
Symposium
Data Protection - Bridge between Privacy and the World Market
at the
Internationale Funkausstellung Berlin
30 August 1999

Data Protection on Global Networks in the Context of Electronic Commerce -
recent Activities of the OECD

Anne Carblanc

Organisation for Economic Cooperation and Development
http://www.oecd.org/dsti/sti/it/secur/index.htm

Main points

The Organisation for Economic Co-operation and Development (OECD) does not offer a single model, but rather a framework for countries to develop their own institutions and approaches in support of the three principles that bind its members: pluralistic democracy, respect for human rights and open market economies.

At the last OECD Ministerial Conference in Ottawa (7-9 October 1998), OECD Ministers reaffirmed "their commitment to the protection of privacy on global networks in order to ensure the respect of important rights, build confidence in global networks, and to prevent unnecessary restrictions on transborder flows of personal data". In particular, they declared that they would "work to build bridges between the different approaches adopted by Member countries to ensure privacy protection on global networks based on the OECD Privacy Guidelines".

The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data represent an international consensus on how best to balance effective privacy protection and the free flow of information.

The OECD Working Party on Information Security and Privacy, under the auspices of the Information, Computer and Communications Policy Committee, is taking forward the commitment made by Ministers at Ottawa. The Working Party has undertaken, in co-operation with industry, privacy experts and consumer groups, to provide practical guidance to Member countries on the implementation of the Guidelines in online environments.

The Working Party has adopted a pragmatic approach and decided to build an "html" experimental tool (OECD Privacy Policy Statement Generator) based on the OECD Privacy Guidelines. The aim of the project is to encourage the development among public and private organisations in the online environment of privacy policies and statements, and thus contribute to the online implementation of the Openness Principle in the OECD Privacy Guidelines [1]. It is expected that the widespread display on Web sites of privacy policy statements based on an international instrument such as the OECD Privacy Guidelines will foster education among Web site owners. It is also expected that the Generator will increase awareness among visitors about the privacy practices of Web sites which they browse.

The Working Party has also decided to examine the issues related to the use of transborder data flow contracts in the context of global networks, and in particular, questions such as which particular issues are most suited to be dealt with by contractual solutions in an online environment; how can a contract be most appropriately enforced; and what types of remedies could a contract provide to individuals outside their country.

Privacy in a Global Networked Society

The recent activities of the OECD in the field of privacy and personal data protection are conducted in the context of the development of the Global Information Society, and electronic commerce. The OECD's activities in this area are limited to the online environment.

It is the objective of the OECD today, as it was in the past when the 1980 Privacy Guidelines were developed, to help ensure the protection of privacy at an international level, and prevent unnecessary restrictions on transborder flows of personal data between its 29 Member countries.

The OECD is an appropriate Forum

The OECD is an appropriate forum to address privacy issues in the context of Global Networks because its framework ensures that individual efforts complement and reinforce each other, and that experiences of what works and what does not are widely shared.

The OECD is also an appropriate forum because it has:

  1. recognised worldwide experience in addressing legal, technological and policy issues related to privacy protection, security of information systems, the global information infrastructure and the global information society.
  2. a large membership base. The OECD serves 29 Member countries (including the European Union Member states, Canada, USA, Japan, Australia etc.)
  3. distinctive work procedures. In particular, the OECD co-operates with the private sector. This is particularly important in relation to those issues to be addressed in the context of global networks.

The importance of this third characteristic is emphasised by Jean-François ABRAMATIC in his recent report to the French Government entitled "Technical Development of the Internet": "In an environment which changes as much as that of the Internet, regulation is a permanent challenge. Dialogue, mediation, and experimentation are required before the direct application of rules conceived for a classic physical environment can be encouraged".

OECD Conferences on E-Commerce

The OECD started to focus on E-commerce, and privacy protection in the online environment, nearly three years ago.

