Memorandum of Understanding Between the U.S. Federal Trade Commission and the Dutch Data Protection Authority on Mutual Assistance in the Enforcement of Laws Protecting Personal Information in the Private Sector



MEMORANDUM OF UNDERSTANDING BETWEEN THE

UNITED STATES FEDERAL TRADE COMMISSION AND THE DUTCH DATA

PROTECTION AUTHORITY ON MUTUAL ASSISTANCE IN THE ENFORCEMENT

OF LAWS PROTECTING PERSONAL INFORMATION IN THE PRIVATE SECTOR

The United States Federal Trade Commission ("FTC") and the Dutch Data Protection

Authority (“Autoriteit Persoonsgegevens” or “AP”), (collectively, "the Participants"),

RECOGNIZING the nature of the modern global economy, the increase in the flow of

personal information across borders, the increasing complexity and pervasiveness of

information technologies, and the resulting need for increased cross-border

enforcement cooperation;

RECOGNIZING that the OECD Recommendation on Cross-Border Co-operation in

the Enforcement of Laws Protecting Privacy, the Global Privacy Enforcement

Network’s Action Plan, resolutions of the International Conference of Data Protection

and Privacy Commissioners, and the APEC Privacy Framework call for the

development of cross-border information-sharing mechanisms and enforcement

cooperation arrangements; and that such information sharing and enforcement

cooperation are essential elements to ensure privacy and data protection

compliance, serving an important public interest;

RECOGNIZING that the U.S. Federal Trade Commission Act, 15 U.S.C. § 41 et seq.,

as amended by the U.S. SAFE WEB Act, authorizes the FTC to share information

with law enforcement authorities from other countries under appropriate

circumstances;

RECOGNIZING that subsection 1 and 2 of Section 2:5 of the Dutch General

Administrative Law Act (de Algemene wet bestuursrecht) provide that a Dutch public

body may disclose confidential information to (a) person(s) or organization who is

involved in the execution of the task of this Dutch public body if this is necessary to

fulfill the supervisory task of the Dutch public body and the confidentiality of the

information is maintained;

RECOGNIZING that the AP is the designated authority in the Netherlands for the

purposes of the Convention for the Protection of Individuals with regard to the

Automatic Processing of Personal Data (which was opened for signature on 28th

January 1981) and is the supervisory authority in the Netherlands for the purposes of

the General Data Protection Regulation (GDPR) on the protection of individuals with

regard to the processing of personal data and on the free movement of such data.

The AP is also the supervisory authority in the Netherlands for the purpose of the

Dutch General Data Protection Regulation Implementation Act (Uitvoeringswet

Algemene verordening gegevensbescherming);

RECOGNIZING that the Participants each have functions and duties with respect to

the protection of personal information in their respective countries;

RECOGNIZING that the Participants have worked together in connection with several

international initiatives related to privacy;



RECOGNIZING that the Participants have cooperated in the context of several

international networks, including the Global Privacy Enforcement Network, and the

International Conference of Data Protection and Privacy Commissioners; and

RECOGNIZING that the Participants would not be able to provide assistance to the

other if such assistance is prohibited by their respective national laws, such as

privacy, data security, or confidentiality laws; or enforcement policies.

HAVE REACHED THE FOLLOWING UNDERSTANDING:

I. Definitions

For the purposes of this Memorandum,

A. "Applicable Privacy Law" means the laws identified in Annex 1, which may be

revised by mutual consent of the Participants, including any regulations implemented

pursuant to those laws, the enforcement of which has the effect of protecting

personal information.

B. "Covered Privacy Violation" means practices that would violate the Applicable

Privacy Laws of one Participant's country and that are the same or substantially

similar to practices prohibited by any provision of the Applicable Privacy Laws of the

other Participant's country.

C. “Person” means any natural person or legal entity, including corporations,

unincorporated associations, or partnerships, established, existing under or

authorized by the laws of the United States, its States, or its Territories, or the laws of

the Netherlands.

D. "Request" means a request for assistance under this Memorandum.

E. "Requested Participant" means the Participant from which assistance is sought

under this Memorandum, or which has provided such assistance.

