The Evolving OECD Privacy Guidelines

December 20, 2013

By Christine Runnegar, Director, Public Policy , Internet Society

2013 marks the 33rd anniversary of the OECD Privacy Guidelines. It is also the year that the OECD adopted the Revised Privacy Guidelines[1]. Much has changed in 33 years. Even the OECD has changed in that time. Since 1980, the OECD community has grown to include new members: Chile, Czech Republic, Estonia, Hungary, Israel, South Korea, Mexico, Poland, Slovakia, Slovenia; and two new advisory committees: CSISAC and ITAC.

In 2010, the OECD recognised that it was time to revisit the Guidelines, and after careful research and consideration as to how the privacy landscape has evolved[2], consultation with privacy experts, and thorough deliberation, the OECD adopted the Revised Privacy Guidelines in 2013.

How have the Guidelines evolved?

A new part has been added explaining how the “Accountability Principle” should be implemented. In particular, the Guidelines provide that data controllers should have in place a privacy management programme, be prepared to demonstrate that their respective privacy management programmes are appropriate, and provide notifications of significant data breaches.[3] Additionally, the guidelines make it clear that the data controller remains accountable without regard to the data’s location.[4]

Accountability-based approaches to legal compliance are likely to continue to gain popularity as they offer the potential of a more flexible approach, as well as a way to bridge diverse legal regimes and shift the resource burden from enforcement to compliance.

The changes to the principles governing transborder data flows seem subtle, but they are significant. Firstly, they now cover flows to non-OECD member countries. Secondly, although the text is still framed as “refrain from restricting transborder flows of personal data” the circumstances in which flows are not restricted are, arguably, narrower. Member countries now need to be satisfied that the recipient substantially observes the guidelines or that sufficient safeguards exist before they refrain from restricting transborder data flows.[5] However, the restrictions that may be imposed have been confined by the introduction of a requirement that they be proportionate to the risks presented[6]. How this works in practice remains to be seen.

The revisions regarding national implementation reflect the changing perspective on how best to achieve privacy protection. For example, they underline the importance of effective enforcement authorities. They also introduce the notion of a national privacy strategy and the idea of complementary measures such as the promotion of privacy-protecting technical measures.[7]

International cooperation has been expanded to specifically incorporate the concept of “interoperability”, strengthen cross-border enforcement cooperation, and encourage the development of internationally comparable metrics.[8]

One significant area that remains essentially untouched is “exceptions” (including, for national security). With different timing, this might not have been the case. However, as it presently stands, the guidance is minimal, i.e. that exceptions to the Guidelines should be: “as few as possible” and “made known to the public”[9]. It is abundantly clear that more work is needed to ensure that there are truly effective constraints and safeguards, plus a commitment to follow them. Here is a clear opportunity for the OECD to lead the way.


[3] See OECD Revised Privacy Guidelines, Part 3

[4] See OECD Revised Privacy Guidelines, Part 4, paragraph 16

[5] See OECD Revised Privacy Guidelines, Part 4, paragraph 17

[6] taking into account the sensitivity of the data, and the purpose and context of the processing. See OECD Revised Privacy Guidelines, Part 4, paragraph 18

[7] See OECD Revised Privacy Guidelines, Part 5, paragraph 19

[8] See OECD Revised Privacy Guidelines, Part 5, paragraphs 20-22

[9] See OECD Revised Privacy Guidelines, Part 1, paragraph 4

______________________________________________________

christine

Christine Runnegar is Director, Public Policy at the Internet Society, based in Geneva, Switzerland. Her current areas of interest include online privacy, security and identity. Christine contributes to the OECD’s work on privacy through the Internet Technical Advisory Committee (ITAC) and APEC’s work on the Cross Border Privacy Rules (CBPR) System through the APEC ECSG Data Privacy Sub-Group (DPS). She also participates in the Internet Architecture Board (IAB) Privacy Program, co-chairs the W3C Privacy Interest Group (PING), and works closely with other Internet technical experts on privacy and provenance. Christine also led the pilot Internet Society Copyright Working Group and the development of the Internet Society’s paper entitled Perspectives on Policy Responses to Online Copyright Infringement – An Evolving Policy Landscape.

Prior to joining the Internet Society in 2009, Christine was a Senior Executive Lawyer employed by the Australian Government Solicitor. As a lawyer for the Australian government, Christine worked in a variety of areas, principally in competition and consumer protection law, but also in administrative law, taxation law, privacy and freedom of information law, corporate regulation and commercial law, information technology, and communications law (specifically anti-spam law).

Christine holds Bachelor degrees in Law and Economics, and is a qualified arbitrator and mediator. She is qualified to serve as a panellist to resolve .au domain name disputes under the .au Dispute Resolution Policy.