At the Conference "Dismantling the Barriers to Global Electronic Commerce", held in Turku, Finland, Nov 1997, privacy protection emerged as one of the critical elements of consumer and user trust in the online environment and as a sine qua non condition for the development of electronic commerce.

At the Ministerial level Conference "A Borderless World: Realising the Potential of Global Electronic Commerce" held in Ottawa, Canada, Oct 1998, OECD Ministers adopted a Declaration on Privacy Protection on Global Networks and launched action in this area to be pursued over the next two years.

The next step is the OECD Paris Forum on Electronic Commerce which takes place in Paris on 12-13 October 99. It is the main goal of that conference to assess progress on the three Ottawa action plans which are:

  1. the OECD Action Plan
  2. the Report on International and Regional Bodies: Activities and Initiatives in Electronic Commerce
  3. the Global Action Plan for Electronic Commerce prepared by Business with Recommendations for Government

    Building Trust: the state of online privacy

    Not only is online privacy protection part of the OECD's program of work on e-commerce, but it is also one of the major elements for building trust in e-commerce. This means: instilling in the digital market-place an equivalent level of confidence to the one which is provided in the physical world.

    Why is privacy protection necessary to build trust in the online environment?

    Are not the potential substantial benefits allowed by E-commerce sufficiently attractive for consumers to browse the Web and buy online?

    It seems the answer would be "no": a number of surveys have shown that many consumers rank concern about the privacy of their data as the main reason why they avoid E-commerce.

    In particular, a privacy study undertaken by Prof. Culnan, McDonough School of Business, Georgetown University, and presented to the FTC at the beginning of June 1999, shows that while more than one third of surfers still say that the Net is a "serious threat to their privacy", this figure rises to 50 percent of people between the ages of 18 and 29.

    The OECD's approach to Privacy Protection

    The masterpiece "Day and Night" by M.C. Escher, a contemporary artist from the Netherlands, depicts black birds flying towards a daylight landscape, and white birds flying towards a dark night-time landscape.

    Because this picture reveals itself when it is read from left to right, and then from right to left, it is an excellent illustration of the OECD's approach to privacy protection on Global Networks. The OECD's approach is to recognise different interpretations or "readings", different cultures for privacy protection based on law or on self-regulation, with the aim of building bridges between these approaches on a commonly accepted basis: the OECD Privacy Guidelines.

    Brief Overview: 1997-1998

    The first steps taken by the OECD to build bridges between different approaches to privacy protection have been the following.

    In October 1997, OECD Member Countries reaffirmed that the OECD Privacy Guidelines are applicable with regard to any technology, and that their online implementation is a key element for building trust.

    In February 1998, a joint OECD-Private Sector Workshop on Privacy Protection in a Global Networked Society looked at how the OECD Privacy Guidelines may be implemented on Global Networks. The conclusions of the Workshop led to two studies being carried out in Sept 98:

    1. an analysis of the privacy policy practices of 50 Web sites in the OECD zone, and subsequent suggestions on how the OECD Privacy Guidelines may be implemented online. The contribution of a consultant, Serge Gauthronet, was interesting to the work of the OECD, even if not adopted by OECD Member countries.
    2. an Inventory of Instruments and Mechanisms to implement the OECD Privacy Guidelines on Global Networks which identifies the legal and self-regulatory privacy instruments which have been adopted on international, regional and national levels, and the various practices, techniques and technologies that are in use or are being developed to implement and enforce privacy on Global Networks.

    All documents are available on the OECD Web site.

