Three decades have passed since the Organisation for Economic Co-operation and Development (OECD) promulgated Guidelines on the Transborder Flows of Personal Data,18 and still the issue of transborder flows of personal data continues to plague policymakers, industry, and individuals who have no idea what happens to their data once that data is transmitted beyond their national jurisdictions. This article briefly reviews what happened in the 1970s, the factors that led to production of the guidelines, and some of the key points in them. We highlight the success of the guidelines, but also the shortcomings, and what is happening now to bridge the gap and ask whether an international binding convention or standard is needed. We conclude with a few modest suggestions for ensuring a new convention or standard has teeth.
In the 1970s, the decade before the OECD Guidelines were promulgated, some countries had already begun to enact privacy laws applicable to the public and private sectors. The world’s first data protection law was passed in the German Land of Hessen in 1970. In 1977, a Federal Data Protection Act (Bundesdatenschutzgesetz or BDSG) followed. Sweden’s Data Act of 1973 was the first comprehensive national act on privacy in the world.24 France’s Data Protection Act, enacted in 1978 and amended in 2004, covers personal information held by government agencies and private entities.13,15,24
In the U.S., antecedents of the 1974 Privacy Act were the American Fair Credit Reporting Act of 1970 and a 1973 report of the Department of Health Education and Welfare (HEW) on fair information practices (FIP).27
In the seven-year stint between 1973 and 1980, one-third of the OECD’s 30 Member countries enacted legislation intended to protect individuals against abuse of data related to them and to give individuals the right of access to data with a view to checking their accuracy and appropriateness.a Some countries were enacting statutes that dealt exclusively with computers and computer-supported activities. Other countries preferred a more general approach irrespective of the particular data processing technology involved. The OECD became concerned that these disparities in legislation might “create obstacles to the free flow of information between countries.”
The OECD Council recognized that Member countries have a common interest in protecting privacy “and in reconciling fundamental but competing values such as privacy and the free flow of information.”b This persisting tension between data protection and the free flow of information is already obvious in the OECD Guidelines of 1980, which were intended to facilitate a harmonization of national legislation, without precluding the establishment of an international Convention at a later date.
As it turned out, the Council of Europe (CoE), another international organization mainly concerned with the fostering of human rights and democracy in Europe, was working simultaneously in that direction—that of an international convention. As European countries began to adopt data protection laws, pressure grew for more uniformity of these laws.13 From a human rights perspective, the CoE began preparing an international convention on data protection that nevertheless also included provisions dealing with data processing abroad. Efforts were made to avoid unnecessary differences between the texts produced by the two organizations; thus, the set of basic principles of protection proposed by the OECD and the CoE are similar in many respects.4
On Sept. 17, 1980, the Committee of Ministers of the CoE adopted the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data,5 the first legally binding international instrument in data protection. The convention sought to establish basic principles of data protection, to reduce restrictions on transborder data flows on the basis of reciprocity, and to bring about cooperation between national data protection authorities (DPAs). Parties to the convention are required to apply the principles in their domestic legislation.
Six days later, on Sept. 23, 1980, the OECD Council adopted its guidelines on transborder data flows. Although efforts were made to minimize the differences, some do occur nevertheless. The OECD Guidelines are not legally binding, whereas the CoE convention is binding on those countries that ratify it. The CoE convention only applies to personal data that are “automatically” processed, whereas the guidelines are valid for the processing of data in general, irrespective of the particular technology employed. The OECD Guidelines, unlike the CoE convention, do not mention the need to establish national data protection authorities, a crucial requirement in European data protection rules. But, all in all, the principles formulated are similar.
The OECD Guidelines and the CoE convention both recognize the need to harmonize data protection standards.13 Like the CoE convention, the OECD Guidelines aimed to prevent interruptions in the international flow of data, but are not to be construed as a set of general privacy protection principles per se. The guidelines explicitly say that invasions of privacy by candid photography, physical maltreatment, or defamation are outside their scope.
