Thursday, January 15, 2009

Launching another "global" forum to talk about privacy

There is a new buzz these days in privacy circles: the idea of global standards seems to be gaining momentum.  On January 12, privacy commissioners, and a handful of invited academics, advocates and CPO's, met in Barcelona for an inaugural meeting to launch work on a "Joint Proposal for a Draft of International Standards for the Protection of Privacy and Personal Data."  

There have been several very serious attempts at developing international, or regional, privacy standards.  The oldest, and perhaps most successful, was the OECD Privacy Guidelines from 1980.  Essentially all privacy laws in the world today derive from the OECD's work.  The OECD was so successful, because it maintained the privacy guidelines at a sufficiently high-level that they were not rendered obsolete by technological developments.  And the OECD refrained from mixing implementation issues into its guidelines, wisely recognizing that its member countries have very different legal and regulatory regimes.  

The EU Data Protection Directive of 1995 is probably the most complete and detailed set of regional privacy laws in the world.  Because the Directive was very focused on European Common Market issues, it took great strides to harmonize pan-European regulatory and implementation issues.  Since many of these implementation issues, such as the mandatory creation of an "independent" data protection authority, are unique to the European legal and regulatory context, the Directive itself is not suitable for broad global adoption, except in countries with European colonial traditions, like Hong Kong.  

APEC continues its work on a Privacy Framework, building on the OECD Privacy Guidelines and adding new and effective concepts of "accountability" and "harm".  APEC is the most exciting initiative underway anywhere in the world in terms of new thinking about how to move forward on global privacy standards.  Singapore, as this year's revolving host country, will host further meetings to build on the strong progress that's been made in past years.  

I attended most of this week's meeting in Barcelona.  It's too early to tell if this initiative, sponsored by the Data Protection Commissioners, will have legs in terms of moving forward the debate.  The inaugural meeting on January 12 was mostly attended by Europeans.  The documents that it cited as reference points were mostly European.  The overwhelming majority of participants were European data protection authorities, who naturally are very familiar with the EU Data Protection Directive, and come to the table imbued with the European approach.  A sprinkling of North Americans rounded out the participants, which left me thinking that this "global" meeting represented countries with something like 10% of the global population.   This particular initiative will sadly fail in the international arena, if it simply turns into an exercise of European commissioners to try to convince the rest of the world to adopt something like the EU Data Protection Directive.  They've already been doing that for over a decade, so there's little incremental benefit from continuing down that path.  

I think the world needs minimum international privacy standards, as I've blogged many times before. OECD and APEC are also promising forums to advance the debate.  In parallel, Europe will continue its reflections on how to modernize its own data protection concepts, and perhaps, streamline some of its rather inefficient bureaucracy.  Europe would certainly be more credible as a global leader, if it got its own data protection house more up to date and efficient.  [I'll be contributing to that effort in a separate forum.]  In the meantime, if I were from a country with no pre-existing tradition of privacy laws, I would be looking to the OECD and APEC for inspiration.  In any case, competition is good, even in the sphere of privacy policy thinking.  


Suresh Ramasubramanian said...

APECTEL ( specifically. They have worked with OECD earlier - such as in their joint work on malware, since 2005.

I referenced that quite extensively in my work on the ITU botnet mitigation toolkit (

Anonymous said...

I agree with your comments Peter. I would rather see revised OECD principles if there is to be a true international approach with any hope of consensus. I wish they would call it a convention rather than a standard as the term standard suggests something aimed at business rather than at national level. I guess they are really talking about an international instrument like a convention. If they want a business standard they should look to ISO for help.