OECD

Joint Roundtable of the Committee for Information, Computer and Communications Policy (ICCP), and its Working Party on Information Security and Privacy (WPISP)

30 YEARS AFTER: THE IMPACT OF THE OECD PRIVACY GUIDELINES

March 10, 2010

Address by Hans Peter Gassmann

former Head of the ICCP Division

Directorate for Science, Technology and Industry, OECD

Mr. President, dear Delegates,

It is a great honour for me to be invited to speak to this Roundtable to-day. It is also a great day for me to see that 30 or even 40 years after our initial work on privacy protection, these issues are still very much alive to-day, and that the OECD continues to play a role in this field.

My remarks will be as follows:

1) I want to give a short retrospective on some events which occurred 30-40 years ago and which helped provide the impetus to draft the OECD Privacy Guidelines;

2) I want to give some examples of how these Guidelines are still relevant to present-day events and discussions;

3) I want to present some ideas and reflexions on how these Guidelines might be modernised.

1) Retrospective: Work by OECD on Privacy Protection and Transborder Data Flows, 1968 – 1985, and some related events in Member countries.

March 1968: 3rd Ministerial Meeting on Science of OECD Countries on „Gaps in Technology“

June 1968: Committee on Science Policy decides that „Computer Utilisation“ should be examined by OECD. Creation of a „Computer Utilisation Group“

October 1970: The first Data Protection Law ever is enacted for the Land of Hessen, a State of Germany. It applies to the public sector only

1971: 2 reports published in the Series „OECD INFORMATICS STUDIES“:

No 1: Computerised data banks in public administration

No 2: Digital information and the privacy problem. In this report, the Hessen Data Protection Law was translated and published in English and French as an Annex.

1972: The Computer Utilisation Group creates 2 „Panels“, the Data Bank Panel and the Panel on Policy Issues of Computer/Communications Interaction. Report No 3 on „Computer and Communications“ published in 1973

1973: „Watergate Scandal“ in the US

1973: Swedish Data Act. This Act was the first Data Protection Law of a sovereign country; it applies to the private and the public sector

January 1974: US „Federal Privacy Act“ enacted. It applies to the Federal Government only

June 1974: OECD Seminar on Policy Issues in Data Protection and Privacy

- Proceedings published in 1976. In this report, the 1973 Swedish Data Protection Law and the American Privacy Act of 1974 were reproduced in the Annex. This seminar brought together major decision makers from OECD Member countries to present facts, exchange views and debate ways forward. After the death of President Pompidou in 1974, the newspaper Le Monde published an article, „La chasse aux Français“ (the Hunt of the French), about the interconnection of giant government data banks. Scandal: the spectre of George Orwell's Big Brother haunted the French public. The Messmer government set up a Study Commission „Informatique et Liberté“. Almost all its members took part in the OECD seminar, which had the great advantage of presenting all papers in English and French, so it became an important input into the preparation of the relevant legislative work of the French Parliament. The notion of „Transborder Data Flows“ was debated for the first time at this seminar, in one of the 4 sessions.

February 1975: Conference on Computer/Communications Policy, OECD, Paris

August 1976: Informatique et Liberté Projet de Loi (Bill) in France. Its Exposé des motifs stated that „the bill also takes into account the initiatives taken by international organisations ... especially of the OECD, whose reflections on the technological, economic and policy aspects of information technology have a determining international influence“

September 1977: Symposium on Transborder Data Flows and the Protection of Privacy, Hofburg, Vienna

early 1978: Beginning of work of an OECD Expert Group on Drafting Guidelines governing the Protection of Privacy and Transborder Data Flows of Personal Data.

1977 – 1980: About one third of OECD Member countries have adopted Privacy Protection Laws

January 1980: In his State of the Union Address, President Carter, in mentioning his government's privacy program, stated that „International Guidelines are needed to protect the privacy of personal information transferred from one country to another, while avoiding disruption of needed information flows. We have spearheaded work in the Organisation for Economic Cooperation and Development toward this end, and guidelines have been drafted for adoption this year.“

September 1980: Final Adoption by the OECD Council of a Recommendation concerning Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. This Recommendation contains 8 basic Principles for national application, and 4 Principles of international application, providing a balance between free flow and legitimate restrictions.

October 1980: Council of Europe Convention 108 on the Protection of Privacy is adopted. It enters into force when a minimum of 5 countries have ratified it. Then it will be binding on the signatories.

