The Honourable Justice Michael Kirby appointed honorary member of Dansk Privacy Netværk

The Hon Michael Kirby AC CMG, former Justice of the High Court of Australia, who served from 1996 to 2009, has been appointed honorary member of Dansk Privacy Netværk (Danish Privacy Network). In his role as honorary member, Michael Kirby will advise the network on international privacy and human rights issues and join Dansk Privacy Netværk in promoting the importance of privacy and data protection in a globalized world.

“Michael Kirby's dedication and activism have, over a sustained period of time, made a significant impact on human rights and privacy, and for this he has been recognized worldwide. We are truly honored to have the pleasure to work with Michael Kirby in the future”, said Frederik Kortbæk, LL.M. and coordinator of Dansk Privacy Netværk.

As a contribution, Michael Kirby is pleased to post one of the two speeches he gave at the OECD in Paris in March 2010, on the 30th anniversary of the OECD Guidelines on Privacy, as follows:

One does not normally think of the OECD as a sentimental organisation, afflicted by nostalgia.  It was therefore a surprise to be invited back to the Chateau de la Muette to join in this reflection on the 30th anniversary of the adoption of the OECD Guidelines on Trans-border Data Flows and the Protection of Privacy of 1980 (the “Guidelines”).

I chaired the expert group established under DSTI/ICCP which was tasked with preparing the Guidelines in less than two years.  The final meeting that adopted the Guidelines and recommended them, ultimately to the Council of the OECD, took place in this room of the Chateau.  Before the magnificent new conference centre was built, adjoining the Chateau, we did not ordinarily meet in such congenial venues.  Normally, we were consigned to a large meeting room in a dungeon in the Secretariat building.  This isolated us from the beauties of Paris and civilisation; we had no alternative but to concentrate on our work and to get it completed as quickly as we could.  When we concluded our work, it was like a scene from Fidelio.  We were like prisoners, released into the sunlight of the Chateau, photographed on its steps and collected under the flags of the OECD nations, then fewer in number than is the case today.  Essentially, at that time, the OECD was confined to the democratic market economies of Western Europe, North America, Japan and Australasia.  So I return with pleasure to this room that is full of memories of the remarkable personalities who worked to achieve the success that the Guidelines have undoubtedly proved to be.

I am specially glad to return to this room and the meeting of the Working Party on Information Security and Privacy (WPISP), chaired by a fellow Australian, Keith Besgrove.  I am not sure how he was elected to his high office.  Indeed, I am not sure how that privilege fell to me.  I was sent to Paris in 1978 because the Australian Law Reform Commission, of which I was then Chairman, was mandated by the Australian government to prepare new federal laws on privacy protection.  Dialogue with experts from countries with similar legal and economic circumstances was considered useful to our task.  That is how I made it to Paris.  I can only assume that my election to chair the expert group came about because the member countries outside Western Europe were deeply suspicious of the bureaucratic tendencies of the European culture.  For their part, the Europeans could not tolerate the idea of a non-European chair for the expert group, at least not one from a nation of significant economic and political power.  I presume that that is how the choice fell to me.  Perhaps like Chairman Besgrove, it is best not to enquire too closely as to how the electoral process in OECD delivered our respective names.

A trans-continental committee of experts thus began its enquiry 32 years ago.  It was stimulated by outstanding assistance from the OECD Secretariat, led in this instance by Mr. Hanspeter Gassmann, assisted by Professor Peter Seipel (Sweden) as consultant, and by Miss Alice Frank, also of the Secretariat.  I pay tribute to the assistance of the OECD officials.  Since 1980, I have worked in many United Nations and international organisations.  None can boast of a more talented team of officials than the OECD.

Why did the OECD establish such a group?  This is not generally an institution devoted to human rights concerns, such as the protection of individual privacy.  Generally speaking, basic rights, the rule of law and democratic governance are broad assumptions upon which the OECD operates for the provision of technical advice and assistance, mainly on economic and technological issues.  There have been exceptions, such as the important work of the Organisation to confront international corruption and to address issues of nuclear power and climate change.  But, ordinarily, this is not a house concerned with human rights protection.  That task is generally left to other bodies, including UNESCO, whose seat is established on the other side of this city.  So why the sudden interest of the OECD in protecting privacy in the context of trans-border data flows (TBDF)?

