AustLII Home | Databases | WorldLII | Search | Feedback

Journal of Law, Information and Science

Journal of Law, Information and Science (JLIS)
You are here:  AustLII >> Databases >> Journal of Law, Information and Science >> 2010 >> [2010] JlLawInfoSci 10

Database Search | Name Search | Recent Articles | Noteup | LawCite | Author Info | Download | Help

Kirby, Michael --- "The History, Achievement and Future of the 1980 OECD Guidelines on Privacy" [2010] JlLawInfoSci 10; (2010) 20(2) Journal of Law, Information and Science 1


The History, Achievement and Future of the 1980 OECD Guidelines on Privacy[*]

THE HON MICHAEL KIRBY AC CMG[**]

Abstract

Between 1978-80, the author chaired an expert group of the OECD which developed the OECD Privacy Guidelines. His work in this respect has previously been noted in this Journal ((1981) Vol.1 No.1, 1; (1992) Vol.3, No.1, 25; (1996) Vol.7, No.2, 137). This article offers a thirty-year retrospective on the OECD Guidelines, starting with historical descriptions of the clash of values that had to be resolved in the group. The article describes four main achievements by which the OECD Guidelines built on predecessors; added value; envisaged flexible implementation; and secured survival of basic privacy protection. The article closes with suggested lessons for the future from the Guidelines of 1980, given the huge technological changes that have occurred in informatics in the intervening thirty years, some of which are described.

Introduction

Thirty years ago, I served as the chairman of the expert group of the Organisation for Economic Co-Operation and Development (OECD) on trans-border data flows and the protection of privacy (1978-1980). This paper is aimed at giving contemporary observers an opportunity to reflect on the achievements of the Guidelines on Privacy (‘the Guidelines’), developed by the expert group. They were adopted by the Council of the OECD and recommended to OECD member countries in 1980. They have proved highly influential.

One normally thinks of the OECD as a body of sober economists, statisticians and technologists. One does not normally expect such people to be oozing with human rights sentiment. Yet the OECD Guidelines have proved to be one of the more effective international statements of recent times affording protections for a basic human right, privacy, as that right has come to be understood in the context of contemporary information technology.

One does not normally expect economists, statisticians and technologists to be sentimental about their institutional history. Yet it is a commonplace that those who forget their history are bound to repeat its mistakes. A Roundtable to mark the thirtieth anniversary was welcome. The chair of the Committee for Information, Computer and Communications Policy (ICCP) was Mr Jørgen Andersen. The Director of the Directorate for Science Technology and Industry (DSTI) was Mr Andrew Wyckoff. In 1980, I knew their predecessors who, in the case of ICCP, included Mr Johan Martin-Löff. He was also a distinguished telecommunications expert from Scandinavia.

The meeting room in the new OECD Conference Centre in 2010 was more salubrious that the dungeons in which the OECD expert group convened in 1978-1980. Beautiful surroundings present the risk that one might never want to leave them. That was certainly not true of the late 1970s dungeons. Yet my footsteps readily took me back to the OECD building complex. In 1980, there were no double metal barriers around the compound. Security was comparatively light. The intellectual environment was as intense as it is today. The shared institutional values of the participating nations meant that many irrelevant disputes were avoided. Meetings started on time. Productivity and efficiency were our standards.

In the OECD expert group, I learned, as every pupil at the Ecole Nationale d’Adminstration does, the Cartesian division of every problem into three parts. So it is that I have divided this article into three sections. I will recount some of the history of the expert group. I will describe some of the achievements of the Guidelines. And I will offer some reflections on the future, as these may be of assistance to those working today on information, computer and communications policy.

1 History

The way the OECD became involved in the project to draft guidelines on the protection of privacy in the context of trans-border data flows (TBDF) is worth recalling.

The meeting of the Working Party on Information Security and Privacy (WPISP) in March 2010 was chaired by a fellow Australian, Keith Besgrove. I am not sure how he was elected to his office. Indeed, I am not sure how that privilege fell to me in the expert group that convened in 1978. I was sent to Paris in 1978 because the Australian Law Reform Commission, of which I was then chairman, was mandated by the Australian government to prepare new federal laws on privacy protection. Dialogue with experts from countries with similar legal and economic circumstances was considered useful to the discharge of our task. I can only assume that my election to chair the expert group came about because the member countries outside Western Europe were deeply suspicious of the bureaucratic tendencies of the European administrative culture. For their part, the Europeans could not tolerate the idea of a non-European chair for the expert group, at least not one from a nation of significant economic and political power. I presume that that is how the choice fell to me. Perhaps like Chairman Besgrove, it is best not to enquire too closely as to how the electoral processes in OECD delivered our respective names.

