Lessons learned from ICDPPC 2009 (guest blog by EPIC)

4 May 2018

This case study was authored by the Electronic and Privacy Foundation (EPIC) and provides information on civil society engagement at the 2009 International Conference of Data Protection and Privacy Commissioners (ICDPPC).

In 2009, almost two hundred privacy experts, advocates, and governments officials from around the world gathered in Madrid for the “Global Privacy Standards” conference, organised by the Public Voice coalition which was set up in 1996 by the Electronic Privacy Information Center (EPIC). The event features panel discussions on “Privacy and Human Rights: The Year in Review,” “Privacy Activism: Major Campaigns,” “Your Data in the Cloud: What if it Rains?,” “Transborder Data Flow: Bridges, Channels or Walls?,” and “Toward International Privacy Standards.” Leading privacy officials from Spain, the European Union, the European Parliament, the OECD, and Canada participated. The event was held in conjunction with the annual meeting of the Privacy and Data Protection Commissioners (ICDPPC), which drew more than 1,000 participants from over fifty countries. The Public Voice event was cybercast and tweeted. @thepublicvoice #globalprivacy.



1. Introduction


03 – 06 November 2009

Type of mechanism

39th International Conference of Data Protection and Privacy Commissioners (ICDPPC)


The ICDPPC is the only conference that brings together data protection authorities from around the world. The first ICDPPC was held in 1979 in Bonn, Germany. Each conference is hosted on an annual basis in a different city.  The Conference is a forum for Data Protection Authorities (DPAs) to share expertise and to coordinate activities, aiming to implement regional and national data protection laws. At the Conference, DPAs listen to expert presentations, discuss emerging issues, and develop common approaches for data protection. The event is widely viewed as the most significant gathering of data protection officials and experts in the world. As a result, what happens at the ICDPPC has an impact on privacy rights around the world. The ICDPPC also publishes influential resolutions, declarations, and reports on emerging privacy issues to guide DPAs and state policy positions. Recent ICDPPC resolutions covered such topics as connected vehicles, consumer privacy, and international cooperation (Hong Kong 2017).

Structure and decisionmaking processes

The ICDPPC is composed of about 100 formal members. Membership is limited to public authorities that are responsible for the enforcement of data protection or data privacy regulation. Today, the annual conference programme is a mixture of Open and Closed Sessions and is supplemented by official side events and other events held in conjunction with the main conference. Open sessions can be attended by anyone who registers while the closed sessions can only be attended by members, official observers, and invitees. The Closed session is where all decisions related to the outcomes of the conference are made – including discussing and voting on resolutions, declarations, and reports, developing the ICDPPC agenda, and establishing Working Groups, voting privileges on resolutions and declarations are limited to members. Official side events organised in coordination with the main conference can be organised by any conference participant and must go through an application process with the ICDPPC. Other events and conferences are also typically organised in conjunction with the ICDPPC.


The ICDPPC convenes members to make decisions on the future of the Conference, develop and adopt reports of the Working Groups, resolutions, and declarations, and set up Working Groups.  It also provides a space for panellists and attendees at the Open Session and side events to engage with the ICDPPC members concerning key emerging privacy issues.


2. What was at stake

During the 31st ICDPPC in 2009, held in Madrid, civil society was focused on the increasing need for the creation of global standards for data protection. 2009 was characterised by a global trend of increasing corporate and government surveillance, from biometric identification to the consolidation of internet-based services dependent on the collection of personal data. At the same time, important regional and national privacy standards also emerged. For instance, Articles 7 and 8 of the European Union’s Charter of Fundamental Rights, which established fundamental rights to privacy and data protection, became legally binding that same year. Recognising these shifts, civil society were advocating to raise the level of privacy protection around the world. Specifically, civil society sought to:

  • Emphasise the central role of civil society in defending privacy and establishing international frameworks for privacy protection;
  • Highlight the need for international privacy standards to ensure consistent, strong data protection;
  • Re-affirm the significance of international human rights instruments that protect the right to privacy as a fundamental human right;
  • Develop solutions for emerging global privacy issues: international surveillance, trans border data flows in the private and public sectors, and multinational industries built on personal data.


3. Challenges for civil society engagement

The organising vehicle for civil society at the 31st ICDPPC was the Public Voice coalition, an international network of NGOs established in 1996 by the Electronic Privacy Information Center (EPIC). The coalition was created specifically to promote public participation in decisions concerning the future of the Internet and to increase the presence of NGOs at meetings across the globe. This well-established network helped identify specific strategies to advance civil society’s agenda, proposed speakers and panellists, and created a program committee to organise the civil society event.