    OECD Ministerial Privacy Declaration, Ottawa, October 1998

    The Ottawa Conference was an important step for the OECD's work on Privacy Protection. In their Declaration, OECD Ministers:

    1. reaffirmed their commitment to the protection of privacy on Global Networks in order to ensure the respect of important rights, build confidence in global networks, and to prevent unnecessary restrictions on transborder flows of personal data;
    2. declared that they would work to build bridges between the different approaches adopted by Member countries -- based on law and self-regulation -- to ensure privacy protection on global networks based on the OECD Privacy Guidelines;
    3. affirmed their determination to take the necessary steps, within the framework of their respective laws and practices, to ensure that the OECD Privacy Guidelines are effectively implemented in relation to global networks;
    4. recognised the need to co-operate with industry and business as well as relevant regional and international organisations;
    5. agreed for the OECD to provide practical guidance to Member countries on the implementation of the Privacy Guidelines in online environments, drawing on the experiences of Member countries and the private sector;
    6. decided to review the progress made in furtherance of the objectives of the Declaration within a period of two years.

    The Ottawa Ministerial Declaration sets the framework of the OECD's ongoing activities for 1999/2000 in the field of online privacy protection.

    1999: Work in Progress (1)

    The first part of the OECD's ongoing activities deals with the use of contractual solutions to the protection of privacy in online transborder data flows.

    Among other mechanisms for protecting privacy in the context of global networks, contracts have their place. This is particularly so in the case of transborder flows of personal data between countries which have adopted different approaches to privacy protection based on a statutory framework or on effective self-regulation.

    Contracts are agreements enforceable in law; they may complement and/or support compliance with a self-regulatory framework or statutory regime. They may also be a practical substitute in the absence of a data protection law or effective self-regulation. Contracts may build bridges between the different approaches to privacy protection in order to provide coherent and effective privacy protection on a global level.

    OECD Report on the use of TBDF Contracts in the context of Global Networks

    The OECD is currently preparing a report on the use of contractual solutions for TBDF in the online environment. This report, to be discussed next December, should focus on the OECD Privacy Guidelines, reflect the diversity and complexity of the issue of using contracts in a global environment, and take into account other work on this issue (e.g. carried out by the European Union, the Council of Europe, the International Chamber of Commerce etc.).

    OECD Member countries want to have some questions answered, such as how a contract can be most appropriately enforced, or what types of remedies a contract could provide to individuals outside their country.

    The report will examine, for Business to Business (B to B) contracts, as well as for Consumer to Business (C to B) contracts, issues such as content of contracts; certification and labelling; rights of data subjects. It will reference existing models (TBDF Model Clauses), and identify possible alternative(s). Finally, the report will examine dispute resolution mechanisms and enforcement, such as mediation, arbitration, litigation, enforcement and remedies.

    1999: Work in Progress (2)

    The second OECD ongoing project is related to the use of privacy policy statements in the online environment. This project aims to:

    1. encourage the widespread display on Web sites of privacy policy statements based on an international instrument such as the OECD Privacy Guidelines
    2. foster education among Web site owners, and
    3. increase awareness among visitors about the privacy practices of Web sites which they browse.

    Here, the OECD has adopted a pragmatic approach and decided, in co-operation with industry, privacy experts and consumer groups, to build an "html" Privacy Policy Statement Generator based on the OECD Privacy Guidelines.

    Why post a Privacy Policy Statement?

    Developing a privacy policy and posting a privacy statement that informs visitors to a Web site of an organisation's privacy policy is a positive step towards gaining consumer trust, provided that the statement is accurate. Accurate privacy statements also ensure that consumers are provided with the necessary information to make informed choices regarding their personal data.

    In other words, posting a Privacy Policy Statement is good business, and many big companies have said that they will not advertise on any site that does not clearly state its privacy policy (IBM, Microsoft, more recently Walt Disney etc).

    OECD Privacy Policy Statement Generator

    The OECD Privacy Policy Statement Generator is a valuable tool since its use as a global educational process is endorsed by all 29 OECD Member countries. When an organisation posts its privacy statement on a Web site, the statement will be available to, and relied on by, visitors globally.

    It is not a labelling procedure.

    How can this tool be educational?

    The Generator is made freely available by the OECD to all private and public organisations in order to provide guidance on how to implement the OECD Privacy Guidelines on global networks.