What’s in the Guidelines
The negotiation of the guidelines was “difficult and contentious,” because many Europeans saw the American espousal of the principle that information flows should rarely be impeded as a veiled attempt to protect U.S. hegemony in the global marketplace. Some Americans, on the other hand, saw ulterior trade-protectionist motivations behind the data protection label.4
One can sense the tension where the guidelines say that “Member countries endeavour to remove or avoid creating, in the name of privacy protection, unjustified obstacles to transborder flows of personal data.” The wording seems to imply that obstacles to transborder flows are justified if there really are privacy concerns, but that such obstacles are unjustified if one invokes privacy concerns simply as an excuse to impede the transborder flows. Distinguishing between these two situations seems fraught with difficulty.
The guidelines apply to data that can be related to identified or identifiable individuals. The guidelines are intended to cover both the private and the public sector.
Eight basic principles are at the core of the guidelines:
Collection limitation. There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.c
Data quality. Personal data should be relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, should be accurate, complete, and kept up-to-date.
Purpose specification. The purposes for which personal data is collected should be specified not later than at the time of data collection.
Use limitation. Personal data should not be disclosed, made available, or otherwise used for purposes other than those specified except with the consent of the data subject or by the authority of law.
Security safeguards. Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure of data.
Openness. There should be a general policy of openness about developments, practices, and policies with respect to personal data. Means should be readily available for establishing the existence and nature of personal data, and the main purposes of its use, as well as the identity and usual residence of the data controller.
Individual participation. An individual should have the right (a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; (b) to have communicated to him, data relating to him within a reasonable time, at a charge, if any, that is not excessive, in a reasonable manner, and in a form that is readily intelligible to him; (c) to be given reasons if a request is denied, and to be able to challenge such denial; and (d) to challenge data relating to him and, if the challenge is successful to have the data erased, rectified, completed, or amended.
Accountability principle. A data controller should be accountable for complying with measures that give effect to the principles stated here.
In addition to these eight core principles of national application, the guidelines contain four basic principles of international application:
- Member countries should take into consideration the implications for other member countries of domestic processing and re-export of personal data.
- Member countries should take all reasonable and appropriate steps to ensure that transborder flows of personal data, including transit through a member country, are uninterrupted and secure.
- A member country should refrain from restricting transborder flows of personal data between itself and another member country except where the latter does not yet substantially observe the guidelines or where the re-export of such data would circumvent its domestic privacy legislation.
- Member countries should avoid developing laws, policies, and practices in the name of the protection of privacy and individual liberties, which would create obstacles to transborder flows of personal data that would exceed requirements for such protection.
Member countries are also exhorted to support each other’s efforts to ensure that personal data is not deprived of protection as a result of its transfer to territories and facilities where control is slack or nonexistent. In addition, “Member countries should, where requested, make known to other Member countries details of the observance of the principles set forth in these Guidelines.” This suggests that Europe could ask the U.S. how it is observing some of the principles (even in particular cases) and the U.S. would be expected to respond. For example, Europe could ask how the U.S. Department of Justice was using the data it got from SWIFT, whether the data was passed on to third parties, how it was protected, and so on.14
The OECD Council also recommended that “Member countries agree as soon as possible on specific procedures of consultation and co-operation for the application of these guidelines.” It does not say how wide-ranging the “consultation” should be. But clearly some consultation has taken place because the OECD followed up with the Declaration of 1985 and other related guidelines.19,1920212,2324
The guidelines say the problems of developing safeguards for personal data cannot be solved exclusively at the national level. Even more explicitly, the guidelines urge member countries to “work towards the development of principles, domestic and international, to govern the applicable law in the case of transborder flows of personal data.” So the OECD recognized that, despite the guidelines, more work was needed to sort out the problems of transborder flows.
