and promote principles and best practices at the national, regional and international levels, and submit proposals and recommendations to the Human Rights Council in that regard, including with a view to particular challenges arising in the digital age;
d) participate in and contribute to relevant international conferences and events with the aim of promoting a systematic and coherent approach on issues pertaining to the mandate;
e) raise awareness concerning the importance of promoting and protecting the right to privacy, with a focus on particular challenges arising in the digital age, as well as concerning the importance of providing individuals whose right to privacy has been violated with access to effective remedy, consistent with international human rights obligations;
f) integrate a gender perspective throughout the work of the mandate;
g) report on alleged violations of the right to privacy, wherever they may occur, as set out in article 12 of the Universal Declaration of Human Rights and article 17 of the International Covenant on Civil and Political Rights, including challenges arising from new technologies, and to draw the attention of the Council and the United Nations High Commissioner for Human Rights to situations of particularly serious concern; and
h) submit an annual report to the Human Rights Council and to the General Assembly.
In March 2016, the Special Rapporteur prepared his fi rst report on the right to privacy, which was submitted to the Human Rights Council (A/HRC/31/64). The report describes his vision for the mandate and provides an insight into the state of privacy at the beginning of 2016 and a work plan for the fi rst three years of the mandate. In order to facilitate the process of further elaboration on the dimensions of the right to privacy and its relationship with other human rights the Special Rapporteur has developed an outline Ten Point Action plan.42
Strengths and limitations of the United Nations initiatives
Strengths of the UN initiatives include:
wide respect and global coverage;
a long history of promoting and protecting human rights; and
a recognition of privacy as a fundamental right.;
Limitations of the UN initiatives include:
the current treaty provisions are too ‘high level’ for day-to-day impact – the right to privacy needs to be translated into further detailed principles; and
the UN faces some signifi cant resource constraints.
B. THE COUNCIL OF
EUROPE CONVENTION 108
The Council of Europe Data Protection Convention of 1981 (usually referred to as Convention 108 or the CoE Convention) is the most prominent binding international agreement on data protection.
Although this Convention was established by the Council of Europe, its membership is open to any country, and several non-European countries have signed the Convention or are in the process of becoming members.
Forty-six of the forty-seven Council of Europe member States have ratifi ed the Convention and have implemented data protection laws that comply with the Convention (the exception is Turkey where ratifi cation is in progress, the Turkish parliament has recently passed a data protection law43). Uruguay was the fi rst non-European country to become party to the Convention in 2013. Four other countries are currently exploring membership (Mauritius, Morocco, Senegal and Tunisia).
The Convention differs from many other global initiatives in that it is binding on signatories.
Strengths and limitations of the CoE initiative
Strengths of the CoE Convention include: it provides comprehensive coverage;
there is wide acceptance of the principles contained in the Convention;
it provides the ability for any country to join;
the Convention works through a collaborative open process;
the binding nature of the agreement drives harmonization; and
the Convention has strong support from other initiatives (e.g. it is endorsed by the International
Data Protection Commissioners as the best global model available).
Limitations of the CoE Convention include:
it has a Eurocentric history (although it is now being rapidly expanded); and
it faces possible challenges in accommodating very different national schemes (most importantly the U.S.).
Overall, the CoE Convention is the most promising international development in a field where every initiative faces signifi cant challenges.
C. THE OECD
The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data were developed by OECD member states in consultation with a broad group of stakeholders. They were originally published
in 1980 but were revised and re-issued in 2013 (see box 8).44 The Guidelines can be followed by any country, not just OECD members.
The OECD itself has 34 members, 32 of which have previously implemented comprehensive data protection laws. In late March 2016, the Turkish parliament passed a data protection bill that is meant to harmonize the Turkish regime with that of the EU, which will leave the United States as the only exception (the U.S. utilizing a sectoral approach to data protection rather than a single law).
However, the real impact of the OECD Guidelines is their infl uence on the content of privacy laws around the world – well beyond the OECD’s member base.
The Guidelines contain eight privacy principles that form the backbone of the principles included in most national privacy laws.
Box 8. Summary of revisions made to the 1980 OECD Privacy Guidelines in 201345
The eight “basic principles” and key defi nitions remained intact while the rest of the text was updated. The main changes to the Guidelines included the introduction of new text, such as:
• a new section on accountability;
• an updated section on transborder data fl ows; and
• expanded sections on national implementation and international cooperation.
The revision concentrates on the practical implementation of privacy through an approach grounded in risk assessment and management. Risk assessment helps determine which safeguards are necessary and should be assessed through a process of identifying and evaluating the risks to an individual’s privacy.
Other new concepts to the revised Guidelines include:
• national privacy strategies signalling the increased importance of this policy area along with the need for good cross-department coordination within governments;
• privacy management programmes, which serve as the core operational mechanism through which organizations implement privacy protection;
• data security breach notifi cation, covering both notice to an authority and notice to an affected individual; and
• a new provision calling for ‘complementary measures’ including education and awareness, skills development, and technical tools. It recognizes that privacy laws are necessary but not suffi cient.
