OECD
Joint Roundtable of the Committee for Information, Computer and
Communications Policy (ICCP), and its Working Party on Information
Security and Privacy (WPISP)
30 YEARS AFTER: THE IMPACT OF THE OECD PRIVACY GUIDELINES
March 10, 2010
Address by Hans Peter Gassmann
former Head of the ICCP Division
Directorate for Science, Technology and Industry, OECD
Mr. President, dear Delegates,
It is a great honour for me to be invited to speak to this Roundtable to-day. It is also a great
day for me to see that 30 or even 40 years after our initial work on privacy protection, these issues
are still very much alive to-day, and that the OECD continues to play a role in this field.
My remarks will be as follows:
1) I want to give a short retrospective on some events which occurred 30–40 years ago which
contributed to provide the impetus to draft the OECD Privacy Guidelines;
2) I want to give some examples how these Guidelines are still relevant to present-day events
and discussions;
3) I want to present some ideas and reflexions on how these Guidelines might be modernised.
1) Retrospective: Work by OECD on Privacy Protection and Transborder
Data Flows, 1968 – 1985, and some related events in Member countries.
March 1968: 3rd Ministerial Meeting on Science of OECD Countries on „Gaps in Technology“
June 1968: Committee on Science Policy decides that „Computer Utilisation“ should be examined by
OECD. Creation of a „Computer Utilisation Group“
October 1970: The first Data Protection Law ever is enacted for the Land of Hessen, a State of
Germany. It applies to the public sector only
1971: 2 reports published in the Series „OECD INFORMATICS STUDIES“:
No 1: Computerised data banks in public administration
No 2: Digital information and the privacy problem. In this report, the Hessen Data Protection Law
was translated and published in English and French as an Annex.
1972: The Computer Utilisation Group creates 2 „Panels“, the Data Bank Panel and the Panel on
Policy Issues of Computer/Communications Interaction. Report No 3 on „Computer and
Communications“ published in 1973
1973: „Watergate Scandal“ in the US
1973: Swedish Data Act. This Act was the first Data Protection Law of a sovereign country; it
applies to the private and the public sector
January 1974: US „Federal Privacy Act“ enacted. It applies to the Federal Government only
June 1974: OECD Seminar on Policy Issues in data protection and privacy – Proceedings published
in 1976. In this report, the 1973 Swedish Data Protection Law and the American Privacy Act of
1974 were reproduced in the Annex. This seminar brought together major decision makers from
OECD Member countries to present facts, exchange views and debate ways forward. After the death
of President Pompidou in 1974, an article was published by the newspaper Le Monde, „La chasse
aux Français“, the Hunt of the French, through the interconnexion of giant government data banks.
Scandal, the spectre of George Orwell's Big Brother haunted the French public. The Messmer
government set up a Study Commission „Informatique et Liberté“. Almost all its members took
part in the OECD seminar, which had the great advantage of presenting all papers in English and
French, so it became an important input into the preparation of the relevant legislative work of the
French Parliament. The notion of „Transborder Data Flows“ was debated for the first time at this
seminar in one of the 4 sessions.
February 1975: Conference on Computer/Communications Policy, OECD, Paris
August 1976: Informatique et Liberté Projet de Loi (Bill) in France. Its Exposé des motifs stated
that „the bill takes also into account the initiatives taken by international organisations.... especially
of the OECD, whose reflexions on the technological, economic and policy aspects of information
technology have a determining international influence“
September 1977: Symposium on Transborder Data Flows and the Protection of Privacy, Hofburg,
Vienna
early 1978: Beginning of work of an OECD Expert Group on Drafting Guidelines governing the
Protection of Privacy and Transborder Data Flows of Personal Data.
1977 – 1980: About one third of OECD Member countries have adopted Privacy Protection Laws
January 1980: In his State of the Union Address, President Carter, in mentioning his government's
privacy program, stated that “International Guidelines are needed to protect the privacy of personal
information transferred from one country to another, while avoiding disruption of needed
information flows. We have spearheaded work in the Organisation for Economic Cooperation and
Development toward this end, and guidelines have been drafted for adoption this year.“
September 1980: Final Adoption by the OECD Council of a Recommendation concerning Guidelines
on the Protection of Privacy and Transborder Flows of Personal Data. This recommendation
contains 8 basic Principles for national application, and 4 principles of international application,
providing a balance between free flow and legitimate restrictions.
October 1980: Council of Europe Convention 108 on the Protection of Privacy is adopted. It enters
into force when a minimum of 5 countries have ratified it. Then it will be binding on the signatories.
