There are significant developments these days on the subject of data protection. Two circumstances are influencing each other at an international level: on the one hand, the spying scandals related to the Prism program, and on the other hand, the expected reforms of the main international data protection instruments. Indeed, Convention 108 of the Council of Europe and the EU Directive 98/45 are about to be modernised and, the subject at hand, the OECD's Guidelines from the early 1980s have been updated this past July.

The fact that those Guidelines remain a non-binding instrument should not lead us to underestimate policies which could mutually influence the OECD States' and judges' decisions on data protection issues. Those provisions represent a political commitment and a global consensus, prefiguring the ground for a future international custom on data protection law. The 34 Member States (including the USA) are therefore strongly expected to implement the Guidelines and put them into effect.

We can actually say that the basic rules of data protection, maintained in the new OECD text (fairness of the processing, purpose limitation, rights of access and rectification, etc.), receive broad consensus. However, since personal data is now dispersed across multiple countries, recombined instantaneously and moved by individuals, the risks have considerably increased. Therefore, the actual key point of data protection, and the aim of the modernisation of the Guidelines, is to prevent the damage resulting from security breaches.

Indeed, as part of the wide "privacy management programs" that all data controllers should now have in place, those controllers should notify significant security breaches to the competent authorities and to the data subjects. This program, similar to the "privacy impact assessment" of the draft EU Regulation, includes an assessment of the risks, plans for responding to incidents and periodic update procedures.

Regarding trans-border flows, the new criterion of contractual prevention is recognised as an enforcement mechanism, allowing transfers to third parties under the OECD's Guidelines. The EU "Binding Corporate Rules" could be relevant for implementing sufficient contractual and security safeguards.

The new Guidelines also make more explicit the need for "privacy enforcement authorities" with greater technical expertise. National privacy strategies should be effectively coordinated at the highest levels of government, and the authorities' powers are extended to existing public regulators with, for example, a consumer protection mission.

Finally, on the model of the EU-US Safe Harbor framework, the Guidelines call for cross-border enforcement cooperation mechanisms. According to the explanatory memorandum, this should take concrete forms, such as breach notifications to multiple jurisdictions, since data breaches affect individuals living in different countries.

All those contributions reflect a more interoperable approach to risk prevention that both national and international data protection instruments are implementing.
