30th Anniversary of the OECD Privacy Guidelines
Remarks of Marc Rotenberg
OECD
Paris, France
10 March 2010

Mr. Chairman, ladies and gentlemen, thank you for the opportunity to speak with you today about the 30th Anniversary of the OECD Privacy Guidelines. This is a wonderful occasion and I am grateful for the opportunity to participate.

OECD officials and national representatives have said much today about the importance of the Privacy Guidelines, but it is difficult to overstate the significance of this influential policy framework. If you do a quick online search for the phrase “OECD Guidelines,” it is the OECD Privacy Guidelines that come up first. If you search for “Privacy Guidelines,” it is the OECD framework again at the top. It could be reasonably argued that the OECD Privacy Guidelines are the most influential international framework for privacy ever established, as well as one of the most significant contributions of the OECD to the development of international policies for a global economy.

As earlier speakers have also noted, the OECD Privacy Guidelines led directly to the adoption of national laws in many countries, new business practices, and professional codes of conduct. The OECD Guidelines also provided the basis to resolve a pending trade dispute between the European Union and the United States in the 1990s, to build a bridge between the EU and the US that enabled the free flow of information and the emergence of online commerce. And more recently, the OECD Guidelines provided the basis for the policy framework for transborder data flows in the APEC region.

The actual experience in the United States is worth discussing for a moment, though it is not generally well understood. The clearest example of the implementation of the OECD Privacy Guidelines in the US can be found in the “privacy subscriber provisions” of the Cable Communications Act of 1984, adopted not long after the Guidelines were finalized.
This law, which anticipates many of the opportunities but also the privacy risks of interactive digital services, incorporates almost all of the elements of the Privacy Guidelines – use limitations, purpose specifications, and collection limitations, among others.

The US cable privacy law, based on the OECD principles, also had this remarkable consequence: because of the very clear limitations on the collection and use of personally identifiable information, companies were forced to find innovative ways to communicate with customers without building detailed profiles. Techniques for deidentification and anonymization emerged in the cable service field because companies understood that their use of personally identifiable information could subject them to liability. So, they found new solutions and developed new business practices. This is precisely the effect that a good privacy law should have. It should make companies innovative in the best sense – delivering products and services while minimizing the risks to privacy.

Unfortunately, the US moved away from the approach of the OECD Privacy Guidelines, and substituted “notice and choice” for the Fair Information Practices set out by the OECD. The legal framework that once encouraged innovative technologies that would come to be known as “Privacy Enhancing Techniques” was replaced. Notice and choice simply put online the old-fashioned opt-out and led to the building of detailed profiles on consumers. This was an unfortunate detour that ultimately leads to a dead end. It explains, in part, the serious problems that the United States now confronts with security breaches and identity theft, and the growing public concern about the misuse of personal data.
I remain hopeful that the US will soon be back on track with the OECD Privacy Guidelines, a framework that the United States played a very large role in developing, strongly endorsed at the outset, and that provided an initial glimpse of how a smart legal regime could promote innovation and competition and safeguard consumer privacy.

But I am not here today to jeopardize my US passport or to be subject to body scanners. I would like to highlight the key factors that I believe contributed to the success of the OECD Privacy Guidelines around the world.

1. The OECD Guidelines were forward-looking. They were bold and ambitious. They took on an emerging problem that was not well understood by the general public.

2. The Guidelines were narrow in scope and focused on a particular problem. The OECD combined the human rights interest in data protection and the commercial interest in promoting transborder flows of personal data in an increasingly global economy.

3. The Guidelines were intellectually coherent. Many international instruments contain a list of aspirational statements or a hodge-podge of competing goals tied together in a single text. There is a basic elegance in the articulation of the privacy principles set out in the OECD Guidelines. The pieces fit together. The structure is clear. The annex enriches the meaning. Theory is anchored in application.

4. The Guidelines were technologically neutral. The OECD took on a challenge infused with technology and, rather than attempting to define, describe, or regulate the technology, chose instead to focus on the rights and responsibilities of the various participants in the collection and use of personal data. The Guidelines work for networks based on mainframe computers and acoustic couplers as they do for mobile devices and broadband Internet.

5. The Guidelines have an institutional home.
The OECD’s sponsorship of the undertaking, its work to publicize the outcomes, and its efforts to renew interest in the Guidelines have provided an ongoing presence and helped to maintain the stature of the Guidelines. It is not obvious that a similar set of principles without a significant host institution would have become as influential.

6. There was at the outset broad participation from countries around the world. Europe played a central role in the development of the Guidelines, but the United States was an active participant as was Japan. And an Australian chaired the committee.

7. The Guidelines had a champion. Many experts contributed to the work of the OECD, but Michael Kirby, as chairman, played a critical role. Not only was he able to move the OECD committee forward, his status as a jurist and human rights champion gave the Guidelines greater weight. The Guidelines were more than the outcome of an intergovernmental agency; they reflected the passion and commitment of the committee chair.

8. Expertise of Committee. Credit for the success of the Guidelines must also go to the Committee members and the OECD secretariat who managed to produce a purposeful and durable articulation of privacy in the modern era, with a particular emphasis on practical application. Many committees have since tried to replicate the success of the OECD Privacy Committee but none has reached the mark. Part of the reason must be the expertise and determination of the original Committee members.

9. The Guidelines had the right level of specificity. In this respect, the Guidelines passed the Goldilocks test; they were neither “too hot” nor “too cold.” A more specific statement could have been too confusing. A more general statement would have been too vague and lacked practical effects.

Up to this point, it is worth noting that none of these characteristics are directly related to privacy.
These factors could describe a successful strategy for the development of international policy frameworks in many fields.

But the tenth key to success of the OECD Privacy Guidelines is very much tied to the essential purpose of privacy protection, a principle that rejects the “balancing” approach of many policy frameworks and recognizes the essential paradox of privacy protection:

10. The Guidelines reflect the central goal of protecting privacy to enable the free flow of information. Jan Frees said this famously many years ago, and it is still the best way to understand the relationship between data protection and the free flow of information. Privacy enables the trust and confidence that enable consumers to participate in new network environments, to reveal information that they otherwise are reluctant to share. In the absence of privacy protection, information would flow less freely. It appears as a paradox; to many it is counter-intuitive. It remains still the core principle of an effective privacy framework.

One further comment on the freedom of information issue since it has recently received a great deal of attention. It is critical when invoking this claim to ask simply: whose freedom are we describing? Is it the freedom of the person whose information is provided, or is it the freedom of the company that has obtained the personal data? A brief reflection on this simple point should clear up much of the confusion.

In adopting the Guidelines, the OECD helped make possible the necessary preconditions for the success of online commerce and the emergence of the global market. Before the Internet was widely available, the OECD had set out a remarkably prescient framework that would be the starting point for how thousands of companies would later develop and articulate their own privacy policies.
And it would help safeguard the privacy interests of hundreds of millions of consumers around the globe.

It is quite possible that the OECD Privacy Guidelines represent the best articulation of privacy in our modern era that can be conceived. It is difficult to imagine the circumstances that would lead to a dramatic change even as some modest changes are incorporated.

These comments are not to suggest that the Guidelines are without flaws or that implementation and enforcement do not remain critical challenges. But the significance for privacy is clear and the possibility that the success of the OECD can be replicated in other fields is very real.

Thank you for your attention.