1) Background - ICDPPC€¦ · Resolution on a Roadmap on the Future of the Conference. which mandated the Working Group on the Future of the Conference with the following tasks to

1

ICDPPC Working Group

Working Group on the Future of the Conference

Draft Report on 2018-2019 Activities / 2019-2020 Forward Looking Plan

1) Background

Following a decision taken at its 2017 Annual Meeting in Hong Kong, the ICDPPC launched a consultation, amongst members and non-members, on its own future. The consultation pivoted around three main themes: the Conference’s objectives and common future; the Conference’s identity; and the Conference’s format and structure.

This consultation exercise resulted in the adoption at the 40th ICDPPC annual meeting of the Resolution on a Roadmap on the Future of the Conference which mandated the Working Group on the Future of the Conference with the following tasks to be completed and presented at the 41st conference in 2019:

completing a paper serving as the foundation to consult on and assess the articulation between the closed and open sessions of the Annual Meeting;

developing a background document on the interpretation of the membership and independence criteria;

writing a detailed proposal on the creation of an ICDPPC contact group with external stakeholders, in particular civil society organisations;

evaluating the possibilities and modalities, including technical and financial requirements, for the creation of an ICDPPC members’ secure online platform;

establishing plans for the development of a funded, stable Secretariat, in place for renewable terms of three years or more, and for the establishment of membership fees and its modalities.

The Membership of the Working Group on the Future of the Conference was refreshed in May 2019 and currently consists of 14 delegations. The Co-Chairs of the Working Group are the Office of the Privacy Commissioner of Canada (OPC) and the Information Commissioner’s Office of the UK (ICO).

2

2) Executive Summary

As highlighted above, the Working Group was mandated by the Conference with the completion of five papers. These are enclosed as Annexes to the current report. A short executive summary for each is presented below.

a. The Relationship between the Closed and Open Sessions and Proposals to Maximize the Attractiveness of the Annual Meeting Agenda

As part of the consultations in 2017-18, members raised the issue of the closed and open sessions’ articulation and specifically the order in which these occur. The paper presents options and recommendations for organizing the annual meeting in a way that can maximize its effectiveness and advance the Conference’s purpose of becoming an effective platform for cooperation and influence. The recommendations include: scheduling the open session first before the closed session; putting selected topics on a multi-year cycle for output and implementation; allocating more time in the closed session for operational exchanges and discussions on Conference priorities; canvassing for topics to cover during the operational exchanges; and holding regional network side events prior to the Welcome reception.

b. A Background Document on the Interpretation of the Autonomy and Independence Criteria

Following members’ request that current membership criteria be maintained and, in particular, that the criteria for appropriate autonomy and independence be guaranteed, this paper serves as a background for interpretation of this criteria. The paper suggests a contextual approach to underpin the evaluation of ICDPPC membership applications and provides a list of elements that can help demonstrate appropriate autonomy and independence.

c. A Proposal for the Creation of the ICDPPC Reference Panel As part of the 2017 discussion on the Conference’s identity, several ICDPPC members highlighted the need for the Conference to strengthen informed exchanges and collaboration with external stakeholders. For the achievement of this objective, this paper proposes the establishment of an ICDPPC Reference Panel comprising of representatives of relevant civil society organisations, academic institutions, think tanks, non-privacy supervisory authorities and representatives of the private sector whose main task will be to provide expert consultation to the ICDPPC and its working groups on an ad hoc basis upon request.

d. A Paper on the Creation of an ICDPPC Secure Online Platform Options and Financial Requirements

This paper outlines three options, including an overview of the costs for each, for the creation of a secure, password-protected virtual space that would act as a platform for ICDPPC members to share good practice and exchange practical information on cases. These options are: a software-based solution (e.g. Office 365 or open source software), an enhanced version

3

of the existing ICDPPC website and the creation of a new ICDPPC website including a log-in area accessible to Conference’s members only. The paper concludes by suggesting to further test members’ preferences in relation to the need for the creation of an ICDPPC secure virtual space or for a continuation of the status quo.

e. A Paper on the Proposed Plans for the Establishment of an ICDPPC Stable Secretariat

During the 2017 strategic consultation on the future of the conference, a significant proportion of the membership stressed the desire for the Conference to evolve towards a more structured organisation, including through the establishment of a funded and stable Secretariat which could provide a more institutionally structured support to the work of the ICDPPC. This paper aims at mapping out plans for the achievement of this objective, including practical means to collect membership fees and proposed changes to the Rules and Procedures. Specifically, the paper proposes a model whereby the Secretariat will initially be a funded entity separate from the Chair but serviced by a member authority for renewable terms of four years, to be introduced starting from 2021.

3) Working Group Activity 2018-2019

The Working Group has successfully completed all the tasks mandated to it by the Conference. By July 2019, all draft papers were completed. Three written consultations of the papers were conducted in May, June and July 2019. The members of the Working Group convened via Teleconference two times in July and August. In order to ensure consensus on the final version of the papers within the Working Group, the Co-Chairs requested the Executive Committee for a short extension of the 26 August deadline. Following this extension being granted from the Executive Committee, a third call with the members of the Working Group will take place on 5th September.

4) Forward Plan for the Working Group 2019-2020

Subject to Conference’s approval at the 2019 Annual Meeting in Tirana, the following actions have been identified for 2019 – 2020:

Secure Online Platform:

November – December 2019: Launch a short survey amongst the member authorities to test members’ views on the need for the secure virtual space as well as for further scoping out the requirements and functionalities members would like to see on the platform; further explore the availability and scope of use of open source software or institutional collaboration solutions before taking steps towards the implementation of an entirely new ICDPPC website;

4

January – March 2020: On the basis of the results, engage in a soft market testing to

acquire more accurate figures required for the development of the secure online platform, as well as for carrying out a thorough risk assessment of the proposed approach;

April – May 2020: explore funding options to cover the costs of the creation of the secure online platform to present at the 2020 Annual Meeting;

Proposed Plans for the Establishment of a stable and funded Secretariat:

November 2019 – March 2020: gather the necessary census data from all member authorities in order to establish the relevant fee tier and conduct a survey amongst member authorities to identify legal obstacles for some authorities to accept funds for running the Secretariat;

April 2020 – May 2020: analyse survey results; reach out to those authorities which provided a Secretariat function in the past to collect information over costs incurred and tasks undertaken; explore options for alternative sources of funding which could complement the income sourced through the collection of the Secretariat fees; draft report to be circulated to the Conference at the 2020 Annual Meeting;

June – July 2020: consultation period.

5) Annexes a. The Relationship between the Closed and Open Sessions and Proposals to

Maximize the Attractiveness of the Annual Meeting Agenda; b. A Background Document on the Interpretation of the Autonomy and

Independence Criteria; c. A Proposal for the Creation of the ICDPPC Reference Panel; d. A Paper on the Creation of an ICDPPC Secure Online Platform Options and

Financial Requirements; e. A Paper on the Proposed Plans for the Establishment of an ICDPPC Stable

Secretariat.

In accordance with the mandate given by the Resolution on a Roadmap on the Future of the International Conference adopted at the 40th ICDPPC annual meeting, this paper serves as the foundation to ‘consult on and assess the articulation between the closed and open sessions of the Annual Meeting and present proposals in order to maximize the attractiveness of the Conference’s Annual meeting agenda’ for consideration at the 41st Conference in October 2019.

Working Group on the Future of the Conference

Annex A

The Relationship between the Closed and Open Sessions and Proposals to Maximize the Attractiveness

of the Annual Meeting Agenda

2

Table of Contents

1. Background ................................................................................................... 3

2. Current Practices Related to the Annual Meetings ........................................ 4

2.1 The Closed Session .................................................................................. 4

2.2 The Open Session .................................................................................... 5

2.3 Side Events.............................................................................................. 6

3. Proposals to Maximize the Annual Meeting Agenda ..................................... 6

3.1 Sequencing ............................................................................................. 7

3.2 Focus of the Sessions .............................................................................. 7

3.3 Enhancing Networking Opportunities ..................................................... 8

4. Conclusion .................................................................................................... 9

Table A – Overview of Suggested Annual Meeting Agenda ......................... 10

Table B – Sample Closed Session Agenda .................................................... 11

5. Next Steps .................................................................................................. 12

3

1. Background

Prior to the 2017 annual meeting in Hong Kong, ICDPPC members were consulted on the importance they give to the Conference’s purposes and how well these purposes were being achieved. Answers showed that members valued, and the Conference was achieving, its goal of being “a meeting point between members and international organizations that share common objectives.”1 However, several of the suggestions made by members as part of the survey pointed at how to improve on the Conference – particularly with regard to its role as a meeting point - with some recommendations specifically on the running of the annual meeting. Such proposals included:

• To allow for “more room for practical ‘getting to know each other’ [opportunities] with the aim of supporting each other and establishing effective and close cooperation”;

• To have “more follow up on the adopted resolutions”; • To be “a forum of guided controversial discussions”; and • To “more closely intertwine the closed session and the open session…keeping the closed session

exclusively for DPAs or Conference members” and moving “discussions on matters of general interest to the open session.”2

Throughout the consultations with members carried out in 2017-18, the format of the Conference and the means to achieve its objectives were the subject of much discussion, with members raising the issue of the closed and open sessions’ articulation and specifically the order in which these occur. Further, members expressed a desire to strengthen the closed session – both in content and attendance – as a way to “insist on the Conference’s independence.”3 Members rejected the idea of not having the open session noting the importance it held for interacting with stakeholders, in helping offset the cost of organizing the conference, and in helping raise the profile of host authorities.

Following up on the consultations, at its 40th meeting in 2018, the ICDPPC adopted the Resolution on a Roadmap on the Future of the International Conference, which mandates the creation of a task force on the Annual Meeting format, to consult and report on its recommendation at the 41st conference.4 The Future of the Conference (FOTC) Working Group has carried out this task.

In line with the mandate, this paper will look at current practices in the organization of the annual meeting – the closed session, the open session and its side events. It will then look at the goals of the annual meeting and present options and recommendations for organizing the conference in light of these goals.

1 Future size and membership of the Conference Discussion Paper, OPC-Canada, p. 1. 2 Future size and membership of the Conference Discussion Paper, OPC-Canada, pp. 2-3. 3 Strategic Consultation on the Future of the Conference – Summary of Inputs from the Internal Consultation, ICDPPC Secretariat, p. 4. 4 Resolution on a Roadmap on the Future of the International Conference, pp. 8-9.

4

2. Current Practices Related to the Annual Meetings

The ICDPPC Rules and Procedures stipulate that the Hosting Authority, with the advice and support of the Executive Committee, organizes the annual meeting. It further details that:

The annual meetings shall consist of a Closed Session (hereinafter, the Closed Session). At the discretion of the Executive Committee and the Hosting Authority, the annual meeting should seek to include, without prejudice to ordinary business and debates, during the Closed Session, dedicated occasions for members to share and exchange operational and practical experiences. The decision whether to hold an open meeting in conjunction with the Closed Session, with participation from governments, industry, academia and civil society, should be left to the Hosting Authority.

Should it wish to hold an open meeting, the Hosting Authority should be free to decide how to organize such an event. Individuals or organizations with specific expertise could be invited by the Executive Committee to present a specific subject and attend specific parts of the Closed Session.5

Consequently, the details of the organization of the annual meeting, and in particular of the open session, vary from year to year. Nevertheless, certain broad parameters and practices have set in over the last few years: that the closed session precedes the open session, that each of the sessions lasts approximately one and a half days, and that there are two half days of side events. In total, the annual meeting spans over four days, plus an additional evening for a welcome reception.

2.1 The Closed Session

The closed session includes ordinary and discretionary business. Ordinary business are those items detailed in section 2.2 of the ICDPPC Rules and Procedures, including but not limited to, the accreditation of members and observers, the adoption of working groups, the consideration of resolutions and declarations, and the election of Executive Committee members. As of last year, the closed session should also seek to include operational and practical exchanges between members. This change to the Rules responded to members’ desire to benefit from one of the unique features of the ICDPPC: the congregation of fellow data protection and privacy regulators (DPAs) from across the globe and the desire to share and learn from each other’s experience.

Discretionary items are the in-depth discussions that occur often on the first day of the closed session. For example, at the 37th, 38th and 39th Conferences one or two topics were identified for in-depth discussion.6 Experts, from academia mostly, and fellow DPAs were asked to present on emerging issues in an effort to inform and spur debate. At the 40th Conference, the in-depth discussion with experts was

5 ICDPPC Rules and Procedures: Consolidated version (October 2018), s 2.1. 6 At the 37th Conference, these were genetic and health data, and DPA oversight of security and intelligence; at the 38th Conference these were robotics and artificial intelligence, and encryption; and at the 39th Conference it was government information sharing practices.

5

set aside in favour of debating among members matters related to the future of the Conference and the Declaration on Ethics and Data Protection in Artificial Intelligence.

Both approaches – discussions of topical issues and debates on Conference matters – have their benefits and drawbacks. The main benefit of the topical discussions is that they provide DPAs from diverse legal traditions and regions a similar footing to understand and address these issues. One important drawback, however, has been that these policy discussions do not necessarily result in concerted action by ICDPPC members – via a declaration or resolution – nor do they necessarily respond to an identified strategic or policy priority of the members. They risk being “one-offs” – a valuable discussion in itself without further action or result. There is also the question of the value-added of having these discussions in the closed session as opposed to the open session – does having these discussions in the closed session lead to exchanges that cannot otherwise be held in the open session? If not, why not have these discussions in the open session and benefit from the participation of the wider privacy community?

