In the first update of its 1980 Recommendation Concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (“Guidelines”), the Organisation for Economic Co-operation and Development (the “OECD”) released a revised version of the Guidelines on 11 July 2013. The Guidelines were internationally recognised and formed the basis for much of the data protection legislation in the EU, US and Asia. The revision was made to take into account technological advancements and the increased importance of personal data in the globalised digital economy.
In the review process, the OECD identified two key elements that needed to be emphasised:
- The need for a practical, risk management-based approach to the implementation of privacy protection; and
- The need to enhance privacy protection on a global level through improved interoperability.
While the basic principles of the Guidelines remain intact, aspects of the Guidelines, such as accountability, transborder data flows and privacy enforcement, were updated and expanded. In addition, entirely new concepts were introduced, including:
- National privacy strategies involving a coherent regulatory approach at all levels of government;
- Privacy management programmes operating at an organisational level functioning as the mechanism by which privacy protection is implemented; and
- Data security breach notification requiring data controllers to inform individuals and/or authorities when a security breach has occurred.
Since the revision of the Guidelines, data protection issues have been excluded from the negotiations of the Transatlantic Trade Investment Partnership between the EU and the US as a result of widely diverging approaches to data privacy. This serves to highlight the necessity of a common approach between different jurisdictions. Whether or not this will become relevant to the EU Commission's review of the Safe Harbor Framework remains to be seen.