The OECD Updates its 1980 Guidelines on the Protection of Privacy and Transborder Flows of Personal Data

Oct. 10, 2013, 5:36 PM

Introduction

In 2010, the Organisation for Economic Co-operation and Development (“OECD”) marked the 30th anniversary of its 1980 Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (“1980 Guidelines”). The 1980 Guidelines contained the first international set of privacy principles, and have proved to be very influential in data privacy regulation and policy.

Whilst the fundamental principles of the 1980 Guidelines remain unchanged, the OECD has recognised the pressing need to update the regulation in this area, in order for it to satisfactorily accommodate revolutionary technological changes and “take account of a very important shift, to a data-driven economy in the world”. Therefore, on September 9, 2013, the OECD published a revision to the 1980 Guidelines (“Revised Guidelines”); see WDPR, September 2013, page 31.

The Revised Guidelines apply to personal data, both in the public and private sectors, which, due to various factors, including its nature and the way in which it is processed, may pose a risk to privacy and individual liberties.

The Revised Guidelines adopt a practical approach to data privacy, focusing on compliance and the ways in which effective implementation can be realised. In light of this, a key theme that runs through the Revised Guidelines is making organisations accountable for their data protection and data privacy practices.

Revised Guidelines

Privacy Management Programmes

In recognising the principle of accountability and its role in promoting organisational responsibility, the Revised Guidelines develop the concept of privacy management programmes. These will serve as the primary operational mechanism in delivering privacy protection, and should implement the Revised Guidelines as regards “all personal data under its control”[1]. In accordance with the definition of “controller”[2], the scope of protection is extended to mean that the privacy management programme should address the data controller’s operations, in addition to all operations for which it is accountable, irrespective of where or to whom data is transferred.

A key function of a privacy management programme is that it incorporates effective safeguards for when agents of the data controller process personal data on its behalf, or when the data controller’s responsibility is shared. Examples of appropriate safeguards may include: contractual provisions which require compliance with the data controller’s privacy responsibilities; notification protocols in the event of a security breach; training and education; provisions for sub-contracting; and processes for conducting audits. The Revised Guidelines advise that such safeguards should be determined through a process of identifying, analysing and evaluating the risks concerning individuals’ privacy.

The Revised Guidelines place a further responsibility on data controllers to be prepared to demonstrate that their privacy management programme is appropriate to meet its objective, at the request of a privacy enforcement authority. This reflects a general trend towards promoting the concept of accountability.

The Revised Guidelines note that privacy management programmes will need to be inherently flexible, adapting to the locations, volume and sensitivity of the controller’s operations. Further, the Revised Guidelines recognise that ensuring the privacy management programme is integrated into the governance structure of a data controller is central to its successful implementation. Measures which may enhance a successful privacy management programme include support of senior management and sufficient resources and staff. Furthermore, regular updates and reviews of any privacy management programme will ensure its relevance to the risk environment to which it relates.

It is important to note that, in addition to implementing the Revised Guidelines, a privacy management programme may also need to incorporate other sources of data privacy regulation and policy, such as domestic law, international obligations, self-regulatory programmes, or contractual provisions.

Data Security Breach Notification

The Revised Guidelines promote security safeguards to enhance protection against risks such as “loss or unauthorised access, destruction, use, modification or disclosure of data”[3]. Data breaches can often be attributed to the data controller, for example through lack of employee training and awareness, lack of appropriate oversight, over-collection of data and unspecified retention periods. The potential impact on organisations can be significant, incurring substantial costs in responding to the breach appropriately, in addition to any subsequent harm to the organisation’s reputation.

The purpose of breach notification laws and regulation is to increase a data controller’s incentive to disclose breaches voluntarily and quickly and adopt appropriate safeguards. Imposing notification obligations on a data controller potentially allows individuals to take protective measures against identity theft or other harms, and allows privacy enforcement authorities to determine whether further investigation of the incident, or any other measures, may be necessary.

Further core principles of the Revised Guidelines, such as accountability, individual participation and openness, will be enhanced by data breach notification and may assist in improving the evidence base for policy making.

When a security breach occurs, other points should be considered in addition to the data controller’s internal notification protocol, such as:

  • whether other entities should be notified (such as law enforcement, computer incident response teams, or teams responsible for cybersecurity oversight); and

  • proportionality: notification of every security breach may impose an undue burden on the data controller and enforcement authorities, which may cause the mechanism to be less effective. The Revised Guidelines therefore endorse a risk-based approach[4], requiring notification where there is a “significant security breach affecting personal data”. Notification should therefore occur where an individual’s privacy and individual liberties are put at risk, or where they are likely to be “adversely affected” by the breach.

Privacy Enforcement Authorities

A significant change from the 1980 Guidelines and the 2007 OECD Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy is that the Revised Guidelines explicitly require that privacy enforcement authorities are established and maintained. The Revised Guidelines go further and incorporate a new definition of “laws protecting privacy”, which refers to “national laws or regulations, the enforcement of which has the effect of protecting personal data consistent with these Guidelines”.

Fundamental to the success of these authorities is that they can operate and make decisions on an “objective, impartial and consistent basis”[5]. This is highlighted in a new provision in Part Five, “National Implementation”, which requires the privacy enforcement authorities to be free from instructions, bias or conflicts of interest when making decisions in connection with laws protecting privacy.