1981: Creation of the Information, Computer and Communications Committee (ICCP) by the OECD
Council
1983: Symposium on Transborder Data Flows, Churchhouse, London
1984: Conference on „1984 and Beyond“ in the Reichstag, Berlin
April 1985: Adoption by the OECD Council of a Declaration on Transborder Data Flows
2) Relevance of the OECD Privacy Guidelines to-day
In some respects, these Guidelines seem to be outdated. They clearly come from a pre-internet age. The notion of Transborder data flows seems obsolete in the age of instant, worldwide
web-connections, where the ubiquitousness of the sender and receiver is taken for granted.
On the other hand, the Guidelines were expressly drafted in a technology-neutral way, and
not specifically for „ADP“ (Automatic Data Processing). Therefore the Principles are still by and
large valid, even if their interpretation and information technology has changed. In 1978-1980
several European Member countries' representatives had doubts about the usefulness of such non-binding Guidelines, and even questioned whether the OECD was the right place to draft such
Guidelines. They clearly preferred the Council of Europe Convention, which was much more
„solid“ in their eyes, because it was legally binding. On the other hand, it became clear that such
„soft law“ in the form of Recommendations of good practice was quite useful for all OECD
member countries, with their wide spectrum of legal systems. They provided a sort of flexible
bridge between the European approach to „Data Protection“, and the more general view of „Privacy
Protection“ in non-European Member countries. They certainly contributed to a certain international
harmonisation, if not standardisation, of principles in the legislative approaches of Member
countries and even of non-Member countries. Imitation effects are always a powerful stimulus to
the spread of new approaches.
Privacy protection issues had, over the years, ups and downs. Sometimes these issues were
high on the government agendas (e.g. the French example, the Watergate scandal, etc.), and
sometimes just routine matters. There always was a delicate balance between privacy protection and
national security concerns. For example, in Germany during the 1980s the years of terrorism by the
RAF group made indents in data protection; similarly, after September 2001 the global fight against
terrorism made privacy protection issues secondary, and in many Member countries new national
security laws were enacted which to a certain extent eroded privacy protection. At present, it seems
that privacy protection is again on the upswing. Two examples illustrate this:
The SWIFT issue between the United States and the European Community. The US
government had reached an agreement last year with the European Commission for a right of access
to certain financial flows on the SWIFT international bank transaction network in the name of
national security concerns and the global fight against terrorism. This agreement was overturned by
the European Parliament in February 2010 on the grounds that privacy protection issues were not
sufficiently taken care of in this agreement. A new agreement needs to be negotiated soon, where
issues of reciprocity may well play a role. Clearly paragraphs 15-18 on Basic Principles of
international application: Free flow and legitimate restrictions of the OECD Privacy Guidelines
very much apply here, although the issue of access to content was not expressly dealt with.
The German Supreme Constitutional Court ruled on March 2, 2010 that the general
automatic storage of all telecommunications transaction data by telecommunications carriers in
Germany for a minimum of 6 months was unconstitutional, except in some well defined specific
cases. That means that the relevant German law needs to be amended. But this brings up another
difficulty: The European Union directive 2006/24/EG specifies in Article 6 that these
telecommunications transaction data (not their content) should be stored automatically for a
minimum of 6 months and a maximum of 2 years. Several EU member countries have not
implemented this Directive, and Sweden has even been condemned by the European Court of
Justice for not doing so. Again, the massive, automatic collection of telecommunications
transaction data may infringe on the privacy of consumers and citizens by creating user profiles.
This is clearly dealt with by para 7, the Collection Limitation Principle of the OECD Privacy
Guidelines.
3) Some reflexions on the modernisation of the Guidelines
In re-reading the Guidelines, and especially the Explanatory Memorandum, it becomes
quickly clear that several issues hotly debated to-day are treated only in a passing way or missing.
Some of these are:
Access: Who has access to stored personal data? National security agencies? Private persons
unknown to the data subject? Do data controllers hide information they pass on to third parties?
Storage limitation in time: In the purpose specification principle, there is mention of the
destruction or erasure of data, but only en passant.
Right to oblivion (droit à l'oubli). The French Secrétaire d'Etat Nathalie Kosciusko-Morizet is
very keen on this issue. In her recent book „Tu viens?“ ( Do you follow me?) she argues that we
have to face a paradox: the more we use electronic media, computer, internet, cellphones, GPS,
electronic credit-, health- and other cards, the more we realise how we can be tracked, how
information about us is stored, and there is a fear of losing our freedom. She also points out how
there is a big generation gap: the elders (including myself) have a tendency to be discreet, to keep
things to ourselves, to shun publicity. I may add that this may be a reflex from times of war, of the
Big Brother syndrome, of police states. The young generation on the contrary has a tendency to
show off, to find it cool to put on their micro-blogs exuberant expressions, to impress their friends
or peers with crazy or even indecent pictures. This may be cool, but later on young people may
regret to have such data (and pictures are also digital files with millions of pixels) out in the web,
since there is no possibility to call them back. Once they are out, they are out. This may well be an
impediment for their future careers. This is not Big Brother, it is Small Brother. It may well be that
we will need new rules about „automatic wipe-off“ after a certain time of storage.
