Accountability Without Liability: ‘To Whom’ and ‘With What Consequences’? (Questions for the 2019 OECD Privacy Guidelines Review)

Abstract

The concept of accountability, though present in international data protection agreements since the 1980s, has gained more prominence since its elaboration in the 2013 revision of the OECD privacy Guidelines and the 2016 EU General Data Protection Regulation (GDPR). In the GDPR art. 24 ‘demonstrable accountability’ has become an additional and separate obligation on data controllers. If a controller fails to so demonstrate compliance, the supervisory authority can order it to bring its processing operations into compliance, and/or impose an administrative fine. The GDPR implementation can be described as ‘accountability with liability’. The wording of the 2013 revisions of the OECD Guidelines new Part Three ‘Implementing Accountability’ leaves a number of matters ambiguous that would benefit from clarification in the revision of the Guidelines, so as to move from ‘accountability without liability’, to ‘accountability with liability’. This paper proposes three revisions. APEC (Asia Pacific Economic Cooperation)’s Cross-border Privacy Rules system (CBPRs), is regarded as a leading non-legislative implementations of ‘accountability’, including in the 2013 revision of the Guidelines. I argue that it is a very unsuccessful implementation, which should not be followed, nor promoted by the Guidelines. There are three main reasons: • After being in operation for seven years, only two countries – the USA and Japan – participate fully, in that they have nominated an AA and that AA certifies companies. Even the participation of these two countries should be classified as a failure, since on 24 US companies have been certified since 2013, and 3 Japanese companies since 2015. • There are a few aspects of the operation of APEC’s CBPRs (removal of certification, referrals to PEAs, and anonymised case notes) which go directly to the questions of whether either its Accountability Agents (AAs), or the companies they certify, really are ‘accountable’ in the sense of having any liability for failure to comply with CBPRs rules. Despite six years as the USA’s AA, TrustArc’s web pages do not contain any information at all about any of these matters. • The potential for ‘interoperability’ between CBPRs and other international instruments concerning data protection, is mentioned in Background Papers and the Guidelines themselves. The Guidelines are too low a standard to suit this purpose, as the EU has recognized in it adequacy decision concerning Japan. In conclusion, five recommendations are made to address accountability gaps in the OECD Privacy Guidelines, including removal of misleading references to APEC CBPRs.