January 19, 2020

January 17, 2020

Subscribe to Latest Legal News and Analysis

January 16, 2020

Subscribe to Latest Legal News and Analysis

On the Heels of FTC, FCC Joins Global Privacy Enforcement Network (GPEN) to Better Watch Data Abroad

Data is rarely still. It is captured, processed and moved around the world at speeds we wouldn’t have dreamed possible 20 years ago. Data often disrespects borders. By way of example, companies often mistakenly store personal data in the cloud to be accessed by multiple international locations, without considering the legal rights of the data subjects in the countries in which data processors or controllers do business, or where the data subject resides. These issues give rise to data transfer laws across geographic boundaries.

On October 28, the Federal Communications Commission (FCC) announced that it is joining fifty other countries and the U.S. agency the Federal Trade Commission (FTC) to launch the Global Privacy Enforcement Network (GPEN). FCC and FTC’s decision to help form this group grew out of a 2007 Recommendation on Cross-Border Cooperation in Enforcement of Laws Protecting Privacy, adopted by the Organization for Economic Cooperation and Development (OECD).

This is a development employers, especially those with international human resources information systems (HRIS) that are stored in the cloud, should follow. We do not yet have a full understanding of how the GPEN will function. However, industry press believes that increased focus on international data protection by two of the U.S.’s largest data privacy and security regulators could portend tighter auditing of those functions at home.

The GPEN will include, but not be limited to, the following sovereign nations in addition to the U.S.: Australia, Canada, France, Germany, Israel, Ireland, Italy, the Netherlands, New Zealand, Spain and the United Kingdom. FTC officials have said they hope to reduce the number of privacy and security related unfair and deceptive trade practices pertaining to privacy and cyber security.

Organizations in addition to FTC and FCC include the European Union, the Australian Information Commissioner, Office of the Privacy Commissioner of Canada, Dutch Data Protection Authority, Commission Nationale de l’Informatique et des Libertes of France, Federal Data Protection Authority of Germany, Federal Institution for Access to Information and Data Protection of Mexico, and the Office of the Privacy Commission of New Zealand.

Employers with HRIS or other cloud-based symptoms that process data abroad should assess risks related to data transfer rules both in U.S. and their other host countries. FTC and FCC’s move in helping to form GPEN is just one of many more “nods” from U.S. and foreign regulators that they are examining data at home and abroad.

Jackson Lewis P.C. © 2020


About this Author


Amy R. Worley is a Shareholder in the Raleigh office of Jackson Lewis P.C. She is a Certified Information Privacy Professional (CIPP-US) with the International Association of Privacy Professionals. She is also a North Carolina Certified Mediator. She is a member of the Privacy, e-Communication and Data Security practice group. Ms. Worley is also a member of the Non-Competes and Protection against Unfair Competition group. In short, her practice focuses on identifying, protecting, and maximizing valuable business assets including consumer, commercial...