Data Protection

On July 13, 2010, the influential Article 29 Working Party (Working Party), consisting of all the European Union’s national data privacy regulators, adopted Opinion 3/2010 on the principle of accountability (Opinion).  This is an important contribution to the European Commission’s review of the European Data Protection Directive 95/46/EC (Data Protection Directive), a draft of which is now expected some time in late 2011.

The Opinion builds on good practice in the area of global regulatory compliance, advocating the introduction of a “principle of accountability” in the revised Data Protection Directive that “would explicitly require data controllers to implement appropriate and effective measures to put into effect the principles and obligations of the [Data Protection] Directive and demonstrate this on request.” Accountability is an established concept in global compliance terms, and the Opinion clearly signals that it is a concept whose time has come given the “‘data deluge’ effect” facing controllers, regulators and the general public alike, arising from exponential growth in the amount of personal data processed and transferred, increased technological developments and user interaction with such technologies, and increased risks of data breaches as more data is available and travels across the globe.

Data controllers will need to take a strategic, risk-based approach when determining effective and appropriate measures based on the nature of the personal information being processed and the risks represented by such processing.

The accountability principle first appeared in international guidelines on data protection published by the Organisation for Economic Cooperation and Development (OECD) nearly 30 years ago, and it also features in the Asia-Pacific Economic Cooperation Privacy Framework as well as Canada’s Federal Privacy law and numerous legal and academic texts and treatises on the subject. Accountability was most recently included in the Madrid Resolution of 2009 adopted by the International Conference of Data Protection and Privacy Commissioners, consisting of 80 data protection authorities from 42 countries around the world, including members of the Working Party.

Accountability – what does it mean in practical terms?

While the Working Party recognises that defining “accountability” is not straightforward, its aim is to encourage the development and adoption of:

  • Practical and concrete measures defined at the level of the controller
  • Controllers’ responsibility to demonstrate the effectiveness of such measures
  • Transparency to both individuals and the general public

by controllers taking appropriate and effective measures to implement data protection principles and demonstrating upon request that such measures have been taken.

When implementing the kind of measures envisaged – for example, a policy and process for dealing with subject access requests – the Opinion makes it clear that the “assignment of responsibilities” and the “training of staff involved in the processing operations” are indispensable to ensuring that the responsibilities at different levels of the organisation are fulfilled.

When it comes to demonstrating the effectiveness of such measures, the Opinion refers to monitoring, internal and external audits, and other control and oversight mechanisms familiar to organisations from established compliance programs in other regulatory fields, for example SOX or FCPA compliance.

The Opinion sets out a non-exhaustive list of “common accountability measures” for consideration, which begins with establishing internal procedures and developing effective measures prior to any new processing of personal data, and suggests appointment of a responsible data protection officer with sufficient resources allocated for privacy management, training and awareness.

Accountability ensures that data protection is built into all strategic decisions of an organisation, that risk is assessed, and that all levels of the organisation are involved, by advocating that controllers conduct privacy impact assessments and other “proactive measures”, such as:

  • Data loss/breach detection/prevention policies and procedures
  • Using “Privacy by Design” to develop and implement new technologies
  • Binding policies and procedures that measure compliance
  • Response plans that draw on lessons learned, mitigate harm and avoid future breaches

The Working Party envisages preparing general guidance setting out “a baseline of necessary elements for a standard data controller” and for large organisations “a model data compliance program.”

Looking (and Planning) Ahead

It is going to be several years before any revised Data Protection Directive is agreed and in force throughout Europe. In the meantime, organisations are encouraged to follow the lead of an increasing number of data controllers who are taking responsibility for their data privacy obligations through the adoption of robust data privacy compliance programs. In so doing, they are holding themselves accountable to their stakeholders, including data protection authorities and data subjects, for that commitment to good practice.

The Working Party suggests that not only are such organisations more likely to be in compliance with the law, but, in the event of a data protection violation, data protection authorities also “could give weight to the implementation (or lack of it) of measures and their verification in considering sanctions.”
