Where are we converging? What progress are we making toward common standards?
It is 50 years since the first recognisable data protection law, the Datenschutzgesetz of the German State of Hessen, was enacted and then came into force in 1970. It is 40 years since the development of the first two international agreements in relation to data protection, the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (‘OECD Guidelines’) and the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (‘Convention 108’), both completed in 1980.
Both international instruments responded to a fundamental question with which we still grapple today: how can the flow of personal data between countries be guaranteed, or at least facilitated, by minimum standards for data protection agreed between groupings of countries (members of the OECD and the Council of Europe respectively)? Their required data protection principles were substantially similar, but slightly higher in Convention 108.
Forty years later, 136 countries have enacted data privacy laws which meet the shared standards of these 1980s instruments. Although there has also been a modest increase in membership of the OECD, and of accessions to Convention 108 by countries outside Europe, most countries with data protection laws are not yet included.
However, there have also been further international instruments which deal with the same issues of establishing minimum data protection standards in order to allow flows of personal data, in regions such as the European Union, West Africa, the African Union, and the member economies of APEC. Latin American Data Protection Authorities have also established their own recommended standard, at the request of their governments. New subsidiary instruments have also been developed, such as Standard Contractual Clauses and Binding Corporate Rules.
What are considered to be the necessary ‘minimum standards’ that must be met have also risen, most notably with the EU’s recent General Data Protection Regulation, and the revised ‘Convention 108+’, but also to a much lesser extent with the OECD and APEC instruments.
Meanwhile, the extent to which the international economy and modern life utilise and rely upon cross-border transfers of personal data has increased exponentially since the 1980s. But the core issue remains: the necessity for minimum standards of data protection to be agreed, and for international flows of personal data to be consistent with them.
The first panel of the Conference’s Open Session addresses this issue in a positive way, seeking to bring together perspectives from each of the main regions of the globe that are developing instruments and techniques to deal with this issue, in order to identify convergence of approaches, and to suggest how they can be further strengthened into common standards.
My own suggestion is to start by looking at the principles actually enacted in 136 countries to date, with more soon to come. They are of consistently increasing strength, and they usually require something equivalent before international flows of personal data can be ‘free’ of transaction costs and impediments. Convergence on higher standards, in agreements with greater global coverage, will ultimately be effective even if some countries stand outside it with resulting higher transaction costs for their own economies.
But there are obstacles to convergence on higher standards, on which today’s panellists might comment:
- Adequacy decisions are slow arriving – and the first one under the GDPR has not added much to our understanding of what ‘adequate’ means. Can’t the EU do better?
- The existing Convention 108 had moderate success in attracting 8 non-European Parties. BUT how many countries are likely to be able to ratify the modernised Convention 108Plus, with its higher standards?
- The OECD Guidelines have had little development toward higher standards in 40 years since 1980, and the APEC Framework is similar. How can they lead anywhere?
- APEC’s Cross-Border Privacy Rules has only two countries fully involved after 7 years – the USA and Japan – and only tiny numbers of companies certified. Isn’t it dead?
- Will the African Union data protection and cybercrime Convention ever obtain enough ratifications to come into force? AND will Latin America ever develop an enforceable Convention?
For more information about ICDPPC 2019 visit www.privacyconference2019.info
Graham Greenleaf AM, Professor of Law & Information Systems, UNSW Australia. Mr Greenleaf is the moderator of ‘Panel I: Global convergence in data protection law’, Open Session, 41st International Conference of Data Protection and Privacy Commissioners, Tirana, Albania.