The Public Voice coalition continued a long-standing tradition to of working with the host country to host a civil society conference, which was welcomed by the Spanish DPA. The goals of the conference would be closely linked to the events of the year: to review the privacy developments of the past year; promote civil society participation in decisions concerning the protection of privacy as both a fundamental human right and an essential facilitator for a global economy; develop global privacy standards; and to review and coordinate civil society involvement in privacy discussions in regional and other global arenas. But there were challenges:

  • High cost of attendance: The cost of attending the ICDPPC itself is high, with registration running at around $900 a ticket for NGOs; not including by travel expenses and lodging for the duration of the conference. Together with the need to add another day to travel plans to attend the civil society conference, these costs can be prohibitively high and put attendance at the conference out of reach for some members of civil society who do not have financial assistance or waivers.
  • Engaging data protection authorities. The ICDPPC is composed of an expert group of international DPAs. To effectively reach this audience, a separate civil society conference must include a rigorous, high-level program. DPAs, around whom the conference is centred, should also be included as speakers. Organising a full day conference and securing these panellists requires the investment of substantial time and resources from often under-resourced members of civil society.
  • Civil society panel participation at the main and civil society conferences. For civil society members seeking spots as panellists in the main conference, creative and persistent advocacy with conference hosts is necessary. An all-day civil society conference in conjunction with the main conference provides an opportunity for broad-based civil society participation at the ICDPPC. As a result, identifying and securing good civil society speakers is critical.
  • Civil society coordination. To amplify any concrete outcome of the civil society conference, NGOs around the world must coordinate. Speaking with one voice will maximise impact by, for instance, obtaining statement signatories from a broad civil society coalition. Utilising pre-existing networks and securing substantial attendance at the civil society conference is important to quickly coordinate with large numbers of civil society organisations.
  • Internet presence. The work of NGOs can be amplified with an effective Internet presence. This requires ensuring that there is a good Internet connection and people specifically responsible for managing a website and tweeting the event.


4. What happened

A global coalition of civil society organisations helped shape the annual conference of the 2009 ICDPPC in three ways:

A civil society conference: Civil society hosted a full day civil society conference organised by the Public Voice coalition titled “The Public Voice: Global Privacy Standards for a Global World.” The conference also sought to engage DPAs and increase the civil society voices at the ICDPPC on civil society’s target issues in 2009.  

The civil society conference was scheduled for the day before the ICDPPC main conference to allow for participation by data protection authorities and other experts participating in the main conference. The topics were wide-ranging and tied to the main conference “Privacy and Human Rights: The Year in Review,” “Privacy Activism: Major Campaigns,” “Your Data in the Cloud: What if it Rains?” “Transborder Data Flow: Bridges, Channels or Walls?” and “Toward International Privacy Standards”.

Twenty-one civil society organisations and universities from around the world – including China, South Korea, Spain, Bangladesh, Brazil, the USA, Belgium, and the UK – co-organised the civil society conference. The host of the ICDPPC in 2009, the Spanish Data Protection Agency provided funding to support the Public Voice conference and secure attendance of civil society members. The event was webcast and tweeted to allow broad participation possible @thepublicvoice #privacidad (in Spanish) #globalprivacy (In English).

High-level authorities participated in the civil society event, resulting in a meaningful dialogue between civil society and DPAs ahead of the main conference. These discussions were a critical opportunity to forge channels of communication, seek NGO and DPA collaboration and shape the international debate on emerging privacy issues at this influential conference. High-level panellists who participated in the conference included the 2009 ICDPPC host and Chair of the Spanish Data Protection Agency Artemi Rallo, the then Privacy Commissioner of Canada Jennifer Stoddart, the Vice Chairman of the Article 29 Working Party (the leading group of EU privacy experts) Jacob Kohnstamm, the Vice President of the European Parliament Stavrbefos Lambrinidis, and the European Data Protection Supervisor Peter Hustinx. It was a remarkable assembly of many of the world’s leading privacy officials who attended the NGO event.

The Public Voice event featured a comprehensive discussion of privacy issues. The day-long programme allotted enough time for participants to discuss the international dimensions of privacy protection. Panels reviewed the year’s privacy developments from around the world, major privacy and data protection campaigns and their successes, transborder data flows in the public and private sector, the development of global privacy standards, and more.

The development of a joint civil society declaration: To call the 31st ICDPPC’s attention to the need for global privacy standards, civil society also developed, adopted, and published a joint statement during 2009 civil society conference. The product was the Madrid Declaration – a formal agenda for global data protection in the 21st century. Before the conference, the Public Voice coalition provided an opportunity for NGOs around the world to provide input for a draft statement planned for release at the civil society conference. After gathering in Madrid for the civil society conference, NGOs in attendance then circulated and collaborated on the text during the course of the daylong conference.  A critical mass of civil society was assembled, providing the opportunity to secure signatories to the statement that same day and indicate broad support for the text. Over one hundred civil society organisations and privacy experts from more than forty countries signed the declaration over the course of the day. The text was presented and published by the close of the civil society conference.

