Two circumstances influence each other at the international level of data protection: on the one hand, the famous spying scandals related to the Prism program, and on the other hand, the expected reforms of the main international instruments of data protection. The Convention 108 of the Council of Europe and the EU Directive 98/45 are indeed about to be modernized and, our issue at hand, the OECD’s Guidelines from the early 80’s have been updated this July.
The basic rules of data protection have been maintained in the new OECD’s text (fairness of the processing, purposes limitation, rights to access and rectification, transborder flows basic compliance), but because large amounts of data are now dispersed in multiple countries, risks have increased considerably. The aim of the Guidelines modernization, focused on the concept of risk, is to concretely prevent damages resulting from security breaches.
All data controllers should now have in place a wide “privacy management program,” similar to the “privacy impact assessment” of the draft EU Regulation. This program should include assessment of the risks, plans for responding to incidents, documents to prepare and to present at the authorities’ request, and periodic updated procedures. As a consequence, controllers should notify significant security breaches to competent authorities and to data subjects. The implementation of a “privacy management program” is the main change in those updated Guidelines.
Regarding transborder flows in the Guidelines, the new criterion of contractual prevention is recognized in the form of an “enforcement mechanism,” allowing transfers with third parties. The EU “Binding Corporate rules” and the “Standard Contractual Clauses” seem adequate to implement this type of sufficient contractual and security safeguard.
The new Guidelines also make explicit the need for “privacy enforcement authorities.” They should be effectively coordinated at the highest levels of government, since their powers could be extended to existing public regulators with, for example, a consumer protection mission.
Finally, on the model of the EU-US Safe Harbor framework, the Guidelines call for cross-border “enforcement cooperation” mechanisms. More specifically, this cooperation could cover situations where a breach localized in one jurisdiction affects individuals living in a different jurisdiction, or where individuals are affected by breaches covering multiple jurisdictions. According to the explanatory memorandum attached to the Guidelines, those mechanisms could take the form of breach notifications from States to States in order to meet the global needs of companies and individuals.
Those Guidelines remain a non-binding instrument. But it does not lead us to underestimate a text which could mutually influence the States’ and judges’ decisions. It represents a strong political commitment. The 34 Members States (including the USA) are therefore strongly expected to put them into effect.
But above all, the OECD Guidelines are in line with the latest international legal standards. They include the components of the widest global consensus, prefiguring a ground for a future custom. While being precise and consistent, they remain a short, simple and practical framework. Therefore, our most important concern is not their legal nature, but their concrete content, which simply represent the best uniform guidance to ensure data protection compliance at a corporate and international level. We warmly recommend our clients to use them in this way.