In November, the 31st International Conference of Data Protection and Privacy Commissioners will approve a resolution that will include an international standard for privacy protection called the “Joint Proposal for a Draft of International Standards on the Protection of Privacy with regard to the processing of Personal Data.” The standard will be submitted to the United Nations as the basis for a treaty. This is not the conference’s first attempt to reach consensus on an international standard, but it is the first to include robust processes that will begin to narrow the issues that divide nations on data protection law.
The standard is being developed under the leadership of the Spanish Data Protection Agency, working with a committee of data protection authorities through a process that has included participation by outside experts such as a Hunton & Williams partner and the Centre for Information Policy Leadership. A third draft of the standard has now been circulated, in which the Spanish Data Protection Agency has clearly incorporated comments it received from fellow commissioners, businesses and the consumer advocacy community. The first draft was based on the European Union Privacy Directive with added obligations from the APEC Privacy Framework and national laws outside Europe.
The third draft recognizes the concepts of organizational responsibility and accountability. It replaces the data protection concept of “data controller” with the term “responsible person,” which is defined as “any natural person or organization, public or private that, in accordance with national law, decides on the existence of the [data] processing.” The responsible person is, pursuant to the accountability principle, required to assure observance of all the principles and obligations set out in the standards document. For example, data may only be transferred to a state or organization that affords a level of protection substantially similar to that provided by the standard; responsible persons who expect to carry out an international transfer must exercise “reasonable diligence” in making that assessment. This aspect of the standard is very close to guidance regarding data transfers that was provided by the Canadian Federal Commissioner earlier this year. The standard recognizes that organizations, rather than only states, may provide an adequate level of data protection, which is a major step forward in establishing that organizational accountability is a practical hook to facilitate transfers of data with appropriate obligations attached.