A trans-continental committee of experts thus began its enquiry 32 years ago. It was stimulated by outstanding assistance from the OECD Secretariat, led in this instance by Mr Hanspeter Gassmann, assisted by Professor Peter Seipel (Sweden) as consultant, and by Miss Alice Frank, also of the Secretariat. I pay tribute to the assistance of the OECD officials. Since 1980, I have worked in many United Nations and international organisations. None can boast of a more talented team of officials than the OECD.

Generally speaking, basic rights, the rule of law and democratic governance constitute the broad assumptions upon which the OECD operates for the provision of technical advice and assistance to member states, mainly on economic and technological issues. There have been exceptions, such as the important work of the Organisation on official international corruption and on issues of nuclear power and climate change. But, ordinarily, the OECD is not a house concerned with human rights protection. That task is generally left to other bodies, including the United Nations Educational, Scientific and Cultural Organisation (UNESCO), whose seat is established on the other side of Paris. So why the sudden interest of the OECD in protecting privacy in the context of trans-border data flows?

The answer to that question can be derived from the historical background to the establishment of the expert group and the commonalities of the technology that lay behind the need for international guidelines. So far as this background was concerned, it can be traced to the recognition, after the Second World War, in human rights instruments such as the Universal Declaration of Human Rights (Art.12), of the basic right to privacy. Elaborations of that notion followed in the 1960s in academic writing (such as that of Alan Westin, Paul Sieghart and Professors Rule and Cate of the United States), and in official reports (such as those of Kenneth Younger (UK) and Bernard Tricot (France)), addressed to the particular problems of privacy in the context of the new technology for automated data processing. The capacity of this technology to expand and expedite the analysis of personal data and to create connections not otherwise perceived was recognised as presenting new problems for privacy as that notion was to be understood in its wider, modern sense. That recognition led to initiatives in various international bodies which provided the background for the OECD’s work:

• In the Nordic Council in 1971, where the Scandinavian member states of the OECD built upon the early work on legislation for privacy protection adopted in Sweden in 1969. The Council reported in 1972 and its report resulted in one of the first data protection laws in 1973;

• The Council of Europe, in turn, drew upon the foregoing measures in the development of ministerial resolutions in 1973 and 1974 and in the design of a Convention (No 108) addressed to consequences of automated personal data;

• The Commission of the European Economic Community (as the European Union was then named) also began work that would ultimately bear fruit as the influential European Union Directive on privacy; and

• Other international bodies also became interested, including UNESCO, and, by 2000, the Asia-Pacific Economic Co-Operation Organisation (APEC) with its Privacy Framework addressed to the member states in that fast-growing region of the world.

Some of the foregoing developments lay in the future as we met for the first time at the OECD in 1978. But this much was already clear; the technology of informatics was fast changing. Even by 1978, it was apparent that the technology was increasingly transnational. Its social consequences could not be exhaustively dealt with by national laws. TBDF were becoming an established feature of the application of informatics. There was therefore a need for commonality in the approaches adopted by member states of the OECD. Otherwise, the advantages of TBDF for freedom in the flow of facts and opinions and for creative ideas for economic and social development, might be impeded.

Within Western Europe, by 1978, it was possible to bind the approaches of the member states of the Council of Europe into a binding treaty, agreed amongst those states to reflect the highest common denominator of their collective opinions. However, by 1978, it was already obvious that the largest player in the processing of automated data (including for airlines, hotels, business, insurance and banking) was the United States of America. Securing the agreement of that major economic player to a binding treaty faced two apparently immovable obstacles. The first was the need, in the ratification of any such treaty, for the concurrence of the United States Senate, traditionally suspicious of such engagements. The second was the strong affirmation of free flows of information expressed in the First Amendment to the United States Constitution. This provision created a bedrock of support for flows of data, to the largest extent possible, unimpeded by governmental regulation (‘Congress shall make no law ...’). The possibility that the United States would subscribe to a European Convention on this subject was small. These realities defined the boundaries of any successful enterprise within the OECD, designed to encourage as high a level of consensus about the applicable principles as could be reached among the participants without resort to be a binding treaty.

