Sept. 12 --The Organisation for Economic Co-operation
and Development has released updated privacy guidelines with an increased focus on
implementation and enforcement and a new risk-management approach to
accountability for companies and public organizations, practitioners told
Bloomberg BNA Sept. 11.
Posted on the OECD's website Sept. 9, the
updated guidelines replace the 33-year-old original guidelines. The new
guidelines maintain the 1980 version's goal of protecting privacy as a
fundamental condition for cross-border data flows, but they are “modernized”
and “take account of a very important shift, to a data-driven economy in the
world,” said Anne Carblanc, head of OECD's Information, Communications and
Consumer Policy Division.
“In 30 years, we've seen a huge change in
scale in the way these privacy principles have to function, because of the
volume and variety of data, the value that personal data brings to
organizations today, and the number of transactions that individuals are
expected to negotiate and control involving their own data,” said Michael
Donohue, an OECD policy analyst on privacy.
Among other things, the
document calls for national governments to make data privacy strategies a top
priority and for public organizations and companies to be more accountable for
protecting privacy, such as by data breach notification, Carblanc and Donohue
Brussels-based attorney at Field Fisher Waterhouse LLP, said one of the most
significant changes to the guidelines is a new Part III on “implementing
accountability,” introducing the concept that an organization's data controller
must have a data “privacy management program” and be prepared to demonstrate it
is appropriate at the request of a privacy enforcement authority.
program is similar to the data protection correspondents program that France's
data protection authority (CNIL) has implemented in recent years, said
Carblanc, who previously served as the CNIL's secretary-general (12 PVLR 526,
Proust said the guidelines introduce the concept of a “privacy
risk assessment,” echoing the “privacy impact assessment” required under
Chapter IV of the draft European Union data protection regulation.
The European Commission has proposed updating the EU data protection regime
to, among other things, increase cooperation on enforcement of EU privacy law
by EU member state authorities. The Commission, the EU's executive arm,
proposed in January 2012 to replace the bloc's 1995 Data Protection Directive
(95/46/EC) with a regulation (11 PVLR 178, 1/30/12).
The OECD guidelines
include a reference to “privacy enforcement authorities,” which did not exist
explicitly under the 1980 version, specifying they should have the “governance,
resources and technical expertise necessary to exercise their powers
effectively and to make decisions on an objective, impartial and consistent
accountability section states that data controllers should “provide notice,
where appropriate, to privacy enforcement authorities or other relevant
authorities where there has been a significant security breach affecting
Contrary to the draft EU regulation, the OECD's
guidelines take a more risk-based approach by limiting the notification
requirement to significant security breaches, Proust said. “The idea is to
avoid over-burdening data controllers and DPAs, and to guarantee the
effectiveness of data breach notification rules,” he said.
this provision could influence the draft EU data protection regulation's final
wording on data breach notification, “given that the EU Council of Ministers
has also proposed to limit the notification requirement to breaches that are
“likely to severely affect the rights and freedoms of individuals.”
Christopher Wolf, a Washington-based partner at Hogan Lovells US LLP and a
member of the OECD volunteer group of privacy experts asked to consult on the
revised guidelines, welcomed the final text's “practical focus on a risk
management approach to protecting privacy,” an approach that “makes great sense
and is the only realistic option in a data-laden economy.”
Wolf said the guidelines' provision on data security breach
notification reflects “the contribution this U.S.-originated concept has made
to the protection of privacy.”
For data breaches affecting individuals
living in different countries, the guidelines call for cross-border enforcement
cooperation mechanisms for breach notifications to multiple jurisdictions,
He said this provision is in line with the European
Commission's newly adopted Regulation No. 611/2013 on measures applicable to data
breach notification under the amended 2009 EU e-Privacy Directive
(2009/136/EC). The regulation imposes on national authorities a duty to inform
one another and to cooperate when a data breach affects the personal data of
individuals located in several EU member states (12 PVLR 1507, 9/2/13).
Practitioners said the OECD guidelines do not
include language on a “right to forget,” a concept that is in the draft EU data
protection regulation, and that French courts have recognized (11 PVLR 619,
“This was not seriously considered” by the working party that
revised the guidelines, Donahue said.
In the EU, “there are some
tensions between the right to forget as it's being contemplated now and the
freedom of speech, so this probably wouldn't work very well for all of our
member countries,” he said.
Carblanc said the
guidelines are nonbinding but represent political commitments by the OECD's 34
OECD will present the new guidelines at the 35th International Conference of Data Protection and Privacy
Commissioners, scheduled for Sept. 23-26 in Warsaw, she said.
important objective for the revised guidelines is to help non-OECD countries
that don't have advanced privacy protections to establish such protections,
such as in China, India, elsewhere in Asia, South America and Africa, she
This is how the guidelines can accomplish things that the EU data
privacy regime cannot do, Carblanc said.
To contact the reporter on
this story: Rick Mitchell in Paris at firstname.lastname@example.org.
To contact the editor
responsible for this story: Katie W. Johnson at email@example.com.
The updated 2013 OECD
Privacy Guidelines are available at http://www.oecd.org/sti/ieconomy/2013-oecd-privacy-guidelines.pdf.
To view additional stories from Privacy & Data Security Law
Resource Center™ register for a free trial now