For its part, the 40th Conference closed session focused mainly on internal matters. This had the benefit of allowing Conference members to directly address the Conference’s identity, make changes to its Rules and set forth a roadmap for its future. The critique, however, was that it was too much “housekeeping” and not enough discussion of big ideas. There was a concern, though not universal, that for new members and for observers, the discussion may have been of limited value. That said, to the extent that it was the exception and not the norm, the closed session of the 40th Conference allowed for emphasis of the policy role to be played by the ICDPPC and to enhance the operational and practical exchanges amongst DPAs that sets it apart from other privacy conferences.

2.2 The Open Session

As noted in the Background section, members have indicated the benefit and desirability of having an open session – noting the relational, economic and reputational advantages that it brings. Given the discretion Hosting Authorities have when organizing these events, the agenda for the open sessions can vary widely. For the most part, they consist of a number of keynotes and panel discussions, with some interaction with the audience via either question and answer periods or interactive polls. Speakers and panelists are generally from a mix of government, academia, the private sector, civil society and DPAs.

Recent conferences speak to the variety displayed from year to year. At the 37th Conference, there were breakout sessions to discuss specific aspects of the Privacy Bridges project commissioned by the host (the Dutch DPA). At the 38th and 39th Conference, the open session was mostly panels of expert speakers addressing a wide array of topics. At the 40th Conference, all panels addressed different aspects of the one theme (Debating Ethics: Dignity and Respect in Data Driven Life).

Having a single “formula” for the annual meeting is not a desired outcome since it would curtail the discretion of the Hosting Authority under the Rules. Nevertheless, greater coordination between the open and closed session can serve to address two issues members have brought up during the FOTC consultations: the first, to create more of a link between the lessons and discussions of the open session and the actions or resolutions of the closed session. The second, to have these sessions advance issues of

6

strategic interest to the Conference. The likely adoption at the 41st Conference of a strategic plan, including its Policy Strategy, can provide added clarity to this coordination.7

While not formally established under the ICDPPC Rules & Procedures, another link between the closed and open session has so far been ensured by having the Chair of the Conference address the open session and report on the outcomes of the closed session.

2.3 Side Events

The two half-days of side events are an important opportunity to interact with other DPAs and open session attendees in smaller groups. Side event organizers include regional networks8, observers, international organisations, private companies and civil society organizations, all in an effort to present and debate in more depth important initiatives, to conduct consultations and to highlight issues of general interest. In the case of regional networks, the annual meeting represents a cost-effective way for its members to meet face-to-face.

The main constraint surrounding side events – albeit a ‘good’ problem – is that there are too many in the few times slots allocated, making it difficult for DPAs to attend (or send staff to) all the sessions of interest. Side events are by their nature not part of the Conference’s core program, and so present important opportunities for practical exchanges and direct interactions with different stakeholders.

3. Proposals to Maximize the Annual Meeting Agenda

In surveys and consultations, members have repeated the desire for the annual meeting to allow for important exchanges between DPAs on topical and operational issues of importance. They also value the opportunity to hear from experts. These goals – to maximize the opportunity of being in the same room with colleagues from around the world, to learn and debate with each other – must be read in conjunction with the Conference’s objective to become a more effective platform for international cooperation and policy influence. In line with the mandate received in the Resolution on a Roadmap on the Future of the International Conference, the Executive Committee is working on a policy strategy to be adopted as part of the 41st Conference’s strategic plan 2019-2021 at the 41st Conference. Consequently, the proposals below seek to capitalize on the uniqueness of the ICDPPC – its membership and position as the premiere event of the privacy and data protection global community – while using the annual meeting to advance, discuss and perfect the progress of its strategic priorities.

7 The Resolution on a Roadmap on the Future of the International Conference, pp. 4-5 mandates “the Executive Committee to adopt a policy strategy, as part of the next Conference strategic plan 2019-2021, to be adopted at the 41st Conference in 2019.” 8 Regional networks include privacy networks organized by geographic, linguistic or cultural commonalities.

7

3.1 Sequencing

The highest-level decision is whether to have the closed session precede or succeed the open session. As noted above, the status quo is for the annual meeting to start with the closed session and end with the open session. Having the closed session first allows members to hold the Conference discussions while still fresh, and use the remaining days of the Conference to present any outcomes (resolutions or declarations) to the wider privacy community during the open session. The main limitation, however, is that whatever is learned or debated during the in-depth discussions from the open session cannot be used to inform any debates, resolutions or work plans during the closed session.

Having the open session first would open the possibility of linking the theme or themes from the open session to the work expected during the closed session (and these themes, in turn, to the Conference priorities as discussed below). This would require some coordination between the Hosting Authority and the Executive Committee when it comes to deciding at least one of the themes or sessions of the open session – something that occurs under the current format in any case. A risk to consider with this change is that having the open session first takes a toll on members, possibly resulting in loss of momentum during the closed session. On the other hand, an important benefit from this change is that the Conference outputs decided during the closed session can be informed by the expertise from the wide array of stakeholders present in the open session. While it is true that influential in-depth discussions can also be held during the closed session, linking the open session topics to what will be decided in the closed session provides added time and opportunities for reflection and discussion amongst members for their immediate application. The recommendation is to have the open session precede the closed session. Due consideration was given to whether the closed session should be extended to cover a full two days, instead of the usual one-and-a-half days but it was considered prudent to retain the current length of the closed session so as not to shorten the time allotted to either the open session or to side events.

3.2 Focus of the Sessions

An important part of member feedback has been the desire to ensure there is no loss of momentum between the open session and the closed session, and from one annual meeting to the next. While the ongoing ICDPPC Policy Strategy exercise will help identify what topics membership wants to focus on over the next few years, ensuring the theme or themes of the open session feed into the plans of the closed session – the resolutions, work plans, in-depth discussions – can add value to each session and the annual meeting as a whole.

One recommendation to facilitate the year-to-year connection is to put selected, prioritized topics on a multi-year cycle. To illustrate:

• At Conference 1, Topic A is the subject of an in-depth discussion in the open session, allowing members to deepen their knowledge and understanding of the issue.

• During the closed session, members discuss the parameters and modality (e.g. striking a new working group or mandating an existing one) by which to continue work on Topic A. In the year between Conference 1 and 2, the position on Topic A is prepared and consulted.

8

• At Conference 2, the output (e.g. a resolution or report) on Topic A is presented, debated and, if consensus is achieved, endorsed. Topic B is the subject of an in-depth discussion in the open session.

• Between Conference 2 and 3, members implement and promote the output on Topic A in their respective jurisdictions and networks. The position on Topic B is prepared and consulted.

• At Conference 3, if warranted, report on the impact of the ICDPPC output on Topic A. The output on Topic B is presented and debated. Topic C is the subject of an in-depth discussion in the open session.

• And so forth.

Such a cycle has the benefit of maintaining momentum from conference to conference. Further, it creates some predictability for at least one of the items on the closed session agenda. The selection of the topic would be a decision of the Hosting Authority in consultation with the Executive Committee and in accordance with the Policy Strategy due for adoption at the 41st Annual Meeting.

The suggestion above would not be to the exclusion of other in-depth discussions or panels during either the open or closed sessions. Nor is the intention to curtail the Hosting Authority’s discretion for the open session, which would remain. Rather, this proposal aims at enhancing and reinforcing the continuity between Annual Meetings as well as between the closed and open session, in line with the outcome of the 2017 strategic consultation with the Conference’s membership.

A further recommendation would be for the closed session to provide more time both for operational exchanges and for comprehensive discussions – of draft declarations and resolutions, and of Executive Committee and Working Group reports as they relate to the progress of strategic priorities (and validation or updating of these strategies). In the case of the operational exchanges, this includes the inclusion of working lunches devoted to member’s sharing of operational innovations and issues. The closed session being the main opportunity for members to interact and to steer the activities of the Conference, the focus of the closed session should be on member interactions. To be clear, this is not to the exclusion of expert-led discussions altogether, but to ensure members take full advantage of their time together.

3.3 Enhancing Networking Opportunities

The construction of the annual meeting agenda can play a pivotal role in achieving members’ desire to facilitate networking and operational exchanges. During the 40th Conference, members agreed to change the Conference Rules and Procedures to reflect the desire for the closed session to include dedicated times for members to share and exchange operational and practical experiences. There are several strategies for members, working groups or networks to present important projects (e.g. on policy initiatives, regional trends, enforcement strategies et cetera). These include breakout sessions, working lunches, panels, in-depth discussions and side events. The intent here is not to be prescriptive but to employ these alternatives on a case-by-case basis since different matters lend themselves to different modalities of presentation. That said, what is important is for the Executive Committee to canvass and

9

for members, working groups and networks to propose suggestions for operational and practical exchanges in the closed session.

As mentioned above, side events remain an important way to network, especially beyond the DPA community. The challenge, however, is in limiting the conflicts created by having a growing number of side events in a finite amount of time. One solution would be to have regional and other networks have their meetings prior to the Welcome reception (the day prior to the official start to the Conference). This would allow members added interaction without limiting their ability to attend other side events organized by the wider privacy community. Moreover, it would open more timeslots for such side events. Lastly, as the Conference continues to enhance its diversity and representativeness, such pre-Conference meetings by networks can allow for regional discussions on Conference-related matters (e.g. the election of Executive Committee members) prior to the closed session.

The constraint here would be adding to the already long schedule of the annual meeting, extending it to a full four and a half days, without accounting for travel time. This adds to the expense to DPAs that attend the Conference – both in time and money – and on the Hosting Authority. That said, considering these meetings would only add a few hours to the schedule prior to the Welcome reception and remain optional, the trade-off in additional side events and networking opportunities may well be worthwhile.

The foreseen establishment of an ICDPPC Stakeholder panel at the 41st ICDPPC may also assist in facilitating the preparation and scheduling of side events.

4. Conclusion In considering different options to maximize the annual meeting, the guiding principles have been to promote exchanges between members and to advance the Conference’s purpose of becoming an effective platform for cooperation and influence. It is in this spirit that this paper presents the following recommendations and options:

1- Scheduling the open session first before the closed session. 2- Selecting a topic in the open session that is then discussed in the closed session, and

subsequently put on a multi-year cycle for output and implementation. 3- Allocating longer timeslots in the closed session to provide for operational exchanges and for

comprehensive discussions related to Conference priorities. 4- Canvassing members, working groups and networks for suggestions and initiatives to highlight

as part of the operational exchanges. 5- Holding regional network side events prior to the Welcome reception.

10

Table A offers the broad strokes of the Conference agenda applying the recommendations above.

Table A – Overview of Suggested Annual Meeting Agenda Day 0 Day 1 Day 2 Day 3 Day 4 Morning Open Session Open Session Side Events

Part 2 Closed Session

Afternoon Meetings of Regional Networks

Open Session Side Events Part 1

Closed Session Closed Session

Evening Welcome Reception

Social Event(s) (optional)

Social Event(s) (optional)

Members’ Gala

Notes: • Regional network meetings are scheduled for before the Welcome Reception. • The Open Session is scheduled for 1.5 days (as is current practice). • Side Events have two half days (as is current practice), but are fully organized between the end of

the open session and the closed session, to maximize participation from non-DPA stakeholders. • The Closed Session is scheduled for 1.5 days (as is current practice). • Evenings remain free for social events.

11

Table B provides a sample closed session agenda following the recommendations. All time allocations and items are to be flexible and represent a general suggestion.

Table B – Sample Closed Session Agenda CONFERENCE DAY THREE – CLOSED SESSION (1st half day) Morning Side Events 12.00 – 13.30 Lunch 13.30 – 14.00 Start of the Closed Session

• Welcome remarks by ICDPPC Chair and Hosting Authority • Governance matters (e.g. resolution on new members and observers)

14.00 – 15.00 Report by the Executive Committee • Update on Activities and Strategic Priorities • Steer for upcoming year

15.00 – 16.00 In-depth discussion 1 – Follow up to open session discussion • Purpose: ensuring connection between open and closed session • Optionally: invite external expert speaker(s) • Discussion on follow-up actions and modalities

16.00 – 17.30 In-depth discussion 2 – Discussion on priority theme • Purpose: educational discussion on one of the Conference priorities • Optionally: invite external expert speaker(s) • Discussion on follow-up actions and modalities

Evening Members’ Gala CONFERENCE DAY FOUR – CLOSED SESSION (2nd day) 08.15 – 09.30

Presentations by Working Groups • Working Groups to report and present work plans for upcoming year. • Discussion on follow-up actions

09.30 – 10.30 Presentations from Stakeholders • UN Special Rapporteur • ICDPPC Observers • Berlin Group • Regional and other Networks

10.30 – 11.15 Networking Break 11.15 – 12.45 Discussion on Conference Priorities and/or Update on priority themes

• Purpose: update on status of priority strategies or presentation from experts on a priority theme

• Steer from members – validation, tweaking of priorities 12.45 – 14.15 Working Lunch

• Parallel Sessions based on suggestions from members, working groups or networks on items they would like to showcase.

14.15 – 15.45 Presentation of Resolutions • Purpose: for members to discuss and adopt resolutions

15.45 – 16.30 Networking break 16.30 – 17.00 Executive Committee Elections 17.00 – 17.15 Presentation by next Hosting Authority 17.15 – 17.30 Announcement of Hosting Authority for following annual meeting 17.30 – 17.45 Chair and Hosting Authority Closing Remarks

12

5. Next Steps Should the current proposal be adopted, the following steps should be taken for implementation by the 42nd Conference and thereafter:

1. Request the Hosting Authority to organize the open session to take place prior to the closed session;

2. Mandate the Executive Committee to work with the Host Authority to select and to propose to members an in-depth topic from amongst identified priorities in the Policy Strategy for debate at the open session;

3. Mandate the Executive Committee, when preparing the agenda of the closed session, to allocate sufficient time for in-depth discussions on Conference-related matters and operational exchanges between members;

4. Mandate the Secretariat to consult members, working groups and networks for suggestions and initiatives that they would like to present during the closed session;

5. Request the Hosting Authority to allocate meeting rooms for regional network side events available prior to the Welcome reception.