To the foregoing obstacles to progress had to be added other deep concerns, bordering on suspicions, which were often unexpressed; but every now and again came to the surface in the expert group. When this happened, it revealed a chasm, seemingly deeper than the Atlantic Ocean, between the underlying values reflected in the developments occurring in Europe, on the one hand, and the legal and social culture of the non-European nations, especially the United States, on the other:

• For the European nations, the memory of the misuse of personal data by security police, the military and other officials in the mid-20th century was still fresh. For them, this was not a theoretical problem. It was an urgent imperative to establish controls on the potential of the newly automated personal data to enhance the power of the over-mighty state and to diminish the liberties of ordinary citizens. In 1978 the world was still faced by the Cold War whose divisions were symbolised in Europe by the Berlin Wall. Today the Russian Federation sits at the table of WPISP and Russia may soon be a member state of the OECD. None of us should forget the contributions of the Red Army and the Soviet peoples in the Second World War to the defeat of fascism and to the creation of the circumstances in which Europe could flourish and democratic governance and efficient economies could emerge and expand;

• On the other hand, the United States experts, in particular, were suspicious of some of the approaches of the European nations participating in the work of the Council of Europe. In particular, they were anxious about the suggested inclination of the European states to create large bureaucracies empowered to impede TBDF. Occasionally, they hinted darkly that these were initiatives with an ulterior motive. This was to impede the all too obvious success of United States technology and to provide protective walls behind which the European technology of informatics might grow and compete. The Europeans, for their part, sometimes speculated that the American devotion to free flows of data and First Amendment values was actually underpinned by the then current pre-eminence of United States information technology.

Finding a bridge between these competing cultural attitudes, laws and economic interests was a great challenge. It was a much greater challenge than that faced in securing agreement within the Council of Europe or the European Communities, large as that was. It was the challenge which the OECD expert group accepted, addressed and eventually surmounted.

There is one additional explanation for the emergence of the OECD expert group. It is to be found in the initial title of the group. This addressed its attention to ‘trans-border data barriers and the protection of privacy’. It was the fear of new ‘barriers’ that afforded the initial focus of the work of the expert group and of the interest of the OECD. Then, as now, the OECD was an organisation concerned with economic efficiency and with the generally free sharing of information essential to the proper operation of democratic governance and free market economies. It was the potential of TBDF to occasion restrictions, regulations and even conflicting treaty obligations within the community of free markets and for these to impose ‘barriers’ on the free flow of data that aroused the interest of the OECD. Specifically these considerations enlivened the Organisation’s mission to contribute to (and defend) free flows deemed suitable to market information economies.

The OECD’s central concern was therefore that the response of European nations (and European regional institutions) to the challenges of TBDF for privacy protection might potentially erect legal and economic barriers against which it was essential to provide effective exceptions. Given the different perspectives, especially on opposite sides of the Atlantic, the resolution of this quandary lay not in the direction of an international treaty, but in the adoption of broad general principles. If those principles were introduced into, or reflected in, domestic law, it was hoped that they would contribute to the reduction of ‘barriers’ that would otherwise result in inefficiencies and obstacles to the attainment of the fundamental institutional objectives of the OECD.

At the heart of the trans-Atlantic disagreement that led to the establishment of the OECD expert group lay different approaches to the regulation of data flows so as to provide protection for privacy. For European member countries, impairment of personal privacy was not a theoretical danger. It was one deeply remembered from the misuse of personal data by security and military officials during the Second World War.

The suspicion that several non-European countries had was that the European treaty approach to protecting privacy was heavy-handed with bureaucracy; potentially expensive to implement and maintain; insufficiently sensitive to the values of free flows of data; and (even possibly) motivated by economic protectionism so as to strengthen the European technology of informatics behind legally established data protection walls. The suspicion of the Europeans was that the non-European member states would insist on a ‘toothless tiger’. They would give the appearance of agreement; but without any real or practical effectiveness.

