On June 12, 2007, the Organisation for Economic Co-operation and Development (OECD) Council adopted the OECD Recommendation on Cross-Border Co-operation in the Enforcement of Laws Protecting Privacy, which updates OECD guidelines on privacy and trans-border data flows, first published in 1980. The recommendation was developed by the OECD Committee for Information, Computer and Communications Policy (ICCP), through its Working Party on Information Security and Privacy (WPISP). The work of the Committee was led by Jennifer Stoddart, Canada’s Privacy Commissioner.
McCarthy Tétrault Notes:
Events Leading Up to the Recommendation
In 2006, the OECD undertook a re-examination of privacy risks and cross-border challenges associated with cross-border data flows, including circulation of a questionnaire to OECD member countries. The results of the re-examination were published in the OECD’s Report on the Cross-Border Enforcement of Privacy Laws in 2006.
The OECD initiative was driven by concerns about the privacy risks associated with growing cross-border data flows. Globalization, offshore outsourcing, Internet use, the decentralization of information-processing arrangements and decreasing communication costs have all contributed to increased cross-border data flows.
The report states that the majority of respondents found that restrictions on information-sharing were a specific obstacle to effective cross-border enforcement of privacy laws. Other challenges included difficulties in identifying a contact point in member countries, differing enforcement priorities, insufficient preventive or remedial powers, inconsistent legal regimes and practical obstacles such as resource constraints.
The recommendation was born out of the report and further roundtable discussions. Its adoption reflects a commitment by OECD member governments to increase international co-operation and communication in order to enhance cross-border privacy protection.
The recommendation explicitly recognizes the benefits, including business efficiency and user convenience, that the increase in international flows of data has brought to organizations and individuals.
But the recommendation also highlights that such flows have raised new challenges and concerns with respect to the protection of privacy and effective enforcement of privacy laws.
In May 2007, Commissioner Stoddart submitted her 2006 Annual Report to Parliament on the Personal Information Protection and Electronic Documents Act (PIPEDA). The report includes the following statements:
When personal information moves across borders, it may become subject to different legal regimes. Individuals may lose some of their privacy rights, such as the ability to request access to the information or seek redress if the information is unlawfully used or disclosed.
Countries around the globe are recognizing the need to make the protection of personal data as it crosses borders as seamless as possible. With greater awareness of the threats associated with increased trans-border data flows, consensus is emerging around the importance of promoting closer co-operation among privacy enforcement authorities in different countries.
While PIPEDA’s "Accountability Principle" makes an organization responsible for personal information under its control, without distinguishing between domestic and cross-border transfers of data, the report concludes there is room for improvement in investigation and enforcement activities.
Investigations by the Office of the Privacy Commissioner (OPC) regarding international data transfers in 2006 included the transfer of financial information about individual Canadians to US authorities through the Society for Worldwide Interbank Financial Telecommunication (SWIFT). The OPC launched an investigation to determine whether SWIFT was improperly disclosing personal information to foreign authorities. The OPC found that SWIFT did not contravene PIPEDA when it complied with lawful subpoenas served outside Canada and disclosed Canadians’ personal information to foreign authorities. However, the report also observes that:
the disclosure process could have been more transparent if the government bodies involved had used existing information-sharing mechanisms, which have privacy protections built in. We have asked Canadian officials to work with their US counterparts to encourage them to use these mechanisms, rather than the subpoena route, to obtain information in the future.
Based on this and other experiences with international data transfer investigations, the report recommends that the Privacy Commissioner be given specific authority to share investigation information with international counterparts, while co-operating on investigations of mutual interest.
The OECD Recommendation can facilitate this type of co-operation.
Key Points of the Recommendation
The recommendation recognizes that, although regional instruments are in place, a more global and comprehensive approach to cross-border co-operation is desirable. Its main focus is the authority and enforcement activity of any public body responsible for enforcing laws protecting privacy (Privacy Enforcement Authorities). It also highlights and maintains a focus on co-operation with respect to privacy law violations that are most serious in nature.
The recommendation sets out three main goals: improving domestic measures to enable cross-border co-operation, improving international co-operation and creating a procedure in which member countries can request the assistance of other member countries. Specifically, it recommends that:
- member countries develop and maintain effective domestic measures that enable Privacy Enforcement Authorities to co-operate effectively with both foreign and other domestic Privacy Enforcement Authorities;
- member countries ensure that Privacy Enforcement Authorities have the necessary authority to prevent and act in a timely manner against violations of laws protecting privacy committed from their territory or that cause effects in their territory;
- member countries should provide their Privacy Enforcement Authorities with mechanisms to share relevant information with foreign authorities relating to possible violations of laws protecting privacy;
- member countries should enable their Privacy Enforcement Authorities to provide assistance to foreign authorities relating to possible violations of their laws protecting privacy;
- requests for assistance should include the purpose for which the information requested will be used as well as sufficient information for the requested Privacy Enforcement Authority to take action; and
- Privacy Enforcement Authorities should take appropriate steps to maintain the confidentiality of non-public information exchanged and respect any safeguards requested by the Privacy Enforcement Authority that provided the information.
Initiatives to implement the recommendation are already underway. The OECD has developed two model forms to facilitate privacy law enforcement co-operation. The first is a form to assist in the creation of a list of contact points in each country to co-ordinate requests for assistance. The second form is to be used by authorities requesting assistance from another country. Authorities must specify the privacy principle(s) at issue (e.g., data quality, security safeguards or transparency), as well as possible violations of law and potential sanctions.
The recommendation was introduced at the 29th International Conference of Data Protection and Privacy Commissioners, which was hosted by Commissioner Stoddart in Montréal at the end of September 2007. The OECD also introduced the recommendation at the 2007 Asia Pacific Economic Cooperation privacy meeting and intends to do the same at several other regional events.