Broad civil society participation in the ICDPPC 2009 Main Conference: Numerous NGOs served as panelists during the conference that year. Civil society panellists included Marc Rotenberg of the Electronic Privacy information Center (EPIC), Simon Davies of Privacy International (PI), Eddan Kats of European Digital Rights (EDRI), Willemien Bax of the European Consumer Organization (BEUC), Jules Polonetsky of the Future of Privacy Forum (FPF), and Jeffrey Chester of the Center for Digital Democracy (CDD). In total, civil society panellists served on nearly half of all ICDPPC panels, elevating the voices of civil society on issues ranging from surveillance to big data.


5. Outcomes

The Madrid Declaration. The joint civil society conference culminated in a concrete and lasting outcome – the adoption of the Madrid Declaration, which was signed by more than three hundred organisations and individual data protection and privacy experts. The Madrid Declaration reaffirms international instruments for privacy protection, identifies new challenges, and calls for concrete actions. The Declaration provides a framework for civil society, including a framework for measuring progress on protecting the fundamental right to privacy and has been cited in a range of publications. Among these publications are: Privacy Law Sourcebook: United States Laws, International Law, and Recent Developments (2016), Privacy Law and Society (3rd ed. 2015); Privacy in the Modern Age (2015); Data and Goliath: Hidden Battles to Collect Your Data and Control Your World (2015).

Recognition of the importance of civil society engagement in global privacy discussions: Civil society served alongside other panellists and attendees at both the civil society conference and main conference. A full day civil society conference scheduled ahead of the main ICDPPC also ensured significant discussion of civil society concerns before the main conference.

Building blocks for future advocacy. While not the first, the Madrid civil society conference was among the most effective civil society conferences in the coalition’s twenty-year history. Its success helped build relationships among members of civil society and with influential DPAs. The conference resulted in a concrete outcome, the Madrid Declaration, used subsequently as an advocacy tool and a benchmark measure annual progress on protecting privacy at international conferences. In short, the conference served as a point of reference as a best practice example of how civil society engagement can advocate at ICDPPC. For instance, the Public Voice coalition held a similarly styled, full day conference in conjunction with the 32nd ICDDPC in Jerusalem, Israel. Leading privacy officials from Canada, Mexico, Spain, the European Union, the European Parliament, and the OECD participated as panellists in the 2010 NGO event, and the event reviewed progress toward the Madrid Declaration’s goals.


6. Lessons learned

Build relationships with the conference organisers. At international events like the ICDPPC the barriers to civil society influence are multiple – from funding to access. Consistent efforts to build ties with conference organisers can be key to a strong civil society voice, whether through the commitment of resources or placement on panels. The support of the conference host, the director of the Spanish Data Protection Agency, for example was key to ensuring the inclusion of civil society representatives on behalf of the panels at the Conference in 2009, as well as the strength of the coordinated civil society conference. It’s important to identify the civil society leaders who have built relationships with their local or other prominent DPAs attending the ICDPPC.  

Create opportunities for meaningful engagement and discussion with DPAs:  

  • Organise a civil society event which includes DPAsThe civil society conference program covered key issues of interests to NGOs and DPAs. This helped ensure meaningful engagement. It’s therefore important to identify topics that complement the agenda of the Conference and attract DPAs, and to engage issues on the programme agenda at a rigorous, high level. Investing time and resources to do this is crucial. The concrete outcome of the Madrid Declaration and the success of the conference outcomes that enabled future civil society work is a testament to the importance of this approach.
  • Request speaking opportunities in the open and closed sessions of the Conference: Civil society should reach out to the selected DPA host shortly after they are announced, preferably in person, and open a line of communication. Civil society should seek a clear commitment from the host DPA to include civil society at the next ICDPPC.

Utilise and broaden existing civil society networks: A diverse coalition of civil society members is critical for any coordinated activity to influence a government focused event. Inclusiveness – preferably by membership in any planning or drafting committee, attendance on panels, or at very least via social media engagement, webcast, and signatories – is essential to developing strong, credible statements reflective of the larger community governments serve. The Public Voice coalition is a historical network established with the express aim of increasing the presence of civil society groups at meetings around the world. The Public Voice’s founding commitment to include civil society voices at key international meetings made sure the expansive civil society conference was well planned, resourced, and successful