Before and during the work of the expert group, numerous seminars and conferences were held in Paris and elsewhere concerned with aspects of the problems that led to the creation of the group and pre-occupied it in its work. One of these was a large conference in Paris attended by the then President of the French Republic (Mr Valéry Giscard d’Estaing). In the course of the conference, to which I contributed, the powerful feeling that lay behind the European response to the dangers to privacy was expressed in a vivid way. During a session devoted to public participation, an audience member leapt to his feet. I knew that his contribution would be unusual. His appearance was arresting. He had a long beard and his eyes gleamed as he spoke:

“Why, Mr President, did so many refugees and Jews in France survive during the War? Why did so few resistance fighters and Jews survive in The Netherlands?”, he said. “It happened because, in the 1930s, The Netherlands government, with typical efficiency, had devised an identity card with a metal bar installed through the photograph. This was then the latest in secure technology. In France, we had an ordinary photograph, pasted on cardboard. It was easily imitated. Upon that difference hung the lives of thousands of good people. In France, they survived. In The Netherlands they perished. Efficiency is not everything. A free society defends other values. Personal control over data is one such value.”

It was a powerful intervention. I have never forgotten it. It made a good point. Not to promote inefficiency, as such, but to remind the listeners of the importance of keeping both governmental and private power under legal control, and of ensuring that the individual remained in charge of most of the personal data concerning that individual. The memory of the misuse of data by officials was too fresh in mind to enlarge official power and especially given the growth of multi-national corporations often insusceptible to local regulation.

My own legal training and tradition in Australia was sympathetic to the emphasis placed by the United States participants in the expert group on the value of TBDF. However, the reminder from the heart of Europe, of the importance of democratic values and individual integrity was equally important and timely.

So the task of the OECD expert group was to build on the work previously undertaken within the Nordic Council, the Council of Europe, the European Economic Community and in academic writing. It was to bring the principles that were by then emerging into an intercontinental application so that they would extend, as far as agreed, without a treaty, to other member countries of the OECD, such as the United States, Canada, the United Kingdom, Japan, Australia and New Zealand.

To tackle this task, the members of the expert group had the assistance of brilliant officials, and an excellent consultant, provided by the OECD Secretariat. Mr Hanspeter Gassmann, who attended the Roundtable in March 2010, led the Secretariat team. He enjoyed established expertise in information technology and policy. He was assisted by Miss Alice Frank who was a brilliant drafter. One of the first professors of information technology and the law, Professor Peter Seipel (Sweden) was appointed consultant to the expert group. He revealed not only intellectual brilliance but also great skill in drafting. He played the leading role in the preparation of the explanatory memorandum that accompanied the OECD Guidelines. I pay a tribute to each of these colleagues. Nothing that the expert group achieved would have been possible without their input.

The appointed members of the expert group were all people of great intelligence and devotion to the task. The Deputy Chairman was Mr Louis Joinet, leader of the French experts. Before him lay a distinguished career in the Cabinet of President François Mitterrand and (like myself) in United Nations human rights activities. To the task of the expert group, he brought enormous skill, integrity and eloquence. He spoke from the standpoint of the civil law tradition. Throughout, he insisted on conceptual approaches to the problems that we faced. He was assisted by Mr Philippe Lemoine and by other fine members of the French delegation. They became the primary advocates of the viewpoint of the European countries. They were supported in this respect by very experienced Scandinavian experts. These included Mr Jan Freese (Sweden), the first head of the Swedish Data Protection Authority, Mr Hans Corell (later General Legal Counsel to the United Nations) (Sweden), and Professor Jon Bing (professor of law and head of the Norwegian data protection body). Many of the future global leaders in informatics and the law cut their teeth in the policy debates of the OECD expert group.

The expert from Italy was Professor Stefano Rodota, later a member of the Italian Parliament and long-time advocate of privacy protection. Professor Spiros Simitis brought to his contribution trail-blazing work in one of the first data protection agencies in one of the Länder of Germany. The Canadian delegation was especially strong. It included Ms Alice Desjardins, later a federal judge, and Ms Inger Hansen (later Canadian Privacy Commissioner).

If every important argument needs a thesis and antithesis, the clash of ideas was provided in the expert group by Mr William Fishman, then an official of the Department of Commerce in the United States. He was as brilliant in oral debate as was Mr Louis Joinet. He was supported by Ms Lucy Hummer (of the US State Department). Between them, they ensured that no proposition was left unchallenged which the repeated American advocacy of TBDF required. Out of the clash of these values emerged the OECD Guidelines.