F. “Requesting Participant” means the Participant seeking assistance under this

Memorandum, or which has received such assistance.

II. Objectives and Scope

A. This Memorandum of Understanding sets forth the Participants’ intent with regard

to mutual assistance and the exchange of information for the purpose of

investigating, enforcing and/or securing compliance with Covered Privacy Violations.

The Participants do not intend the provisions of this Memorandum of Understanding

to create legally binding obligations under international or domestic laws.

B. The Participants understand that it is in their common interest to:

1. cooperate with respect to the enforcement of the Applicable Privacy Laws,

including sharing complaints and other relevant information and providing

investigative assistance;



2. facilitate research and education related to the protection of personal information;

3. facilitate mutual exchange of knowledge and expertise through training programs

and staff exchanges;

4. promote a better understanding by each Participant of economic and legal

conditions and theories relevant to the enforcement of the Applicable Privacy Laws;

and

5. inform each other of developments in their respective countries that relate to this

Memorandum.

C. In furtherance of these common interests, and subject to Section IV, the

Participants intend to use best efforts to:

1. share information, including complaints and other personally identifiable

information, that a Participant believes would be relevant to investigations or

enforcement proceedings regarding Covered Privacy Violations of the Applicable

Privacy Laws of the other Participant's country;

2. provide investigative assistance in appropriate cases, including obtaining evidence

under the Participants’ respective legal authorities on behalf of the other Participant;

3. exchange and provide other relevant information in relation to matters within the

scope of this Memorandum, such as information relevant to consumer and business

education; government and self-regulatory enforcement solutions; amendments to

relevant legislation; technological expertise, tools or techniques; privacy and data

security research; and staffing and resource issues;

4. explore the feasibility of staff exchanges and joint training programs;

5. coordinate enforcement against cross-border Covered Privacy Violations that are

priority issues for both Participants;

6. participate in periodic teleconferences to discuss ongoing and future opportunities

for cooperation; and

7. provide other appropriate assistance that would aid in the enforcement against

Covered Privacy Violations.

III. Procedures Relating to Mutual Assistance

A. Each Participant is to designate a primary contact for the purposes of requests for

assistance and other communications under this Memorandum.

B. If a Participant requests assistance for matters involved in the enforcement of

Applicable Privacy Laws, then Participants understand that:

1. requests for assistance are to include sufficient information to enable the

Requested Participant to determine whether a request relates to a Covered Privacy

Violation and to take action in appropriate circumstances. Such information may

include a description of the facts underlying the request and the type of assistance

sought, as well as an indication of any special precautions that should be taken in the

course of fulfilling the request;

2. requests for assistance are to specify the purpose for which the information

requested will be used;

3. consistent with Section V.A., a request for assistance certifies that, subject to any

relevant applicable legal restrictions in its own jurisdiction on its ability to do so, the

Requesting Participant is to maintain confidentiality in respect of:

- each request for assistance,

- the existence of any investigation related to the request,



- all materials related to each request, and

- all information and material provided in response to each request, unless otherwise

decided; and,

4. prior to requesting assistance, Participants should perform a preliminary inquiry to

ensure that the request is consistent with the scope of this Memorandum.

C. Participants should use their best efforts to resolve any disagreements related to

cooperation that may arise under this Memorandum through the contacts designated

under Section III.A, and, failing resolution between the designated contacts in a

reasonably timely manner, by discussion between appropriate senior officials

designated by the Participants.

IV. Limitations on Assistance

A. The Requested Participant may exercise its discretion to decline the request for

assistance, or limit or condition its cooperation, including where it is outside the

scope of this Memorandum, or more generally, where it would be inconsistent with

domestic laws, or important interests or priorities.

B. The Participants recognize that it is not feasible for a Participant to offer

assistance to the other Participant for every Covered Privacy Violation. Accordingly,

the Participants intend to use best efforts, as outlined in Section II, to seek and

provide cooperation focusing on those Covered Privacy Violations most serious in

nature, such as those that cause or are likely to cause damage or distress to a

significant number of persons, and those otherwise causing substantial damage or

distress, especially if this concerns both countries.