The answer to that question can be derived from the historical background to the establishment of the expert group and the commonalities of the technology that lay behind the need for international guidelines.  So far as the background was concerned, it can be traced to the recognition, after the Second World War, in human rights instruments such as the Universal Declaration of Human Rights (Art.12), of the basic right to privacy.  Elaborations of that notion followed in the 1960s in academic writing (such as that of Alan Westin, Paul Sieghart and Professors Rule and Cate of the United States), and in official reports (such as those of Kenneth Younger (UK) and Bernard Tricot (France)) addressed to the particular problems of privacy in the context of the new technology for automated data processing.  The capacity of this technology to expand and expedite the analysis of personal data and to create connections not otherwise perceived was recognised as presenting new problems for privacy as that notion was to be understood in its wider, modern sense.  That recognition led to initiatives in various international bodies that provided the background for the OECD’s work:
  • In the Nordic Council in 1971, where the Scandinavian member states of the OECD built upon the early work on legislation for privacy protection in Sweden, beginning in 1969, reported in 1972 and resulting in one of the first data protection laws in 1973;
  • The Council of Europe, in turn, drew upon the foregoing in the development of ministerial resolutions in 1973 and 1974 and in the design of a Convention (No.108) addressed to the various consequences of automated personal data;
  • The Commission of the European Economic Community (as the European Union was then named) also began work that would ultimately bear fruit as the influential European Union Directive on privacy; and
  • Other international bodies also became interested, including UNESCO, and, by 2000, the Asia-Pacific Economic Co-Operation Organisation (APEC) with its Privacy Framework addressed to the member states in that fast-growing region of the world.

Some of the foregoing developments lay in the future as we met for the first time at OECD in 1978.  But this much was already clear.  The technology of informatics was fast changing.  Even by 1978, it was apparent that the technology was increasingly transnational.  Its social consequences could not be exhaustively dealt with by national laws.  TBDF were becoming an established feature of the application of informatics.  There was therefore a need for commonality in the approaches adopted by member states of the OECD.  Otherwise, the beneficial advantage of TBDF for freedom in the flow of facts and opinions and for creative ideas for economic and social development, might be impeded.

Within Western Europe, by 1978, it was possible to bind the approaches of member states of the Council of Europe to a binding treaty, agreed amongst those states to reflect the highest common denominator of their collective opinions.  But, by 1978, it was already obvious that the largest player in the processing of automated data (including for airlines, hotels, business, insurance and banking information) was the United States of America.  Securing the agreement of that major economic player to a binding treaty faced two apparently inseparable obstacles.  The first was the need, in the ratification of any such treaty, for the concurrence of the United States Senate, traditionally suspicious of such engagements.  And the second was the strong affirmation of free flows of information expressed in the First Amendment to the United States Constitution.  This provision created a bedrock of support for flows of data, to the largest extent possible, unimpeded by governmental regulation (“Congress shall make no law …”).  The possibility of the United States subscribing to a European Convention on this subject was bleak.  These realities defined the boundaries of any successful enterprise within the OECD, designed to encourage as high a level of consensus about the applicable principles as could be reached among the participants without resort to a binding treaty.

To the foregoing obstacles to progress had to be added other deep concerns, bordering on suspicions, which were often unexpressed; but every now and again came to the surface.  They revealed a chasm, seemingly deeper than the Atlantic Ocean, between the underlying values reflected in the developments occurring in Europe, on the one hand, and the legal and social culture of the non-European nations, especially the United States, on the other:
  • For the European nations, the memory of the misuse of personal data by security police, the military and other officials in the mid-20th century was still fresh.  For them, this was not a theoretical problem. It was an urgent task to establish controls on the potential of the newly automated personal data to enhance the power of the over-mighty state and to diminish the liberties of ordinary citizens.  It must be remembered that in 1978, the world was still faced by the Cold War and the divisions symbolised physically by the Berlin Wall.  It is a privilege today to return to the OECD, with the Russian Federation sitting at the table of WPISP.  None of us should forget the contributions of the Red Army and the Soviet peoples in the Second World War to the defeat of fascism and to the creation of the circumstances in which Europe could flourish and democratic governance could emerge and expand;
  • On the other hand, the United States experts, in particular, were deeply suspicious of some of the approaches of the European nations, participating in the work of the Council of Europe.  In particular, they were anxious about the suggested inclination of the European states to create large bureaucracies empowered to impede TBDF.  Occasionally, they hinted darkly that these were initiatives with an ulterior motive.  This was to impede the all too obvious success of United States technology and to provide protective walls behind which the European technology of informatics might grow and compete.  The Europeans, for their part, sometimes speculated that the American devotion to free flows of data and First Amendment values was actually underpinned by the then current pre-eminence of United States information technology.