1

In accordance with the mandate given to the Working Group on the Future of the Conference by the Resolution on a Roadmap on the Future of the International Conference adopted at the 40th ICDPPC annual meeting, this paper seeks to serve as background for the interpretation of the “appropriate autonomy and independence” criteria for membership of the ICDPPC. This paper will be presented at the 41st Conference in 2019 for members’ consideration.

Working Group on the Future of the Conference

Annex B

Interpretation of the Autonomy and Independence Criteria

2

Table of Contents

1. Background ................................................................................................................................3

2. Overview of how independence has been defined in the regulatory context ................................4

3. Recent ICDPPC interpretation of the “appropriate autonomy and independence” criteria ............8

4. Conclusion ................................................................................................................................ 10

5. Next Steps ................................................................................................................................ 12

3

1. Background In 2017, the ICDPPC Secretariat conducted a survey of members as part of the Project on the Future Size and Membership of the Conference.1 The survey showed, among other outcomes, that members would like the Conference to broaden its global reach and promote its regional diversity, yet that it retains its selective process when doing so by paying particular heed to the independence of data protection and privacy authorities.

Section 5.1 of the ICDPPC Rules and Procedures sets out the criteria for those Supervisory Authorities wishing to become members of the Conference:

a. A public entity, created by an appropriate legal instrument based upon legal traditions of the country or international organisation which it belongs to;

b. Has the supervision of the implementation of the legislation on the protection of personal data or privacy as one of its principal regulatory mandates;

c. The legislation under which it operates is compatible with the principal international instruments dealing with data protection or privacy;

d. Has an appropriate range of legal powers to perform its functions; and e. Has appropriate autonomy and independence.2

In October 2018, during the 40th International Conference of Data Protection and Privacy Commissioners held in Brussels, members adopted the Resolution on a Roadmap on the Future of the Conference. This Resolution lays down a series of recommendations and corresponding actions to be taken in the immediate or medium term, for the future evolution of the conference, on the basis of three guiding objectives identified as a result of the strategic consultation process.3 One of these objectives is “Identity: reaffirming members’ independence while promoting diversity, openness and visibility.” To address members’ requests that current membership criteria be maintained and that independence from both governments and private sector be guaranteed, the ICDPPC mandated the Working Group on the Future of the Conference to “develop a background document on the interpretation of the membership and independence criteria, to be adopted at the 41st Conference in 2019.”

The definitions of the other membership criteria (i.e. legal basis, consistency with international instruments and appropriate functions), are more straightforward and, for their interpretation, we recommend that the ICDPPC continues to rely on the Accreditation Features

1 Project Page: The Future of the Conference. 2 ICDPPC Rules and Procedures: Consolidated version (October 2018), s 5.1. 3 Resolution on a Roadmap on the Future of the International Conference, 40th International Conference of Data Protection and Privacy Commissioners, 23 October 2018.

4

of Data Protection Authorities, adopted during the 23rd International Conference in Paris in 2001. However, the autonomy and independence criteria continue to be the subject of debate when conducting accreditation analysis given their underlying subjectiveness. Therefore, in order to clarify and help interpreting this membership criteria and in line with the mandate mentioned above, this paper seeks to establish guiding principles for the interpretation of the “appropriate autonomy and independence” criteria.4

For the purpose of this paper, Data Protection Authorities (DPAs) will encompass both data protection and privacy commissioners.

2. Overview of how independence has been defined in the

regulatory context In this section, we provide a few examples of how independence has been interpreted in other instances.5

The ICDPPC’s Accreditation Features of Data Protection Authorities, adopted on 25 September 2001 during the 23rd International Conference held in Paris, provides the following guidelines regarding the “autonomy and independence” principle:

The data protection authority must be guaranteed an appropriate degree of autonomy and independence to perform its functions.

Comment: Autonomy requires that an authority be empowered, both in a legal and practical fashion, to initiate and undertake appropriate action without having to seek others’ permission. Independence is important for agencies to be able to operate free from political or governmental interference and to withstand the influence of vested interests. Typical guarantees include:

• Appointment for a fixed term; • Removal only for inability to perform the office, neglect of duty, or serious

misconduct; • The power to report directly to the head of government or legislature and to

speak publically on matters of concern;

4 Accreditation Features of Data Protection Authorities, adopted on September 25, 2001 during the 23rd ICDPPC, Paris, 24-26 September, 2001. 5 The rest of the document focuses on autonomy and independence of regulators. That said, the influence of Council of Europe, Recommendation No. R (94) 12 of the Committee of Ministers to Member States on the Independence, Efficiency and Role of Judges, 13 October 1994, also bears noting given its informative and influential role on this subject.

5

• Immunity against personal law suit for actions carried out as part of official duties;

• Power to initiate investigations.

The matter of independence has been addressed by the United Nations in the so-called

Paris Principles, a set of international standards adopted by the General Assembly in 1993,

which define the role, composition, status and functions of National Human Rights Institutions

(NHRIs).

Under the title “Composition and guarantees of independence and pluralism,” the Paris Principles provide the following:

1. The national institution shall have an infrastructure which is suited to the smooth conduct of its activities, in particular adequate funding. The purpose of this funding should be to enable it to have its own staff and premises, in order to be independent of the Government and not be subject to financial control which might affect its independence.

2. In order to ensure a stable mandate for the members of the national institution, without which there can be no real independence, their appointment shall be effected by an official act which shall establish the specific duration of the mandate. This mandate may be renewable, provided that the pluralism of the institution's membership is ensured.

Under the title “Methods of operation,” the Paris Principles further affirm that the national institution shall:

(a) Freely consider any questions falling within its competence, whether they are submitted by the Government or taken up by it without referral to a higher authority, on the proposal of its members or of any petitioner;

(b) Hear any person and obtain any information and any documents necessary for assessing situations falling within its competence;

(c) Address public opinion directly or through any press organ, particularly in order to publicize its opinions and recommendations;

6

[…] 6

The European Union’s General Data Protection Regulation (GDPR)7, defines the

independence of supervisory authorities as follows:

Article 52 Independence

1. Each supervisory authority shall act with complete independence in performing its tasks and exercising its powers in accordance with this Regulation.

2. The member or members of each supervisory authority shall, in the performance of their tasks and exercise of their powers in accordance with this Regulation, remain free from external influence, whether direct or indirect, and shall neither seek nor take instructions from anybody.

3. Member or members of each supervisory authority shall refrain from any action incompatible with their duties and shall not, during their term of office, engage in any incompatible occupation, whether gainful or not.

4. Each Member State shall ensure that each supervisory authority is provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers, including those to be carried out in the context of mutual assistance, cooperation and participation in the Board.

5. Each Member State shall ensure that each supervisory authority chooses and has its own staff which shall be subject to the exclusive direction of the member or members of the supervisory authority concerned.

6. Each Member State shall ensure that each supervisory authority is subject to financial control which does not affect its independence and that it has separate, public annual budgets, which may be part of the overall state or national budget.8

Articles 53 and 54 (first paragraph) of the GDPR also provide requirements which guarantee the independence of supervisory authorities:

Article 53 General conditions for the members of the supervisory authority

6 United Nations, Paris Principles – defined at the first International Workshop on National Institutions for the Promotion and Protection of Human Rights in Paris 7-9 October 1991, adopted by Human Rights Commission Resolution 1992/54, 1992 and General Assembly Resolution 48/134, 1993. 7 European Union, General Data Protection Regulation, 2016. 8 See also GDPR Recitals 118, 120 and 121.

7

1. Member States shall provide for each member of their supervisory authorities to be appointed by means of a transparent procedure by: - their parliament; - their government; - their head of State; or - an independent body entrusted with the appointment under Member State

law.

2. Each member shall have the qualifications, experience and skills, in particular in the area of the protection of personal data, required to perform its duties and exercise its powers.

3. The duties of a member shall end in the event of the expiry of the term of office, resignation or compulsory retirement, in accordance with the law of the Member State concerned.

4. A member shall be dismissed only in cases of serious misconduct or if the member no longer fulfils the conditions required for the performance of the duties.

Article 54 Rules on the establishment of the supervisory authority

3. Each Member State shall provide by law for all of the following:

a) the establishment of each supervisory authority; b) the qualifications and eligibility conditions required to be appointed as

member of each supervisory authority; c) the rules and procedures for the appointment of the member or members of

each supervisory authority; d) the duration of the term of the member or members of each supervisory

authority of no less than four years, except for the first appointment after 24 May 2016, part of which may take place for a shorter period where that is necessary to protect the independence of the supervisory authority by means of a staggered appointment procedure;

e) whether and, if so, for how many terms the member or members of each supervisory authority is eligible for reappointment;

f) the conditions governing the obligations of the member or members and staff of each supervisory authority, prohibitions on actions, occupations and benefits incompatible therewith during and after the term of office and rules governing the cessation of employment.

[…]

In a 2016 report titled Being an Independent Regulator, the Organisation for Economic Co-operation and Development (OECD) notes that, compared to multi-annual budget allocations,

8

annual allocations to regulators can increase their risk of undue influence. The OECD also warns against the risk of "revolving doors" and conflicts of interest with industry, when no restrictions on pre-or post-employment of professional staff are established. 9

In a 2017 guidance brochure titled Creating a Culture of Independence. Practical Guidance Against Undue Influence, the OECD outlines five dimensions towards a culture of independence:

• “Role clarity” to avoid undue influence; • “Transparency” to foster credibility and trust on the regulator’s decisions and

processes, and “accountability” to enable responsible behavior; • “Financial independence”; • “Independence of leadership,” the head of a regulator being likely to be exposed to

pressures; and • “Staff behavior,” a culture of independence helping “foster an environment that

helps staff produce the needed unbiased advice” and reject undue influence. 10

Finally, the Centre for Effective Government, a non-government organization based in the

US dedicated to building an “open and accountable government that promotes fairness and

equity,” provides the following definition for “Independent Regulatory Agency” in a glossary

available on its website11:

Independent regulatory agencies are federal agencies created by an act of Congress that are independent of the executive departments. Though they are considered part of the executive branch, these agencies are meant to impose and enforce regulations free of political influence. The Consumer Product Safety Commission, the Nuclear Regulatory Commission, the Federal Communications Commission and the Securities and Exchange Commission are examples of such agencies.

3. Recent ICDPPC interpretation of the “appropriate autonomy and independence” criteria

9 Organisation for Economic Co-operation and Development (OECD), Being an Independent Regulator, 19 July 2016. 10 OECD, Creating a Culture of Independence. Practical Guidance Against Undue Influence, 2017. 11 Centre for Effective Government, “Independent Regulatory Agency,” 2015.

9

Over the past three years, the ICDPPC has received approximately twenty applications for membership, resulting in fourteen new members.12 When reviewing applications and determining that applicants had met the requirement for “appropriate autonomy and independence”, members of the ICDPPC Executive Committee have looked at both functional and operational aspects.

On the one hand, in determining functional autonomy and independence, assessors have relied on specific and explicit provisions in the legislation that creates or regiments the DPA. For example, a statement in the law indicating that the authority is an independent entity or that it enjoys autonomy in the performance of its tasks. Independence in this context appears to have been interpreted as being free from direction or undue influence from other government branches or entities.

On the other hand, when evaluating the operational aspect of autonomy and independence, assessors have measured the criteria against three elements. The first relates to the procedural aspects of the appointment and removal of the head of the authority. This covers, for example, the existence in the relevant law of provisions setting forth the formal process to follow for appointment, including length of service, as well as safeguards against arbitrary removal, e.g. dismissal being allowed in adherence with due process and for specified reasons. The second element to which assessors have given consideration is the head of the authority’s ability to speak publicly, to report on its work to other branches of government and to commence investigations on its own initiative. Lastly, although not consistently across time, assessors have also taken into account how the authority is provided with financial resources usually via the national budget allocation process in a manner similar to other government organizations.

In short, it is a combination of both functional and operational factors that help decide whether the autonomy and independence criteria are met. Nevertheless, a complete failure of one of the factors, such as appointment and removal at the whim of the Executive, has sufficed for an adverse determination. To a limited extent, the assessments have looked at the legal and institutional context of the applicant; that is, whether it followed a similar institutional structure as other independent regulatory bodies in that jurisdiction. It should be noted, however, that this additional information is not specifically requested in the application form and is only available by requesting further information from the applicant or using available public sources.

12 Please note that for reasons of confidentiality and the good exercise and maintenance of relationships, this sections purposely avoids providing the names and details of specific applicants. Also, the three year timeframe was chosen given it provides an adequate sample size and corresponds to the last time section 5 of the Rules was amended (at the 37th Conference).

10

Of those membership applications that were not accepted in the past three years, several were instead granted observer status, in accordance with section 5.3 of the ICDPPC Rules that states that:

Public entities that do not meet [the criteria provided for in article 5.1], but are involved in dealing with the protection of personal data and/or privacy” [can take part in the Conference, with an Observer status.]

In a few instances, the criteria that was not met for membership was that of autonomy and independence. In those cases, the reporting structure of the authority and the appointment and removal process of the head(s) of the authority were determinative. Authorities entirely within the Executive branch – that is, that are part of a ministry or department or whose members serve at the pleasure and direction of a minister or President – were deemed not appropriately autonomous and independent.

