Revised OECD Privacy Guidelines Focus On Accountability, Notification of Breaches


By Rick Mitchell  

Sept. 12 -- The Organisation for Economic Co-operation and Development has released updated privacy guidelines with an increased focus on implementation and enforcement and a new risk-management approach to accountability for companies and public organizations, practitioners told Bloomberg BNA Sept. 11.

Posted on the OECD's website Sept. 9, the updated guidelines replace the 33-year-old original guidelines. The new guidelines maintain the 1980 version's goal of protecting privacy as a fundamental condition for cross-border data flows, but they are “modernized” and “take account of a very important shift, to a data-driven economy in the world,” said Anne Carblanc, head of OECD's Information, Communications and Consumer Policy Division.

“In 30 years, we've seen a huge change in scale in the way these privacy principles have to function, because of the volume and variety of data, the value that personal data brings to organizations today, and the number of transactions that individuals are expected to negotiate and control involving their own data,” said Michael Donohue, an OECD policy analyst on privacy.

Among other things, the document calls for national governments to make data privacy strategies a top priority and for public organizations and companies to be more accountable for protecting privacy, such as by data breach notification, Carblanc and Donohue said.

Implementing Accountability

Olivier Proust, Brussels-based attorney at Field Fisher Waterhouse LLP, said one of the most significant changes to the guidelines is a new Part III on “implementing accountability,” introducing the concept that an organization's data controller must have a data “privacy management program” and be prepared to demonstrate it is appropriate at the request of a privacy enforcement authority.

The program is similar to the data protection correspondents program that France's data protection authority (CNIL) has implemented in recent years, said Carblanc, who previously served as the CNIL's secretary-general (12 PVLR 526, 3/25/13).

Proust said the guidelines introduce the concept of a “privacy risk assessment,” echoing the “privacy impact assessment” required under Chapter IV of the draft European Union data protection regulation.

The European Commission has proposed updating the EU data protection regime to, among other things, increase cooperation on enforcement of EU privacy law by EU member state authorities. The Commission, the EU's executive arm, proposed in January 2012 to replace the bloc's 1995 Data Protection Directive (95/46/EC) with a regulation (11 PVLR 178, 1/30/12).

The OECD guidelines include a reference to “privacy enforcement authorities,” which did not exist explicitly under the 1980 version, specifying they should have the “governance, resources and technical expertise necessary to exercise their powers effectively and to make decisions on an objective, impartial and consistent basis.”

Notification for 'Significant' Breaches

The guidelines' accountability section states that data controllers should “provide notice, where appropriate, to privacy enforcement authorities or other relevant authorities where there has been a significant security breach affecting personal data.”

Contrary to the draft EU regulation, the OECD's guidelines take a more risk-based approach by limiting the notification requirement to significant security breaches, Proust said. “The idea is to avoid over-burdening data controllers and DPAs, and to guarantee the effectiveness of data breach notification rules,” he said.

Proust said this provision could influence the draft EU data protection regulation's final wording on data breach notification, “given that the EU Council of Ministers has also proposed to limit the notification requirement to breaches that are ‘likely to severely affect the rights and freedoms of individuals.’”

Christopher Wolf, a Washington-based partner at Hogan Lovells US LLP and a member of the OECD volunteer group of privacy experts asked to consult on the revised guidelines, welcomed the final text's “practical focus on a risk management approach to protecting privacy,” an approach that “makes great sense and is the only realistic option in a data-laden economy.”

Cross-Border Breaches

Wolf said the guidelines' provision on data security breach notification reflects “the contribution this U.S.-originated concept has made to the protection of privacy.”

For data breaches affecting individuals living in different countries, the guidelines call for cross-border enforcement cooperation mechanisms for breach notifications to multiple jurisdictions, Proust said.

He said this provision is in line with the European Commission's newly adopted Regulation No. 611/2013 on measures applicable to data breach notification under the amended 2009 EU e-Privacy Directive (2009/136/EC). The regulation imposes on national authorities a duty to inform one another and to cooperate when a data breach affects the personal data of individuals located in several EU member states (12 PVLR 1507, 9/2/13).

No 'Right to Forget'

Practitioners said the OECD guidelines do not include language on a “right to forget,” a concept that is in the draft EU data protection regulation, and that French courts have recognized (11 PVLR 619, 4/2/12).

“This was not seriously considered” by the working party that revised the guidelines, Donohue said.

In the EU, “there are some tensions between the right to forget as it's being contemplated now and the freedom of speech, so this probably wouldn't work very well for all of our member countries,” he said.

What's Next

Carblanc said the guidelines are nonbinding but represent political commitments by the OECD's 34 member countries.

OECD will present the new guidelines at the 35th International Conference of Data Protection and Privacy Commissioners, scheduled for Sept. 23-26 in Warsaw, she said.

A very important objective for the revised guidelines is to help non-OECD countries that don't have advanced privacy protections, such as China, India and countries elsewhere in Asia, South America and Africa, to establish such protections, she said.

This is how the guidelines can accomplish things that the EU data privacy regime cannot do, Carblanc said.

To contact the reporter on this story: Rick Mitchell in Paris at

To contact the editor responsible for this story: Katie W. Johnson at

The updated 2013 OECD Privacy Guidelines are available at