My task as chairman was to uphold the disciplined work ethic of the expert group. But in this group that was not a special challenge. We worked hard in our dungeons. The intellectual rewards were great. In the end, the Guidelines emerged. They have proved influential over thirty years when so much else in law, politics and technology has proved ephemeral.

2 The Achievement

The achievement of the Guidelines fell into four main areas:

1. Building on predecessors: We did not set out to reinvent the wheel or to alter needlessly the sensible approaches adopted by our predecessors. We derived much assistance from academic writing (especially of Alan Westin and David Flaherty, fathers of privacy analysis). We drew on governmental reports including that of the Department of Health Education and Welfare in the United States (HEW); the Younger report in the United Kingdom; and the report of Mr Bernard Tricot in France. Above all, we drew on the regional work of the Nordic Council, the Council of Europe and the European Communities Commission. At most meetings of the expert group, we had the assistance of Mr Frits Hondius, long-time official of the Council of Europe. He was an outstanding theorist on many subjects, including data protection and data security. He assisted the experts to draw upon the Council’s work as we translated the earlier recommendations into an inter-continental context.

2. OECD value added: There were at least seven features of the Guidelines that constituted the ‘value added’ that the OECD offered in its project:

i The Guidelines were expressed in technologically neutral terms. They were not confined to automated data nor to any particular information systems. This feature has helped the Guidelines to survive the intervening three decades notwithstanding the huge technological developments they have seen;

ii The Guidelines were expressed as non-binding. They did not adopt the language or character of a treaty. The verb used throughout was ‘should’. The coercive element in the Guidelines came from their demonstrated utility and the sense of self-interest on the part of OECD member countries;

iii The Guidelines also adopted a broad ambit. They were not confined to the public or private sectors. They did not resolve all issues over their application. However, they were expressed in very broad terms so as to have maximum influence;

iv The Guidelines acknowledged the intrinsic economic and social value of TBDF. Not only did this reflect the common democratic culture and free market values of the OECD member countries. It was essential to securing the participation and support of the United States with its strong commitment to First Amendment values;

v The Guidelines added the ‘accountability principle’ (para 14). As such, that principle had not been included in the earlier European work. It reinforced the individual participation principle (para 13) contained in the OECD Guidelines. It sought to identify a duty-bearer so that there would be no doubt as to who had the obligation to comply with the Guidelines in particular cases. The passive voice and subjunctive mood of hortatory language can sometimes weaken the power of its instruction. Yet, the value of the ‘accountability principle’ is that it contemplates elaboration and the identification of the duty-bearer. This was important for the effective implementation of the Guidelines;

vi The Guidelines also called on the OECD member countries to implement the principles of the Guidelines and to co-operate with other member countries in such implementation so that gaps would not arise as between their operation in different nation states. Such gaps were a practical danger against which the European participants frequently warned the expert group. The haemorrhaging of personal information through TBDF was a major consideration that urged all of us on to a successful conclusion; and

vii Above all, the simple conceptual language of the Guidelines strengthened their influence in the succeeding years. In a field of endeavour that is beset by technological complexity and verbal obscurity, the OECD Guidelines shine forth as an example of clear and simple writing. Much of the credit for this must be shared by Peter Seipel, Hanspeter Gassmann and Louis Joinet. They are all distinguished conceptualists. They could even make the English language seem clear and simple. Which, of itself, was a major achievement.

3. Flexible implementation: A reason for the special success of the OECD Guidelines is the way in which they envisage that national implementation will observe their own regulatory cultures. This had been a large potential obstacle standing in the way of success because of the concern in non-European countries about what they saw as the expensive and intrusive bureaucratic tradition of European date protection. Invoking domestic procedures for regulation and protection was both wise and necessary. It has meant that the European countries could continue on the path of their data protection agencies while other countries could embrace a looser system, one harmonious with their own institutional traditions. This flexibility helps to explain the way in which the OECD Guidelines have influenced subsequent developments in privacy law, principle and practice in countries as diverse as the Russian Federation, Mexico, South Africa, Turkey and nations of the APEC region. This influence, which is itself a contribution to the objective of TBDF, might not have happened without the express provision of the Guidelines envisaging respect for the differing implementation traditions of the member countries of the OECD.