Finding a bridge between these competing attitudes, laws and interests was a great challenge.  It was a much greater challenge than that faced in securing common agreement within the Council of Europe or the European Communities.  It was the challenge which the OECD expert group accepted, addressed and eventually surmounted.

By inviting a reflection on the 1980 Guidelines, and their impact on the development of law and policy in so many countries, not only within the OECD, it must be assumed that a purpose was to derive lessons for the current work of WPISP and indeed of DSTI and ICCP within the OECD.  Looking back at the achievements and influence of the OECD Guidelines on privacy of 1980, what are some of the lessons that I can suggest?
  • International principles:  Well into the latter part of the twentieth century, law was basically a discipline of nation states.  Ordinarily, it applied within their geographic limitations.  International law, and international principles and policy, were sometimes important for nation states in dealings with one another.  But they were rarely of significance to the natural and legal persons operating within such states.  All of this has now changed.  The growth of the impact of international law and policy on the legal discipline is the greatest change that has come upon the law in my professional lifetime.  A development encouraging this advance has been the spread of global technology.  With that technology have come new problems that cross borders and are sometimes insusceptible to effective local solutions.  It is this phenomenon that has stimulated the need for international law, principles and policy to fill the gaps left in the spaces between the operation of national regulation.  Today, even the most powerful nation states recognise this.  It was already recognised as we entered the OECD in 1978 to embark on the task of preparing the Guidelines on privacy;
  • Conventions and guidelines:  Part of the response to such international needs has been evidenced by the growth of treaty law and of international customary law which binds member states.  Yet in some instances, the development of treaty law is difficult, painstaking and extremely slow.  Meantime, the technological and other problems race ahead.  To do nothing is to make a decision.  Recognising the near impossibility, certainly in the short run, of securing adherence of the United States of America (and other non-European nations) to a binding convention on TBDF, imposed on the OECD expert group the discipline of looking to another solution.  That solution was the elaboration of guidelines that would help import into non-European practice such of the transnational principles that were being developed in Europe as were also accepted in the democratic market economies of non-European OECD member countries;
  • Information policy:  It was also recognised, virtually at the outset, that there was a special problem of regulating national practice in respect of information policy in the United States.  This was because of the First Amendment values that lie deep in the responses of United States politicians, officials and lawyers to any regulation that endeavours to impose restrictions on free flows of information.  As well, the European tendency to create data protection authorities with large vetting and pre-authorisation powers, ran into two specific problems within the expert group.  The first was the general inclination of common law countries to avoid bureaucratic solutions of that kind and to rely instead upon a remedial structure, utilising broad principles established as precedents by the decisions of superior courts.  By 1978, there were also moves in the democratic debates of North America, Japan and Australasia to reduce the expansion of government and to contain the growth of bureaucracy.  These developments made the adoption of recommendations for the creation of large data protection authorities outside Europe, effectively unthinkable.  They demanded that the mode of implementation of the principles agreed in the Guidelines should be left by the OECD to the local legal tradition and culture;
  • TBDF and their implications:  It was the international character of TBDF that afforded the OECD, at once, its challenge and its opportunity.  A European Convention was important.  But of its nature, it could only go so far.  Countries outside the European area would be influenced by its rules.  But not bound by them outside the European sphere.  Securing a means of addressing the international character of data flow provided the stimulus for an intercontinental solution.  Effectively, only the OECD could provide this.  And provide it, it did.
  • General guidelines:  Obviously, the adoption of “soft” international principles rather than binding international law meant that any product of the OECD would lack the precision and immediate effectiveness of a binding treaty.  On the other hand, because on an inter-continental level, such a binding treaty was out of the question (certainly in the short term) guidelines became the best that could be achieved.  To the extent that such guidelines influenced local law, official policy and business practice, they could help harmonise the European system of law with the legal regimes applicable in advanced economies outside Europe.  In this way, the guidelines solution (and their use of the verb “should” rather than “shall”), became a positive strength of the OECD Guidelines.  The Guidelines (in para.19) left it to member countries to “establish legal, administrative and other procedures and institutions for the protection of privacy and individual liberties in respect of personal data” in the various ways mentioned and encouraged them to engage in international co-operation (para.20-22).  They therefore imposed duties of imperfect obligation.  But they were duties nonetheless.  And, on the whole, have been taken seriously by the countries that are parties to the OECD Convention.  The commonalities between those countries in matters of governance and economic co-operation have helped to promote what seemed, on their face, to be weak general rules into a substantial stimulus to legislative, executive and judicial action.  In this way, the Guidelines have provided an important impetus to harmonisation of the law, policy and practice.  This was the result envisaged by the participants in the OECD expert group.
  • Don’t give up on privacy:  Finally, although the OECD Guidelines have had a considerable influence in the thirty years since they were adopted, it must be accepted that technological developments that were not then known have added to the complexity of the world in which the Guidelines must now operate.  1980 was a time before the emergence of the internet, with its huge implications for the distribution of personal information.  Ahead lay the many technological developments that would add to the challenges to privacy protection:  including biometrics; smart cards; location detection technology; social networks; use of radio frequencies and so on.  I do not pretend that the OECD Guidelines solve every problem that this new technology presents.  Indeed, I concede that some of the capacities of information technology since 1980 present new challenges that we did not consider or even know of when we drafted the Guidelines and adopted them in 1980.

