Recent international privacy developments
There have been two rounds of meetings in 2012 of the OECD Committee for Information, Computer and Communications Policy (ICCP) and some of its working parties – in May and October 2012, with a further meeting of two working parties in December. A ‘foresight forum’ on the ‘big data’ theme was held on 22 October. Civil society interest in the ICCP work programme is formalised through the Civil Society Information Society Advisory Council (CSISAC).
The Working Party on Information Security and Privacy (WPISP) has progressed its review of the 1980 OECD Privacy Guidelines. The October 2012 meetings considered draft revised Guidelines, and a Supplemental Explanatory Memorandum, and further revisions will be made with a view to finalising texts for consideration by the ICCP Committee in April 2013. The approach currently under consideration would leave the eight 1980 Principles unchanged, adding a new Part on Accountability, fleshing out Principle 8. Outstanding issues still under discussion include the reference to ‘independence’ of privacy enforcement authorities and the wording for the Part of the Guidelines dealing with cross border data transfers. Civil society has provided input both through a Volunteer Expert Group and through CSISAC, and broadly supports the likely outcomes, subject to acceptable resolution of the cross border transfer and DPA independence issues. Civil society regards it as essential to maintain a strong emphasis on compliance monitoring and enforcement by strong DPAs, and to retain the discretion for both individual members and regional groupings such as the EU and Council of Europe to require higher standards of data protection, including strong controls on cross border transfers. The proposed new accountability provisions are welcome provided they are interpreted as additional obligations and not an alternative to compliance with and enforcement of the Principles.
Terms of reference have been agreed for a review of the 2002 Security Guidelines, with a new Volunteer Expert Group being established to report to the April 2013 meetings. Work continues on the relationship between these and wider OECD work on Cybersecurity and the protection of critical information infrastructures.
A paper on Improving the Evidence Base For Information Security and Privacy will be publicly released soon, and work continues on the Economics of Personal Data. In relation to the latter, civil society has expressed concerns about the limitations of applying conventional economic analysis to privacy protection, which must be seen as a fundamental human right, not just a commodity susceptible to monetary valuation and trading.
The work under ICCP auspices on the role of Internet Intermediaries remains controversial, in the context of the Internet Policy Principles adopted by the OECD in 2011 (civil society supported the final principles but declined to endorse an earlier communique, in part because of the weight given to commercial and intellectual property interests). Also of note is that the ICCP Committee is planning a substantial work item in 2013-14 on ‘big data’ issues, including privacy, and has agreed to organise a ministerial meeting on Internet-related issues in 2015 or 2016.
International Commissioners’ events
This year’s International Conference of Data Protection and Privacy Commissioners (ICDPPC) was held in Uruguay in late October. A two-day open conference preceded two days of closed sessions, and future conferences will emphasise the closed sessions, leaving the hosts to organise an associated open event only if they wish and have the capacity. For the fourth successive year, there was also a valuable Public Voice civil society-organised one-day event before the ICDPPC meeting, this time with support from the Uruguayan authorities.
Apart from the usual discussion of the range of current privacy ‘challenges’, much of the proceedings at the public events ‘danced around’ two big unresolved issues. The first is the ability of privacy laws and regulators to accommodate the ever-increasing variety of business models which rely on exchange of personal information, increasingly across jurisdictions – so-called ‘big data’, and also the growing role of individuals as data controllers/publishers, particularly through social media. An important related issue is whether de-identified data which can nevertheless be used to target individuals for customised attention – for instance in on-line behavioural advertising – does or should fall within the definition of regulated ‘personal data’.
The second big issue is the continuing tension between the so-called ‘European’ model of data protection and an alternative approach preferred by business groups and the US government. The latter approach places greater reliance on data controller accountability, industry codes of practice and a primary role for intermediaries such as trustmark schemes, with backstop enforcement which can be based on sectoral or trade practices/consumer protection law as an alternative to general privacy law. The ‘European’ model (now also adopted by many jurisdictions outside Europe) places greater emphasis on universal application of more prescriptive rules, with at least the potential for strong enforcement by independent Data Protection Authorities (DPAs). Speakers clearly identified the difficulties posed by ‘big data’ and social media, and the significant differences between the two regulatory models, but not surprisingly failed to provide many solutions. Perhaps for diplomatic reasons, key speakers were optimistic about the prospects for resolving the political differences, but without much evidence that any compromise is on the horizon.