Impact of the Guidelines
The OECD Guidelines have been extraordinarily successful in inducing OECD member countries, and others too, to introduce legislation based on them. When the guidelines were adopted 30 years ago, only about one-third of member countries had privacy legislation. Today nearly all OECD member countries have laws—most of which follow the principles of the Guidelines—and authorities to enforce those laws.22,24 The principles also feature in the EC’s Data Protection Directive of 1995.12
Marc Rotenberg has observed “a remarkable convergence of privacy policies. Countries around the world, with very distinct cultural backgrounds and systems of governance, have adopted roughly similar approaches to privacy protection.3 Perhaps this is not so surprising as the guidelines were drafted by representatives from North America, Europe, and Asia. The OECD Guidelines reflect a broad consensus about how to safeguard the control and use of personal information in a world where data can flow freely across national borders—just as it does today on the Internet.”25
The OECD Guidelines continue to have influence. The U.S. Department of Homeland Security set out its privacy policy in a memorandum at the end of 2008. Included in that memo were eight principles that closely tracked those in the guidelines, although it also refers to the fair information practices in the Privacy Act of 1974. One important difference is the memo’s reference to auditing, which is not in the guidelines. The memo also says it has used the fair information practices to assess privacy when conducting privacy impact assessments.28
Actual implementation of the fair information practices and/or the eight OECD principles can vary widely at the statutory, regulatory, or data controller level depending on the country, the data controller, the type of data, conflicting goals, and other factors. For example, accountability can be met through many different mechanisms, including criminal or civil penalties; national or provincial supervisory officials; other administrative enforcement; various forms of self-regulation including industry codes and privacy seals; formal privacy policies; compliance audits; employee training; privacy officers at the data controller level; and other methods.13
While there is congruence in privacy laws, there are also differences, as the OECD itself has observed:
“If member country authorities share commonalities in terms of the powers they have and the scope of the laws they enforce, certain variations remain. Some authorities are charged with resolving individual complaints, others with supervising regulatory compliance, and many do both. Variations exist with respect to complaint-handling processes, the authority to investigate or audit, and the available sanctions and remedies for a breach. Some are independent authorities, some housed within government departments. Some cover the public sphere, others only the private sector, and many cover both. A few authorities are mandated to enforce privacy laws covering a particular economic sector, for example, telecommunications or financial services.”22
Although the OECD Guidelines do not include the principle of the establishment of a national supervisory data protection authority, the Data Protection Directive explicitly adopted this principle (Art. 28). This is all the more important as U.S. law does not include any constitutional or general requirement to set up a national data protection authority or authorities. On that point, the U.S. endorses the OECD Guidelines, while Europe provides for a more stringent principle.
More Work Foreseen to Sort Out the Problems
Despite their evident success in influencing the construction of legislation around the world, the OECD Guidelines were proposed as minimum standards, capable of being supplemented by additional measures.
Furthermore, the guidelines were viewed as an interim measure, as indicated in various places in the guidelines. The OECD felt there had to be consensus on the fundamental principles on which protection of the individual must be based. Such a consensus would be the first step toward the development of more detailed, binding international agreements.
The Explanatory Memorandum that accompanies the guidelines cites several reasons why the regulation of the processing of personal data should be considered in an international context, two of which are still valid and important today: “The principles involved concern values which many nations are anxious to uphold and see generally accepted;… countries have a common interest in preventing the creation of locations where national regulations on data processing can easily be circumvented.” The memorandum also states there would be need for a continuing review of the guidelines, both by member countries and the OECD, that the guidelines should be brought to the attention of non-member countries and appropriate international organizations, and that the guidelines could serve as a starting point for the development of an international convention of a binding nature. But this issue remains contentious because there is an inherent conflict between the protection of personal data and the free transborder flow of personal data. Emphasis may be placed on one or the other, and interests in privacy protection may be difficult to distinguish from other interests relating to trade, culture, national sovereignty, and so forth. The guidelines attempt to balance the two values against one another: while accepting certain restrictions to transborder flows, they seek to reduce the need for such restrictions and thereby strengthen the notion of free information flows between countries. The Explanatory Memorandum rightly observes that “the task of balancing opposing interests is delicate and unlikely to be accomplished once and for all.”
Is There a Need for an International Convention?
The OECD contends that there is still a need for a binding international convention as well as the guidelines. In 1985, it adopted a Declaration on Transborder Data Flows, in which member countries expressed their intention to “develop common approaches for dealing with issues related to transborder data flows and, when appropriate, develop harmonised solutions.”
One could argue that there already is an international convention, that is, the CoE convention, which is open for signature and ratification by any state. Being European is not a prerequisite, as Article 23 (Accession by non-member states) of the convention makes clear. However, no non-European state has ratified the convention as yet. Also, the convention has some limitations as mentioned here (it’s limited to automatic processing).
