Privacy Law and Policy Reporter
Office of the Information and Privacy Commissioner, Ontario
This article summarises a report to the 22nd International Conference of Data Protection Commissioners, Venice, Italy in September 2000 — General Editor.
The paper ‘Should the OECD Guidelines Apply to Personal Data Online?’ was prepared by the Office of the Information and Privacy Commissioner Ontario (the IPC) to continue the debate started by the Honourable Justice Michael Kirby at the 1999 International Conference on Privacy and Personal Data Protection in Hong Kong. Justice Kirby suggested the 1980 Organisation for Economic Co-operation and Development’s Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (OECD Guidelines) were showing signs of age and needed to be reviewed.
The central premise of the IPC paper is that while the Data Protection Commissioners annually debate the state of the OECD Guidelines, the online world continues to move ahead. The IPC argues that commercial and other organisations are setting and enforcing online privacy standards, not the Commissioners.
To balance the work of the OECD, the IPC paper outlines contrary points of view. Critics maintain that the OECD Guidelines are out of date and in urgent need of an overhaul or replacement. The paper highlights key weaknesses and omissions in the OECD Guidelines as argued by Justice Kirby, Colin Bennett, Graham Greenleaf, Roger Clarke and Robert Gellman.
Given the global nature of the internet and the local jurisdiction of the Data Protection Commissioners, the need for an international consensus regarding online privacy protection does not seem to be in dispute. The question seems to be what data protection standard should form the foundation upon which effective action can be built — the OECD Guidelines (as currently worded or amended), or some other standard entirely?
The IPC notes that in today’s environment, individuals and companies offering services or products to a global market through the internet are not generally aware of, or concerned with, the OECD Guidelines. Voluntary fair information practices are not uppermost in the minds of start-up e-commerce ventures. If any awareness of the need to protect privacy online exists at all, the immediate concern is compliance with mandatory legislation, existing agreements and industry standards. The European Union’s Directive on Data Protection, the Safe Harbor Agreement, and legislation such as Canada’s new Personal Information Protection and Electronic Documents Act, have overtaken the OECD Guidelines in terms of relevance to online business.
Before the Data Protection Commissioners can significantly influence others, they must first agree upon an appropriate minimum online privacy standard. The IPC believes the OECD Guidelines can and do serve this purpose. The IPC has tried to put the minimum standards set by the OECD Guidelines into operation by developing its own set of online privacy ‘best practices.’
In its papers, the IPC stresses the need for Data Protection Commissioners to focus on how to actually apply these generally accepted fair information principles to the online world, rather than on continuing to debate the principles themselves. Accordingly, the IPC recommends the Commissioners accept the OECD Guidelines as the minimum standard for online privacy protection, arguing that this step is the essential foundation for any harmonised initiatives. The IPC also encourages the Commissioners to develop a co-ordinated educative and advocacy role for themselves in the area of online privacy.
The IPC’s intent in suggesting that Data Protection Commissioners agree upon a basic online privacy standard — the OECD Guidelines — is to encourage a move from reflection to action. It is the view of the IPC that time and resources are too limited for the international community of Data Protection Commissioners to make revisions to the OECD Guidelines their priority. Instead, the Commissioners need to focus on directly influencing the users, web sites, and those currently setting the online privacy agenda and standards.
The IPC argues that Commissioners can have a unified educative and advocacy voice. They can influence online companies and standards associations. They can influence technical standards and architecture, seal programs and organisational practices. They can focus on developing effective dispute resolution and enforcement mechanisms. Their diversity and sheer geographic scope can make them extremely pervasive and effective. However, they must recognise that in whatever they do to influence online privacy, they will be more effective as a collective voice than as solo Commissioners.
The IPC concludes by noting that the Data Protection Commissioners represent the public’s interest in privacy protection, and the public has indicated clearly, again and again, that it has significant online privacy concerns. The Commissioners have the knowledge, experience and passion to significantly influence the online world and the protection of privacy globally. But they must act, and act now.
The paper has extensive references and two exhibits: the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, and the Office of the Information and Privacy Commissioner Ontario Best Practices for Online Privacy Protection. The full paper and revised Best Practices are posted on the IPC web site at <http://www.ipc/english/pubpres/sum_pap/papers/oecd.htm> (HTML version) and <http://www.ipc/english/pubpres/sum_pap/papers/oecd.pdf> (PDF version). Hard copies are available from that office at 80 Bloor Street West, Suite 1700, Toronto, Ontario, Canada, M5S 2V1.