REPORT ON THE CROSS-BORDER ENFORCEMENT OF PRIVACY LAWS

FOREWORD

More than 25 years after the adoption of the OECD Privacy Guidelines, virtually all OECD countries have enacted privacy laws and empowered authorities to enforce those laws. However, the volume and characteristics of cross-border data flows have been evolving, elevating privacy risks, and raising cross-border enforcement challenges. This report describes the current attempts to address these challenges and highlights the need for a more global and systematic approach to cross-border privacy law enforcement cooperation.

The report was prepared by the Secretariat with the assistance of Francis Aldhouse, Malcolm Crompton, and Peter Ford, consultants. It was reviewed by a volunteer group of experts led by Jennifer Stoddart, Privacy Commissioner of Canada. The Working Party on Information Security and Privacy approved the report for submission to the Committee for Information, Computer and Communications Policy, which declassified it in October 2006.

The report is published under the responsibility of the Secretary-General of the OECD and available online at: www.oecd.org/sti/security-privacy.

MAIN POINTS

The volume and characteristics of cross-border data flows are evolving, elevating privacy risks and the need for improved law enforcement co-operation

Developments in global communication networks and business processes have increased the volume of transborder data flows. Data transfers in areas like human resources, financial services, education, e-commerce and health research – to name a few – are now an integral part of the global economy. Advances in technology mean that data can be transferred quickly and stored indefinitely. Data transfers enable a globally distributed approach to tasks which takes advantage of expertise in multiple locations around the world and around the clock.

In addition to bringing business efficiencies and convenience for users, however, changes to global data flows have also elevated the risks to privacy. Wrong-doers seek to exploit technology to expose data, sometimes for financial gain. In particular, problems related to data security breaches have come into focus recently, sometimes in cases with a cross-border dimension. Given the ease with which information can be instantly transferred at any time to any place, the cross-border aspect of data breaches is likely to increase. As with spam and cross-border fraud, protecting privacy in a global environment depends on cross-border co-operation. Although the need for effective enforcement co-operation has been noted over the years, there is now renewed interest in working at the international level to address the outstanding challenges to effective law enforcement in a world where global data flows are widespread and continuous.

Privacy enforcement authorities are now widespread in OECD countries, sharing commonalities in the types of powers they possess and the substantive scope of their jurisdiction

When the OECD Privacy Guidelines were adopted more than 25 years ago, only about one-third of member countries had privacy legislation. Today nearly all OECD members have laws – most of which follow the principles of the Privacy Guidelines - and have established authorities to carry out enforcement responsibilities.

If member country authorities share commonalities in terms of the powers they have and the scope of the laws they enforce, certain variations remain. Some authorities are charged with resolving individual complaints, others with supervising regulatory compliance, and many do both. Variations exist with respect to complaint handling processes, the authority to investigate or audit, and the available sanctions and remedies for a breach. Some are independent authorities, some housed within government departments. Some cover the public sphere, others only the private sector, and many cover both. A few authorities are mandated to enforce privacy laws covering a particular economic sector, for example, telecommunications or financial services.

Privacy enforcement authorities face challenges in addressing cross-border cases

Although almost all authorities can act against a domestic data controller for the benefit of a foreign individual, many are limited in or uncertain about their authority to protect their own citizens from privacy breaches by a foreign controller. A majority indicate that they would benefit from improved powers to exchange information and carry out investigations either jointly with or at the request of a foreign authority. Finally, efforts by authorities in the cross-border context are sometimes limited by insufficient preventive or remedial powers, inconsistent legal regimes, and practical obstacles like resource constraints.

A number of regional instruments and other less formal arrangements already exist to facilitate cross-border enforcement co-operation, but none with a global reach.

Work by the Council of Europe, the European Union, and APEC has helped establish frameworks for enforcement co-operation among enforcement authorities on a regional basis. One result has been a recent move towards joint audit activity in Europe. More informal networking and information exchange occurs at the International Conference of Data Protection and Privacy Commissioners, Asia Pacific Privacy Authorities Forum, the International Working Group on Data Protection in Telecommunications, and the Iberoamerican Network of Data Protection. Co-operation among privacy enforcement authorities can also occur under a recently adopted OECD Recommendation on anti-spam law enforcement co-operation. Existing arrangements are not, however, sufficiently comprehensive or globally co-ordinated to adequately address the cross-border enforcement challenges.

