As we noted in the first post of our accountability series, the principle of accountability has become a global privacy paradigm.  In this post, we discuss the evolution of this principle and how it got to be where it is today.

Accountability In The Early Days

The accountability principle has featured in international data protection instruments for 35 years making its debut in 1980 when it was included in the original OECD Guidelines.  It was taken-up 25 years later by the 2005 APEC Privacy Framework but throughout all those years led a very quiet existence without receiving much attention or making an impact in practice.

In essence, those early codifications of the accountability principle state that data controllers should be accountable for complying with measures which give effect to the other codified data protection principles.  They were understood as clarifying that, under domestic law, accountability for complying with privacy protection rules and decisions remains with the data controller even where the processing is carried out by a third party processor. 

Accountability Today

The notion of accountability is no longer what it used to be.  It has been pulled out of the dark by academics, policymakers, legislators, regulators and the like.  To give just a few examples, in 2009, the Global Information Accountability Project was initiated and since then accountability has repeatedly been a hot topic at the annual International Conference of Data Protection and Privacy Commissioners

Pen was put to paper in 2013, when the revised OECD Guidelines emerged.   While retaining the accountability principle in its original form, crucially, the 2013 OECD Guidelines contain a new “Part Three - Implementing Accountability” which fleshes out the accountability principle by stating that data controllers should:

  • have in place a privacy management program (PMP);
  • be prepared to demonstrate their PMP as appropriate, in particular at the request of a competent privacy enforcement authority; and
  • notify significant security breaches to enforcement or other relevant authorities, as well as affected data subjects where the breach is likely to adversely affect data subjects.

Part Three goes even further to provide that:

  • PMPs need to be tailored to the structure, scale, volume and sensitivity of the controller’s operations, integrated into the controller’s governance structure and routinely reviewed and updated; and
  • essential elements of PMPs include appropriate safeguards based on privacy risk assessments, mechanisms ensuring that third parties maintain appropriate safeguards when processing data on behalf of the controller, plans for responding to incidents and inquiries and internal oversight mechanisms.

In February 2015, APEC’s Electronic Commerce Steering Group endorsed a plan to update the APEC Framework essentially in line with the changes made to the OECD Guidelines.   From the information that has emerged so far, we can expect the future APEC Framework to include the concept of PMPs and breach notification obligations very similar to the 2013 OECD Guidelines. 

There is also another noteworthy development.  The often overlooked (but legally binding) Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention 108) -  currently silent on accountability - is being updated to newly include additional obligations in respect of accountability, privacy impact assessments and privacy by design. 

Outlook

Even though non-binding, both the OECD Guidelines and the APEC Framework play a highly influential role in shaping privacy regulation and policy across the globe.  Their new take on accountability is highly likely to be reflected in future in national privacy laws, which so far are mostly silent on accountability.  If Convention 108 will eventually include additional obligations regarding accountability, Convention parties will be legally required to transpose these into their domestic laws in one way or another.  As will be seen in our next posts, privacy regulators around the world are starting to embrace this new interpretation of the accountability principle pushing organisations to implement and demonstrate the existence of detailed PMPs.