4. Conclusion When interpreting what it is to be autonomous and independent, the analysis should be mindful that, throughout the world, autonomy and independence are applied informed by local laws, institutions and governance structures as well as by socio-cultural norms. In recognition of this, it is suggested that a contextual approach should underpin the evaluation of ICDPPC Membership applications under the autonomy and independence criterion, while relying on a set of common guiding principles. This reflects the global nature of the Conference, its respect for the principle of cultural and legal diversity and would support the role of the ICDPPC as a forum that encourages dialogue, cooperation and information sharing.

The analysis of this study has indeed shown that several overarching guiding principles can be discerned to assist the Conference in the interpretation of the autonomy and independence criteria. Autonomy requires that an authority be empowered, both in a legal and practical fashion, to initiate and undertake appropriate action without having to seek others’ permission. Independence is important for agencies to be able to operate free from political or governmental interference and to withstand the influence of vested interests. Elements that demonstrate autonomy and independence include:

• The existence of the DPA and its functional and operational independence from both public institutions and the private sector are established in the legislation. This includes setting out features of independence in legislation or explicitly designating this independence.

11

• The head or, where more than one, the principals of the DPA are appointed by an official act for a fixed term according to rules defined in the legislation. Possible guarantees of autonomy and independence here include:

o qualifications and eligibility conditions required to be appointed; o rules and procedures for the appointment; o duration of the term; o how many terms the head or principals of the DPA are eligible for

reappointment; o conditions governing the obligations of the head of the DPA, including

refraining from any action incompatible with their duties and not engaging in any incompatible occupation during and after term;

o limited and reasoned conditions for removal; o requirements for diversity of members, such as from different sectors or

appointed from or by different bodies (judiciary, legislative, trade or professional associations)

• The DPA is provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks. Typical guarantees of this feature include:

o the DPA has dedicated, separate, annual or multi-annual budgets; o the funding is adequate and stable13; o The DPA can access other sources of funds and reimbursements; and, o the DPA chooses and has its own staff, which is subject to the exclusive

direction and authority of the head of the DPA. • The DPA functions as an autonomous and independent body. Features

demonstrating this function include that: o the DPA may freely consider any questions falling within its competence,

whether they are submitted by the Government or taken up by it without referral to a higher authority;

o the DPA has the power to initiate investigations; o the head or principals of the DPA have the power to report directly to the

head of government or legislature and to speak publicly; o the head or principals of the DPA remain free from external influence,

whether direct or indirect, and neither seek nor take instructions from anybody;

o the head or principals of the DPA enjoys immunity against personal law suit for actions carried out as part of their official duties;

13 See also Association for the Prevention of Torture, “Independence and NHRIs: What do we mean?” August 2015.

12

o the DPA decides how it conducts its work: how it spends its time and money, what procedures it uses for investigations and how it plans its activities;

o the DPA enjoys access to the information needed to conduct its works, including by summoning witnesses, administering oaths, compelling the production of evidence and visiting relevant premises;

o the DPA is subject to financial control which does not affect its independence; and

o The DPA staff is subject to a duty of professional secrecy and to rules governing conflicts of interests or political activities, including incompatible occupations and benefits.

• The DPA’s decisions and actions are made in a transparent way. This includes through regular reporting to parliament, government, and the public, and opportunities for public input into its activities.

5. Next Steps

Should members at the 41st ICDPPC agree with the above guiding principles to assess the autonomy and independence criterion of applicants, it is suggested that these be applied accordingly when assessing future ICDPPC accreditation applications and due consideration be given on whether this should be further elaborated or formalized into an ICDPPC Resolution.

1

In accordance with the mandate given to the Working Group on the Future of the Conference by the Resolution on a Roadmap on the Future of the International Conference adopted at the 40th ICDPPC annual meeting, this paper seeks to outline ‘a detailed proposal on the creation of an ICDPPC contact group with external stakeholders, in particular civil society organisations, to be presented at the 41st Conference in 2019’.

Working Group on the Future of the Conference

Annex C

A Proposal for the Creation of the

ICDPPC Reference Panel

2

Table of Contents 1. Background ................................................................................................................................ 3

2. Building Synergistic Relationships ........................................................................................... 4

3. Proposed Engagement Approach ............................................................................................. 5

4. Case Study: the EDPS Ethics Advisory Panel ............................................................................ 9

Annex I ............................................................................................................................................. 10

Annex II ............................................................................................................................................ 11

3

1. Background

Following a decision taken at its 2017 Annual Meeting in Hong Kong, the ICDPPC launched a consultation, amongst members and non-members, on its own future. The consultation, to which a total of 76 respondents contributed, pivoted around three main themes: the Conference’s objectives and common future; the Conference’s identity; and the Conference’s format and structure.

As part of the discussion on the Conference’s identity, several members highlighted the need for the Conference to strengthen informed exchanges and collaboration with external stakeholders, with a specific focus on civil society organisations, in order to ensure the Conference remains open to its surrounding environment. 1 The public consultation on the future of the conference echoed this view. A key theme that emerged from non-members responses was a call for the Conference to be more inclusive of a diverse range of stakeholders, notably by fostering a constructive dialogue with civil society organisations and non-privacy supervisory authorities on topics of common interest, including enhancing participation in the ICDPPC’s working groups’ discussions.2

This consultation exercise resulted in the adoption at the 40th ICDPPC annual meeting of the Resolution on a Roadmap on the Future of the Conference, mandating the WG [on the FoC] to ‘present a detailed proposal on the creation of an ICDPPC contact group with external stakeholders, in particular civil society organisations, to be presented at the 41st Conference in 2019’. 3

In line with this mandate, the following proposal will first examine the advantages for the ICDPPC to engage with external stakeholders before outlining the proposed approach for engagement and a supporting case study. The proposal concludes with an Annex comprising of a template for a call for expression of interest.

1 Resolution on a Roadmap on the Future of the International Conference, 40th International Conference of Data Protection and Privacy Commissioners, p. 6, https://icdppc.org/wp-content/uploads/2018/10/20180922_ICDPPC-40th_Resolution-on-a-roadmap-on-the-future-of-the-Conference_Adopted.pdf. 2 Public Consultation on the Future of the Conference, p. 2 [Available upon request] 3 Resolution on a Roadmap on the Future of the International Conference, 40th International Conference of Data Protection and Privacy Commissioners, p. 7, https://icdppc.org/wp-content/uploads/2018/10/20180922_ICDPPC-40th_Resolution-on-a-roadmap-on-the-future-of-the-Conference_Adopted.pdf.

4

2. Building Synergistic Relationships: the Merit of a Multi-Stakeholder Engagement Approach

Since its first meeting in 1979, the ICDPPC has been committed to be an outstanding international forum where data protection and privacy regulators and enforcers can meet in order to foster the diffusion of knowledge and to support the creation of networks, thereby enabling privacy and data protection authorities to effectively fulfil their mandates. 4

Within a context of global developments where data protection and privacy are becoming increasingly intertwined with related issues such as consumer protection, digital economy and national security, it becomes key to have an informed conversation and fruitful cooperation on priority cross-cutting issues with all relevant stakeholders in the international arena, ranging from representatives of civil society organisations to academic institutions, think tanks as well as members of the private sector. The strategic importance of having this kind of dialogue has been recognised by the ICDPPC membership which, as previously mentioned, identified the need for the Conference to remain open to its global surroundings as one of the core aspects of its identity. 5

Whilst recognising the significance of the above, there are at least three additional ways in which the establishment of an external, multi-stakeholder contact group can prove beneficial for the Conference’s objectives.

Firstly, broadening the scope of ICDPPC’s involvement with a targeted range of representatives in civil society organisations, academia, think tanks and the private sector can enhance the Conference’s diversity. The need to increase diversity and representativeness has been a recurring topic raised by members during the consultation on the Future of the Conference, although much of the focus was placed on better regional representation within the Executive Committee and the Working Groups.

Whilst not downplaying this key aspect, we argue that effectively engaging with external stakeholders can also significantly enhance the Conference’s diversity by opening to, and becoming more inclusive of, different perspectives and alternative approaches to key privacy and data protection challenges and related societal issues. This would not only facilitate the pooling of knowledge by bringing relevant stakeholders expertise and intelligence into the work of the ICDPPC but it would also help the Conference to minimise

4 Conference Strategic Plan 2016 – 2018. At the time of writing, the Conference is still in the process of refreshing its strategic plan 2019 – 2021 to be adopted at the 41st Conference in October 2019. 5 Resolution on a Roadmap on the Future of the International Conference, 40th International Conference of Data Protection and Privacy Commissioners, p. 6, https://icdppc.org/wp-content/uploads/2018/10/20180922_ICDPPC-40th_Resolution-on-a-roadmap-on-the-future-of-the Conference_Adopted.pdf. Likewise, during a survey conducted in 2017 on the Conference’s future size and membership, a clear majority of members approved of cooperation as one of the conference’s objectives. The results of the survey are available at the following link: https://icdppc.org/wp-content/uploads/2017/01/Survey-on-future-size-and-membership-of-the-Conference-complete-analysis-7-July.pdf.

5

the risk of a disconnect between DPAs on the one hand, and the general public and other key agents in the privacy and data protection field on the other.

Secondly, engagement with external stakeholders can lead to an increased visibility and stronger presence for the Conference amongst wider audiences. Representatives of civil society organisations and academic institutions bear the potential to act as a sounding board on the Conference’s policy resolutions as well as multipliers of the Conference’s activities on social media whilst the involvement of stakeholders from the private sector can enhance the dissemination of good practice in data protection within private organisations. This, in turn, can have the positive effect of strengthening the role of the ICDPPC as a policy leader and influencer.

Finally, the creation of a multi-stakeholder contact group can prove beneficial during the preparation phase of the Conference’s Annual Meeting as the members of the contact group would be ideally placed to be called upon on an ad hoc basis to provide support in shaping the relevant aspects of the programme of the open session through their expertise on data protection related, cross-cutting issues.6

3. Proposed Engagement Approach: the ICDPPC’s Reference Panel

In the previous section, we have examined the advantages for the ICDPPC to adopt a multi-stakeholder engagement approach with representatives of civil society organisations, academia and private sector organisations and the way this kind of engagement framework can help the ICDPPC in achieving its mission and vision. In order to maximise the benefits of a long-term, strategic collaboration we propose the establishment of a Reference Panel comprising of representatives of relevant civil society organisations, academic institutions, think tanks, non-privacy supervisory authorities, representatives of public authorities such as law enforcement authorities and representatives of the private sector. When selecting representatives of the private sector, priority will be given to representatives of SMEs and small organisations with expertise in emerging digital technologies in order to maximise input from less-represented categories within the private sector. The main task of the Reference Panel will be to provide expert consultation to the ICDPPC and its working groups on an ad hoc basis, upon request.

This section will set out the Terms of Reference of the ICDPPC Reference Panel, outlining the panel’s objectives, activities as well as participation and selection criteria. These will be submitted for consultation to the ICDPPC’s membership and wider audience before presentation at the 41st Conference in 2019.

6 This would also be a way for the Conference to respond to recent calls from CSOs to become more integrated as active participants into the ICDPPC’s Annual Meeting’s programme. Please see the letter sent by Access Now to the ICDPPC’s Executive Committee in 2017: https://www.accessnow.org/cms/assets/uploads/2018/05/ICDPPC-Consultation-Access-Now-.pdf.

6

3.1. Overall Objective and Tasks of the Reference Panel

As stated in its Rules of Procedure,7 the purposes of the ICDPPC include the promotion of the development of international standards in the field of the protection of personal data and the improvement of privacy and data protection through the provision of a global forum aimed at encouraging dialogue, cooperation and information sharing amongst privacy regulators and enforcers. In line with these purposes, the overall objectives of the ICDPPC’s Reference Panel is to provide expert knowledge and practical expertise on data protection and privacy as well as on data protection related issues and developments in information technology, thereby equipping the Conference with the ability to identify cross-disciplinary policy solutions to privacy and data protection issues.

Specifically, members of the reference panel could be tasked to:

Provide input into the ICDPPC’s Policy Strategy whilst giving expert advice on risks the ICDPPC should be aware of in the global arena;

Help in stimulating a multi-stakeholder dialogue in the area of data protection and privacy as well as related fields (e.g. consumer protection, digital economy) by supporting the Conference in broadening the scope of its engagement and outreach and by promoting the Conference’s vision and activities at relevant events and through social media;

Contributing, upon request, to the work and discussions of the ICDPPC’s working groups;

Providing, upon request, expert knowledge to Host Authorities of the Conference’s Annual Meeting in shaping the programme of the open session as well as of the closed session8.

The Panel will provide advice to the ICDPPC and its working groups on the above matters upon request. The Panel will meet on a quarterly basis via videoconference. These meetings can be complemented by email consultation on an ad hoc basis, where necessary. Once a year, mirroring the process of the Working Groups, the Panel will produce a short report on its activities to be presented by either the Chair or the Secretariat during the Conference’ s Closed Session.

3.2 Composition and Participation

Given the broad range of topics the Panel could be called upon to give advice on, we recommend the panel to be comprised of up to 15 members – 3 members for each category of stakeholders evenly distributed across regions and sectors. 9Members of the panel will be nominated by the ICDPPC’s Chair, following the consensus of the ExCo, during the closed

7 https://icdppc.org/wp-content/uploads/2018/11/20181030_Rules-and-Procedures_ICDPPC_October2018-Consolidated.pdf (2018 amended version), page 3. 8 This could be achieved for example by involving members of the Reference Panel in the delivery of workshops and practical break-out sessions during the closed session, thereby also responding to the call raised by some members during the consultation on the Future of the Conference to rethink the format of both the open and closed session [link to be added]. 9 See page 11 for a list of the categories of stakeholders which are foreseen to be included.

