On September 9, 2013, the Organization for Economic Cooperation and Development (“OECD”) published its revised guidelines governing the protection of privacy and transborder flows of personal data (the “Revised Guidelines”), updating the OECD’s original guidelines from 1980 that became the first set of accepted international privacy principles.
Two themes run through the Revised Guidelines: (1) the need for a practical, risk management-based approach to the implementation of privacy protection; and (2) the need to enhance privacy protection on a global level through improved interoperability. The OECD encourages member countries to improve global interoperability of privacy frameworks by entering into international arrangements that give practical effect to the Revised Guidelines. It references recent initiatives that have been undertaken to bring together different approaches to privacy protection, such as data protection authorities working together in the context of the EU’s binding corporate rules and the APEC Cross-Border Privacy Rules System.
Although the original “Basic Principles” of the guidelines remain intact, several new concepts have been introduced in the Revised Guidelines. According to the OECD, these include:
- National privacy strategies. Effective laws are essential, but the strategic importance of privacy today also requires a multifaceted national strategy coordinated at the highest levels of government.
- Privacy management programs. These serve as the core operational mechanism through which organizations implement privacy protection.
- Data security breach notification. This provision covers both notice to an authority and notice to an individual affected by a security breach affecting personal data.
Other revisions seek to strengthen privacy enforcement and modernize the OECD’s approach to international data flows. For example, the Revised Guidelines include references to “risk” and “proportionality,” signaling a focus on a risk-based approach. The OECD recommends that any restrictions on transborder data flows imposed by member countries should be proportionate to the privacy risks associated with the personal data (i.e., taking into account the sensitivity of the data and the purpose and context of the processing).
Finally, Part 3, Section 15 of the Revised Guidelines encourages organizations to be accountable through their privacy management program by ensuring that the program:
- gives effect to the Revised Guidelines for all personal data under its control;
- is tailored to the structure, scale, volume and sensitivity of its operations;
- provides for appropriate safeguards based on privacy risk assessment;
- is integrated into its governance structure and establishes internal oversight mechanisms;
- includes plans for responding to inquiries and incidents; and
- is updated in light of ongoing monitoring and periodic assessment.