Reciprocity: Not much is said in the Guidelines about reciprocity. There is only general language
about „a standard of equivalent protection“ in the case of transborder data flows. It is
recommended that there should be information exchange related to these Guidelines, and mutual
assistance in the procedural and investigative matters involved. It may be that given the nature of
legally not binding Guidelines, the notion of reciprocity would not have made much sense. Yet this
is becoming quite important, as we can see in the SWIFT case.
Self-regulation: The Guidelines do recommend supporting self-regulation. This is more important
than ever, especially for the private sector actors. National laws increasingly are inadequate to
regulate or even to sanction failings in a global web situation. There are many lawsuits already
where private persons or users feel their privacy invaded by data controllers.
Some examples:
August 2009, California: Lawsuit by users against improper release of personal data by Facebook; it
is alleged that Facebook engages in data mining and harvesting without fully disclosing these
practices to its users.
November 2009, Germany: Lawsuit against Wikipedia
November 2009, Switzerland: Lawsuit against Google Street View online service. There is a feeling
that this service with its 2,75 meters high cameras is a privacy invasion especially in quiet
neighborhoods, as it can view over fences or walls.
What are the remedies?
In early 2009, the United States Congress held hearings on the stricter update of principles
for self-regulation in online data collection for advertising purposes. There is much concern that
people are tracked too much online. In response to this, the U.S. Advertising Industry published in
July 2009 a report on „Self-regulatory Principles for Online Behavioral Advertising“. There is also
increased pressure by the US Federal Trade Commission on the online marketing world. But
already 30 years ago self-regulation was considered by many experts to be a sort of fig-leaf, with
not much teeth, since control of compliance always was a problem.
In November 2009, an international conference was held in Madrid to try to obtain a
consensus on an international standard for privacy protection on Internet.
All these efforts show that it is increasingly difficult for national governments to maintain
control of the borderless and de-centralised internet web and issue regulations on its use.
Self-regulation is fine, and necessary, but there must also be proof of compliance by the
data controllers.
Challenge to OECD
This points to a challenge to OECD. Through updated and modernised Privacy Protection
Guidelines, and in co-operation with the private sector, both data controllers and private users, it
could establish rankings or lists of those data controllers who comply with the strict criteria laid
down by international consensus. And those who do not. This is a field the OECD has been good at
in other areas: widely publicise best practices in a comparative way based on commonly agreed
principles, and make public and disseminate how they are complied with. The Internet is an
instrument to invade our privacy? Use it widely to protect us consumers and users, by disseminating
knowledge and creating transparency on who complies with the Principles of Data Protection and who
does not. A general policy, as often mentioned by data controllers on their home-pages, is too
generic: more evidence on compliance is needed.
4) Honours
At the end of my remarks, I want to honour some persons who significantly contributed to
the development and spread of data privacy 40 or 30 years ago, and the drafting of the OECD
Privacy Guidelines, with my apologies to those I do not mention:
Spiros Simitis, Germany, drafter of the world's first Data Protection Act, that of Hessen;
Jan Freese , Sweden, father of the Swedish Data Protection Act, the first comprehensive Privacy
Protection Law of a sovereign country;
Michael Kirby, then Chairman of the Australian Law Reform Commission, our Conductor of the
Expert Group which drafted the OECD Privacy Guidelines;
Louis Joinet, France, then secretary of the Tricot Commission, drafter of the French Informatique
et Liberté bill;
Peter Seipel, Sweden, who as a consultant to OECD helped draft the Privacy Guidelines and their
Explanatory Memorandum;
Russell Pipe, United States, who as a consultant to OECD developed the concept of Transborder
Data Flows;
Oswald Ganley, United States, who was instrumental for Secretary of Commerce Baldridge
sending a letter to the 500 largest US firms, enterprises, banks and insurance companies inviting
them to implement the OECD Privacy Guidelines on a voluntary basis;
Frits Hondius, Council of Europe, who was the spiritus rector behind the Council of Europe Data
Protection Recommendations and subsequently Convention No 108 on Data Privacy Protection;
Alice Frank, OECD Secretariat, who held the pen in the meticulous preparation of the various
drafts of the OECD Privacy Guidelines.