7

session of the Annual Meeting following a selection process. Participation in the Panel is voluntary and members shall not be remunerated for the services they offer. Members can be appointed either in a personal capacity (e.g. academics) or as representatives of an organisation. Members shall be appointed for two years (renewable). If a member of the Panel subsequently wishes to withdraw their participation, s/he can do so by giving notice to the Secretariat.

3.3 The Selection Process

The proposed selection process would unfold as follows:

The ICDPPC Executive Committee to formally agree on the Panel’s members selection criteria. The WG on the Future of the Conference recommends the following criteria to be taken into consideration at the sifting stage: - candidate’s demonstrated interest in the vision and mission of the ICDPPC; - a proven track record of expertise in the field of data protection and privacy or in

a data protection related field such as consumer protection, technology policy and human rights;

- Applicant’s willingness to dedicate time, effort, expert knowledge, and expenses, if necessary, to render assistance to the ICDPPC and its working groups.

- independence and impartiality, i.e. absence of circumstances which would give rise to a conflict of interest and the capacity to represent the common interest and position shared by stakeholders;

- ability to represent the interests of minority and vulnerable groups; - expertise in emerging digital technologies; - cultural, geographic and legal diversity, as well as gender balance.

The ICDPPC Secretariat to launch and promote a call for expression of interest, giving

a three-month window timeframe to receive nominations.

Regional Networks10 to nominate candidates deemed suitable according to the Selection Criteria and send them to the ICDPPC Secretariat. This is without prejudice to the possibility for candidates lacking representation in one of the Networks to submit his/her expression of interest directly to the ICDPPC Secretariat.

The ICDPPC Secretariat will review and assess the nominations received and make a recommendation to the Executive Committee which will formally agree on a list of successful nominees. In order to ensure a balanced representation of points of view, the Secretariat will ensure there is an even distribution of representatives of different categories of stakeholders when reviewing nominations.

10 For an overview of recognised networks, please visit the ICDPPC’s website https://icdppc.org/ > Other Networks. This is not an exhaustive list and the ICDPPC Secretariat is currently in the process of taking stock of the regional and linguistic networks recognised by the ICDPPC.

8

As far as possible, the Committee shall strive for consensus when deciding on the appointment of members to the ICDPPC Reference Panel. Further, in order to fulfil the Conference’s commitment to transparency, the outcome as well as assessment and review process shall be published on the ICDPPC website. The decision of the Executive Committee shall not be appealable.

Upon recommendation by the ICDPPC Executive Committee, the ICDPPC Closed Session shall formally appoint members during the closed session of the Conference’s Annual Meeting.

Proposed Timeline:

November 2019: ExCo meeting. ExCo to reach a formal decision on Selection Criteria and develop the Terms of Reference and Rules of Procedure for the functioning of the Panel;

December 2019 – February 2020: ICDPPC Secretariat to launch Call for Expression of Interest;

March 2020: Regional Networks to send their nominations to the ICDPPC Secretariat, accompanied by the nominee’s cover letter and an explanation of how the proposed candidate meet the Selection Criteria;

April 2020 – June 2020: ICDPPC Secretariat to review and assess the nomination received and make a recommendation to the Executive Committee;

July 2020: Executive Committee to formally agree on a list of successful nominees; August 2020: ICDPPC Secretariat to publish the outcome as well as assessment and

review process on the ICDPPC website; September/October 2020 (depending on the selected dates for the Annual Meeting):

Upon recommendation by the Executive Committee, the ICDPPC Closed Session to formally appoint members to the ICDPPC Reference Panel.

9

4. Case Study: the EDPS Ethics Advisory Panel

The previous sections have explored the rationale for the ICDPPC to broaden the scope of its engagement framework by being more inclusive of a wide range of external stakeholders in its work and discussions as well as annual meetings. An argument was made that this engagement framework should take the shape of a Reference Panel comprising of representatives of civil society organisations, academic institutions and think tanks to be called upon on an ad hoc basis to provide advice and support to the work of the Conference and its working group.

The aim of this section is to analyse the establishment and functioning of the Ethics Advisory Group set up by EDPS in 2016 in order to demonstrate how a strategic approach to engagement with external stakeholders can give rise to a virtuous circle of reflection, research and action in the field of privacy and data protection.

Following a decision of December 2015 to establish an external advisory group on the ethical dimensions of data protection, the EDPS launched a call for expression of interest to select members to the Ethics Advisory Group.

The Ethics Advisory Group was set up with the mandate to explore the relationship between human rights, technology, markets and business models in the 21st century as part of the EDPS 2015-2019 strategy. The group comprises of six members selected amongst experts in the fields of ethics and philosophy, sociology, psychology, technology and economics. The Terms of Reference of the Advisory Group outline the deliverables which include the production of a number of reports11 as well as the dissemination of the findings of the group amongst a wide audience through workshops and public conferences.

The positive effects of the synergistic relationship between EDPS and the Advisory Group were clearly visible in the successful organisation by the EDPS of the open session of the 40th ICDPPC Annual Meeting in Brussel. If we look at the programme of the open session, we can see how the work of the Advisory Group significantly contributed to shaping its content as well as several panels’ composition and discussion. The members of the Ethics Advisory Group were active participants to the Conference which saw an unprecedented participation from NGOs as well as representatives of the academic community12.

11 The Group’s final report was published on the 28th of January 2018 (Data Protection Day) and is available online at the following link: https://edps.europa.eu/sites/edp/files/publication/18-01-25_eag_report_en.pdf. 12 As shown in the EDPS’ Conference Report: https://edps.europa.eu/sites/edp/files/publication/19-01-28_icdppc_2018_report_final_en.pdf.

10

Annex I Call for Expression of Interest

The International Conference of Data Protection and Privacy Commissioners (hereafter ICDPPC) is a global forum for privacy and data protection authorities seeking to provide leadership at international level through diffusion of knowledge and supportive connections amongst authorities, thereby enabling them to effectively fulfil their mandates – both individually and in concert.

Every September or October, the ICDPPC holds an Annual Meeting during which independent regulators on privacy and data protection adopt high level resolutions and recommendations addressed to governments and international organisations.

The ICDPPC consists of a 7 member governance body called the Executive Committee. The Executive Committee comprises five elected members and the host authorities of the previous and next conferences.

Following a resolution adopted at its 2019 Annual Meeting in Tirana,13 the ICDPPC intends to set up an external, cross-disciplinary Reference Panel comprising of a maximum of 15 representatives of relevant civil society organisations, academic institutions and research centres, think tanks, non-privacy supervisory authorities as well as representatives of private sector organisations whose main task will be to provide expert consultation to the ICDPPC and its working groups on an ad hoc basis. Members of the ICDPPC Reference Panel shall not be remunerated for the services they provide.

The ICDPPC Reference Panel will work in a transparent manner and in line with the ICDPPC’s Vision and Mission (please visit https://icdppc.org/ for more information). In line with the ICDPPC’s commitment to encouraging cultural, geographic and legal diversity, the Conference would particularly welcome nominations from underrepresented regions.14

Regional Networks are called to nominate candidates deemed suitable according to the Selection Criteria (Annex II) by sending an email to the ICDPPC’s Secretariat ([email protected]), along with the nominee’s cover letter which should clearly explain the candidate’s motivation for answering the call and the contribution they can bring to the work of the ICDPPC. Where lacking representation in one of the Networks, a prospective candidate will be given the possibility to submit his/her expression of interest directly to the ICDPPC Secretariat. The closing deadline for nominations is 29 February 2020 at 5pm. Applications received after this deadline shall not be accepted.

The ICDPPC Secretariat will review and assess received nominations and make a recommendation to the Executive Committee. The Committee will seek to announce the outcome by August 2020.

13 Link to resolution and background proposal. 14 According to the findings of the ICDPPC Census 2017, 64% of the authorities which responded to the census survey were located in Europe. To access the ICDPPC Census 2017, please visit: https://icdppc.org/wp-content/uploads/2017/09/ICDPPC-Census-Report-1.pdf.

11

Annex II Guide for Regional Networks and Prospective Candidates

Regional Networks are kindly requested to take into consideration the Selection Criteria and Reference Panel’s Deliverables before submitting their nominations for the ICDPPC Reference Panel. When submitting your nomination, please ensure to provide the required information as set out in the Nomination Template below.

Selection Criteria:

The ICDPPC Review Committee shall assess applications on the basis of the following selection criteria:

1. applicant’s motivation and demonstrated interest in the vision and mission of the ICDPPC (cover letter);

2. a proven track record of expertise in the field of data protection and privacy or in a DP-related field;

3. cultural, geographic and legal, as well as gender balance; 4. independence and impartiality, i.e. absence of circumstances which would give rise to

a conflict of interest and the capacity to represent the common interest and position shared by stakeholders.

Deliverables:

The overall objectives of the ICDPPC’s Reference Panel is to provide expert knowledge and practical expertise on data protection and privacy as well as on DP-related issues, thereby equipping the Conference with the ability to identify cross-disciplinary policy solutions to privacy and data protection issues.

Specifically, members of the reference panel will be tasked to:

Provide input into the ICDPPC’s Policy Strategy whilst giving expert advice on risks the ICDPPC should be aware of in the global arena;

Help in stimulating a multi-stakeholder dialogue in the area of data protection and privacy as well as related fields (e.g. consumer protection, digital economy) by supporting the Conference in broadening the scope of its engagement and outreach and by promoting the Conference’s vision and activities at relevant events and through social media;

Contributing, upon request, to the work and discussions of the ICDPPC’s working groups;

Providing expert knowledge to Host Authorities of the Conference’s Annual Meeting in shaping the programme of the open session as well as of the closed session;

12

Nomination Template

Nominee’s Name

Gender

Contact Email Address

1) The nominee is (please tick as appropriate):

⃝ An individual to be appointed in a personal capacity

⃝ An individual to be appointed as representative of an organisation

2) If applying to be appointed as representative of an organisation, please select from the list below the category which describes most appropriately the organisation:

⃝ Academic Organisation (e.g. University, Research Institute within university)

⃝ NGOs or Civil Society Organisation (i.e. non-state and non-for profit organisations pursuing a shared goal) ⃝ Think Tank or Research Centre (i.e. research institutes not affiliated with an institution performing academic and educational activities) ⃝ Non-privacy supervisory authority or Sectoral Regulator

⃝ Private Sector Organisation or Industry Groups

3) Policy Area:

⃝ Consumer Protection

⃝ Human Rights

⃝ International Enforcement Cooperation

13

⃝ National Security and the Right to Privacy

⃝ Online Children’s Privacy

⃝ Privacy and Data Protection

⃝ Technology Policy (Privacy in the Digital Age, Big Data, IoT, Cloud Computing, AI)

4) Region:

⃝ Africa

⃝ Asia

⃝ Europe (in the broad sense)

⃝ Middle East

⃝ North America

⃝ Oceania

⃝ South America

⃝ Global (please tick this if from an organisation with a global outreach)

1

In accordance with the mandate given to the Working Group on the Future of the Conference by the Resolution on a Roadmap on the Future of the International Conference adopted at the 40th ICDPPC annual meeting, this paper seeks to examine and ‘evaluate the possibilities and modalities, including technical and financial requirements, for the creation of an ICDPPC members online platform at the 41st conference in 2019’.

The ICDPPC Secretariat and the Co-Chair of the Working Group on the Future of the Conference wish to acknowledge the help and support received by the ICO’s IT Department in the preparation of this document.

Working Group on the Future of the Conference

Annex D

Creation of an ICDPPC Secure Online Platform

Options and Financial Requirements

2

Table of Contents Background ............................................................................................................................................. 3

The Purpose of an ICDPPC Secure Online Platform ............................................................................. 4

Options for the Creation of an ICDPPC Secure Online Platform ........................................................... 5

Proposed Solution and Options for Funding ........................................................................................ 8

Next Steps ............................................................................................................................................ 10

3

1. Background During its 2017 annual meeting in Hong Kong, the ICDPPC begun a strategic consultation process on

its own future. One of the themes that emerged from this consultation exercise was a growing demand

from the membership for the Conference to strengthen its role as both a network for practical

cooperation on privacy and data protection as well as a forum for the exchange of knowledge among

authorities, not only during the annual meeting but also throughout the year, thereby further

enhancing the visibility of the Conference as an ongoing forum for privacy developments.1 In order to

achieve these objectives, several members recommended the creation of a secure, password-

protected virtual space that would act as a platform for ICDPPC members to share good practice and

exchange practical information on cases.

Following up on the outcome of the consultation, at its 40th meeting in 2018, the ICDPPC

adopted the Resolution on a Roadmap on the Future of the International Conference which mandates

the WG [on the FoC] to study the development of a secured online platform for ICDPPC members only

by examining ‘the possibilities and modalities, including technical and financial requirements’ for its

creation.2

In line with this mandate, this paper will first outline the three possible options which have

been identified, including an overview of the costs associated with each, before setting forth the

proposed recommended solution for consideration and discussion at the 41st Annual Meeting in Tirana

this year.

1 Strategic Consultation on the Future of the Conference – Summary of Inputs from the Internal Consultation, ICDPPC Secretariat, p. 2. 2 https://icdppc.org/wp-content/uploads/2018/10/20180922_ICDPPC-40th_Resolution-on-a-roadmap-on-the-future-of-the-Conference_Adopted.pdf, p. 5.

4

2. The Purpose of an ICDPPC Secure Online Platform

As explained in the background section, the proposal to create a secure virtual space for the

Conference’s membership comes in response to several members’ request to develop an operational

platform for practical cooperation and exchange of knowledge, thereby enhancing the Conference’s

vision and mission.

