The Hon Michael Kirby AC CMG, former Justice of the High Court of Australia, serving from 1996 to 2009, has been appointed honorary member of Dansk Privacy Netværk (Danish Privacy Network). In his role as honorary member, Michael Kirby will advise the network on international privacy and human rights issues and joining Dansk Privacy Network in promoting the importance of privacy and data protection in a globalized world.
“Michael Kirby´s dedication and activism has over a sustained period of time made significant impact on human rights and privacy and for this he has been recognized worldwide. We are truly honored to have the pleasure to work with Michael Kirby in the future”, said Frederik Kortbæk, LL.M. and coordinator of Dansk Privacy Netværk.
As a contribution Michael Kirby is pleased to post one of his two speeches he gave at the OECD in Paris in March 2010, on the 30th anniversary of the OECD Guidelines on Privacy as follows:
THE OECD REVISITED
One does not normally think of the OECD as a sentimental organisation, afflicted by nostalgia. It was therefore a surprise to be invited back to the Chateau de la Muette to join in this reflection on the 30th anniversary of the adoption of the OECD Guidelines on Trans-border Data Flows and the Protection of Privacy of 1980 (the “Guidelines”).
I chaired the expert group established under DSTI/ICCP which was tasked with preparing the Guidelines in less than two years. The final meeting that adopted the Guidelines and recommended them, ultimately to the Council of the OECD, took place in this room of the Chateau. Before the magnificent new conference centre was built, adjoining the Chateau, we did not ordinarily meet in such congenial venues. Normally, we were consigned to a large meeting room in a dungeon in the Secretariat building. This isolated us from the beauties of Paris and civilisation, we had no alternative but to concentrate on our work and to get it completed as quickly as we could. When we concluded our work, it was like a scene from Fidelio. We were like prisoners, released into the sunlight of the Chateau, photographed on its steps and collected under the flags of the OECD nations, then fewer in number than is the case today. Essentially, at that time, the OECD was confined to the democratic market economies of Western Europe, North America, Japan and Australasia. So I return with pleasure to this room that is full of memories of the remarkable personalities who worked to achieve the success that the Guidelines have undoubtedly proved to be.
I am specially glad to return to this room and the meeting of the Working Party on Information Security and Privacy (WPISP), chaired by a fellow Australian, Keith Besgrove. I am not sure how he was elected to his high office. Indeed, I am not sure how that privilege fell to me. I was sent to Paris in 1978 because the Australian Law Reform Commission, of which I was then Chairman, was mandated by the Australian government to prepare new federal laws on privacy protection. Dialogue with experts from countries with similar legal and economic circumstances was considered useful to our task. That is how I made it to Paris. I can only assume that my election to chair the expert group came about because the member countries outside Western Europe were deeply suspicious of the bureaucratic tendencies of the European culture. For their part, the Europeans could not tolerate the idea of a non-European chair for the expert group, at least not one from a nation of significant economic and political power. I presume that that is how the choice fell to me. Perhaps like Chairman Besgrove, it is best not to enquire too closely as to how the electoral process in OECD delivered our respective names.
A trans-continental committee of experts thus began its enquiry 32 years ago. It was stimulated by outstanding assistance from the OECD Secretariat, led in this instance by Mr. Hanspeter Gassmann, assisted by Professor Peter Seipel (Sweden) as consultant, and by Miss Alice Frank, also of the Secretariat. I pay tribute to the assistance of the OECD officials. Since 1980, I have worked in many United Nations and international organisations. None can boast of a more talented team of officials than the OECD.
THE INTERNATIONAL BACKGROUND
Why did the OECD establish such a group? This is not generally an institution devoted to human rights concerns, such as the protection of individual privacy. Generally speaking, basic rights, the rule of law and democratic governance are broad assumptions upon which the OECD operates for the provision of technical advice and assistance, mainly on economic and technological issues. There have been exceptions, such as the important work of the Organisation to confront international corruption and to address issues of nuclear power and climate change. But, ordinarily, this is not a house concerned with human rights protection. That task is generally left to other bodies, including UNESCO, whose seat is established on the other side of this city. So why the sudden interest of the OECD in protecting privacy in the context of trans-border data flows (TBDF)?