It could be argued that the EU Data Protection Directive has an extra-territorial impact in raising data protection standards beyond the borders of the European Union.
“It exercises considerable influence over other countries, not least because it prohibits (with some qualifications) the transfer of personal data to [third] countries unless they provide ‘adequate’ levels of data privacy (see Articles 25–26 of the EU Directive)… Many non-European countries are passing legislation in order to meet this adequacy criterion at least partly. Furthermore, the EU Directive stipulates that the data privacy law of an EU state may apply outside the European Union in certain circumstances, most notably if a data controller, based outside the European Union, utilizes ‘equipment’ located in the state to process personal data for purposes other than merely transmitting the data through that state (see EU Directive Article 4[1][c]). All of these provisions give an impression that the European Union, in effect, is legislating for the world.”30
But the Data Protection Directive cannot really be regarded as an adequate substitute for an international convention, and the EU itself recognizes this by virtue of the fact it has participated in international efforts to address the shortfalls in existing law. Moreover, the extra-territorial impact of the Data Protection Directive has not been universally welcomed.
Furthermore, the OECD has said that “Existing arrangements are not, however, sufficiently comprehensive or globally coordinated to adequately address the cross-border enforcement challenges.”22 Global data flows have elevated the risks to privacy, according to the OECD. However, the biggest difficulty with a binding convention is getting countries to agree to it and ratify it.
High-Level Contact Group
In November 2006, the EU and U.S. established an informal, high-level, advisory group (the so-called High Level Contact Group, HLCG) to discuss personal data protection in the context of the exchange of information for fighting terrorism and serious transnational crime. The group was composed of senior officials from the European Commission, the Council Presidency and the U.S. Departments of Justice, Homeland Security and State. The HLCG submitted its final report to the EU-U.S. Summit of June 12, 2008.
The group agreed upon a set of core principles, acceptable as minimum standards when processing personal data for law enforcement purposes.7 These principles covered:
- Purpose specification or limitation;
- Integrity and data quality;
- Proportionality;
- Information security;
- Special categories of personal information (sensitive data);
- Accountability;
- Independent and effective oversight;
- Individual access and rectification;
- Transparency and notice;
- Redress;
- Automated individual decisions; and
- Restrictions on onward transfers to third countries.
The group differed on the principle of redress. Both sides agreed that an aggrieved data subject should be provided an effective remedy, and agreed on what types of actions constitute effective redress. However, they disagreed over the scope of judicial redress. The EU side asserted that every individual in the EU has the right to redress before an impartial and independent tribunal regardless of his or her nationality or place of residence, whereas some U.S. laws—such as the Privacy Act of 1974—treat nationals differently. In the U.S., an individual may generally challenge government actions, including the handling of personal information, before a judicial tribunal, but the individual must exhaust all agency remedies before applying to a court.
The HLCG identified several issues for further consideration:
- Consistency in private entities’ obligations during data transfers;
- Equivalent and reciprocal application of privacy and personal data protection law;
- Preventing undue impact on relations with third countries;
- Specific agreements regulating information exchanges and privacy and personal data protection; and
- Issues related to the institutional framework of the EU and U.S.
Text was agreed upon for those five points in an addendum to the final report in October 2009, although the issue of redress still remains open.
Both sides agreed that a binding international convention obliging both the EU and the U.S. to apply the agreed common principles in trans-Atlantic data transfers is desirable for use in any future agreements relating to the exchange of specific law enforcement information. The HLCG said non-binding international legal instruments—or “soft law”—and a political declaration would be another option, but would provide less certainty and transparency, and was thus a less desirable solution.
