
Are the OECD guidelines at 30 showing their age?

Published: 01 February 2011

Abstract

Three decades have passed since the Organisation for Economic Co-operation and Development (OECD) promulgated Guidelines on the Transborder Flows of Personal Data, and still the issue of transborder flows of personal data continues to plague policymakers, industry, and individuals who have no idea what happens to their data once that data is transmitted beyond their national jurisdictions. This article briefly reviews what happened in the 1970s, the factors that led to production of the guidelines, and some of the key points in them. We highlight the success of the guidelines, but also the shortcomings, and what is happening now to bridge the gap and ask whether an international binding convention or standard is needed. We conclude with a few modest suggestions for ensuring a new convention or standard has teeth.

In the 1970s, the decade before the OECD Guidelines were promulgated, some countries had already begun to enact privacy laws applicable to the public and private sectors. The world's first data protection law was passed in the German Land of Hessen in 1970. In 1977, a Federal Data Protection Act (Bundesdatenschutzgesetz or BDSG) followed. Sweden's Data Act of 1973 was the first comprehensive national act on privacy in the world. France's Data Protection Act, enacted in 1978 and amended in 2004, covers personal information held by government agencies and private entities.

In the U.S., antecedents of the 1974 Privacy Act were the American Fair Credit Reporting Act of 1970 and a 1973 report of the Department of Health, Education and Welfare (HEW) on fair information practices (FIP).

In the seven-year stint between 1973 and 1980, one-third of the OECD's 30 Member countries enacted legislation intended to protect individuals against abuse of data related to them and to give individuals the right of access to data with a view to checking their accuracy and appropriateness. Some countries were enacting statutes that dealt exclusively with computers and computer-supported activities. Other countries preferred a more general approach irrespective of the particular data processing technology involved. The OECD became concerned that these disparities in legislation might "create obstacles to the free flow of information between countries."

The OECD Council recognized that Member countries have a common interest in protecting privacy "and in reconciling fundamental but competing values such as privacy and the free flow of information." This persisting tension between data protection and the free flow of information is already obvious in the OECD Guidelines of 1980, which were intended to facilitate a harmonization of national legislation, without precluding the establishment of an international Convention at a later date.

As it turned out, the Council of Europe (CoE), another international organization mainly concerned with the fostering of human rights and democracy in Europe, was working simultaneously in that direction---that of an international convention. As European countries began to adopt data protection laws, pressure grew for more uniformity of these laws. From a human rights perspective, the CoE began preparing an international convention on data protection that nevertheless also included provisions dealing with data processing abroad. Efforts were made to avoid unnecessary differences between the texts produced by the two organizations; thus, the set of basic principles of protection proposed by the OECD and the CoE are similar in many respects.

On Sept. 17, 1980, the Committee of Ministers of the CoE adopted the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, the first legally binding international instrument in data protection. The convention sought to establish basic principles of data protection, to reduce restrictions on transborder data flows on the basis of reciprocity, and to bring about cooperation between national data protection authorities (DPAs). Parties to the convention are required to apply the principles in their domestic legislation.

Six days later, on Sept. 23, 1980, the OECD Council adopted its guidelines on transborder data flows. Although efforts were made to minimize the differences, some do occur nevertheless. The OECD Guidelines are not legally binding, whereas the CoE convention is binding on those countries that ratify it. The CoE convention only applies to personal data that are "automatically" processed, whereas the guidelines are valid for the processing of data in general, irrespective of the particular technology employed. The OECD Guidelines, unlike the CoE convention, do not mention the need to establish national data protection authorities, a crucial requirement in European data protection rules. But, all in all, the principles formulated are similar.

The OECD Guidelines and the CoE convention both recognize the need to harmonize data protection standards. Like the CoE convention, the OECD Guidelines aimed to prevent interruptions in the international flow of data, but are not to be construed as a set of general privacy protection principles per se. The guidelines explicitly say that invasions of privacy by candid photography, physical maltreatment, or defamation are outside their scope.

Published in: Communications of the ACM, Volume 54, Issue 2, February 2011, 115 pages

ISSN: 0001-0782
EISSN: 1557-7317
DOI: 10.1145/1897816

Copyright © 2011 ACM


Publisher: Association for Computing Machinery, New York, NY, United States
