What will be the impact of the revised OECD Guidelines? | Fieldfisher
24/09/2013
This month, the Organisation for Economic Cooperation and Development (OECD) published its first ever revision to the original 1980 guidelines on the protection of privacy and transborder flows of personal data. It has been over 20 years since the OECD published the first internationally agreed set of privacy principles, and now it seems armed and ready to tackle the modern challenges of the international privacy world. But what is the real impact of these provisions?


The primary aim of the Revised Guidelines is to increase organisations' accountability for data security practices through a number of new mechanisms including an obligation on data controllers to implement a robust privacy management programme. There is also a shift to a more risk-based approach, with the guidelines focusing on 'risk' and 'proportionality'.


The guidelines also introduce a number of other new provisions, including: the implementation of national privacy strategies that are effectively coordinated at the highest levels of government; an obligation for member countries to support international arrangements promoting global interoperability; and an obligation to notify authorities and individuals of data security breaches.


The revisions are a clear indication of the OECD's attempt to modernise its approach to international data flows and to strengthen privacy enforcement. It has also attempted to tighten its link with the EU regime by including 'good practice' references to different collaborative approaches taken by EU data protection authorities as a way of emphasising to its members the need for increased interoperability.


But perhaps the most significant revision is the obligation to implement a robust privacy management programme. This is the first time that members of the OECD around the world will be uniformly required to implement a comprehensive programme. In addition, they will be required to ensure the privacy programme: 




  • gives effect to the Revised Guidelines for all personal data under its control;

  • is tailored to the structure, scale, volume and sensitivity of its operations;

  • provides for appropriate safeguards based on privacy risk assessment;

  • is integrated into its governance structure and establishes internal oversight mechanisms;

  • includes plans for responding to inquiries and incidents; and

  • is updated in light of ongoing monitoring and periodic assessment. 


The OECD's proposal attempts to align with the EU's approach of ensuring privacy mechanisms are properly documented and are supported by effective procedures. Will this be the catalyst that motivates organisations and data protection authorities around the world to adopt a uniform approach to data privacy? We shall see.     