There is considerable scope for a more global and systematic approach to cross-border privacy law enforcement co-operation

Privacy is an area where public perceptions and fears can shift rapidly. The twin goals of the 1980 OECD Guidelines - protecting privacy and individual liberties, while avoiding the creation of unjustified obstacles to transborder flows of personal data – remain relevant today. Indeed, they may now be seen as more so given the growth in the volume of data crossing borders. An important element in maintaining that balance is having in place a framework allowing for co-operative enforcement actions to address problems when they do arise. In addition, greater transparency about how privacy enforcement works would be helpful for business compliance and user trust in global privacy protection. The overall goal of any effort to improve enforcement co-operation should be to safeguard the personal information of individuals, no matter where it is located.

INTRODUCTION: TRANSBORDER DATA FLOWS, PRIVACY RISKS, AND LAW ENFORCEMENT CO-OPERATION

The challenge of ensuring the protection of personal information when it crosses national borders is by now well known. The history of efforts to address privacy protection at the international level dates back to at least the late 1970s when the OECD and Council of Europe launched their landmark work in the area. While much has been accomplished during the intervening years to increase privacy protection across the world, the growth of the Internet and related changes in the volume and characteristics of global flows of personal data have heightened privacy risks. These developments highlight the need for more structured enforcement co-operation globally to ensure privacy protection.

This report examines the law enforcement authorities and mechanisms that have been established to protect privacy, with a particular focus on how they operate in the cross-border context. It describes the current challenges to effective enforcement, as well as existing arrangements for addressing those challenges. It concludes by identifying a number of issues for further consideration, aimed at helping those charged with enforcing privacy laws to protect personal information wherever it may be located.

A. International frameworks for privacy protection

The OECD Privacy Guidelines were developed because of concerns about the consequences of competing national data protection laws. One aim was to ensure that the spread of national data protection laws should not cut off transborder data flows to the prejudice of economic growth. At the same time the Guidelines emphasised that OECD countries have a common interest in protecting privacy and individual liberties. Faced with the twin concerns about threats to personal privacy by the more intensive use of personal data and the risk to the global economy of restrictions on the flow of information, the OECD produced what has come to be recognised as one of the principal statements of the core privacy protection principles.

The adoption of the OECD Privacy Guidelines in 1980[1] represented a significant step in the international protection of personal privacy. The 1981 Council of Europe Convention[2] (Convention 108) and subsequently, the European Union Directive 95/46/EC (the EU Directive) marked further stages in the development of privacy law and policy. In particular, the EU Directive developed rules to ensure that the standard of privacy protection afforded within Europe was not weakened by the transfer of data between Europe and other countries. In 1990, the United Nations General Assembly adopted guidelines that reflect the principles to be found in the OECD Guidelines and Convention 108, but with a greater human rights emphasis.[3] More recently, the Asia Pacific Economic Cooperation economies (APEC) have finalised the APEC Privacy Framework. It introduces an approach focused on the prevention of harm from the misuse of personal information along with a principle of accountability where data moves across borders. The Framework was endorsed by APEC Ministers in 2004.[4]

B. Open economies and communications networks

Changes in global information flows

Continuous technical innovation and societal evolution in the Internet environment have changed the landscape for global communications and information flows. When the OECD Privacy Guidelines were adopted in 1980, cross-border flows of personal data could be considered discrete events, with data traveling in bulk between identified parties. Data transfers would occur, for example, in large batches by means of physical devices like tapes for processing. International data banks were just emerging, and the Internet was still in its infancy with commercial usages prohibited.

Precise estimates of today’s volume of information flowing across borders are hard to come by, but related data is instructive. The overall number of Internet users is now approaching 1 billion, with the penetration of broadband subscribers having quadrupled between 2001 and 2005.[5] Capacity for international Internet traffic continues to grow, with, for example, capacity in hubs like San Francisco or Tokyo more than doubling between 2002 and 2003, and nearly doubling again in 2004.[6] Likewise, the prices for international transit have dropped dramatically, with some estimating that what might have cost USD 1 000 per Mbps per month in 1995 may cost USD 15 per Mbps per month in 2005.[7] Though not a direct measure of the volume of transborder data flows, these figures help illustrate an inter-connected world where information flows are fluid and decentralised, and cross-border data exchange is routine. Moving data around the world or across the corridor now requires the same “click”.