4. Survival of the Guidelines: Against the foregoing background, the survival of the Guidelines, and their continuing utility thirty years later is remarkable but perhaps understandable. In that thirty years, we have seen the development of the internet and worldwide web; of search engines; of the technology for location detection; of social networking which challenges the very concept of what is ‘private’ and what is secret; and of biometrics and other technologies. These developments undoubtedly raise questions about the OECD Guidelines. But the basic principles that the Guidelines established remain an efficient foundation for the operation of global information systems.

3 The Future

What of the future? Given the astonishing developments of information technology in the intervening 30 years, can we really expect that the OECD Guidelines will continue to be relevant and influential in the future? To answer this question, it is necessary to face once again the difficulties that the OECD expert group faced in 1980:

1. Realism: It is important to tackle issues presented to information, computer and communications policy with realism. That realism must be founded in the recognition of the objective value of TBDF, something which the Guidelines specifically recognise and assert. TBDF undoubtedly have great value to the economies and societies of OECD member states. The value has extended to individuals, corporations and society as a whole. Prosperity is dependent on these characteristics. Of course, there is an extent to which the advance of information technology reduces the ability of the individual to control his or her information. This is the aspect of individual privacy that is placed at risk by informatics. That risk must be candidly acknowledged in measuring the value of the technology to the lives of all people living in a modern community. Putting it in terms that would be understood in the OECD, there is an ultimate economic question to be considered by policy-makers as they reflect on the continuing utility of the OECD Guidelines in today’s world. That question can be expressed thus: does the marginal utility of attempting to limit or control TBDF, so as to protect attributes of individual privacy, outweigh the marginal costs involved in any such interference in the operation of TBDF. It is necessary to face this quandary candidly and to discuss it openly so that decisions about it are made transparently. The use limitation principle in the OECD Guidelines (para 10) is an example. The social networks that have arisen in the past decade are an illustration. To what extent would the utility of endeavouring to impose individual control over data in such information systems outweigh the cost of erecting impediments or providing controls? These are abiding questions. They remain applicable today, although the technology that presents them for resolution changes all the time.

2. Protecting privacy: Having acknowledged the inevitability of some erosion of personal control over data and individual privacy, it is important not to give up on protection of this value. It is a value that lies deep in the desires of the human person. It affects the dignity and integrity of that person. Privacy as a human value is not something dreamed up by the OECD. It was recognised as a basic human right in the Universal Declaration of Human Rights (art 12) and in the International Covenant on Civil and Political Rights (art 17). Accordingly, there is much good sense in the Madrid Privacy Declaration of November 2009. In that declaration, civil society organisations, convening in conjunction with the annual meeting of the Privacy and Data Protection Commissioners’ Conference, re-asserted the centrality of fair information practices; of principled decision-making; of effective and enforceable protection; of international implementation of universal values such as privacy; and of accessible remedies for individuals. Uncritical technological euphoria is not an appropriate response to the challenge for privacy presented by new technology and changing public use of it. This is not a subject where ‘anything goes’;

3. Importance of empiricism: One feature of the work of the OECD expert group in 1980 was its insistence that the Guidelines, and all policy and law in this area, should be based on an accurate and thorough understanding of how the relevant technology worked. Any acquaintance with that technology teaches that failure to take action can sometimes amount to making a decision. That decision permits technology, developed generally for profit, to take the user and society where the technology leads. The intervention of law and principle and of effective protective practices are needed to afford safeguards for fundamental human rights and defence of the integrity of information systems;

4. Reconceptualising issues: To some extent, in the three decades since the OECD Guidelines were adopted, policy developments have been confined to particular areas of information, computer and communications policy. Thus, treaties or guidelines have been adopted to deal with the special problems of spam; cybercrime; malware; worms and viruses and other attributes of modern informatics. The OECD should endeavour to link these issues in conceptual terms and to ensure that separated responses operate in harmony with each other and in a way that defends interlinked values. It may be that the responses to the foregoing issues can be seen, with privacy protection, as an endeavour of the global community to preserve the benefits of information technology while guarding users and others affected from anti-social conduct. The OECD should constantly be on the alert, as the expert group was in 1978-1980, against a fractured approach to what are basically integrated social and ethical problems. If there is one organisation in the global community that has the legitimacy and mandate to maintain this conceptual approach, it is the OECD. It can derive encouragement, and instruction, from the way in which the expert group developed the 1980 Guidelines within the broader context of information, computer and communications policy;

