Even policies which are perfect in theory fail when they are not effectively supported in practice. The 'Accountability Concept', whereby accountability for privacy protection follows the date flow, is key development in making privacy policies more robust internationally.
In past blog postings, I have tracked the emergence of theaccountability concept in the delivery of effective privacy protection globally as it has rapidly gone from obscurity to prominence. This is no accident. It is the result of purposeful driving forward to develop the concept and apply it. It has been led by a number of very determined and persistent people, but no more so than the folk at the Center for Information Policy Leadership.
For too long, we have spent too much of the policy making energy on what comprises a suitable set of privacy principles. We have not spent enough energy on how to give effect to any set of privacy principles, especially when information flows have no respect for borders and jurisdictional limits. That is not to say that we shouldn’t make sure we have a good set of principles, but an ordinary set of principles well supported by compliance and enforcement processes will have vastly greater impact every time compared with a perfect set of principles without teeth.
Accountability may be deeply rooted in the longest standing sets of privacy principles, including the 1980 OECD Guidelines, but over the last couple of years, it has become the new buzzword in the realm of international dialogue about privacy governance. This could not have come at a better time when personal information has become ‘the new currency’ in this day and age.
When it comes to effective privacy compliance and enforcement, the greatest emerging concern is the internationalisation of data flows, facilitated by developments such as the outsourcing of IT services, the activities of multi-national corporations, the advent of cloud computing and the enormous growth of internet usage in general.
This is why the recent discussion paper by the Center for Information Policy Leadership on the EU’s renewed efforts to provide personal data protection is so important. In the paper, the Center makes the case for reforming the regime for international transfers by far the most pressing priority for reform of the EU Data Protection Directive.
CIPL is a US-based think tank at the forefront of global thought leadership and policy development for privacy and information security issues. It convened the Accountability Project in 2009 – currently in Phase II – to define the contours of accountability and to provide a new way to tackle data protection.
The CIPL’s discussion paper – A New Approach to International Transfers – introduces Binding Global Codes (BGCs), a new framework based on the Accountability principle, the essential elements of which are:
- Organisational commitment to custom-made internal policies which elaborate the general data protection principles.
- Mechanisms to develop and put policies into effect, including procedures, technologies, training and education.
- Systems for ongoing oversight, assurance reviews and external verification.
- Focus on risks and outcomes.
- Readiness to demonstrate the chosen approach to compliance.
I am very pleased about this paper, for two reasons.
Firstly, it indicates a judgment that the EU is ready for a proposal like this. Previously, I have argued for an accountability approach to transborder data flows, noting the flaws of the “adequacy of laws” approach of which the EU has long been a strong proponent. The EU is to be commended for being open to looking at options for change and seeking the best practice possible.
Furthermore, given its goal of developing policy from a business-process perspective, such a proposal by CIPL must imply that its members (ie, large US multi-nationals) are also willing to go with the proposed model. This would be very significant indeed.
Secondly, I feel that the current emphasis on accountability highlights something I have been saying for a long time – good data protection cannot arise from laws, rules and procedures alone. There needs to be a privacy framework built around developing trust in the system, based on rethinking about how risk is managed and allocated.
Accountability fits in beautifully here, because demonstrating that compliance is working effectively in practice is a key component to demonstrating trustworthiness and from which sufficient trust in the organisation can be developed. An organisation’s accountability for data protection also means that the risk is shifted away from individuals who, in light of increasingly complex technologies and business models, will find it difficult to make well-informed privacy decisions and seek their enforcement.
As part of the APEC Data Privacy Sub-Group, I am proud to have contributed to the Cross-Border Privacy Rules in the APEC Privacy Framework. At the very beginning of this, APEC renewed the focus on accountability by establishing accountability should follow the data as a privacy principle. This idea has subsequently being taken up by the ALRC in its recommendations for the Australian Government as well as the EU’s Data Protection Working Party mentioned earlier.
Next month, I will be in Washington DC to attend the IAPP annual Privacy Summit, which promises to be the biggest privacy gathering in history. It also provides the opportunity to participate in the next phase of the Accountability project, Phase III — The Madrid Project– with its focus on validation of compliance claims within an accountability framework.
I hope to have more to report on the Accountability project after that.