Peter Hustinx, the European Data Protection Supervisor (EDPS), shares the report’s preferred option for the adoption of a legally binding instrument for the sake of legal certainty. But he criticized the agreement for not being negotiated in the open. Stakeholders were not consulted on the draft text. Hustinx was reported to want more interest groups involved in the discussion between the interested parties as well as a greater involvement of the European Parliament. He believes transparency is necessary during the future debates as until now the HLCG has been working behind closed doors.10
Peter Schaar, German data protection commissioner and former chairman of the Article 29 Data Protection Party, has also criticized the agreement. He said he found no “clear rules on purpose limitation” or on the storage period. “First, which data is of concern is not really completely clear. Second, who are the competent authorities on the U.S. side? Third, and most important, there is a lack of independent supervision in the United States over data protection.”17
Following agreement of the addendum, in November 2009, the U.S. Department of Homeland Security announced the U.S. and EU had “achieved a major milestone in data protection and data sharing,” that they had completed a set of common principles that “unite our approaches to protecting personal data when exchanging information for law enforcement and security purposes,” and that the next step was “negotiating a binding international EU-U.S. agreement based on these common principles.”29 A few months before this, the European Commission emphasized the need for an international data protection standard, and said the work on data protection conducted with the U.S. could serve as a basis for future agreements.d
So from the foregoing, we can see there is interest in a binding international convention, but the negotiation needs to be open and stakeholders need to be consulted. Furthermore, other countries also need to be involved.
International Conference of Data Protection and Privacy Commissioners
The International Conference of Data Protection and Privacy Commissioners has been pursuing similar goals as the HLCG, but in a more open process. The International Conference has become an important forum for discussions and resolutions on international transfers of personal data.
At its 29th meeting, held in Montreal in September 2007, it adopted a resolution calling upon governments to be open and transparent about the purposes for which passenger data is collected and used and to make sure all passengers, regardless of their citizenship or country of origin, are provided with access to their personal information and appropriate redress mechanisms. It also said any government programs using passenger data should provide for data minimization;e explicit limits on use, disclosure and retention appropriate to the purpose of the program; data accuracy, rights of access and correction and independent review. It said if governments do not take an approach that correctly weighs data protection concerns, there is a real danger they will undermine the very fundamental freedoms they are seeking to protect.1
At its 30th meeting, held in Strasbourg, in October 2008, the International Conference unanimously adopted a resolution to establish a working group to submit a “proposal for setting international standards on privacy and personal data protection” and to formulate the essential guarantees for better international transfers of data. These standards and guarantees would not be less rigorous than those that prevail in Europe. The proposal is expected to fulfill the following criteria:
- To draw on the principles and rights related to the protection of personal data in the different geographic environments of the world, with particular reference to legal and other texts that have attracted a wide degree of consensus in regional and international forums.
- To elaborate a set of principles and rights which, while reflecting and complementing existing texts, aim to achieve the maximum degree of international acceptance ensuring a high level of protection.
- To assess the sectors in which these principles and rights are applicable, including alternatives focused on harmonizing their scopes of application.
- To define, taking into account the diverse legal systems, the basic criteria that guarantee their effective application.
- To examine the role to be played by self-regulation.
- To formulate the essential guarantees for better and flexible international transfers of data.2
The working group, which includes academics, DPAs, industry, international organizations, and NGOs, among others, was set up in Barcelona in January 2009. Its first draft was sent to about 400 contacts for comments. A second draft version was discussed at the working group’s meeting in Bilbao on June 11. A final draft from that meeting was submitted to the 31st Conference held in Madrid in November 2009. The result was a Joint Proposal for a Draft of International Standards on the Protection of Privacy with regard to the processing of Personal Data (“the Madrid Resolution”) that “provides a set of principles, rights, obligations, and procedures that any legal system of data protection and privacy should strive to meet.” The resolution was aimed at ensuring that “the processing of personal data in the public and private sector would be performed in a more internationally uniform approach.” It was billed as a “new step toward the development of a binding international instrument.”15
In addition to this initiative, the International Conference has made some overtures to the International Organization for Standardization (ISO) in the context of setting privacy standards. This resolution specifically mentions and supports action taken within APEC, OECD and other regional and international fora to develop effective means to promote better international standards of privacy and data protection.
The International Conference clearly wants more forceful efforts, policies and instruments to address the issue of transborder flows. As it represents the largest annual gathering of data protection authorities, it is in an influential position to press for changes and to further harmonize approaches to data protection issues. It is also helpful that its annual conferences are open—more than 600 experts participated in the Strasbourg meeting—as a way of promoting a shared understanding of data protection issues and approaches to dealing with them.