C. If the Requested Participant is unable to offer full assistance or declines

assistance, it should explain the reasons why.

D. Participants intend, in so far as they are able and are allowed by their respective

laws, to share confidential information pursuant to this Memorandum only to the

extent that it is necessary to fulfill the purposes set forth in Section II.

V. Confidentiality, Privacy, and Limitations on Use

A. Subject to any restrictions imposed by their respective national laws, to the fullest

extent possible, each Participant certifies the confidentiality of information to be

shared under this Memorandum. The certification of confidentiality applies not only to

the shared information, but also to the existence of an investigation to which the

information relates. The Participants are to treat the shared information, the existence

of the investigation to which the information relates, and any requests made pursuant

to this Memorandum as confidential, and so far as they are able, not further disclose

or use this information for purposes other than those for which it was originally

shared, without the prior written consent of the Requested Participant.

B. Notwithstanding Section V.A., it is understood that:

1. A Participant may disclose information provided pursuant to this Memorandum in

response to a formal request from a Participant country’s legislative body or an order

issued from a court with proper jurisdiction in an action commenced by the

Participant or its government.



 

2. Material obtained in connection with the investigation or enforcement of criminal

laws may be used for the purpose of investigation, prosecution, or prevention of

violations of either Participant’s country’s criminal laws.

C. Each Participant is to use best efforts to safeguard the security of any information

received under this Memorandum and respect any safeguards decided by the

Participants. In the event of any access to, or disclosure of, the information not

authorized by a Participant, the Participants are to take all reasonable steps to

prevent a recurrence of the event and are to notify the other Participant of the

occurrence.

D. Where a Participant receives an application by a third party for disclosure of

confidential information or materials received from a Requested Participant, the

Requesting Participant should notify the Requested Participant forthwith and seek to

obtain that Participant’s consent to the release of the information or – if the

Requested Participant does not agree with the disclosure – oppose, to the fullest

extent possible consistent with their countries’ laws, any request for disclosure.

Where the Participant that receives an application for disclosure from a third party is

unable to obtain consent for its disclosure from the Requested Participant, if the

Receiving Participant is nevertheless obliged under its laws to release the

information, it should notify the Requested Participant as soon as possible of its

decision to disclose the information, as well as the general procedure concerning the

disclosure of information.

E. The Participants recognize that material exchanged in connection with

investigations and enforcement often contains personally identifiable information. If

the Requesting Participant wishes to obtain confidential information that includes

personally identifiable information, then the Participants understand that they are to

take additional appropriate measures to safely transmit and safeguard the materials

containing personally identifiable information. Protective measures include, but are

not limited to, the following examples and their reasonable equivalents, which can be

used separately or combined as appropriate to particular circumstances:

1. transmitting the material in an encrypted format;

2. transmitting the material directly by a courier with package tracking capabilities;

3. transmitting the materials by facsimile rather than non-encrypted email;

4. maintaining the materials in secure, limited access locations (e.g., password-

protected files for electronic information and locked storage for hard-copy

information); and

5. if used in a proceeding that may lead to public disclosure, redacting personally

identifiable information or filing under seal.

VI. Changes in Applicable Privacy Laws

In the event of significant modification to the Applicable Privacy Laws of a

Participant's country falling within the scope of this Memorandum, the Participants

intend to consult promptly, and, if possible, prior to the entry into force of such

enactments, to determine whether to modify this Memorandum.



VII. Retention of Information

A. If Participants wish to retain materials obtained from the other Participant under

this Memorandum, the Participants understand they are not to retain such materials

for longer than is reasonably required to fulfill the purpose for which they were shared

or for longer than is required by the Requesting Participant's country's laws.

B. The Participants recognize that in order to fulfill the purpose for which the

materials were shared, the Participants typically need to retain the shared materials

until the conclusion of the pertinent investigation or related proceedings for which the

materials were requested, including until a judgment has become irrevocable.