In particular, the use limitation principle in para.10 of the Guidelines may need re-consideration.  That paragraph states:
“10. Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with paragraph 9 except:
a) With the consent of the data subject; or
b) By the authority of law.”

In para.9, it is provided that personal data should be collected by reference to specified purposes and subsequently used only for those purposes or others compatible with them.  This was an accurate privacy principle at the time of its adoption.  However, the capacity of search engines to utilise old, even very old, personal data for a purpose quite different from that for which the information was originally collected and provided, presents a difficulty in treating those paragraphs as a full explanation of the governing principle or policy.

No-one could suggest that search engines and the internet, with their marvellous capacity to enhance human knowledge, should be forbidden or pre-controlled.  Certainly not by OECD member countries.  However, there may be a need to reconsider how the purpose specification and use limitation principles in paras.9 and 10 of the 1980 Guidelines are to apply in a new century utilising radically new technology.  As well, the notion of “consent” referred to in para.10 needs a lot of attention.  To what extent does the data subject truly have a power to consent or to withhold consent where, as is now often the case, the data subject is so heavily dependent on the internet for the provision of goods, services and government facilities?

Most of us today have internet profiles, available to varying extents for use by others who make decisions concerning our lives.  In 1980, it was still substantially possible to “live down” erroneous public attacks or false allegations.  In the print media of those times, it was often said that false accusations would be wrapping the fish and chips in the following week.  But no more.  Electronic personal data will, ordinarily, exist forever unless the law imposes limitations because of the risks of use of out-of-date, false and damaging materials or unless technology itself affords new means of effective expungement of such data.

The fundamental principle of the OECD Guidelines, expressed in para.13, was the right of the individual to retain control over the data penumbra concerning himself or herself.  If that core principle is kept in mind, it should be possible to develop additional guidelines, practices or elaborations to make sure that the basic idea of personal autonomy and self-control that lay behind the 1980 Guidelines is preserved in the context of radically different technology of today.

I thank this working party for providing an opportunity to recount something of the history of the OECD Guidelines of 1980.  It was a privilege to be part of their development.  I pay tribute to the OECD Secretariat and to my colleagues on the expert group.  Their spirits are alive in the Chateau today as we remember this notable achievement of the OECD.

The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data turn 30 this year

On 23 September 1980, the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data were adopted. To mark the occasion, a conference entitled “30 years after: the impact of the OECD privacy guidelines” was held in Paris on 10 March 2010, as the first of three events celebrating the anniversary.

As early as the beginning of the 1970s, the OECD was aware that growing differences between national laws posed a risk to the free exchange of information between countries (trans-border data flow, hereinafter TBDF). In 1978, work began on drawing up common guidelines in close cooperation with the Council of Europe, which was preparing the convention on the protection of the individual in connection with the electronic processing of personal data. By ensuring certain minimum standards for the protection of privacy and individual liberties with regard to personal data, the hope was to reduce the need to regulate the export of personal data and to minimise problems arising from conflicts of laws.