Subsequent OECD work and milestones
The most recent OECD achievement is the Recommendation on Digital Security Risk Management for Economic and Social Prosperity adopted by the OECD Council in September 2015. It highlights that digital risk should no longer be treated as a technical issue, but as an economic risk. Further, digital risk should therefore be an “integral part of an organization’s overall risk management and decision making.” The OECD Privacy Guidelines and this Recommendation complement each other, and together represent the evolutionary shift towards a more holistic public policy approach to digital risk management. Like the OECD Privacy Guidelines, this Recommendation calls for national strategies and strengthened international cooperation and mutual assistance to tackle increasing digital risk and harness the benefi ts offered by digital innovation.
Source: OECD
CHAPTER II : Global developments and lessons learned 27
Strengths and limitations of the OECD initiative
Strengths of the OECD Privacy Guidelines include: they have a long and respected history;
the core Principles are widely accepted;
they have a focus on achieving balance between data fl ows and data protection; and
they have broad support from a diverse group.
Limitations of the OECD Privacy Guidelines include:
the absence of a proportionality (or data minimization) principle;
the non-binding nature of the Guidelines; and
the developed world focus of the OECD (although in practice the principles are widely infl uential).
D. INTERNATIONAL DATA PROTECTION COMMISSIONER’S INITIATIVES
The fi nal data protection initiative with a near-global reach is the work of the international Data Protection authorities. Their main role is the regulation of national data protection laws, but because their work involves more international disputes, they have started to involve themselves in the global privacy debate.
Their three main initiatives are: 1) an annual meeting and conference; 2) a system for cooperating in international and cross-border complaints; and 3) a statement on global privacy principles.
This third initiative is of the greatest interest.
At their 2005 meeting, the International Data Protection Commissioners issued a statement titled: The protection of personal data and privacy in a globalized world: a universal right respecting diversities (usually cited as the Montreux Declaration).45
The Declaration called for the development of an international convention on data protection, and it is one of the most signifi cant efforts to harmonize data protection laws around the globe.
Specifi cally, the Declaration stated:
The Data Protection and Privacy Commissioners express their will to strengthen the international recognition of the universal character of these
principles. They agree to collaborate in particular with the governments and international and supra-national organisations for the development of a universal convention for the protection of individuals with regard to the processing of personal data.
To this end, the Commissioners appealed:
a. to the United Nations to prepare a legal binding instrument that clearly sets out in detail the rights to data protection and privacy as enforceable human rights;
b. to every Government in the world to promote the adoption of legal instruments of data protection and privacy according to the basic principles of data protection, and also to extend it to their mutual relations; and
c. to the Council of Europe to invite, in accordance with article 23 of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, known as Convention 108, non-member States of the Council of Europe that already have a data protection legislation to accede to this Convention and its additional Protocol.
Strengths and limitations of the IDPC initiative
Strengths of the International Data Protection Commissioner’s initiatives include: the signifi cant global infl uence and profi le of the DPCs;
their real world experience and insight into current issues; and
the emphasis on the CoE Convention as a global platform (rather than proposing something completely new).
Limitations of the International Data Protection Commissioner’s initiatives include:
a lack of formal structure or follow-up; and
the non-binding nature of the declaration.
Lessons learned from the global initiatives These four global initiatives have demonstrated some welcome consistency in the underlying privacy principles - there is a good crossover between the CoE and OECD Principles, with perhaps just some minor concerns regarding the principle of ‘proportionality’.
However, only the CoE has had a signifi cant ‘real world’ impact to date. The other initiatives have infl uenced the development of some laws, but they have not driven effective interoperability. The CoE Convention 108 is the most signifi cant development and sets a benchmark for baseline data protection legislation. The CoE also welcomes engagement with developing nations, and offers the most promise of a global solution.
It is important to note that the U.S. stands slightly aside from these global developments. The U.S.
appears unlikely to join any international agreement unless substantial efforts are made to accommodate
their very different approach to privacy protection.
However, as we will see in the next chapter, they are more closely engaged with some important regional initiatives.
The following table shows the position of each of the four global initiatives on a ‘spectrum’ for each of the key challenges identifi ed in this study.
Table 2. Strengths and limitations of the main global initiatives in addressing key challenges in the development and implementation of data protection laws
Table 2. Strengths and limitations of the main global initiatives in addressing key challenges in the development and implementation of data protection laws
Very weak Weak Moderate Strong
Addressing gaps in coverage
IDPC OECD
UN CoE Convention
Addressing new
technologies IDPC
UN
CoE Convention
OECD
Managing cross border data transfer restrictions
OECD IDPC
UN
CoE Convention
Balancing surveillance and data protection IDPC
OECD CoE Convention UN
Strengthening enforcement
OECD UN IDPC
CoE Convention
Determining jurisdiction OECD IDPC
UN CoE Convention
Managing the compliance burden
IDPC UN
CoE Convention
OECD
Source: UNCTAD