Global Privacy Enforcement Network (GPEN)

It could be a geeky group of superheroes - Enforcement Network... Justice League... there's some similarity there, right? And the acronym is awfully close to G Pen, which is a line of vape devices. Upon hearing of the rarely mentioned organization we galloped off to learn what we could about the mellow, spandex-clad enforcers.

But in fact the Global Privacy Enforcement Network is an informal group of data protection authorities from around the world. The mandate of this little-known organization is to support and foster cross-border cooperation among data privacy authorities in the enforcement of laws protecting privacy. GPEN, consisting of 13 privacy enforcement authorities when it was established in 2010, grew by the end of 2015 to include 59 privacy enforcement authorities in 43 jurisdictions.

Based on the organization's name, and the number of occurrences of "enforcement", one might think it engages in some manner of enforcement. But GPEN itself possesses no powers of enforcement. And based on the mission statement, it doesn't seem intent on acquiring any. Rather, it is a network of entities responsible for privacy enforcement in their country or jurisdiction.

Membership is open to any public privacy enforcement authority that: (1) is responsible for enforcing laws or regulations the enforcement of which has the effect of protecting personal data; and (2) has powers to conduct investigations or pursue enforcement proceedings.

Multiple authorities from a country, economy, or jurisdiction may participate in GPEN. The US-based members, for example, are the Federal Communications Commission (FCC), Federal Trade Commission (FTC), and the Attorney General of California.

Enforcing Privacy with Capes & Vapes? Well, no.

Despite the lack of superheroes, powers, or an appetite for attention, GPEN is a quietly interesting organization. It is extremely low profile.

GPEN is mentioned primarily in relation to a yearly privacy sweep that member organizations participate in. GPEN coordinates the endeavor and the results are shared with the public primarily via press releases by each DPA.

Every year a topic is chosen and member DPAs can choose to participate in the one-week Sweep. In 2015 the topic was children's online privacy and focused on apps and websites that targeted or were popular with children. The Sweep looked at 1,494 websites and apps and identified concerns in 41% of them. More info on the results is at the bottom. Earlier topics were website privacy policies and mobile phone apps.

In 2016 the Sweep looked at connected devices. The individual DPAs focus on different areas and decide the approach they want to take. This year 25 DPAs participated, examining 314 devices. The DPAs purchased products and interacted with them as consumers would.

Among the devices examined were fitness bands, smart meters, connected cars, in-home connected cameras, smart TVs, connected scales, blood pressure monitors and more. The DPAs assessed the security of devices, the degree of user control, transparency regarding the use of personal data, and the user's ability to delete personal data.

Other GPEN initiatives are more about internal communication and coordination of effort. The GPEN Alert, for example, is an information sharing system that enables participants to confidentially share information about investigations.

This low-key organization seems to be quietly meeting its objectives. New DPAs benefit from the experience and expertise of long-standing authorities. Members inform other countries about areas of concern, and share specifics about ongoing investigations which may involve transnational companies. By sharing the results of investigations and research, duplication of effort can be minimized.

Below is more info about the Sweeps' findings and links for further reading.

Children's online privacy sweep, 2015. From the Annual Report.

“The Sweep” is a GPEN initiative whereby privacy enforcement authorities work together for a week, once every year, to protect the privacy rights of individuals around the world. The Sweep is aimed at encouraging organizations to comply with privacy legislation and to enhance co-operation between privacy enforcement authorities. Concerns identified during the Sweep will typically result in follow-up work such as outreach to organizations, deeper analysis of privacy provisions and/or enforcement action.

The theme of the 2015 Sweep was children’s online privacy, and websites and apps targeted at or popular with children. In total, 1,494 websites and apps were examined. The Sweep identified concerns with 41% of the 1,494 websites and apps considered, particularly around how much personal information was collected and how it was then shared with third parties.

Results included:

  • 67% of sites/apps examined collected children’s personal information;
  • Only 31% of sites/apps had effective controls in place to limit the collection of personal information from children. Particularly concerning was that many organisations whose sites/apps were clearly popular with children simply claimed in their privacy notices that they were not intended for children, and then implemented no further controls to protect against the collection of personal data from the children who would inevitably access the app or site;
  • Half of sites/apps shared personal information with third parties;
  • 22% of sites/apps provided an opportunity for children to give their phone number and 23% of sites/apps allowed them to provide photos or video. The potential sensitivity of this data is clearly a concern;
  • 58% of sites/apps offered children the opportunity to be redirected to a different website;
  • Only 24% of sites/apps encouraged parental involvement;
  • 71% of sites/apps did not offer an accessible means for deleting account information.

The Sweep did find examples of good practice, with some websites and apps providing effective protective controls, such as parental dashboards, and pre-set avatars and/or usernames to prevent children inadvertently sharing their own personal information. Other good examples included chat functions which only allowed children to choose words and phrases from pre-approved lists, and use of just-in-time warnings to deter children from unnecessarily entering personal information.

While the Sweep focused on privacy practices, authorities also noted concerns around the inappropriate nature of some advertisements on websites and apps aimed at children.

Connected Devices Sweep, 2016. Preliminary findings.

  • 59 per cent of devices failed to adequately explain to customers how their personal information was collected, used and disclosed
  • 68 per cent failed to properly explain how information was stored
  • 72 per cent failed to explain how customers could delete their information off the device
  • 38 per cent failed to include easily identifiable contact details if customers had privacy concerns.


Read more about GPEN on the Hunton & Williams blog.