This major feature of today’s environment has been emphasised by several commentators. Information “flows more freely, knows fewer national attachments, and indeed represents one of the significant forces behind the processes of globalisation,” according to one.[8] For another, information “has become the new raw material of the world economy.”[9] Or, as described in the US-EU Safe Harbour materials, “[d]ata transfers are the life blood of many organizations and the underpinnings for all of electronic commerce. Multinational organisations routinely share among their different offices a vast array of personal information.”[10] And indeed, more and more business, government and individual activities are migrating to the global “always on” broadband IP-based networks. Cross-border flows of personal data occur for any number of reasons: e-commerce, e-government, online banking, human resources management, distance education, online gambling, community activities or health research – to name a few areas.

Individuals routinely connect with others around the world, share profiles and preferences, blog, rate music and buy from other individuals on online auction sites.[11] They make purchases and travel arrangements with foreign businesses over the Internet. Sophisticated financial networks and messaging services facilitate the use of credit and debit cards throughout the world. Multinationals transfer personal information about their customers and employee records across borders. Governments increasingly provide for the electronic delivery of government services to both improve their internal operations and offer better services to the private sector and to citizens. Governments also exchange personal information for various reasons, such as border control.

Organisations have updated their business processes, managing their operations wherever it makes the most sense. A number of different agents may participate in the collection and transfer of data, sometimes on behalf of the company, sometimes in the name of another party. Formerly centralized functions like payment processing, credit verification, customer service, or technical support can be distributed globally to take advantage of expertise across multiple locations. The outsourced processing of credit card transactions, telephone bills, and medical records to offshore sites to take advantage of lower costs and specialised expertise is frequent. Many businesses have established offshore customer service centres to respond to the expectations of their customers that assistance should be available “real time.” Responding to inquiries 24/7 may mean moving data to some place where it is normal working hours for support personnel, in line with a “follow the sun” model.

Looking ahead, cable, telecommunication and mobile networks are converging towards the Internet Protocol (IP) – next-generation networks (NGN) to enable voice, video and data to be carried over the same infrastructure. The deployment of networked RFIDs and sensors may soon make communications channels even more pervasive, fostering further exponential growth in round-the-clock data flows.[12]


[1]. Recommendation of the Council concerning Guidelines governing the Protection of Privacy and Transborder Flows of Personal Data (23 September 1980), OECD, Paris, ISBN 92-64-19719-2.

[2]. Council of Europe (CoE) (1981) The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. Strasbourg, CoE. European Treaty Series No 108.

[3]. United Nations Guidelines Concerning Computerized Personal Data Files adopted by the General Assembly on 14 December 1990.

[4]. See http://www.apec.org/apec/news___media/2004_media_releases/201104_apecminsendorseprivacyfrmwk.html.

[5]. See OECD, Broadband Statistics, December 2005, available at: http://www.oecd.org/document/39/0,2340,en_2649_37441_36459431_1_1_1_37441,00.html.

[6]. TeleGeography Research, “International Internet Statistics” (2005), http://www.itu.int/dms_pub/itud/md/02/isap2b.1.1/c/D02-ISAP2B.1.1-C-0025!!PDF-E.pdf

[7]. OECD, Internet Traffic Exchange: Market Developments and Measurement of Growth (2006), p. 13, http://www.oecd.org/dataoecd/25/54/36462170.pdf.

[8]. Colin Bennett and Charles Raab, The Governance of Privacy (MIT, Cambridge Mass 1996) p. xvi.

[9]. Christopher Kuner, European Data Privacy Law and Online Business (Oxford U. Press 2003), p. ix.

[10]. U.S. Dept. of Commerce, “Safe Harbor Workbook,” available at: http://www.export.gov/safeharbor/sh_workbook.html

[11]. According to one study, sixty-one percent (61%) of teens reveal their contact information on their blogs by disclosing their email address (44%), instant messenger name (44%), or a link to a personal home page (30%). Fifty-nine percent (59%) reveal their location in terms of a city or state. Thirty-nine percent (39%) of teen bloggers provide their birth date, and twenty percent (20%) disclose their full name. See David Huffaker, “Teen Blogs Exposed: The Private Lives of Teens Made Public” (2006), available at http://www.soc.northwestern.edu/gradstudents/huffaker/papers/Huffaker-2006-AAAS-Teen_Blogs.pdf.

[12]. See, e.g., Elliot Maxwell, “Some Reflections on The Future: Dipping A Toe in the Datastream;” presentation to the OECD Foresight Forum on Radio Frequency Identification (RFID) Applications and Public Policy Considerations, Paris, 5 October 2005, available at: http://www.oecd.org/dataoecd/60/20/35466861.pdf.