1981: Creation of the Information, Computer and Communications Committee (ICCP) by the OECD Council

1983: Symposium on Transborder Data Flows, Church House, London

1984: Conference on „1984 and Beyond“ in the Reichstag, Berlin

April 1985: Adoption by the OECD Council of a Declaration on Transborder Data Flows

2) Relevance of the OECD Privacy Guidelines to-day

In some respects, these Guidelines seem to be outdated. They clearly come from a pre-internet age. The notion of Transborder Data Flows seems obsolete in the age of instant, worldwide web connections, where the ubiquity of sender and receiver is taken for granted.

On the other hand, the Guidelines were expressly drafted in a technology-neutral way, and not specifically for „ADP“ (Automatic Data Processing). Therefore the Principles are still by and large valid, even if their interpretation and information technology itself have changed. In 1978-1980 several European Member countries' representatives had doubts about the usefulness of such non-binding Guidelines, and even questioned whether the OECD was the right place to draft such Guidelines. They clearly preferred the Council of Europe Convention, which was much more „solid“ in their eyes, because it was legally binding. On the other hand, it became clear that such „soft law“ in the form of Recommendations of good practice was quite useful for all OECD Member countries, with their wide spectrum of legal systems. They provided a sort of flexible bridge between the European approach to „Data Protection“ and the more general view of „Privacy Protection“ in non-European Member countries. They certainly contributed to a certain international harmonisation, if not standardisation, of principles in the legislative approaches of Member countries and even of non-Member countries. Imitation effects are always a powerful stimulus to the spread of new approaches.

Privacy protection issues have had, over the years, their ups and downs. Sometimes these issues were high on government agendas (e.g. the French example, the Watergate scandal, etc.), and sometimes just routine matters. There always was a delicate balance between privacy protection and national security concerns. For example, in Germany during the 1980s the years of terrorism by the RAF group made inroads into data protection; similarly, after September 2001 the global fight against terrorism made privacy protection issues secondary, and in many Member countries new national security laws were enacted which to a certain extent eroded privacy protection. At present, it seems that privacy protection is again on the upswing. Two examples illustrate this:

The SWIFT issue between the United States and the European Community. The US government had reached an agreement last year with the European Commission for a right of access to certain financial flows on the SWIFT international bank transaction network, in the name of national security concerns and the global fight against terrorism. This agreement was overturned by the European Parliament in February 2010 on the grounds that privacy protection issues were not sufficiently taken care of in this agreement. A new agreement needs to be negotiated soon, where issues of reciprocity may well play a role. Clearly paragraphs 15-18 of the OECD Privacy Guidelines (Basic Principles of International Application: Free Flow and Legitimate Restrictions) very much apply here, although the issue of access to content was not expressly dealt with.

The German Supreme Constitutional Court ruled on March 2, 2010 that the general automatic storage of all telecommunications transaction data by telecommunications carriers in Germany for a minimum of 6 months was unconstitutional, except in some well defined specific cases. That means that the relevant German law needs to be amended. But this brings up another difficulty: the European Union Directive 2006/24/EG specifies in Article 6 that these telecommunications transaction data (not their content) should be stored automatically for a minimum of 6 months and a maximum of 2 years. Several EU member countries have not implemented this Directive, and Sweden has even been condemned by the European Court of Justice for not doing so. Again, the massive, automatic collection of telecommunications transaction data may infringe on the privacy of consumers and citizens by creating user profiles. This is clearly dealt with by paragraph 7, the Collection Limitation Principle of the OECD Privacy Guidelines.

3) Some reflexions on the modernisation of the Guidelines

In re-reading the Guidelines, and especially the Explanatory Memorandum, it quickly becomes clear that several issues hotly debated to-day are treated only in passing, or are missing altogether. Some of these are:

Access: Who has access to stored personal data? National security agencies? Private persons unknown to the data subject? Do data controllers hide information they pass on to third parties?

Storage limitation in time: In the Purpose Specification Principle, there is mention of the destruction or erasure of data, but only en passant.

Right to oblivion (droit à l'oubli): The French Secrétaire d'Etat Nathalie Kosciusko-Morizet is very keen on this issue. In her recent book „Tu viens?“ (Do you follow me?) she argues that we have to face a paradox: the more we use electronic media, computers, internet, cellphones, GPS, electronic credit, health and other cards, the more we realise how we can be tracked, how information about us is stored, and there is a fear of losing our freedom. She also points out that there is a big generation gap: the elders (including myself) have a tendency to be discreet, to keep things to ourselves, to shun publicity. I may add that this may be a reflex from times of war, of the Big Brother syndrome, of police states. The young generation on the contrary has a tendency to show off, to find it cool to put exuberant expressions on their micro-blogs, to impress their friends or peers with crazy or even indecent pictures. This may be cool, but later on young people may regret having such data (and pictures are also digital files with millions of pixels) out on the web, since there is no possibility to call them back. Once they are out, they are out. This may well be an impediment for their future careers. This is not Big Brother, it is Small Brother. It may well be that we will need new rules about „automatic wipe-off“ after a certain time of storage.