    Again, the Generator is not made available to "label" any Web site as compliant with these Guidelines. The OECD cannot guarantee that any personal privacy statement generated by an organisation through the use of the Generator meets applicable legal or self-regulatory requirements or accurately reflects the organisation's data protection practices.

    Developing an Online Privacy Policy: first step of the educational process

    An organisation in the process of developing a privacy policy must examine its data needs, analyse its actual data practices and establish clear guidelines regarding the use of collected personal data.

    From these guidelines a privacy statement can be generated.

    Organisations must then take the necessary steps to ensure that their posted privacy statement and privacy policy are consistent with their data practices, applicable laws and self-regulatory requirements.

    The Generator provides guidance on the policy and practical issues involved in the development (or refinement) of an organisation's privacy policy and statement. Important considerations are highlighted such as applicable national privacy requirements, substance and scope of policy statements, procedure to deploy and enforce them, or legal (and other) consequences of displaying such a statement.

    Advice on conducting an internal review and links to existing resources for the development of an organisation's privacy policy are also provided.

    Creating a Privacy Policy Statement: second step of the educational process

    Once an organisation's privacy policy is clearly defined, Webmasters are invited to answer a series of questions which are grouped into 10 sections. The content of the sections builds on the OECD Privacy Guidelines as well as additional material from the Convention 108 of the Council of Europe and the EU Data Protection Directive (95/46 EC).

    Throughout all of the Generator, Help notes provide organisations and Web sites with guidance about the applicable privacy principles and useful definitions. In instances where an answer may be given which is not consistent with the principles set out in the OECD Privacy Guidelines, guidance alerts them to that fact.

    The Generator then automatically produces a draft Privacy Policy Statement. The generated draft privacy statement is pre-formatted and must be edited by the organisation or Web site in order to accurately reflect its own privacy policy.

    Posting a Privacy Policy Statement: third step of the educational process

    Before posting their edited privacy policy statement online, organisations and Web sites are urged to check for:

    1. Legality. They must ensure that their statement complies with applicable national, regional or international law or self-regulation. Contact details of Government agencies, non-governmental organisations and private bodies are provided to help organisations and Web sites find further information regarding applicable regulation.
    2. Accuracy. They must ensure that the statement reflects their real data practices and that their organisation is prepared to follow through on procedures represented in the policy. Once a privacy policy has been posted on its Web site, an organisation will face certain legal responsibilities.
    3. Comprehension. They must ensure that their statement reads smoothly and that any errors are amended.

    It is finally recommended that questions including accessibility, visitor assistance, education, and implications are also considered.

    OECD Privacy Policy Statement Generator: Beta Version Public Testing

    The OECD Privacy Policy Statement Generator has been made available on the OECD Web site at the end of last August for a two-month testing period by the public. After this period, a revised version will be prepared which will take into account comments received from the public. This third, final version will be examined by the OECD and Member countries next December.

    The Generator is accessible through links on the OECD Web site, notably at the following address: http://www.oecd.org/scripts/PW/PWHome.ASP

    A special e-mail account has been set up to receive all comments on the Generator, which is accessible through links on the Generator.

    2000: Future Work

    Looking at the Ministerial Declaration, two other main issues remain to be considered in the near future:

    1. enforcement and dispute resolution mechanisms to address non-compliance with privacy principles and policies, and to ensure access to redress;
    2. Privacy-enhancing technologies.

    There is no need to stress the importance of these issues, especially the first one, in terms of reaching the objective of the OECD Ministerial Declaration to ensure effective privacy protection on global networks.

    OECD Member countries, namely the Working Party on Information Security and Privacy, which works under the auspices of the Committee for Information, Computer and Communications Policy, will adopt its programme of work for 2000 next December.

    [1] 09/09/99 The Openness Principle in the Guidelines states that "there should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller".

Last modified: 29.09.99