This post was written by Cynthia O’Donoghue.

The international free flow of information has become fundamental in a data-driven economy. Yet the increasingly extensive use and movement of personal data creates greater privacy risks for an individual’s digital data trail; and while nearly 99 countries worldwide have some form of data privacy laws, the legal disparities can hinder transborder data flow. Acknowledging the need for a unified standard, the Organisation for Economic Co-Operation and Development (OECD) has published a revised version of the 1980 Guidelines on the ‘protection of privacy and transborder flows of personal data.’

The original guidelines informed and became the basis for many countries’ data protection laws, including those in Europe. Fundamentally, the revised version leaves the original privacy principles unchanged; they are widely familiar:

  • Fair, lawful and limited collection of personal data obtained with the knowledge and consent of the individual
  • Data is relevant for the purpose collected, is complete, and is kept up to date
  • Use of data for new purposes must either be compatible with the original purpose, or the new uses or disclosures require consent
  • Use of reasonable security safeguards to protect data and accountability of any data controller
  • Individual right of access to data held, and the right to have data erased, rectified or amended

Data controller accountability is reinforced in the revised guidelines, regardless of data location, and regardless of whether the data remains within the controller’s own operations, those of its agents, or is transferred to another data controller. The OECD recommends the use of tailored privacy management programs and privacy impact assessments to manage the risk of data breach. The OECD also encourages contractual provisions requiring compliance with a data controller’s privacy policy, notification protocols in the event of a security breach, and response plans for data breaches and data subject inquiries.

The OECD guidelines suggest that to manage global privacy risks, there must be improved interoperability, with national strategies between states co-ordinated at government level, and cross-border co-operation between privacy enforcement authorities.