On this premise, an ICDPPC Secure Online Platform could serve the following purposes:

sharing of non-confidential information, e.g. guidance, investigative strategies etc;

privacy authorities database in wiki-format, including the work contact details such as email

and phone number of relevant enforcement contact person within the authority;

discussion forum;

sharing of draft resolutions and outcome of consultation on resolutions and declarations;

WGs’ updates;

‘what’s new’ and ‘Hot Topic’ area;

repository of DP&Privacy national laws and trends in DP case law developments;

research portal.

After examining several technical options, the Working Group on the Future of the Conference –

informed by the technical advice provided by the Digital&IT Services Department of the ICO – has

identified three options for delivering the potential requirements mentioned above. These are:

1. Software-based solution (e.g. Office 365);

2. Enhanced existing ICDPPC website;

3. Creation of a new ICDPPC website including a log-in area for Conference’s members only.

In the following sections, we are going to examine these options in more detail, including by

giving an overview of the projected costs for the implementation of each and options for

funding. The Working Group on the Future of the Conference does not offer a conclusion on

which of these options would be the most appropriate solution to meet the need for a secure

virtual space expressed by a section of the membership during the 2017 strategic

consultations. The paper concludes by suggesting to further test members’ preferences in

relation to the need for the creation of an ICDPPC secure virtual space or for a continuation

of the status quo, including promoting enforcement cooperation via platforms hosted by

5

other networks such as the Global Privacy Enforcement Network (GPEN),3 through a survey

to be carried out following the 41st Annual Meeting in Tirana.

3. Options for the creation of an ICDPPC Secure Online Platform

3.1 Software-based solution

The first option available to the ICDPPC is the use of a software suite as a collaboration

platform. Specifically, Microsoft Office 365 would provide all the functionalities and features

to meet the requirements outlined in section 2. These are shown in the table below provided

by the Digital&IT Services Department of the ICO:

No. Requirement Met by 1. Discussion Forum Microsoft Teams is an online

collaboration and communication platform with channel based chat / discussion

2. Working Group updates Updates can either take the form of a specific ‘broadcast’ channel for the Working Group or a SharePoint news and announcement page.

3. ‘what’s new’ and ‘Hot Topic’ area ‘what’s new’ and ‘Hot Topic’ areas can be supported through blog posts or news articles within SharePoint Online

4. Repository of DP & Privacy national laws and trends in DP case law developments

Document libraries within SharePoint Online can hold and index this documentation

5. Research portal Depending on the specifics, document libraries can act as the repository for research data

6. Privacy authorities database in wiki-format (NB: this would include contact details such as email and phone number of relevant enforcement contact person within the authority)

Wikis form a core part of Microsoft Teams functionality.

7. Sharing of non-confidential information, e.g. guidance, investigative strategies etc.

Microsoft SharePoint is certified to hold OFFICIAL-SENSITIVE data.

8. Sharing of draft resolutions and minutes of ExCo meetings

Document, folder or document library sharing is a core function of Microsoft SharePoint online

9. Rights based access (i.e. users given different levels of access to different document sets)

SharePoint supports different user or group permissions at multiple levels, including site collection, site, document library or individual document level.

3 https://www.privacyenforcement.net/.

6

10. Document Version Control (i.e. documents are checked in and checked out to make changes

SharePoint document libraries support check in / check out, version control and document reversion

The cost of Microsoft Office 365 ranges from £ 6 to £ 30.80 per user per month depending on

the additional functionalities of each specific licensing tier. These are illustrated in the table

below:

Office 365 E1 Office 365 E2 Office E5 Cost per user per month

£6 £17.60 £30.80

Microsoft Office Applications Licence & Download

No Yes Yes

Microsoft Office Web Applications (more simple functionality)

Yes Yes Yes

Microsoft Teams Yes Yes Yes Microsoft SharePoint Yes Yes Yes Voice and Video Conferencing

Yes Yes Yes

Dial in tele-conferencing

No No Yes

eDiscovery (legal search and hold)

No Yes Yes

Advanced eDiscovery (advanced legal search and hold)

No No Yes

Advanced Security Features

No No Yes

Advanced Data Governance Features

No No Yes

Microsoft Office 365 has the potential to effectively support the Conference’s membership

need to have an operational platform for sharing information and practical assistance.

However, the adoption of this solution is constrained by three fundamental

drawbacks.

The first is the annual costs per user associated with buying the licenses of Microsoft

Office 365. As shown in the table above, even the less expensive solution would entail annual

costs ranging between £ 33,000 (roughly € 36,800) and £ 40,000 (roughly € 44,000)4 based on

4 Exchange rate applied at the time of writing (1 July 2019).

7

a projected number of 560 users across the whole membership. In addition to this, it is

necessary to take into account the annual costs associated with the run of a 24x7 Helpdesk.

The second, which is closely linked to the above, is the fact that the software solution

is based on a ‘per user’ model which risks leading to an uneven distribution of licenses across

the membership, depending on the resources available to each individual member authority.

Finally, there is the issue of the ownership of the licence. Given the fact that the

ICDPPC is currently no more than a gathering of data protection authorities with no legal

personality, there is the question of who would be the central licence holder. .

In light of the shortcomings highlighted above, we believe that this option is not

suitable for the ICDPPC. Nonetheless, the members of the Working Group on the Future of

the Conference agreed that there may be scope to further explore the availability and scope

of use of open source software or institutional collaboration solutions.

3.2 ‘Enhanced’ ICDPPC website

The second option for establishing a collaboration platform for Conference’s members is

enhancing the functionalities of the existing version of the ICDPPC website5 by including

features such as a research portal, a repository of data protection and privacy national laws

and working groups’ updates in the public facing area of the website complemented by a

collaboration portal solution for the sharing of practical information, relevant ICDPPC

documents and holding relevant work contact details of member authorities.

Such collaboration platform could be a software based solution such as Confluence.

Compared to Microsoft Office 365, Confluence is a cheaper option with an average cost of £

2 per user per month, adding up to roughly £ 1,100 (roughly equivalent to € 1,200)6 on the

basis of 550 users.

Whilst a good compromise solution, achieving a balance between meeting the needs

of the membership and implementation costs, this options suffers from the same

shortcomings as the one outlined in section 3.1, albeit to a lesser extent. Indeed, although

5 It must be noted that this, i.e. an ‘enhanced’ version of the ICDPPC website, is currently part of the work plan of the Working Group on International Enforcement Cooperation with a view to be implemented prior to the 41st Annual Meeting in Tirana in October this year. 6 Exchange rate applied at the time of writing (1 July 2019).

8

the annual cost of a software such as Confluence would be more manageable for ICDPPC

members when compared to Microsoft Office 365, there would still be the issue of the

software’s monthly cost coupled with the problem of the ownership of the software licence.

It follows that this solution would also not be ideal for the ICDPPC.

3.3 A Brand New ICDPPC Website

The final solution identified by the Working Group on the Future of the Conference is the

creation of a new bespoke ICDPPC website comprising of a public interface similar to the one

outlined in section 3.2 coupled with a log-in area which would give ICDPPC members the

possibility to share official information and access to the privacy authorities contact database

as well as to discussion forums and draft resolutions and reports.

Based on an estimated web development metric, the cost for the creation of a new

bespoke ICDPPC website would amount to approximately £ 40,000 (equivalent to roughly

€ 44,900).7 In addition to this one off cost, there would be additional yearly costs associated

with the security maintenance of the website which would amount to an annual cost of

approximately £ 5,000 (equivalent to roughly € 5,600).8 It is important to stress that this is a

rough estimate and that a more accurate figure can be given once the membership has

agreed on the specific requirements and features to be included in the log-in area and the

associated security requirements. In addition to this, members should consider that

maintenance and ad hoc additional development costs may increase over time due to the

popularity of the site and potential expansion in the pool of users.

The main advantages of choosing this option are threefold.

First, although the initial cost of developing the website would be quite substantial, this cost

would need to be met only once. Second, there would be no limit of account users to the

log-in area of the website, thereby making this option a more ‘democratic’ solution compared

to the use of a software-based cooperation platform. Finally, the development of a brand new

ICDPPC website would have the additional advantage of contributing to strengthen the

Conference’s identity from an external communication point of view by linking with the work

7 Exchange rate applied at the time of writing (1 July 2019). 8 A big portion of this monthly figure comprises the cost for hosting the website, monthly security checks and annual health checks of the site.

9

stream on the ICDPPC visual identity in line with the proposals which emerged from the

strategic consultation with members.

Although advantageous from the viewpoints presented above, the rebranding of the

ICDPPC website and creation of a secure virtual space on the platform is not free from

drawbacks. The first of these is represented by the not insignificant burden that the

maintenance of the security and integrity of the site and log in area would place on the

authority serving as the Conference’s Secretariat. Further to this, and as outlined above, this

option would entail a substantial upfront cost which may not be sustainable for the ICDPPC’s

membership.

In addition to these drawbacks, it needs to be considered that some of the members

of the Working Group on the Future of the Conference have expressed doubts about the need

for the ICDPPC of a secure virtual space in light of the fact that a collaboration platform,

including also a discussion forum and a Privacy Law Library, already exists. This is the Global

Privacy Enforcement Network (GPEN)9 which aims at fostering, among other things, a

discussion of the practical aspects of privacy law enforcement cooperation and the sharing of

best practices in addressing cross-border challenges. At the same time, it should be noted

that the GPEN site mainly focusses on enforcement cooperation whilst the envisaged ICDPPC

website would be broader in scope and targeted at supporting the Conference’s vision and

mission which includes, but is not limited to, enforcement cooperation. Further, whilst it

cannot be denied that an overlap exists between the two, the membership – as well as the

criteria for membership – between GPEN and the ICDPPC are distinct.

4. Options for Funding

As mentioned in section 3.1 and 3.2, a cost-based software collaboration platform – such as

Microsoft Office 365 or Confluence – would not be an appropriate option for the ICDPPC given

the high annual costs per user associated with buying the licence. For this reason, an

examination of the funding options for this solution has been excluded from this section.

As for the development of a new bespoke ICDPPC website including a log-in area (option 3.3)

– were the Conference’s membership to show a preference and a willingness to pursue this

option – two options for funding have been identified which would enable the Conference’s

9 https://www.privacyenforcement.net/about_the_network#our_mission.

10

membership to sustain the initial substantial cost for developing the website. These options

are presented below.

The first would be to apply for funding from organisations such as OECD. Indeed, in

view of the fact that the ICDPPC secure virtual space would act as an operational platform

enhancing cooperation among data protection and privacy authorities, there would be scope

to engage the OECD’s Working Party on Information Security and Privacy to request financial

support for the development of the ICDPPC secure online platform.

The second option would be to spread the cost of the development of the platform

across the Conference’s membership by requesting members to donate on a voluntary basis

an amount of their own choice or via membership’s fees.10

There could also be a third option which would be based on a combination of the two

presented above – i.e. external funding complemented by voluntary contributions from the

membership base.

However, all options above would have to take into account legal issues regarding the

entity receiving the necessary funding.

5. Next Steps

The Resolution on a Roadmap on the Future of the International Conference adopted at the

40th ICDPPC Annual Meeting gave mandate to the Working Group on the Future of the

Conference to ‘evaluate the possibilities and modalities, including technical and financial

requirements, for the creation of an ICDPPC members online platform at the 41st Conference

in 2019’. In line with this mandate, this paper has sought to present a number of options

which would be available to the Conference for the realisation of a secure virtual space to

enhance collaboration and exchange of knowledge amongst members. On the basis of the

discussion above, the Working Group on the Future of the Conference would like to propose

and request a mandate for the following mandate:

10 On the topic of the membership’s fees, please see the separate proposal on the ’Proposed Plans for the Establishment of an ICDPPC Stable Secretariat’.

11

- Following the 41st Annual Meeting, liaise with existing and new WGs to identify areas

of overlap for the creation of online repositories and tools for cooperation and scope

out options for collaboration;

- Launch a short survey amongst the member authorities to test members’ preferences

on the need for the secure virtual space as well as for further scoping out the

requirements and functionalities members would like to see on the platform. The

survey would also aim at requesting information from member authorities in relation

to funding options and legal obstacles in receiving funding (November – December

2019);

- Further explore the availability and scope of use of open source software or

institutional collaboration solutions before taking steps towards the implementation

of a website solution;

- On the basis of the results, were the membership show a preference for the

implementation of option 3.3 (creation of a new ICDPPC website with a log-in area),

engage in a soft market testing to acquire more accurate figures required for the

development of the website as well as for carrying out a thorough risk assessment of

the proposed approach (January – March 2020). Depending on the outcome, further

explore funding options.

- Subject to the above yielding positive results and if the proposed plans are adopted at

the 2020 Annual Meeting, start the funding application process with a view to launch

the website in conjunction with the closed session of the 2021 Annual Meeting. 11

11 If adopted, this would match the timeline for the establishment of a stable and funded Secretariat. In addition to this, there is also value in considering formalising the new name and logo for the Conference in conjunction with the launch of the Secretariat and new website.

1

In accordance with the mandate given to the Working Group on the Future of the Conference by the Resolution on a Roadmap on the Future of the International Conference adopted at the 40th ICDPPC annual meeting, this paper seeks to outline a proposal for the establishment of a funded, stable Secretariat, in place for renewable terms of three years or more, for potential adoption at the 41st Conference.