The answer to that question can be derived from the historical background to the establishment of the expert group and the commonalities of the technology that lay behind the need for international guidelines. So far as the background was concerned, it can be traced to the recognition, after the Second World War, in human rights instruments such as the Universal Declaration of Human Rights (Art.12), of the basic right to privacy. Elaborations of that notion followed in the 1960s in academic writing (such as that of Alan Westin, Paul Sieghart and Professors Rule and Cate of the United States), and in official reports (such as those of Kenneth Younger (UK) and Bernard Tricot (France)) addressed to the particular problems of privacy in the context of the new technology for automated data processing. The capacity of this technology to expand and expedite the analysis of personal data and to create connections not otherwise perceived was recognised as presenting new problems for privacy as that notion was to be understood in its wider, modern sense. That recognition led to initiatives in various international bodies that provided the background for the OECD’s work:
In the Nordic Council in 1971, where the Scandinavian member states of the OECD built upon the early work on legislation for privacy protection in Sweden, beginning in 1969, reported in 1972 and resulting in one of the first data protection laws in 1973;
The Council of Europe, in turn, drew upon the foregoing in the development of ministerial resolutions in 1973 and 1974 and in the design of a Convention (No.108) addressed to the various consequences of automated personal data;
The Commission of the European Economic Community (as the European Union was then named) also began work that would ultimately bear fruit as the influential European Union Directive on privacy; and
Other international bodies also became interested, including UNESCO, and, by 2000, the Asia-Pacific Economic Co-Operation Organisation (APEC) with its Privacy Framework addressed to the member states in that fast-growing region of the world.
Some of the foregoing developments lay in the future as we met for the first time at OECD in 1978. But this much was already clear. The technology of informatics was fast changing. Even by 1978, it was apparent that the technology was increasingly transnational. Its social consequences could not be exhaustively dealt with by national laws. TBDF were becoming an established feature of the application of informatics. There was therefore a need for commonality in the approaches adopted by member states of the OECD. Otherwise, the beneficial advantage of TBDF for freedom in the flow of facts and opinions and for creative ideas for economic and social development, might be impeded.
Within Western Europe, by 1978, it was possible to bind the approaches of member states of the Council of Europe to a binding treaty, agreed amongst those states to reflect the highest common denominator of their collective opinions. But, by 1978, it was already obvious that the largest player in the processing of automated data (including for airlines, hotels, business, insurance and banking information) was the United States of America. Securing the agreement of that major economic player to a binding treaty faced two apparently inseparable obstacles. The first was the need, in the ratification of any such treaty, for the concurrence of the United States Senate, traditionally suspicious of such engagements. And the second was the strong affirmation of free flows of information expressed in the First Amendment to the United States Constitution. This provision created a bedrock of support for flows of data, to the largest extent possible, unimpeded by governmental regulation (“Congress shall make no law …”). The possibility of the United States subscribing to a European Convention on this subject was bleak. These realities defined the boundaries of any successful enterprise within the OECD, designed to encourage as high a level of consensus about the applicable principles as could be reached among the participants without resort to be a binding treaty.
MUTUAL DOUBTS AND CONCERNS
To the foregoing obstacles to progress had to be added other deep concerns, bordering on suspicions, which were often unexpressed; but every now and again came to the surface. They revealed a chasm, seemingly deeper than the Atlantic Ocean, between the underlying values reflected in the developments occurring in Europe, on the one hand, and the legal and social culture of the non-European nations, especially the United States, on the other:
For the European nations, the memory of the misuse of personal data by security police, the military and other officials in the mid-20th century was still fresh. For them, this was not a theoretical problem. It was an urgent task to establish controls on the potential of the newly automated personal data to enhance the power of the over-mighty state and to diminish the liberties of ordinary citizens. It must be remembered that in 1978, the world was still faced by the Cold War and the divisions symbolised physically by the Berlin Wall. It is a privilege today to return to the OECD, with the Russian Federation sitting at the table of WPISP. None of us should forget the contributions of the Red Army and the Soviet peoples in the Second World War to the defeat of fascism and to the creation of the circumstances in which Europe could flourish and democratic governance could emerge and expand;
On the other hand, the United States experts, in particular, were deeply suspicious of some of approaches of the European nations, participating in the work of the Council of Europe. In particular, they were anxious about the suggested inclination of the European states to create large bureaucracies empowered to impede TBDF. Occasionally, they hinted darkly that these were initiatives with an ulterior motive. This was to impede the all too obvious success of United States technology and to provide protective walls behind which the European technology of informatics might grow and compete. The Europeans, for their part, sometimes speculated that the American devotion to free flows of data and First Amendment values was actually underpinned by the then current pre-eminence of United States information technology.
