Privacy Law and Policy Reporter
The International Conference of Privacy and Data Protection Commissioners, held in Paris in September 2001, established a process and criteria for recognising the credentials of data protection authorities for the purposes of the international conference. The core resolution of the conference adopted four principles which need to be satisfied for a commissioner or institution to be internationally recognised as a data protection authority. Other parts of the resolution established a Credentials Committee to scrutinise applications and recommend to the conference which authorities should be recognised, and settled procedures for voting on resolutions.
The conference elected Bruce Slane (New Zealand), Elizabeth France (UK) and Michel Gentot (France) as the first Credentials Committee. This committee has the major task of scrutinising the credentials of all authorities currently participating in the conference. At the Paris conference alone, there were 30 countries with data protection authorities represented.
The principles, which represent an important milestone in the developing international standards for the institutions involved in privacy and data protection, are set out in full below. The comments are part of the resolution adopted by the conference but are intended to be explanatory of the basic principles rather than binding on the Credentials Committee.
Accredited data protection authorities will, by virtue of their broad functions and depth of experience, be the premier experts on the principles and practice of data protection and privacy in their jurisdiction. They will have a clear mandate to promote and protect data protection and privacy across a wide sphere of activity and all the necessary legal powers to carry out the task.
The data protection authority must be a public body established on an appropriate legal basis.
Comment: The legal basis upon which an authority is established underpins its independence and ability to perform functions, and demonstrates a jurisdiction’s commitment to effective protection of personal data. The legal basis should be of the type normally associated with significant public bodies dealing with citizens’ rights in that jurisdiction. Typically, this will be primary legislation enacted by the legislature, such as a statute, but depending upon local traditions a suitable Executive instrument may be appropriate. The legal basis should be transparent and have sufficient permanence that it cannot be revoked or changed without reference to the legislature.
The data protection authority must be guaranteed an appropriate degree of autonomy and independence to perform its functions.
Comment: Autonomy requires that an authority be empowered, both in a legal and practical fashion, to initiate and undertake appropriate action without having to seek others’ permission. Independence is important for agencies to be able to operate free from political or governmental interference and to withstand the influence of vested interests. Typical guarantees include:
The law under which the authority operates must be compatible with the principal international instruments dealing with data protection and privacy.
Comment: The principal international instruments are the OECD Guidelines (1980), Council of Europe Convention No 108 (1981), UN Guidelines (1990), the EU Directive (1995) and, as far as they are relevant, the UN Principles relating to the Status and Functioning of National Institutions for the Protection and Promotion of Human Rights (1991).
The authority must have an appropriate range of functions with the legal powers necessary to perform those functions.
Comment: A data protection authority will have a range of functions in areas such as compliance, supervision, investigation, redress, guidance and public education. An authority must not merely be advisory but must have supervisory powers with legal or administrative consequence.
Blair Stewart, Assistant Privacy Commissioner, New Zealand.