Working Group on the Future of the Conference

Annex E

Proposed Plans for the Establishment of an

ICDPPC Stable Secretariat

2

Table of Contents 1. Background ................................................................................................................................ 3

2. Why a Stable Secretariat ........................................................................................................... 4

3. The ICDPPC Secretariat: Scope of Work, Legal Entity and Accountability ............................ 7

4. Estimated Costs ....................................................................................................................... 13

5. Funding .................................................................................................................................... 14

6. Amendments to the Rules and Procedures ..................................................................... 16

7. Next Steps ..................................................................................................................... 17

3

1. Background

Since its first meeting in 1979, the International Conference of Data Protection and Privacy

Commissioners has brought together data protection and privacy regulators and enforcers

from around the globe with the objective to provide an outstanding international forum for

the exchange of knowledge and practical assistance, thereby enabling privacy and data

protection authorities to effectively fulfil their mandates.

This objective is reflected in the Conference’s past strategic plans, with capacity

building being identified as a priority in the 2016 – 2018 Strategic Plan1 adopted in 2015 at

the 37th Annual Meeting. The need to strengthen capacity building and the desire – expressed

by a significant proportion of the membership – for the Conference to evolve towards a more

structured organisation was also one of the outcomes resulting from the strategic

consultation launched by the ICDPPC in 2017. 2 A key step in this direction – already identified

in 2015 by the Strategic Direction Working Group3 – includes the establishment of a funded

and stable Secretariat which could provide a more institutionally structured support to the

work of the ICDPPC and help the Conference to move beyond being merely an annual

gathering of privacy and data protection authorities.

In response to the results of the consultation, the ICDPPC adopted at its 40th Annual

Meeting the Resolution on a Roadmap on the Future of the International Conference. The

Resolution mandated the Working Group [on the FoC] to prepare a proposal mapping out

plans for the establishment of a stable Secretariat, including practical means to collect

membership fees and proposed changes to the Rules and Procedures.

1 https://icdppc.org/wp-content/uploads/2015/02/Conference-strategic-plan-2015-2018.pdf. 2 Resolution on a Roadmap on the Future of the International Conference, 40th International Conference of Data Protection and Privacy Commissioners, p. 8, https://icdppc.org/wp-content/uploads/2018/10/20180922_ICDPPC-40th_Resolution-on-a-roadmap-on-the-future-of-the-Conference_Adopted.pdf. 3 The Strategic Direction Working Group produced several outputs in relation to the creation of a permanent and funded ICDPPC Secretariat. Relevant resources can be found at the following links: https://icdppc.org/wp-content/uploads/2015/02/Proposal-Proposed-workable-Plan-to-Fund-the-Conference-Secretariat-August-2015.pdf, https://icdppc.org/wp-content/uploads/2015/02/Working-paper-Elements-of-a-workable-plan-to-fund-the-Secretariat-and-associated-core-Conference-expenses-MayJune-20151.pdf, https://icdppc.org/wp-content/uploads/2015/02/Strategic-Direction-Working-Group-Report.pdf. Unfortunately, due the lack of consensus in the Executive Committee at the time, the plans proposed by the Working Group did not proceed any further.

4

In line with this mandate, this document seeks to identify a viable proposal for the

setting up of an ICDPPC stable Secretariat and a fair and proportionate fee structure. This

proposal draws significantly from two documents prepared for consideration at the 40th

Annual Meeting by the Office of the Privacy Commissioner of Canada. These are: the

‘Backgrounder: the Secretariat of the International Conference and Options on its Level of

Service, Funding and Placement’ and the ‘Proposals Paper: Costing and Paying for the

Secretariat of the International Conference.’4

2. Why a Stable Secretariat

The establishment of the first Secretariat in support of the work of the ICDPPC dates back to

2011 with the Dutch Data Protection Authority providing a secretariat function until 2014,

while it held the post of Conference Chair. Under the Chairmanship of the New Zealand

Privacy Commissioner (October 2014 – September 2017) the work of the secretariat

expanded on the work by the Dutch DPA by increasing communication channels, such as the

establishment of a permanent website for the Conference, the launch of the ICDPPC

newsletter and an increased presence on media channels such as Twitter and YouTube.

The current version of the Rules and Procedures states that ‘until such a time as a

Permanent Secretariat is created the Chair will provide a Secretariat function. The Secretariat

function would include the management and preservation of the documents and files of the

conference’.5 Although this statement does not limit the functions of the Secretariat to File

Management and Preservation, this is currently the sole mandatory responsibility of the

Secretariat. Additional functions such as offering support and liaison work to the Executive

Committee and the Hosting Authority of the Annual Meeting as well as Communication and

Promotion work are discretionary tasks, which often depend on the resources available to the

authority serving as the Chair of the Executive Committee.

Whilst this model has its merits, it also comes with a number of shortcomings which

can potentially hinder the Conference from reaching its objectives. Specifically, as highlighted

in the backgrounder document on the Secretariat of the International Conference prepared

4 These are available on the WG’s page on the ICDPPC website at the following links: https://icdppc.org/wp-content/uploads/2019/07/20180727_FOTC-Backgrounder-on-Permanent-Secretariat.pdf, https://icdppc.org/wp-content/uploads/2019/07/20180727_FOTC-Proposal-on-Permanent-Secretariat.pdf. 5 ICDPPC Rules and Procedure, p. 7, October 2018 (Secretariat consolidated version).

5

by the Office of the Privacy Commissioner of Canada,6 these shortcomings include the loss of

expertise, momentum and institutional memory, intrinsic in the rotating nature of – and

resources available to – the Chair providing the Secretariat function. In addition to this, the

implied cost burden accompanying the Chair’s role – due to the provision of the Secretariat

services – may discourage smaller and less resourced authorities from serving as the ICDPPC’s

Chair, thereby running counter to one of the overarching principles of the Conference –

cultural, geographic and legal diversity.7

The establishment of a stable and funded Secretariat has the potential to overcome

these shortcomings on three scores.

First, by providing stability of service over time, a stable Secretariat could contribute

to strengthen the Conference’s information governance infrastructure by enhancing

continuity and consistency in file management and preservation and, as a result, helping to

minimise the hazards to ICDPPC’s generated information.

Secondly, and related to the above, an ICDPPC stable Secretariat can play a pivotal

role in the building and retention of the Conference’s knowledge and capability, through the

development of systematic organisational processes, thereby defusing the risk of loss of

institutional memory.

Finally, separating the Secretariat function from the Chair and spreading the

secretariat costs across the Conference’s membership can offer an incentive to smaller and

less resourced authorities to take the role of Chair of the ICDPPC, resulting in ‘a wider and

more diverse pool of authorities over time who lead the Conference and play a key role in

setting its priorities and strategic directions’.8

Although having the potential of supporting the Conference in achieving its objectives,

a decentralised governance framework based on de-linking the Chair from the Secretariat is

6 Backgrounder: the Secretariat of the International Conference and Options on its Level of Service, Funding and Placement, pp. 1 – 2, https://icdppc.org/wp-content/uploads/2019/07/20180727_FOTC-Backgrounder-on-Permanent-Secretariat.pdf. 7 Supporting evidence for this can be found in the fact that the past three Chairs and the current one have been well-established and resourced authorities from Western countries. 8 Backgrounder: the Secretariat of the International Conference and Options on its Level of Service, Funding and Placement, p. 2, https://icdppc.org/wp-content/uploads/2019/07/20180727_FOTC-Backgrounder-on-Permanent-Secretariat.pdf.

6

not free from drawbacks. Specifically, there are two main risks associated with this

Secretariat model. The first relates to the appeal of holding the Secretariat function without

the prestige of the Chair’s role. This risks constraining member authorities’ willingness to put

forward their candidacy for the Secretariat. In addition to this, there is a not insignificant

danger of miscommunication and, consequently, loss of effectiveness due to the higher level

of coordination required between the Chair and the authority holding the Secretariat function

which could risk jeopardising the work of the Executive Committee as well as that of the

Conference as a whole .9

Based on the arguments presented above, and in light of the fact that the Conference is

currently undergoing a period of evolution towards formal governance, this document

proposes a phased implementation approach towards the establishment of a stable ICDPPC

Secretariat. This approach is based on a model whereby the Secretariat will initially be a

funded entity separate from the Chair but serviced by a member authority for renewable

terms of four years, to be introduced starting from 2021. In the event no member authority

puts forward their candidacy to serve as the Secretariat, we propose to include the possibility

for the authority holding the Chair to retain the Secretariat function and receive funding for

its provision. In the event the trial period of de-linking the Secretariat function from the Chair

proves successful, this would open the way for the Conference to explore and examine

workable plans to establish the ICDPPC Secretariat as a separate legal entity.

The benefits of adopting a phased implementation approach are twofold. First,

postponing the establishment of the Secretariat to 2021 will allow the setting up of the

necessary processes and procedures, seek a prospective candidate willing to provide the

Secretariat function as well as for the collection of the essential financial and organisational

information from members in order to determine an accurate and proportionate fee tier

structure. Second, a Secretariat in place for renewable terms of four years can offer medium-

term stability to the work of the Conference whilst giving members the opportunity to test

whether separating the Secretariat from the Chair is a viable solution or if other options –

9 The Proposal Paper on Costing and Paying for the Secretariat of the International Conference (page 3) prepared by the Office of the Privacy Commissioner of Canada highlights similar dangers in its description of the decentralised Secretariat (i.e. a Secretariat function provided by more than one member authority).

7

including a return to the status quo or the establishment of a separate legal entity – should

be explored.

The following sections will first outline the scope of work of the prospective ICDPPC

Secretariat before giving an overview of estimated costs and options for funding.

3. The ICDPPC Secretariat: Scope of Work, Legal Entity and

Accountability

3.1. Scope of Work

In the previous section, we have highlighted the advantages for the ICDPPC to establish a

stable and funded Secretariat in terms of strengthening the Conference’s identity and

institutional structure.

In this section, we will offer an overview of the scope of work to be provided by the

new Secretariat before recommending options for its legal entity and accountability

framework.

The scope of work and functions of the ICDPPC Secretariat have been extensively

examined in the Backgrounder paper authored by the Office of the Privacy Commissioner of

Canada. This document lists the following secretariat functions: File Management and

Preservation, Support and Liaison Work, Communication and Promotion. Of these, as

previously mentioned, information management currently constitutes the only mandatory

service entrusted to the Secretariat.

If the proposed plans for the establishment of a funded and stable ICDPPC Secretariat

are approved at the 41st Annual Meeting, we suggest the following services and functions to

be included in the scope of work of the Secretariat:

Information Management:

This would entail, in addition to file management and preservation, the duty for the

Secretariat to develop and maintain an information and records management

system for the ICDPPC, including creating retention and archiving policies as well as

systematic ways of organising the Conference’s information. This would facilitate the

handover of the secretariat functions between organisations whilst strengthening the

8

Conference’s information governance framework, thereby enhancing the

preservation of the ICDPPC’s institutional memory;

Support and Liaison Work:

This would become a mandatory secretariat function, making the Secretariat the

central and dedicated point of contact between the Conference and its membership,

as well as with the ICDPPC Reference Panel (if established)10 and other networks. In

this capacity, the Secretariat would be responsible for: coordinating and overseeing

the exchange of information between the Chair and the Executive Committee as well

as between the ICDPPC and other privacy networks; liaising with working groups in

order to ensure regular progress updates reach the Committee and wider

membership; overseeing the resolution drafting and implementation process;

supervising the bid and assessment process of applications received to host the

Annual Meeting and to join the Conference as an Observer or Member authority;

supporting the Hosting Authority by facilitating discussions with guest speakers; and,

finally, ensuring that member-generated knowledge and resources are circulated

amongst the Conference’s membership and beyond (e.g. among interested networks

such as GPEN, APPA and CTN). In addition to this, if the proposal for the establishment

of the ICDPPC Reference Panel is adopted at the 41st Annual Meeting, an additional

task would be the coordination of the work of the Panel (e.g. nomination process,

organisation of the logistical details of the panel’s meetings).

10 See A Proposal for the Creation of the ICDPPC Reference Panel.

9

Communication and Promotion Work

This would also become a mandatory function of the Secretariat, which would

therefore be entrusted with the responsibility to develop a coherent and effective

communication strategy for the Conference as well as for its promotion via the

ICDPPC’s established channels of communication: the ICDPPC’s website, Twitter

account, YouTube channel and the ICDPPC Newsletter. If, in the future, a members-

only online platform is created on the Conference’s website, the Secretariat

communication function would be broadened to comprise the management of the

new functionalities of the platform,11 including maintenance and technical support.

Treasurer functions

Subject to the adoption of the proposal of a self-funded Secretariat at the 41st Annual

Meeting, the new Secretariat would be responsible for overseeing the financial affairs

of the Conference, ensuring proper records are kept and that effective financial

procedures are in place in order to effectively monitor the financial health of the

ICDPPC. As part of its duties as Treasurer, the Secretariat would be responsible for

regularly reporting to the Executive Committee and wider membership on the

Secretariat’s budget and expenditures.

11 See Creation of an ICDPPC Secure Online Platform – Options and Financial Requirements.

Chair and ExCo

Hosting Authority

Working GroupsMembers

ICDPPC Reference Panel

Secretariat

10

In view of the fact that the ICDPPC is currently undergoing a period of evolution – from

being a semi-structured annual gathering of data protection and privacy authorities which

meet the membership criteria towards the creation of a more formal organisational

framework – we have excluded from the initial scope of work of the stable Secretariat ad hoc

special functions such as translation services and hoc policy work. This is not to suggest these

services would be lost. Rather, the recommendation put forward is for their provision to be

outsourced to member authorities as well as observers. For example, a functional level of

provision of translation service can be expected to continue via the existing Volunteer

Translation Network. Likewise, the need for any ad hoc policy work required of the Secretariat

could be met through the setting up of a secondment programme or the establishment of

voluntary cooperation mechanisms whereby relevant expertise could be provided at no

significant costs for the authority providing the Secretariat function. In addition to the

practical and financial advantages, this solution offers the added value of fostering the

ICDPPC’s vision and mission of creating an outstanding international forum where knowledge

is disseminated, expertise shared and supportive connections enabling authorities to

effectively fulfil their mandates developed.