Finding a bridge between these competing attitudes, laws and interests was a great challenge. It was a much greater challenge than that faced in securing common agreement within the Council of Europe or the European Communities. It was the challenge which the OECD expert group accepted, addressed and eventually surmounted.
LESSONS FROM THE GUIDELINES
By inviting a reflection on the 1980 Guidelines, and their impact on the development of law and policy in so many countries, not only within the OECD, it must be assumed that a purpose was to derive lessons for the current work of WPISP and indeed of DSTI and ICCP within the OECD. Looking back at the achievements and influence of the OECD Guidelines on privacy of 1980, what are some of the lessons that I can suggest?
International principles: Well into the latter part of the twentieth century, law was basically a discipline of nation states. Ordinarily, it applied within their geographic limitations. International law, and international principles and policy, were sometimes important for nation states in dealings with one another. But they were rarely of significance to the natural and legal persons operating within such states. All of this has now changed. The growth of the impact of international law and policy on the legal discipline is the greatest change that has come upon the law in my professional lifetime. A development encouraging this advance has been the spread of global technology. With that technology have come new problems that cross borders and are sometimes insusceptible to effective local solutions. It is this phenomenon that has stimulated the need for international law, principles and policy to fill the gaps left in the spaces between the operation of national regulation. Today, even the most powerful nation states recognise this. It was already recognised as we entered the OECD in 1978 to embark on the task of preparing the Guidelines on privacy;
Conventions and guidelines: Part of the response to such international needs has been evidenced by the growth of treaty law and of international customary law which binds member states. Yet in some instances, the development of treaty law is difficult, painstaking and extremely slow. Meantime, the technological and other problems race ahead. To do nothing is to make a decision. Recognising the near impossibility, certainly in the short run, of securing adherence of the United States of America (and other non-European nations) to a binding convention on TBDF, imposed on the OECD expert group the discipline of looking to another solution. That solution was the elaboration of guidelines that would help import into non-European practice such of the transnational principles that were being developed in Europe as were also accepted in the democratic market economies of non-European OECD member countries;
Information policy: It was also recognised, virtually at the outset, that there was a special problem of regulating national practice in respect of information policy in the United States. This was because of the First Amendment values that lie deep in the responses of United States politicians, officials and lawyers to any regulation that endeavours to impose restrictions on free flows of information. As well, the European tendency to create data protection authorities with large vetting and pre-authorisation powers, ran into two specific problems within the expert group. The first was the general inclination of common law countries to avoid bureaucratic solutions of that kind and to rely instead upon a remedial structure, utilising broad principles established as precedents by the decisions of superior courts. By 1978, there were also moves in the democratic debates of North America, Japan and Australasia to reduce the expansion of government and to contain the growth of bureaucracy. These developments made the adoption of recommendations for the creation of large data protection authorities outside Europe, effectively unthinkable. They demanded that the mode of implementation of the principles agreed in the Guidelines should be left by the OECD to the local legal tradition and culture;
TBDF and their implications: It was the international character of TBDF that afforded the OECD, at once, its challenge and its opportunity. A European Convention was important. But of its nature, it could only go so far. Countries outside the European area would be influenced by its rules. But not bound by them outside the European sphere. Securing a means of addressing the international character of data flow provided the stimulus for an intercontinental solution. Effectively, only the OECD could provide this. And provide it, it did.
