Executive Summary

International enforcement cooperation in the field of data protection is currently characterized by a significant gap between theoretical legal possibilities and practical implementation. While the GDPR provides a sophisticated framework for cooperation among European Economic Area (EEA) Data Protection Authorities (DPAs), cooperation at the international level—specifically between EEA DPAs and authorities in countries with an EU adequacy decision—remains limited, fragmented, and predominantly “soft.”

Most international cooperation consists of informal best-practice exchanges, general information sharing, and participation in global fora such as the Global Privacy Assembly (GPA) and the Global Privacy Enforcement Network (GPEN). Enhanced cooperation, such as joint investigations or providing investigative assistance, is frequently hindered by legal barriers regarding confidentiality, lack of investigative powers on behalf of foreign authorities, and the absence of mechanisms to enforce DPA decisions in third countries.

Comparative analysis of consumer protection and competition law reveals more mature frameworks. Consumer protection benefits from centralized platforms like econsumer.gov, while competition law utilizes “second-generation” intergovernmental agreements and confidentiality waivers to bypass legal obstacles. To bridge the existing gap, this briefing document recommends a multi-faceted approach involving enhanced legal frameworks, the creation of a secure information-sharing platform, government-level interventions for decision enforcement, and the standardization of cooperation templates and guidance by the European Data Protection Board (EDPB).


I. The Current State of Data Protection Enforcement Cooperation

The current landscape of international data protection enforcement cooperation relies on a mix of binding legal instruments and non-binding “soft law” arrangements.

  • National Law and GDPR Article 50: Article 50 of the GDPR (and Article 51 of the EUDPR) serves as a general legal basis for international mutual assistance. However, many DPAs interpret this provision narrowly, often requiring supplementary arrangements to engage in substantive cooperation.
  • Multilateral Agreements:
    - Convention 108/108+: A binding agreement for ratifying states, though its practical scope is limited as it is not self-executing and requires domestic implementation.
    - EU–U.S. Data Privacy Framework (DPF): A binding mechanism for transfers between the EU and the U.S., involving commitments from the U.S. Department of Commerce and the Federal Trade Commission (FTC) to assist EU DPAs.
  • Soft Law and Global Fora:
    - Memoranda of Understanding (MoUs): The most frequent tool for bilateral cooperation, though they are non-binding.
    - Global Privacy Assembly (GPA): Facilitates high-level information sharing and joint open letters.
    - Global Privacy Enforcement Network (GPEN): An informal network for sharing best practices and coordinating annual “privacy sweeps.”
    - Global CAPE: A multilateral mechanism under the Global CBPR Forum that allows for joint investigations and staff exchanges on a voluntary basis.

2. Practical Utilization and Active Participants

Despite the variety of instruments, formal enforcement cooperation is infrequent. The UK and Canada are notable exceptions, demonstrating active participation in joint investigations (e.g., the 23andMe investigation) and maintaining numerous MoUs. Conversely, half of surveyed DPAs reported zero or only one instance of formal international cooperation in the past five years.

3. Key Challenges and Limitations

DPAs identify several critical barriers to effective cross-border cooperation:

| Challenge Category | Specific Issues |
| --- | --- |
| Legal Barriers | Restrictions on sharing confidential information or personal data; inability to exercise investigative powers for foreign DPAs. |
| Enforcement Gaps | No mechanism to enforce DPA decisions against controllers based in third countries. |
| Resource Constraints | Lack of human and material resources; absence of dedicated international units. |
| Reciprocity | “Dual unlawfulness” requirements where assistance is only provided if the conduct violates the laws of both jurisdictions. |
| Operational Issues | Language barriers, time differences, and fragmented multilateral fora. |


II. Comparative Analysis: Consumer Protection and Competition Law

Insights from other regulatory fields offer potential models for improving data protection cooperation.

1. Consumer Protection

The International Consumer Protection and Enforcement Network (ICPEN) serves as a primary forum.

  • econsumer.gov: This platform allows for the sharing of consumer complaints and investigative data. By obtaining express consumer consent, the platform bypasses many confidentiality barriers that plague the data protection field.
  • OECD Toolkit: The OECD provides a “legislative toolkit” to help countries reduce legal barriers to cross-border enforcement.

2. Competition Law

Competition law features the most mature and formalized cooperation frameworks.

  • “Second-Generation” Agreements: These bilateral intergovernmental agreements allow competition authorities to exchange confidential information without prior consent from the source and provide mutual investigative assistance.
  • Confidentiality Waivers: Parties under investigation (especially in mergers) often voluntarily waive confidentiality to expedite reviews, providing a practical workaround for legal restrictions.
  • Positive and Negative Comity: These principles allow authorities to either refrain from interfering in another jurisdiction’s interest (negative) or actively request a foreign authority to take action on their behalf (positive).

III. Recommendations for Enhancing Cooperation

To maintain the credibility of data protection law in a global digital economy, the following legal, technical, and operational reforms are proposed:

  • Adopt “Second-Generation” Agreements: Governments should negotiate binding agreements modeled on competition law to enable the exchange of confidential information and mutual investigative assistance.
  • Utilize Confidentiality Waivers: DPAs should develop model waivers for data controllers and explore consent-based mechanisms for data subjects to allow for the sharing of complaints across borders.
  • Maximize Existing Frameworks: DPAs should adopt less restrictive interpretations of Article 50 GDPR and other national provisions to facilitate routine information exchange.

2. Technical and Operational Improvements

  • Secure Information-Sharing Platform: Establish an encrypted platform modeled on econsumer.gov for sharing complaints, case facts, and investigative findings. Key features should include:
    - Standardized notification of investigations.
    - Case-specific confidentiality agreements.
    - Language support and automatic translation features.
  • Resource Pooling: Create dedicated international cooperation units and expert pools for technical investigations.
  • Standardized Frameworks: Develop templates for joint investigations and Terms of Reference (ToRs).

3. Government-Level Interventions

  • Mutual Recognition of Decisions: Governments should negotiate treaties to allow for the enforcement of DPA decisions (or at least the service of documents) in third countries.
  • Resource Allocation: Ensure DPAs have sustainable funding for personnel and infrastructure dedicated to international collaboration.
  • Adequacy Incentives: Encourage the European Commission to integrate specific enforcement cooperation commitments into the EU adequacy framework.

4. Guidance and Standard-Setting by the EDPB

  • Interpretive Guidance: The EDPB should clarify the relationship between professional secrecy (Article 54(2) GDPR) and the mandate for international cooperation.
  • Legislative Toolkit: Develop a toolkit of legislative actions, modeled on OECD initiatives, to help DPAs advocate for necessary domestic legal powers.
  • Contact Point Directory: Maintain a comprehensive and updated directory of international cooperation contact points, including emergency procedures.