20 February 2007
What’s this project about?
The OECD is engaged in new work on privacy. It is focused on the enforcement of privacy laws, and more specifically on the cross-border challenges to effective law enforcement. The project began with an analysis of how OECD countries enforce their privacy laws and identified challenges that arise when enforcement bodies have to address cases or complaints with a cross-border dimension. Building on that analysis we are working to develop a policy framework to assist privacy enforcement authorities in co-operating in cross-border matters, to be accompanied by a set of tools of a more practical nature.
What’s the problem that needs to be addressed?
The dramatic growth of Internet services and the decentralisation of information processing arrangements during recent years have increased the flow of personal information across national borders. Global information transfers involving human resources, financial services, education, and health research – to name a few areas – are increasingly critical to the global economy. The development of an improved framework for privacy enforcement co-operation can help ensure that transborder data flows are not jeopardised by ineffective privacy protections.
It is questionable whether, in today's environment, it is useful to talk in terms of ‘transborder data flows’ at all. On one view, data today does not 'flow' across borders. It may be stored simultaneously in several jurisdictions and accessed from anywhere in the world. In that sense, the project can also be thought of as an attempt to ensure that personal information is protected, regardless of its location.
It’s true that we lack a robust set of indicators on how serious the cross-border (or indeed national) problems of privacy breaches are, and further work to develop such indicators would be helpful. Indeed, one expected result of this project is better co-ordinated information sharing about the kinds of privacy issues that should be seen as priorities for enforcement co-operation. But thinking more strategically, privacy is an area where public perceptions and fears can shift rapidly. Having in place co-operative mechanisms to address problems as they arise can only be a good thing. It can also help in building the trust needed to realise the potential for continued growth in electronic commerce.
Who is involved?
Although the project has been initiated by the 30 member countries of the OECD, it is clear that effective co-operation is a truly global issue. Thus, while the work is being developed through the usual OECD processes, the organisation hopes to associate as many non-OECD jurisdictions with the project as possible. This objective will be pursued in part through collaboration with international organisations like Asia Pacific Economic Cooperation and the Council of Europe. Likewise, regular contacts with privacy law enforcement officials around the world have been sought through contacts with the International Conference of Data Protection and Privacy Commissioners, the International Working Group on Data Protection in Telecommunications, and the Asia Pacific Privacy Authorities Forum.
How is the work being carried out?
The OECD Working Party on Information Security and Privacy (WPISP) is developing the work, in part through the assistance of an expert group led by Canadian Privacy Commissioner Jennifer Stoddart. A questionnaire was developed to elicit information to understand current challenges present in cross-border co-operation and point towards promising directions to address those challenges. Responses to the questionnaire form the basis of a recent Report on the Cross-border Enforcement of Privacy Laws. This background work is helping to inform the development and negotiation of a policy framework.
What will the policy framework look like? Is this going to result in some sort of treaty?
Like other OECD enforcement co-operation instruments, the privacy enforcement framework is being developed as a non-binding Recommendation that will be submitted to the OECD Council for adoption. This type of process represents an important political commitment among OECD countries, though one without legal obligations. These instruments typically set forth a framework of key elements for co-operation, leaving the details of the co-operation to the enforcement bodies involved. Implementation efforts can include the development of bilateral memoranda of understanding (MOUs) or other co-operative arrangements, as well as updated domestic legislation and processes.
Why is the OECD well-placed to do this work?
The OECD has a long-standing interest and expertise in privacy, dating back to the 1980 Privacy Guidelines which continue to serve as a key international benchmark for effective privacy protection. More recently, the OECD has established an expertise in cross-border law enforcement challenges, developing co-operative frameworks for authorities charged with protecting consumers from fraud, enforcing laws against spam, and for competition regulators as well. By supplementing this expertise with the OECD’s usual practice of bringing together all key stakeholders – including business and civil society – the organisation should be well placed to help its membership address these challenges.
More than twenty-five years after their adoption, the OECD privacy guidelines remain a fundamental statement of the international consensus for privacy protection. In addition to the baseline principles they establish for data processing, the Guidelines call for the establishment of procedures for information exchange and mutual assistance in procedural and investigative matters. It is the latter point that serves as the starting point for the current project. When the Guidelines were adopted, only about one-third of OECD countries had privacy laws. Now nearly all do, and widespread law enforcement co-operation is a more realistic prospect.
The OECD has done work on the broader issue of compliance with privacy laws in the particular context of online privacy protection. It concluded this work in 2003 with the publication of a report highlighting the variety of mechanisms employed to encourage compliance. That project did not, however, focus on the challenges faced by enforcement authorities in addressing cross-border complaints and cases, which is the focus of the current project.
What work has been done elsewhere?
There is considerable international dialogue on privacy issues, but enforcement co-operation has not been a common theme. Some work has been done on a regional basis. In the EU, the 1995 Data Protection Directive provides that supervisory authorities shall co-operate with one another, by exchanging all useful information and exercising their powers, if necessary, on request of an authority of another Member state. However, a 2003 European Commission report highlighted the gap between law and practice with respect to enforcement of laws in connection with transborder data flows, noting “little or no sign of enforcement actions by supervisory authorities.” More recently, the Article 29 Working Party issued a declaration on enforcement, announcing plans for EU-wide synchronised investigations on common issues. The 1981 Council of Europe Convention 108 is also relevant in this respect, containing extensive provisions on mutual assistance.
The APEC privacy framework calls for co-operative arrangements covering (1) notification; (2) information sharing; (3) investigative assistance; (4) the establishment of co-operation priorities; and (5) the maintenance of confidentiality. These are all key elements for a successful enforcement co-operation regime, but it remains early days in work on implementation by APEC economies.
Other co-operative arrangements include the US-EU Safe Harbor Agreement, a 2005 MOU between the Spanish Data Protection Authority and the US Federal Trade Commission (on spam), and a recent MOU between the privacy commissioners of Australia and New Zealand. While these developments are promising, it is hoped that new OECD work in this area will bring a real boost to global co-operation efforts.
Cross-Border Privacy Law Enforcement