OECD Privacy Guidelines Review
Review of OECD Privacy Guidelines
The OECD Guidelines on Privacy and Transborder Data Flows provide a foundational framework that has formed part of the basis for many of the world's data protection regimes. The OECD is undergoing a review of this seminal document, and has circulated a questionnaire to stakeholders. In its attempt to answer the OECD's questionnaire, Industry Canada has sought input from Canadian groups.
In its repsonse, CIPPIC recognized the need to facilitate cross-border data flows, but highlighted the need for this to be achieved by establishing an adequate level of privacy protection across all jurisdictions. The OECD should avoid trasnborder solutiosn adopted by other bodies such as APEC that seek to address transborder data flows by eroding privacy protections across the board, or normalizing protections at the lowest common denominator. Adopting such a solution would work to undermine the protection of privacy at a time when its protection has become increasingly tenuous and critical to individual empowerment, consumer protection and democratic principles.
Further, while some have called for a simplification of international privacy instruments, there is no need and little benefit in doing so. To begin with, the Guidelines consist of a set of high level principles. These are not overly complex or prescriptive to begin with. More importantly, in the 30 years since the Guidelines initial adoption, a robust and sophisticated international privacy dialogue has emerged, eliminating the possibility of confusion or overbroad application of privacy concepts and norms. In light of this, there is little need to simplify these princpiles as it is quite clear what they mean.
In addition, new principles should be adopted in order to bolster what has become a consent paradigm for privacy protection that often fails to attain truly meaningful consent. These include an explicit right to anonymity, a right of refusal, and over-arching reasonableness/proportionality criteria, and a privacy by default requirement.