Reciprocity: Not much is said in the Guidelines about reciprocity. There is only general language about „a standard of equivalent protection“ in the case of transborder data flows. It is recommended that there should be information exchange related to these Guidelines, and mutual assistance in the procedural and investigative matters involved. It may be that, given the legally non-binding nature of the Guidelines, the notion of reciprocity would not have made much sense. Yet this is becoming quite important, as we can see in the SWIFT case.

Self-regulation: The Guidelines do recommend supporting self-regulation. This is more important than ever, especially for private sector actors. National laws are increasingly inadequate to regulate, or even to sanction, failings in a global web situation. There are already many lawsuits where private persons or users feel their privacy invaded by data controllers.

Some examples:

August 2009, California: Lawsuit by users against improper release of personal data by Facebook; it is alleged that Facebook engages in data mining and harvesting without fully disclosing these practices to its users.

November 2009, Germany: Lawsuit against Wikipedia

November 2009, Switzerland: Lawsuit against the Google Street View online service. There is a feeling that this service, with its 2.75-metre-high cameras, is a privacy invasion, especially in quiet neighbourhoods, as it can view over fences or walls.

What are the remedies?

In early 2009, the United States Congress held hearings on a stricter update of the principles for self-regulation in online data collection for advertising purposes. There is much concern that people are tracked too much online. In response to this, the U.S. advertising industry published in July 2009 a report on „Self-regulatory Principles for Online Behavioral Advertising“. There is also increased pressure by the US Federal Trade Commission on the online marketing world. But already 30 years ago self-regulation was considered by many experts to be a sort of fig-leaf without much teeth, since control of compliance always was a problem.

In November 2009, an international conference was held in Madrid to try to obtain a consensus on an international standard for privacy protection on Internet.

All these efforts show that it is increasingly difficult for national governments to maintain control of the borderless and de-centralised internet and to issue regulations on its use.

Self-regulation is fine, and necessary, but there must also be proof of compliance by the data controllers.

Challenge to OECD

This points to a challenge to OECD. Through updated and modernised Privacy Protection Guidelines, and in co-operation with the private sector, both data controllers and private users, it could establish rankings or lists of those data controllers who comply with the strict criteria laid down by international consensus, and of those who do not. This is a field the OECD has been good at in other areas: widely publicise best practices in a comparative way based on commonly agreed principles, and make public and disseminate how they are complied with. The Internet is an instrument to invade our privacy? Use it widely to protect us consumers and users, by disseminating knowledge and creating transparency on who complies with the Principles of Data Protection and who does not. A general policy statement, as often found on data controllers' homepages, is too generic: more evidence of compliance is needed.

4) Honours

At the end of my remarks, I want to honour some persons who significantly contributed to the development and spread of data privacy 40 or 30 years ago, and to the drafting of the OECD Privacy Guidelines, with my apologies to those I do not mention:

Spiros Simitis, Germany, drafter of the worldwide first Data Protection Act of Hessen;

Jan Freese, Sweden, father of the Swedish Data Protection Act, the first comprehensive Privacy Protection Law of a sovereign country;

Michael Kirby, then Chairman of the Australian Law Reform Commission, our Conductor of the Expert Group which drafted the OECD Privacy Guidelines;

Louis Joinet, France, then secretary of the Tricot Commission, drafter of the French Informatique et Liberté bill;

Peter Seipel, Sweden, who as a consultant to OECD helped draft the Privacy Guidelines and their Explanatory Memorandum;

Russell Pipe, United States, who as a consultant to OECD developed the concept of Transborder Data Flows;

Oswald Ganley, United States, who was instrumental for Secretary of Commerce Baldridge sending a letter to the 500 largest US firms, enterprises, banks and insurance companies inviting them to implement the OECD Privacy Guidelines on a voluntary basis;

Frits Hondius, Council of Europe, who was the spiritus rector behind the Council of Europe Data Protection Recommendations and subsequently Convention No 108 on Data Privacy Protection;

Alice Frank, OECD Secretariat, who held the pen in the meticulous preparation of the various drafts of the OECD Privacy Guidelines.