It goes without saying that this does not preclude the possibility of including these

services among the ICDPPC Secretariat functions in due course. This would allow for the

development and settling in first of the stable Secretariat infrastructure and associated

institutional and financial procedures.

3.2 Legal Entity and Accountability Framework

In the previous section, we have highlighted the scope of work to be provided by a prospective

ICDPPC stable and funded Secretariat. In order to be able to deliver the above-mentioned

secretariat functions and, therefore, effectively support the Conference’s vision, mission and

objectives, it is proposed that the new Secretariat will be established for an initial trial period

of four (renewable) years with the following structure:

• A funded entity which is separate from the Chair but still serviced by a member

authority. However, in order to ensure continuity in the provision of the Secretariat

services, in the event no member authority puts forward their candidacy to serve as

the Secretariat, the Chair of the Executive Committee will be entrusted with providing

11

the Secretariat function until such a time a candidate authority to hold the Secretariat

can be found;

• Terms of service of four years (renewable for additional four years) so as to align the

tenure of the Secretariat with that of the Executive Committee whilst avoiding the

potential risk of an overlap between a new Chair and a new Secretariat;

• [If the Secretariat function is provided by a member authority other than the Chair] an

accountability framework whereby the Secretariat will report to, and be subject to the

oversight of, the ICDPPC’s Executive Committee as the elected organ and collective

representative of the Conference;

• In order to ensure financial transparency, the authority providing the Secretariat will

be required to issue quarterly reports on the Secretariat’s budget and expenditures to

the Executive Committee as well as providing an annual financial report to the broader

membership during the closed session of the Annual Meeting.

As highlighted also by the Proposal Paper prepared by the Office of the Privacy

Commissioner of Canada,12 this model would offer a solution to the problem stemming from

the two-year term limit of the Chair authority – thereby ensuring some continuity in the

Secretariat function – as well as allowing the Chair of the ICDPPC to focus on the strategic

policy direction of the Conference whilst giving an incentive to less resourced authorities to

take the Chair role by removing the cost burden associated with providing secretariat

services. At the same time, in order to address the risk of no member authority putting

forward their candidacy to provide the Secretariat function, the proposal envisages that, were

this circumstance to arise, the authority holding the Chair will be required to service the

Secretariat until such a time a candidate to provide secretariat functions can be found.

In addition to the above, the members of the Working Group on the Future of the

Conference discussed alternative options for structuring the Secretariat’s governance

framework by focussing in particular on two additional options.

The first is the possibility of having more than one authority serving as the Secretariat,

each authority providing a specific secretariat function. This model, the main advantage of

12 Proposal Paper: Costing and Paying for the Secretariat of the International Conference, https://icdppc.org/wp-content/uploads/2019/07/20180727_FOTC-Proposal-on-Permanent-Secretariat.pdf, p. 2.

12

which lies in allowing more members to play an active role in the running of the Conference,

was first proposed as an option by the Proposal Paper authored by OPC13. However, there

was no consensus in the working group in furthering this model as the majority of the

members participating to the discussion was wary of the risks this could entail in terms of loss

of efficiency due to the higher level of coordination required, were multiple member

authorities to provide the secretariat function.

The second governance framework option that was discussed by members of the working

group was the possibility to set up the ICDPPC Secretariat as a separate legal entity. Indeed,

some members of the working group noted that, were the Secretariat to be funded through

the collection of fees, some member authorities would encounter legal obstacles in doing so

due to the nature of their legal statute, thereby placing some authorities at risk of exclusion

from running for the Secretariat role. This is considered a very serious risk and members of

the working group agreed it was paramount to ensure no member authority would be left

behind in the plans for the establishment of an ICDPPC Secretariat. However, at the same

time, establishing the Secretariat as a separate legal entity may not be a realistic option at

this time for a number of reasons. The first is the legal complexity associated with the task,

including a consensual decision being reached within the membership on the location where

the new entity would be based. The second reason relates to the necessity of testing whether

de-linking the Chair from the Secretariat is a workable solution for the Conference. And

finally, a drastic change such as the creation of a separate legal entity to service the

Secretariat may not be feasible at the present moment given the fact that the Conference is

still in the process of scoping options on its future identity and strategic direction.

Nonetheless, the Working Group on the Future of the Conference considers that there is value

for the ICDPPC to evaluate the possibility of creating a separate legal entity in the long-term,

if the pilot of separating the Chair from the Secretariat proves successful. For similar reasons

to the above, and in order to ensure the smooth transition from the current model to the new

proposed Secretariat structure, we would recommend introducing this proposed model in

2021 to provide a transition period to the new arrangements. This would enable members to

plan for any budgetary implications, give time for an orderly process of selecting the first

Secretariat host member authority and allow the establishment of a sufficiently robust

13 Ibid., p. 3.

13

governance infrastructure and associated procedures, thereby facilitating the future

implementation of the proposed Secretariat model.

4. Estimated Costs

In order to effectively perform the functions set out in section 3.1, it is foreseen that the

Secretariat – as a funded entity serviced by an existing member authority – would require a

roughly estimated budget14 of £ 183,400 (equivalent to roughly € 205,12215).

The budget breakdown16 is shown in the table below:

Human Resources

• Manager: £ 50,000

• 3 FTEs17 : £ 90,000

• 1 PTE: £15,000

Administrative costs

• Records Management System:

£ 1200

• Phone account: £ 600

• Bank Charges: £ 600

• Office Supplies: £ 1,000

Travel and Accommodation

• £ 20,00018

Website Maintenance19 • £ 5,00020

It is important to bear in mind that this is an estimated figure, tied to the employment

conditions and options available in a specific national context (UK). These figures will likely

15Exchange rate at the time of writing (24 June 2019). 16 All estimates are gross, yearly figures (i.e. before tax). Figures are given in local currency. 17 Full-time employee. The three full-time employees would cover respectively: Information management and support and liaison work, the treasurer functions and IT support whilst the part-time employee (PTE) would look after Communication and Promotion (including website management and the publishing of the newsletter). 18 This would cover, in addition to attendance of the Annual Meeting, travel and accommodation for occasional meetings in person of the Executive Committee and attendance to relevant regional meetings. 19 This cost is a variable dependant on the adoption and implementation of the proposal on the creation of an ICDPPC Secure Online Platform. 20 This figure includes monthly hosting costs, monthly costs for automated vulnerability scanning and yearly costs for a manual health check of the website by a security expert.

14

change depending on the country and cost of living/level of service of the country where the

authority providing the Secretariat function is based. For this reason, it is recommended that

the Conference seeks to identify a candidate at its 2020 meeting before formal appointment

in 2021, thereby allowing to draw a more accurate estimate.

5. Funding

5.1 Fee Structure and Modalities for the Collection of Payment

As mentioned in the Proposal Paper authored by the Office of the Privacy Commissioner of

Canada, the proposed funding approach to the establishment of a stable Secretariat is for the

secretariat costs to be met through the collection of fees from the Conference’s membership.

However, as shown by the ICDPPC Census,21 member authorities differ significantly in terms

of size and budget. In view of this fact, and in order to minimise the potential risk that

financing the Secretariat through the collection of fees will have a negative impact on the

Conference’s membership, it becomes key to ensure the proposed fee tier structure is fair

and proportionate and takes into account members’ organisational (e.g. members of staff)

and financial diversity.

Against this backcloth, we propose the adoption of a three-tier fee structure based

on a proportionality principle whereby the fee amount would be determined by the member

authority’s annual budget and size. The proposed fee structure is as follows:

• Tier one – Small Authorities. Fee exempt;

• Tier Two – Medium-sized Authorities;

• Tier Three – Large Authorities.

In addition to this funding model, the members of the working group discussed the

possibility of introducing a flat membership fee, albeit with the caveat that authorities from

less resourced countries would be exempt from the payment of the fee. The main advantage

of this system is that it would be easier to administer, with members from less resourced

countries being identified by referring to the UN List of Least Resourced countries22. However,

there was no strong consensus amongst the members of the working group on the flat

21 https://icdppc.org/wp-content/uploads/2017/09/ICDPPC-Census-Report-1.pdf. 22 https://unctad.org/en/Pages/ALDC/Least%20Developed%20Countries/UN-list-of-Least-Developed-Countries.aspx.

15

membership fee model, with some members showing a clear preference for the proportional

model as it better reflects the membership diversity in terms of budget and size.

A compromise solution between the two would be a funding model based on charging a

fixed percentage of the authority’s annual budget. This would simplify the fee structure whilst

respecting the proportionality principle in relation to the authority’s budget.

Be that as it may, in order to establish the actual fee amount for each tier as well as to

have a clear understanding of which tier an authority would belong to, it will be necessary to

conduct a survey amongst member authorities to collect the necessary information for

determining which authorities would be fee exempt and the fee amount associated with tier

two and three.23

For what concerns the practical modalities for the collection of fees, we recommend

the use of a payment service provider and payment methods such as BACS, SEPA or credit

card payment. This model would bypass the necessity to create an ad hoc bank account24

whilst allowing the authority holding the Secretariat function to collect payments in different

currencies.

Fees would represent the main source of income to cover the costs incurred by the

authority providing the secretariat functions. Nonetheless, as the Conference moves towards

a formal governance infrastructure, there is value in considering complementary sources of

funding which could contribute to reduce the level of funding required through the collection

of fees as well as to the creation of a Support Fund aimed at supporting less well-resourced

authorities (e.g. a subsidy to meet the registration or travel expenses to attend the Annual

Meeting).

For example, in light of the vision, mission and strategic policy direction of the

Conference, there would be scope to engage organisations such as OECD and the UN to

explore funding options the ICDPPC Secretariat might be able to apply for to complement the

income sourced through the collection of fees. In addition to this, the Support Fund would

23 Some of this information is available through the 2017 ICDPPC Census. However, it is important to recognise the fact that not all member authorities participated to the Census whilst, for those authorities which participated, data may now be outdated. 24 As mentioned, the proposed Secretariat model does not envisage the creation of a separate legal entity for the ICDPPC Secretariat.

16

also envisage an option whereby better resourced authorities could donate, on a voluntary

basis, additional funds to subsidize smaller and less resourced member authorities, for

example to cover registration costs to the Annual Meeting.

5.2 Penalties for non-payment

As shown in section 4, the bulk of the Secretariat expenditure is represented by the cost of

the human resources necessary to staff the Secretariat. In recognition of this fact, it is of

paramount importance that the income collected through fees is stable and adequate.

Although the model rests on the assumption that all member authorities will pay their dues

(unless exempt), foreseeing sanctions for non-payment of the secretariat fee is a necessary

precaution. Penalties for non-payment might range from the exclusion from the Annual

Meeting and freeze of the authority’s account on the ICDPPC Secure Online Platform (if

created) to the withdrawal of the ICDPPC membership in the most serious cases of repeated

failures to pay the Annual Fee.

When discussing penalties for non-payment, some members stressed that – whilst it

is important that there should be consequences for the authorities behind with the payment

of the membership fee – it is equally important to assess instances of non-payment on a case-

by-case basis by giving the non-paying member the opportunity to make their case in advance

to the Executive Committee and, whenever possible, mitigating circumstances should be

taken into account. A similar approach should be taken when considering any arrears, for

example by giving the non-paying member the opportunity to pay outstanding amounts in

instalments.

6. Amendments to the Rules and Procedures

As mentioned in section 2, the proposed approach in this paper is for the new Secretariat to

be introduced starting from 2021 with a view to be fully operational by January 2022. If this

model is approved at the 41st Annual Meeting, changes to the Rules and Procedures will be

submitted for consideration at the 2020 Conference. The changes – which have been drafted

by the Working Group – would entail the insertion of a new rule regulating the functioning of

the Secretariat and its funding.

17

7. Next Steps

If the current proposal is approved by the Conference, the following steps are recommended:

1. Retain the current governance infrastructure for the next two years;

2. The first year will be focussed on setting up the necessary processes and procedures

to ensure the establishment of a robust governance infrastructure. Further to this, a

one-year transition period will allow the Conference to agree the process for the

election of the Secretariat as well as to: gather the necessary census data from all

member authorities in order to establish the relevant fee tier; conduct a survey

amongst member authorities to identify legal obstacles for some authorities to accept

funds for running the Secretariat; reach out to those authorities which provided a

Secretariat function in the past to collect information over costs incurred and tasks

undertaken; explore options for alternative sources of funding which could

complement the income sourced through the collection of the Secretariat fees (e.g.

identify funding programmes available through organisation such OECD or the UN that

could be applied for on behalf of the Conference’s membership);

3. Two months before the 42nd Annual Meeting, launch a call for expression of interest

amongst member authorities to identify a prospective candidate willing to serve as

the future Secretariat starting from 2021. On the basis of expression of interest

received, the Conference will be asked to make a decision during the Closed Session

of the meeting;

4. During the second year, and after the 42nd Annual Meeting, the Conference will focus

on establishing robust financial procedures for collecting fees and the associated

control mechanisms guaranteeing proper accounts and records are kept. Following

the formal announcement of the new Secretariat at the 43rd Annual Meeting, the

authority serving as the new Secretariat will start the collection of fees from member

authorities with the expectation to be fully operational by January 2022. This would

also allow time for a handover between the former and the new Secretariat. Until

January 2022, it can be considered for the former Secretariat to provide some

operational support, if required.