The Organization for Economic Cooperation and Development (OECD) has released a revision of its 1980 Privacy Guidelines. The fundamental elements of the original guidelines, the Fair Information Practice Principles (FIPPs), remain in place, but the OECD recognizes the revolutionary changes in technology since the first OECD Guidelines, and the importance of the digital economy and trans-border data flows. Accordingly, there is significant emphasis on the interoperability of national privacy regimes and the need for greater international cooperation. There also is a focus on privacy management programs and the role of enforcement.
As explained by the OECD:
These new Guidelines constitute the first update of the original 1980 version that served as the first internationally agreed upon set of privacy principles.
Two themes run through the updated Guidelines. First is a focus on the practical implementation of privacy protection through an approach grounded in risk management. Second is the need for greater efforts to address the global dimension of privacy through improved interoperability. A number of new concepts are introduced, including:
• National privacy strategies. While effective laws are essential, the strategic importance of privacy today also requires a multifaceted national strategy co-ordinated at the highest levels of government.
• Privacy management programmes. These serve as the core operational mechanism through which organisations implement privacy protection.
• Data security breach notification. This provision covers both notice to an authority and notice to an individual affected by a security breach affecting personal data. (emphasis supplied)
The new Guidelines follow the work of a multi-stakeholder group of privacy professionals (of which Hogan Lovells’ Christopher Wolf was a member). This group was chaired by Canada’s Privacy Commissioner Jennifer Stoddart, and Omer Tene, consultant to the OECD, served as rapporteur. On the basis of the group's work, proposed revisions were developed by the OECD Working Party on Information Security and Privacy (WISP) and approved by the Committee for Information, Computer and Communications Policy (ICCP), before final adoption by the OECD Council.
The revised Guidelines come at a time when trade negotiators around the world are focusing on cross-border data flows and interoperability (e.g., in the talks over the Trans Pacific Partnership and the Transatlantic Trade and Investment Partnership), and the OECD’s carefully considered thinking is expected to have an impact on the trade talks.