would you have sufficient legal authority and tools to resolve the case alone? Would you be able to
investigate yourself what had happened in Country B?

How would you go about obtaining assistance from the authorities in Country B? Would you try to
contact criminal authorities in Country B, and if so via what channels?

Would you be able to share information with the Authority in Country B?
If you were the Privacy Law Enforcement Authority in Country B:

What assistance would you be able to provide the Authority in Country A? Could you obtain
documents or records? Obtain statements from individuals?

Would you be able to help obtain compensation for John for the activities of Company B?

Would you be able to assist in the enforcement of any order or judgment obtained by the authorities
in Country A against Company B?