The OECD Heralds the Arrival of the Privacy Profession
Despite a sea change in the technological and societal backdrop, the guidelines, which were framed in concise, technology-neutral language, have proven remarkably adaptable to the new landscape. Indeed, the Volunteer Group of Privacy Experts (Expert Group) assembled by the OECD to review the guidelines recommended not to revise the set of high level principles in Part Two of the guidelines. These principles, comprising collection limitation, data quality, purpose specification, use limitation, security, openness, individual participation and accountability, remain sound. Instead, the Expert Group resolved to set forth a roadmap for implementation of the principles in the form of privacy management programs and privacy enforcement authorities. (Full disclosure: I served as rapporteur to the Expert Group, which was chaired by Canada’s Federal Privacy Commissioner Jennifer Stoddart and led by Michael Donohue of the OECD Secretariat.)
This shift from debating lofty principles to considering their implementation on the ground reflects the maturing of privacy from a set of aspirational goals into a full-fledged profession. As keenly observed by Kenneth Bamberger and Deirdre Mulligan, at the end of the day, individual rights are protected less by privacy on the books than by privacy on the ground. And privacy on the ground is assembled from the trenches—by embedding sound data practices at all level of the organizational structure, from call centers and inventory warehouses up to senior management and the board, and not just by privacy professionals but also by HR teams, IT specialists, data security personnel and more.
To this end, the revised guidelines call on organizations to establish privacy management programs with “appropriate safeguards based on privacy risk assessment” that are “integrated into (their) governance structure and (establish) internal oversight mechanisms.” The explanatory text adds: “Ensuring the availability of sufficient resources and staff, as well as training programs, may also improve the effectiveness of the program. Privacy officers may play an important role in designing and implementing a privacy management program.” OECD member countries are instructed to take action to advance “education and awareness-raising, skills development and the promotion of technical measures which help to protect privacy.”
Moreover, the revised guidelines require member countries to “establish and maintain privacy enforcement authorities with the governance, resources and technical expertise necessary to exercise their powers effectively and to make decisions on an objective, impartial and consistent basis.” This reflects the realization that a new field of regulation requires oversight by a new class of regulators, steeped not only in law but also in the technological knowhow so critical for engagement with data management scenarios.
The OECD recommendations are not only forward-looking but also reflect the reality already manifest on the ground. Consider the day-to-day activities of the IAPP, which develops and offers programs for training, certification and education of a new generation of data management pros. Another example is the initiative of the UK Information Commissioner’s Office, which launched a public consultation on a code of practice for conducting privacy impact assessments—comments are due November 5—and commissioned a detailed 267 page report by Trilateral Research & Consulting, documenting existing practice in hundreds of organizations and providing resources, benchmarks and case studies for conducting PIAs.
The integration of sound data management practices into organizational structures is also one of the pillars of the draft European General Data Protection Regulation (GDPR). As official Brussels returns from summer holidays and resumes negotiations over the GDPR together with heated discussion over the repercussions of the Snowden revelations, expect a period of intensive cross-Atlantic privacy debates. This article, by Cedric Burton and Anna Pateraki, provides an informative overview on where these political processes stand. Where the European regulation winds up may be the first indication of whether the updated set of OECD guidelines are as persuasive as the original set of guidelines were 30 years ago.
About the Author
Omer Tene is Vice President of Research and Education at the IAPP where he administers the Westin Fellowship program and fosters ties between the industry and academia. He is also Vice Dean of the College of Management School of Law, Rishon Le Zion, Israel; an Affiliate Scholar at the Stanford Center for Internet and Society; and a Senior Fellow at the Future of Privacy Forum. He has published extensively in US and European law reviews about big data, online tracking, and international privacy law.