The Revised Guidelines specify that member countries need to ensure their privacy enforcement authorities are equipped with the “governance, resources and technical expertise” necessary to carry out their obligations effectively. Note that the Revised Guidelines do not prohibit this concept from being realised through a group of bodies collectively enforcing laws protecting privacy, rather than necessarily being within a single entity.

Transborder Flows of Personal Data

Part Four of the Revised Guidelines is a consolidation of various mechanisms implemented by member countries since the 1980 Guidelines, in connection with protecting individuals’ privacy in the context of transborder data flows. As a result of the technological advances since the 1980 Guidelines, member countries have needed to adapt to data being processed simultaneously in multiple locations, stored all over the world, re-combined instantaneously and moved across borders via individuals’ mobile devices. Underpinning this approach is the Revised Guidelines’ principle that the data controller remains accountable for personal data under its control without regard to the location of the data[6].

There are two circumstances in which a member country should refrain from restricting transborder flows of personal data. Firstly, preserved from the 1980 Guidelines, transborder data flows should not be restricted between countries in which the Revised Guidelines are substantially observed[7]. Secondly, where sufficient safeguards exist to ensure compliance with the Revised Guidelines, restrictions are actively discouraged[8].

The Revised Guidelines indicate that any restrictions imposed should be proportionate to the risks presented, bearing in mind the type of data and processing involved[9]. This point is reiterated in the Paragraph 6 acknowledgement that member countries may supplement the principles of the Revised Guidelines in implementing additional measures. The Revised Guidelines require that, where such measures impact transborder data flow, these must be implemented such as to have the least impact on the free flow of personal data.

It is important to note that a data controller’s accountability for personal data is independent of any restrictions or measures another country imposes on transborder data flows; such restrictions do not affect the accountability principle. Data controllers therefore remain accountable irrespective of another country’s data privacy practices.

National Implementation

In implementing an effective and robust privacy regime, the OECD recognises the need for a unified, co-ordinated approach at the national level, along with consistent levels of protection across governmental bodies[10]. Further, intra-governmental co-ordination is emphasised in the Revised Guidelines, so as to promote coherence between various levels of government, as part of a country’s national privacy strategy.

In developing this principle, the Revised Guidelines suggest some ancillary measures, such as education and awareness raising, with a particular emphasis placed on privacy literacy initiatives in the context of providing children with the necessary knowledge and skills to use online facilities in a safe and productive manner.

Another ancillary measure suggested by the Revised Guidelines is in the context of skills development, as privacy professionals will play an increasingly important role in implementing privacy management programmes. Member countries should consider credential programmes in data protection and privacy, specialised education and professional development services. Further, the Revised Guidelines promote technical measures as a way of enhancing the implementation of laws protecting privacy. To this end, the development of privacy-enhancing technologies is highlighted, for example, by member countries promoting research in this area, or supporting the technical development of standards which advance the principles of data protection and privacy[11].

These ancillary measures encouraged by the Revised Guidelines should involve governments, privacy enforcement authorities, self-regulatory bodies, civil society organisations and educators, in order to be truly effective. Further, member countries are encouraged to consider the role of individuals, other than data controllers, in a manner relevant to their role. This is increasingly appropriate as individuals become more involved in creating, posting and sharing personal data online, although the OECD recognises that not every individual should be regulated in the same way.

International Co-operation and Interoperability

A central theme which underpins the Revised Guidelines is the fundamental importance of consistency and co-operation in the implementation of an effective data privacy regime. To this end, the OECD Council Recommendation on Principles for Internet Policy Making, published in December 2011, and the earlier Communiqué on Principles for Internet Policy-Making of June 2011 highlight this need at a global level, recognising the importance of global, governmental interoperability in this area. Practical measures highlighted by the OECD, both in the Revised Guidelines and previously, as fundamental to achieving global interoperability include a global network of privacy enforcement authorities co-operating to achieve a common goal, and ensuring that such authorities are equipped with adequate powers and resources to do so.[12]

The issue of interoperability was addressed by the OECD in 2005, and was formalised in the 2007 Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy, implementing a framework for cross-border co-operation. Consequently, member countries were encouraged to identify and tackle obstacles, in order to enhance the effective enforcement of data privacy regulation. The 2007 Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy therefore identified eliminating barriers as a key initial aspect of achieving global interoperability.

Improving the Evidence Base for Policy Making

The OECD has demonstrated that the evidence base upon which policy making in the field of data privacy relies is unsatisfactory. Its 2011 Recommendation on Principles for Internet Policy Making raised this concern, demonstrating a need for the policy-making process to be further focused on publicly available, reliable data, and therefore that facilities to collect such data need to be introduced into the process.

Conclusion

In revising its 1980 Guidelines, the OECD has provided a timely update to the framework underpinning data privacy regimes in many parts of the world. The focus on privacy management programmes is very much in line with the proposed European Union position. There is likely to be popular support in relation to the independence of national regulators, whether a single entity or multiple entities.

However, greater clarity on the mechanics for successful transborder data flows may have been useful.

What remains to be seen is how these Revised Guidelines will impact the development of the EU regime and regulatory safeguards in other jurisdictions which are also being reconsidered in light of exponential growth in data collection and transfer on a global basis, and the increasing risks this may signify to individuals.

Rohan Massey is a Partner in the IPMT group of McDermott Will & Emery UK LLP, London. He may be contacted at rmassey@mwe.com. He would like to thank Catherine O’Connell, Trainee Solicitor at McDermott Will & Emery UK LLP, London, for her assistance in the preparation of this article.