A number of international experts have given their views on the historical challenges and the questions that motivated the development of the guidelines. Of particular interest is a keynote by The Hon. Michael Kirby AC CMG, who at the time chaired the OECD Expert Group on Transborder Data Barriers and Privacy Protection. Michael Kirby retired as a High Court judge in Australia in 2009, but remains a very active advocate for human rights and privacy. Earlier this year he received the Electronic Privacy Information Center's Privacy Champion Award in recognition of his achievements.

Michael Kirby begins by emphasising that it was the interest in the free exchange of data as a driver of economic efficiency, and thereby of democracy, good governance and the free market economy, that first attracted the OECD's attention. The OECD's analysis was that the concern of European governments and institutions for privacy would constitute a legal and economic obstacle to the free transborder exchange of information, which was strongly promoted by the United States. In Europe, breaches of privacy were not merely a theoretical danger: experiences during the Second World War of the misuse of personal data by the authorities were still vividly remembered in 1978. On the other hand, many non-European countries considered the treaty route to privacy protection to be bureaucratic, expensive to implement, an impediment to TBDF and possibly an expression of protectionism. The solution to this dilemma was that, instead of drafting a treaty, general principles would be set out as a basis for national legislation, in the hope that these principles would help reduce obstacles to the achievement of the OECD's objectives.

Kirby makes it clear that the expert group's task was not to “reinvent the wheel”, but to build on earlier contributions by the Nordic Council, the Council of Europe, the EU and academia, and to incorporate the principles emerging from that context into an intercontinental application covering other OECD member countries such as the United States, Canada, the United Kingdom, Japan, Australia and New Zealand.

According to Michael Kirby, the results of the OECD guidelines fall into 4 categories:

  • they build on earlier work
  • value added by the OECD, e.g. technology neutrality and clear allocation of responsibility
  • flexible implementation
  • their survival

Finally, Michael Kirby asks the question: “what about the future?” If the guidelines are to remain relevant and significant, Kirby stresses that one must be realistic. While recognising the objective value of TBDF, one must be aware that “the benefits of information technology can of course reach a scale that diminishes the individual's ability to control his or her own penumbra [read: sphere] of information.” One question that can be asked in relation to the OECD is: “Will the marginal utility of attempting to impede TBDF, in order to protect privacy, outweigh the marginal costs of such interference in the operation of TBDF?” It is necessary to face this dilemma honestly and to discuss it openly, so that decisions can be taken in full transparency. Although it must be acknowledged that there are certain limits to personal control over data and privacy, it is important not to give up on the protection of privacy, “which is a value deeply rooted in human beings and which affects their dignity and integrity”. The importance of empirical evidence is also emphasised, because the guidelines and other legislation and routines can only be effective if they are based on a precise and thorough understanding of how the relevant technology operates. In addition, there is the question of reconceptualisation. By this is meant that the OECD takes on a role in ensuring that the ongoing approaches to specific problems such as spam, cybercrime, malware etc. are in harmony with one another, and in being on guard against a fragmented approach to what are fundamentally integrated social and ethical problems. Finally, new challenges are pointed to in relation to mass surveillance, biometrics, RFID tags, body scanners etc., and it is noted that privacy advocates should constantly be on the lookout for PET solutions (privacy enhancing technologies).
The last 3 points discussed are the value of cross-border cooperation, the need for end-user learning and education in order to maintain society's awareness of the value of privacy, and the question of what the OECD should do to include representative views on privacy from the world's developing countries.

In closing, Michael Kirby praises the NGOs, public institutions, researchers and individuals working on privacy and information security, because the degree of control over the individual's personal data in the future will depend on their efforts.

I very much agree with Michael Kirby's views and assessments of the future, both with regard to the OECD's position and with regard to the protection of privacy in general. The OECD is a powerful body, and the way it has handled privacy is commendable and visionary. It is indisputable that the guidelines, which starting in 2011 will be scrutinised pursuant to the so-called Seoul Declaration of 2008, have had and will have great and central importance for privacy and personal data protection in the future, provided that one treads the path of experience and does not lose sight of one's landmarks.