Unintended Consequences of OECD Privacy Protection Guidelines

The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data were created in 1980 to prevent economic barriers to international business when dealing with personal information.  The proliferation of disparate data privacy policies among nations threatened to hinder the efficiency with which nations interact as each tried to respect its own domestic laws regarding data privacy.  More than 30 years later we are still struggling to implement these guidelines, as they have proved to have various unintended consequences.

First, the intention of the guidelines to improve economic exchange can be seen in the recent passage of the Personal Data Protection Bill in Singapore.  The law “is expected to strengthen Singapore’s reputation as a business hub, especially for transactions with European countries, which require more stringent data protection measures.”  However, it also illustrates how opening up to one market can close access to others: if the standards are too restrictive, countries with less restrictive standards could be prevented from doing business with Singapore.

This is indeed occurring with India in its relationship with the EU.  India is pushing for “data secure” status because growth in its outsourcing sector is being hampered.  Some countries, like India, do not have the same resources as OECD members to implement the required guidelines, or to do so in a reasonable amount of time.  So the very framework created to prevent a hindrance on economic trade is creating its own barriers, as countries perform a balancing act among nations at different stages and abilities of compliance.  India is further complicating matters by using its leverage in ongoing free trade talks to gain data secure status, blocking economic exchanges unrelated to data privacy.

The Singapore law also reflects the issue of poor self-regulation, as it only proposes forming an enforcement committee.  Part four of the guidelines merely encourages self-regulation.  Adding an explicit requirement for a regulatory framework would increase trust among nations and provide a stronger incentive for domestic companies to protect data.  Even a minor act of negligence can result in serious consequences in this age of digital information.  This was recently shown in the UK when the Scottish Borders Council was found to have violated the Security Safeguards Principle by failing to monitor a third-party company to which it was outsourcing its data [Link].

More dire consequences arise not just from the implementation of the guidelines but from the guidelines themselves. For instance, the British Bankers’ Association has found itself at odds with the Security Safeguards Principle when trying to comply with the Participation Principle.  In doing so it has set a precedent for denying rights afforded by the guidelines.  In this case it meant refusing to respond to data subject requests by email, which it justifiably claims is not a secure communication medium.

A more obvious example of where the guidelines are set up for abuse is the carte blanche offered to the law when specifying exceptions to the Use Limitation Principle.  We are currently seeing the effects of this since the passage of the FISA Amendments Act, which is up for renewal this year.  The Act, among other things, “allows the government to electronically eavesdrop on Americans’ phone calls and e-mails without a probable-cause warrant.”  This exception in the guidelines allows for violations of the Openness and Collection Limitation Principles.  Although it is understandable for the law to depart from the guidelines in certain contexts, without any mention of narrowly tailoring this power, the goals of the guidelines are too easily compromised.

Perhaps it is time to revisit the guidelines with remedying these consequences in mind.