The Organization for Economic Cooperation and Development (“OECD”) has revised its Guidelines governing the Protection of Privacy and Transborder Flows of Personal Data. The revision was triggered by changes in personal data usage as well as new approaches to privacy protection since the adoption of the first Guidelines back in 1980, which were the first set of internationally agreed privacy principles. Whereas the eight basic principles of the 1980 Guidelines (namely the collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation and accountability principles) are maintained, the revised Guidelines introduce a number of new concepts and changes to the OECD privacy framework, implementing a risk-based approach. These include:
- implementing privacy management programs – essential elements discussed in this respect include privacy policies, employee training and education, provisions for sub-contracting, audit process and privacy risk assessment;
- introducing mandatory data security breach notification – requiring notification to the privacy enforcement authority where there is a significant security breach affecting personal data and notification to individuals where such a breach is likely to adversely affect individuals;
- the need for privacy enforcement authorities and national privacy strategies – the revised Guidelines recognize the need to establish authorities with the governance, resources and technical expertise necessary to exercise their powers effectively and to make decisions on an objective, impartial and consistent basis; they also promote the development of a coordinated approach across governmental bodies up to the highest levels; Member countries should also consider complementary measures, including education and awareness raising, skills development and the promotion of technical measures;
- improving global interoperability – through international arrangements (examples mentioned include the U.S.-EU Safe Harbor framework, the EU Binding Corporate Rules and the Council of Europe Convention 108 on the Automated Processing of Personal Data) and global cooperation among privacy enforcement authorities.
As regards international data transfers, the changes to the 1980 Guidelines are more subtle. The revised Guidelines begin by recalling that a data controller remains accountable for personal data under its control regardless of the location of the data. Moreover, they give recognition to the measures that a data controller can put in place to ensure a continuing level of protection (this could be, for example, a combination of technical and organizational security safeguards, contracts, complaints handling processes and audits).
There are a number of parallels between the revised Guidelines and the European Commission’s proposal for a General Data Protection Regulation, published in January 2012 (for the latest status of the legislative process, see InsidePrivacy, EU Parliament’s Lead Committee Will Vote on EU Data Protection Regulation in October, September 17, 2013). Most significantly, both instruments put a strong emphasis on the principle of accountability as a means to promote and define organizational responsibility for privacy protection, and both articulate a number of very similar essential elements in this regard, including the concept of privacy by design and the role of privacy officers. Another striking example is the introduction of a mandatory security breach notification (although the revised Guidelines introduce a threshold for notification to the authority). It will also be interesting to see whether the General Data Protection Regulation, once adopted, will reflect a more risk-based approach similar to the one implemented in the revised OECD Guidelines, as also suggested by the Council in its examination of the Commission’s proposal (see InsidePrivacy, The Battle Lines are Clearing Up: The Irish Presidency Note on the Proposed General Data Protection Regulation, March 2013).