Abstract

Three decades have passed since the Organisation for Economic Co-operation and Development (OECD) promulgated Guidelines on the Transborder Flows of Personal Data, and still the issue of transborder flows of personal data continues to plague policymakers, industry, and individuals who have no idea what happens to their data once that data is transmitted beyond their national jurisdictions. This article briefly reviews what happened in the 1970s, the factors that led to production of the guidelines, and some of the key points in them. We highlight the success of the guidelines, but also the shortcomings, and what is happening now to bridge the gap and ask whether an international binding convention or standard is needed. We conclude with a few modest suggestions for ensuring a new convention or standard has teeth.

In the 1970s, the decade before the OECD Guidelines were promulgated, some countries had already begun to enact privacy laws applicable to the public and private sectors. The world's first data protection law was passed in the German Land of Hessen in 1970. In 1977, a Federal Data Protection Act (Bundesdatenschutzgesetz or BDSG) followed. Sweden's Data Act of 1973 was the first comprehensive national act on privacy in the world. France's Data Protection Act, enacted in 1978 and amended in 2004, covers personal information held by government agencies and private entities. In the U.S., antecedents of the 1974 Privacy Act were the American Fair Credit Reporting Act of 1970 and a 1973 report of the Department of Health, Education, and Welfare (HEW) on fair information practices (FIP). In the seven-year stint between 1973 and 1980, one-third of the OECD's 30 Member countries enacted legislation intended to protect individuals against abuse of data related to them and to give individuals the right of access to data with a view to checking their accuracy and appropriateness.
Some countries were enacting statutes that dealt exclusively with computers and computer-supported activities. Other countries preferred a more general approach irrespective of the particular data processing technology involved. The OECD became concerned that these disparities in legislation might "create obstacles to the free flow of information between countries." The OECD Council recognized that Member countries have a common interest in protecting privacy "and in reconciling fundamental but competing values such as privacy and the free flow of information." This persisting tension between data protection and the free flow of information is already obvious in the OECD Guidelines of 1980, which were intended to facilitate a harmonization of national legislation, without precluding the establishment of an international Convention at a later date. As it turned out, the Council of Europe (CoE), another international organization mainly concerned with the fostering of human rights and democracy in Europe, was working simultaneously in that direction, that of an international convention. As European countries began to adopt data protection laws, pressure grew for more uniformity of these laws. From a human rights perspective, the CoE began preparing an international convention on data protection that nevertheless also included provisions dealing with data processing abroad. Efforts were made to avoid unnecessary differences between the texts produced by the two organizations; thus, the set of basic principles of protection proposed by the OECD and the CoE are similar in many respects. On Sept. 17, 1980, the Committee of Ministers of the CoE adopted the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, the first legally binding international instrument in data protection.
The convention sought to establish basic principles of data protection, to reduce restrictions on transborder data flows on the basis of reciprocity, and to bring about cooperation between national data protection authorities (DPAs). Parties to the convention are required to apply the principles in their domestic legislation. Six days later, on Sept. 23, 1980, the OECD Council adopted its guidelines on transborder data flows. Although efforts were made to minimize the differences, some do occur nevertheless. The OECD Guidelines are not legally binding, whereas the CoE convention is binding on those countries that ratify it. The CoE convention only applies to personal data that are "automatically" processed, whereas the guidelines are valid for the processing of data in general, irrespective of the particular technology employed. The OECD Guidelines, unlike the CoE convention, do not mention the need to establish national data protection authorities, a crucial requirement in European data protection rules. But, all in all, the principles formulated are similar. The OECD Guidelines and the CoE convention both recognize the need to harmonize data protection standards. Like the CoE convention, the OECD Guidelines aimed to prevent interruptions in the international flow of data, but are not to be construed as a set of general privacy protection principles per se. The guidelines explicitly say that invasions of privacy by candid photography, physical maltreatment, or defamation are outside their scope.
