Concerns about the cross-border flow of personal data come in two flavors. First, there is the concern that international transfers of data could allow private actors to side-step local or regional data protection rules, using the global internet to avoid local accountability. This has led to the establishment of data localization rules, but also mechanisms to enable trusted commercial data flows, such as the voluntary but enforceable Cross-Border Privacy Rules. Second is the concern that data flows can facilitate government access to personal data for law enforcement or national security purposes, which may exceed local norms and expectations.

The latter concern was the subject of the Court of Justice of the European Union case known as “Schrems II.” Accordingly, the recent EU-U.S. Data Privacy Framework focused on shoring up practices related to the proportionality of U.S. government access and redress mechanisms available to EU individuals. Since commercial practices were not at issue in the decision, the new framework does not impact the commitments that U.S. businesses must make to legally transfer data — that is, once the European Commission grants adequacy to the framework.

At the same time, voices on both sides of the Atlantic and beyond have recognized that bilateral agreements like the DPF are not enough. Instead, establishing uniform standards for government access in democratic societies should be a top priority. Last month, the Organisation for Economic Co-operation and Development announced a major milestone toward reaching this goal, the promulgation of “guidelines on the protection of privacy and transborder flows of personal data.” As the OECD explained:

“One basic concern at the international level is for consensus on the fundamental principles on which protection of the individual must be based. Such a consensus would obviate or diminish reasons for regulating the export of data and facilitate resolving problems of conflict of laws. Moreover, it could constitute a first step towards the development of more detailed, binding international agreements.”

The OECD guidelines endeavor to do just this, setting out basic principles for the protection of personal data along with recommendations for how governments can ensure their protection. The foundational principles are straightforward and should be familiar to any privacy professional, as they echo the fair information practice principles: collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation and accountability. But the core of the guidelines comes into play in parts 4 and 5, which describe how countries should establish rules to meet the principles and facilitate international cooperation. Specifically:

“Member countries should establish legal, administrative or other procedures or institutions for the protection of privacy and individual liberties in respect of personal data. Member countries should, in particular, endeavor to:

  1. adopt appropriate domestic legislation;
  2. encourage and support self-regulation, whether in the form of codes of conduct or otherwise;
  3. provide for reasonable means for individuals to exercise their rights;
  4. provide for adequate sanctions and remedies in case of failures to comply with measures which implement the principles set forth in Parts Two and Three; and
  5. ensure that there is no unfair discrimination against data subjects.”

The adoption of such standards by the OECD represents a major milestone for the future of international cooperation on trusted data flows. Reading the five bullet points above, it is hard not to hear echoes of the decades-old bilateral dialogue between the EU and the U.S. An agreement on these first principles is a necessary initial step toward creating guardrails for government access that transcend bilateral relationships.

Putting these into practice will be difficult, but starting from a uniform foundation will help. After all, you can’t use an old map to explore a new world.

Here's what else I’m thinking about:

  • The legislative session ended without a privacy bill. Once the 118th Congress gets its footing, we will be watching closely for the first privacy legislation of the new term. All the headliners are likely to make a comeback, from the American Data Privacy and Protection Act to the Kids Online Safety Act and Children's Online Privacy Protection Act 2.0. Whether they will pass this term under a divided Congress is another question entirely. Of course, at the state level, legislators are already busy, with four comprehensive privacy bills introduced so far in 2023.
  • The Democratic minority leadership in the House Energy and Commerce Committee hired new subcommittee staff. Ranking member Rep. Frank Pallone, D-N.J., announced he is promoting Jennifer Epperson to be the Communications and Technology Subcommittee’s chief Democratic counsel and hiring Lisa Hone to serve the same role for the Consumer Protection and Commerce Subcommittee. Hone spent over a decade each at the Federal Communications Commission and Federal Trade Commission before serving as the White House National Economic Council’s Senior Broadband and Technology Policy Adviser.
  • President Biden re-nominated Gigi Sohn for the vacant FCC commissioner seat. Sohn’s nomination has been in limbo for more than six months. The re-shuffled Senate will be more likely to act to confirm the nomination.
  • Joe Jones crossed the pond. The U.K.’s former “top data flows official,” as Politico described him, has joined IAPP as our Director of Research and Insights.

Under Scrutiny

  • MSG Entertainment, owner of iconic New York City events venues, is the subject of an investigative article by the New York Times’ Kashmir Hill and Corey Kilgannon about its use of facial recognition technologies to enforce an “attorney exclusion list,” after enrolling faces using public images from law firm websites.

Upcoming happenings

  • Jan. 18 at 11 a.m. EST, the IAPP hosts a LinkedIn Live, Privacy in Practice: Our top 3 for 2023 (virtual).
  • Jan. 25 at 3 p.m. EST, the IAPP hosts a LinkedIn Live, Data Privacy Day and 2023 Predictions (virtual).
  • Jan. 24 at noon EST, the Center for Democracy and Technology hosts a webinar, Protecting Civil Rights in the World of Automated Employment Decisions (virtual).
  • Jan. 28 is Data Privacy Day, or Data Protection Day, if you prefer.
  • Jan. 31 at 10 a.m. EST, the U.S. Equal Employment Opportunity Commission hosts a hearing, Navigating Employment Discrimination in AI and Automated Systems: A New Civil Rights Frontier (virtual).
  • Jan. 31 at 10 a.m. EST, Social Movement Technologies hosts a virtual training, Mastodon How-To for Activists, Organizations, Movements and Journalists.

Please send feedback, updates and multilateral proposals to cobun@iapp.org.