5. New challenges: Many new challenges face any organisation that is addressing contemporary computer and communications policy. Some of the challenges include:

i The development and implementation of new systems of mass surveillance, including facial recognition, whole body imaging, biometric identifiers and imbedded Radio-frequency identification (RFID) tags which the Madrid Declaration suggests should not be implemented without ‘a full and transparent evaluation by independent authorities and democratic debate’;

ii Privacy protectors must ever be on the lookout for privacy enhancing technology (PET) so that technology itself can be invoked to afford better privacy protection to the individual;

iii Cross-border co-operation in drafting, implementing and enforcing laws for privacy protection is a daily challenge. It is one that attracts responses. Such responses were envisaged by the provision in the 1980 Guidelines (para 20) for measures of international co-operation. These included (para 21) information exchanges and mutual assistance in any procedural and investigative matters involved;

iv End-user education may be necessary to sustain community awareness about the value of privacy. The social networks that have grown up in recent years are often used by young persons who may not be fully aware of the way in which their personal data, disclosed today, may return to affect their lives in years or decades to come. Balancing individual freedom against personal immaturity may sometimes require new responses and some impediments to TBDF, at least for vulnerable users. These need to be developed in conformity with the basic objectives of the OECD Guidelines which continue to provide a framework for resolving such issues; and

v Beyond the OECD, even as its membership has expanded in the decades since 1980, lie the overwhelming majority of nation states and peoples of the world. Inevitably, (in default of any other global principles) the OECD Guidelines have come to affect the privacy of individuals in the developing world. But are the values of the Guidelines in harmony with the values of people living in such countries? Are those people really concerned about values such as privacy as we understand that concept? What should the OECD do to include opinions from developing countries in the expression of the values that should affect global technology? Given the already rapid advance of information technology in most developing countries, these are valid questions. They present important dilemmas for the OECD as it takes forward its work on information, computer and communications policy.

4 Re-Assurance

If there are difficulties in getting common ground within the OECD and beyond on the issues of privacy, data protection and data security, they pale in significance beside the larger problem of tackling other global problems, such as the changes necessary to protect the biosphere against global warming or nuclear catastrophe or a global epidemic such as HIV/AIDS whose vectors include sexual activity, drug use and whose vulnerable populations include sex workers, drug users, homosexuals and women. At least in information policy, it may be hoped that an agreed, rational and empirical approach will prevail. In other challenges, considerations of power, fear and religious belief can intrude to obstruct or delay logical responses.

I mention these facts to remind the OECD that its tasks, although substantial and difficult, are basically manageable. Information technology is shared. The challenges can generally be addressed without giving predominance to non-objective factors. From this, the OECD and its committees can take encouragement. As they can from the work of the expert group thirty years ago, the success of that work and its utility in the intervening decades.

I invoke the spirit of the late Jan Freese and the late Frits Hondius. I invoke the debt that is owed to Louis Joinet and Hanspeter Gassmann, who participated with me in the 2010 Roundtable. I pay tribute to Peter Seipel, Bill Fishman, Hans Corell, Inger Hansen, Stefano Rodata and all the others who worked on the 1980 Guidelines. Above all, I pay respects to those who continue to work in the field of privacy protection and security of information, whether in the OECD or in national privacy data protection authorities or in civil society organisations such the Electronic Privacy Information Center (EPIC), the Centre for Information Policy Leadership (CIPL) and leaders in relevant public institutions and academic life.

The level of control which the individual will maintain over personal data in the future will depend on the efforts made today by these bodies and individuals. They are guardians of a fundamental attribute of the human personality. They deserve support and acknowledgement. The OECD does well to take stock, to reflect on its achievements and to derive strength for the still greater challenges that lie ahead.


[*] Based on the talks delivered by the author at the Organisation for Economic Co-Operation and Development, Paris, to the Working Party on Information, Security and Privacy (WISP) on 9 March 2010 and to a Roundtable of the Committee for Information, Computer and Communications Policy (ICCP) on 10 March 2010.

[**] Chairman of the OECD Expert Group (1978-1980), Justice of the High Court of Australia (1996-2009).


AustLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback
URL: http://www.austlii.edu.au/au/journals/JlLawInfoSci/2010/10.html