A Few Modest Suggestions
Thirty years after the OECD Guidelines were issued, the setting of data protection and privacy standards in a broadly, if not universally, accepted binding international legal instrument is still at stake. Although there is no doubting the success of the OECD Guidelines as one of the main initiators of an international approach to address the issue of transborder flows of personal data, today’s networked world is still in need of a refined, more effective, globally agreed set of binding international standards. The change in the technological context over the last three decades might explain the wear of the guidelines, but a more important factor is the differences between the political approaches to data protection on opposite sides of the Atlantic, notably relating to data minimization and the existence of independent supervisory data protection authorities.
Unlike the U.S., the EU insists on both principles in a tradition stemming from the 1950 European Convention on Human Rights (ECHR). Any future internationally binding legal instrument on data protection will have to build a bridge between these divergent views. While the principles of data minimization and independent supervision must be part of the core standards of any international or global regime of data protection and transborder data flows, that does not mean that such legally endorsed standards must be met by the same means everywhere. If effective supervision of the respect for standards can be realized through regular audits and certified transparency or if effective remedies can be provided in the framework of self-regulation, such paths could be explored. The HLCG and the International Conference of Data Protection and Privacy Commissioners are obviously working along these lines, which is good news. It is clear that a positive outcome of the process of establishing binding international standards would be an improvement over the current Safe Harbor agreement.f
However, the trouble with many “solutions” has been the lack of consultation with stakeholders. Such consultation should take place in the context of a privacy impact assessment (PIA). One could envisage a PIA being carried out at a global level with regard to the transfer of personal data for a particular project, service, system, application or even for law enforcement. The project (or whatever) would be subjected to the analysis undertaken as part of a PIA. The PIA would include consultation with stakeholders and the third countries involved in the project.g Open working groups of experts and interested or concerned stakeholders should be involved as part of the PIA, with the task of examining safeguards, data minimization, purpose limitation, and so on. The project sponsor (which could be a government agency or a multinational) would be encouraged to keep an open mind with regard to the possible outcomes of the PIA and, if it does, the exercise could lead to effective solutions without necessarily requiring new legislation. Almost certainly, the parties involved in the project would need to agree to independent supervision and/or audits and some independent arbitration in the event of disputes.
PIAs have yet to be applied to international transfers of personal data and the views of stakeholders, including the government agencies and companies who have or want the personal data, about such a procedure are unknown. One could imagine they might be reluctant to undergo such scrutiny, especially if the data was deemed to be sensitive (for example, for investigating criminals or terrorists). However, those reluctant to undergo a PIA shouldn’t be surprised if some interpret their reluctance as a wish to hide what they are doing with personal data.
Some metrics would also help to inform stakeholders about how successful measures are in protecting personal data once the data has been transferred. For example, it would be useful to measure the number of requests for access to personal data held in third countries, the time it takes to get access, the costs involved, the number of corrections made, how often or the number of instances in which personal data is passed on to other organizations, and so on.
Further empirical research is needed to assess how companies are using and protecting personal exported data, how procedurally easy or difficult it is for citizen-consumers to have access to their data and to correct it, on the repurposing of data by government and industry, and how citizens can determine who has their data.
The privacy community is rather large—there are lots of data protection authorities, experts, academics, and privacy advocacy groups as well as technologists writing about privacy-enhancing technologies. There are also many international conferences and workshops dealing with privacy issues. So the information exchange is extensive. Still, there seems to be a need for sharing best practices in privacy and data protection involving international transfers of personal data.
We can applaud the success of the OECD Guidelines, but as its authors said 30 years ago, more work is needed to deal with the problem of transborder flows of personal data.h A binding international convention and/or standard would go a long way to addressing a problem that has come to seem intractable. A binding convention and/or standard should be accompanied by privacy impact assessments, audits, and metrics. Thirty years ago, the response of some stakeholders (the ones manipulating our data) was easily predictable, but today their response could well be more nuanced, as even they have come to place more value on earning the public’s trust and confidence without which many new applications, such as e-government and e-commerce, will not reach their full promise. It’s time for some changes.