C. The Participants are to use best efforts to return any materials that are no longer

required if, at the time they are shared, the Requested Participant makes a written

request that such materials be returned. If no request for return of the materials is

made, then the Requesting Participant may dispose of the materials using methods

prescribed by the Requested Participant, or if no such methods have been

prescribed, by other secure methods, as soon as practicable after the materials are

no longer required.

VIII. Costs

Unless otherwise decided by the Participants, the Requested Participant is expected

to pay all costs of executing the request for information. When such costs are

substantial, the Requested Participant may ask the Requesting Participant to pay

those costs as a condition of proceeding with the Request. In such an event, the

Participants should consult on the issue at the request of either Participant.

IX. Duration of Cooperation

A. The Participants intend cooperation in accordance with this Memorandum to

become available as of the date it is signed by both Participants.

B. Assistance in accordance with this Memorandum is understood to be available

concerning Covered Privacy Violations occurring before as well as after this

arrangement is signed.

C. A Participant should endeavor to provide 30 days advance written notice to the

other Participant that it plans to withdraw from the understanding set out in this

Memorandum. However, prior to providing such notice, each Participant should use

best efforts to consult with the other Participant.

D. Upon cessation of cooperation through this Memorandum, the Participants, in

accordance with Section V, are to maintain the confidentiality of any information

communicated to them by the other Participant in accordance with this Memorandum,

and return or destroy, in accordance with the provisions of Section VII, information

obtained from the other Participant in accordance with this Memorandum.



X. Legal Effect

Nothing in this Memorandum is intended to:

A. Create binding obligations, or affect existing obligations, under international or

domestic law.

B. Prevent a Participant from seeking assistance from or providing assistance to the

other Participant pursuant to other agreements, arrangements, or practices.

C. Affect any right of a Participant to seek information on a lawful basis from a

Person located in the territory of the other Participant's country, or preclude any such

Person from voluntarily providing legally obtained information to a Participant.

D. Create a commitment that conflicts with either Participant’s national laws, court

orders, or any applicable international legal instruments.

E. Create expectations of cooperation that would exceed a Participant's powers.

Signed simultaneously in Washington D.C., United States and The Hague, the

Netherlands on ___________ in duplicate.

Joseph J. Simons Aleid Wolfsen

Chairman Chairman

United States Federal Trade

Commission

Autoriteit Persoonsgegevens

(Dutch Data Protection Authority)





Annex 1

Applicable Privacy Laws

I. Federal Trade Commission

a) Federal Trade Commission Act, 15 U.S.C. §§ 41-58

b) Fair Credit Reporting Act, 15 U.S.C. §§ 1681-1681u

c) The Children’s Online Privacy Protection Act, 15 U.S.C. §§ 6501-6506

d) Gramm-Leach-Bliley Act, codified in relevant part at 15 U.S.C. §§ 6801-6809

and §§ 6821-6827

e) Telemarketing and Consumer Fraud and Abuse Prevention Act, 15 U.S.C. §§

6101-6108

f) CAN-SPAM Act of 2003, 15 U.S.C. §§ 7701-7713

II. Dutch Data Protection Authority

a) General Data Protection Regulation

b) Dutch General Data Protection Regulation Implementation Act (Uitvoeringswet

Algemene verordening gegevensbescherming)

c) Dutch Telecommunications Act (Telecommunicatiewet), 19 October 1998,

Staatsblad 5 november 1998, nr. 610

Regulation (EU) 2016/679 of the European Parliament and of the council of 27 April 2016 on the

protection of natural persons with regard to the processing of personal data and on the free movement

of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Wet van 16 mei 2018, houdende regels ter uitvoering van Verordening (EU) 2016/679 van het

Europees Parlement en de Raad van 27 april 2016 betreffende de bescherming van natuurlijke

personen in verband met de verwerking van persoonsgegevens en betreffende het vrije verkeer van

die gegevens en tot intrekking van Richtlijn 95/46/EG (algemene verordening gegevensbescherming)

(PbEU 2016, L 119) (Uitvoeringswet Algemene verordening gegevensbescherming), Staatsblad 2018,

nr. 144.