General guidelines: Obviously, the adoption of “soft” international principles rather than binding international law meant that any product of the OECD would lack the precision and immediate effectiveness of a binding treaty. On the other hand, because on an inter-continental level, such a binding treaty was out of the question (certainly in the short term) guidelines became the best that could be achieved. To the extent that such guidelines influenced local law, official policy and business practice, they could help harmonise the European system of law with the legal regimes applicable in advanced economies outside Europe. In this way, the guidelines solution (and their use of the verb “should” rather than “shall”), became a positive strength of the OECD Guidelines. The Guidelines (in para.19) left it to member countries to “establish legal, administrative and other procedures and institutions for the protection of privacy and individual liberties in respect of personal data” in the various ways mentioned and encouraged them to engage in international co-operation (para.20-22). They therefore imposed duties of imperfect obligation. But they were duties nonetheless. And, on the whole, have been taken seriously by the countries that are parties to the OECD Convention. The commonalities between those countries in matters of governance and economic co-operation have helped to promote what seemed, on their face, to be weak general rules into a substantial stimulus to legislative, executive and judicial action. In this way, the Guidelines have provided an important impetus to harmonisation of the law, policy and practice. This was the result envisaged by the participants in the OECD expert group.
Don’t give up on privacy: Finally, although the OECD Guidelines have had a considerable influence in the thirty years since they were adopted, it must be accepted that technological developments that were not then known have added to the complexity of the world in which the Guidelines must now operate. 1980 was a time before the emergence of the internet, with its huge implications for the distribution of personal information. Ahead lay the many technological developments that would add to the challenges to privacy protection: including biometrics; smart cards; location detection technology; social networks; use of radio frequencies and so. I do not pretend that the OECD Guidelines solve every problem that this new technology presents. Indeed, I concede that some of the capacities of information technology since 1980 present new challenges that we did not consider or even know of when we drafted the Guidelines and adopted them in 1980.
In particular, the use limitation principle in para.10 of the Guidelines may need re-consideration. That paragraph states:
“10. Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with paragraph 9 except:
a) With the consent of the data subject; or
b) By the authority of law.”
In para.9, it is provided that personal data should be collected by reference to specified purposes and subsequently used only for those purposes or others compatible with them. This was an accurate privacy principle at the time of its adoption. However, the capacity of search engines to utilise old, even very old, personal data for a purpose quite different from that for which the information was originally collected and provided, presents a difficulty in treating those paragraphs as a full explanation of the governing principle or policy.
No-one could suggest that search engines and the internet, with their marvellous capacity to enhance human knowledge, should be forbidden or pre-controlled. Certainly not by OECD member countries. However, there may be a need to reconsider how the purpose specification and use limitation principles in paras.9 and 10 of the 1980 Guidelines are to apply in a new century utilising radically new technology. As well, the notion of “consent” referred to in para.10 needs a lot of attention. To what extent does the data subject truly have a power to consent or to withhold consent where, as is now often the case, the data subject is so heavily dependent on the internet for the provision of goods, services and government facilities?
Most of us today have internet profiles, available to varying extents for use by others who make decisions concerning our lives. In 1980, it was still substantially possible to “live down” erroneous public attacks or false allegations. In the print media of those times, it was often said that false accusations would be wrapping the fish and chips in the following week. But no more. Electronic personal data will, ordinarily, exist forever unless the law imposes limitations because of the risks of use of out-of-date, false and damaging materials or unless technology itself affords new means of effective expungement of such data.
The fundamental principle of the OECD Guidelines, expressed in para.13, was the right of the individual to retain control over the data penumbra concerning himself or herself. If that core principle is kept in mind, it should be possible to develop additional guidelines, practices or elaborations to make sure that the basic idea of personal autonomy and self-control that lay behind the 1980 Guidelines is preserved in the context of radically different technology of today.
I thank this working party for providing an opportunity to recount something of the history of the OECD Guidelines of 1980. It was a privilege to be part of their development. I pay tribute to the OECD Secretariat and to my colleagues on the expert group. Their spirits are alive in the Chateau today as we remember this notable achievement of the OECD.
Download the speech as PDF here.