Thursday, May 21, 2009

Rand Report

With the Rand Report finally published, some observations on a few points:

1) Common interpretations of certain provisions of the [Data Protection] Directive (a charter for effective interpretation) were needed to ensure that it functions optimally in the future. In particular, reference was also made to the Swedish model, which established a set of regulations using a risk-based approach (a misuse-orientated approach) without undermining the Directive. According to the report, the “Swedish regulator was convinced that such a route remains legally acceptable without violating the current provisions of the Directive”. The report further commends the Swedish model by recommending that the Charter should encourage the use of a risk-based approach to the application of the rules, focusing on acts of data processing where harm can reasonably be expected [read Seipel's commentary on Swedish developments in Nordic Data Protection Law and a short commentary here].

2) Recommendation 2: improving the effectiveness of the Adequacy rule and facilitating the use of alternatives to the adequacy rule (it is all about “contracts” to enable the transfer of personal information from one organisation to another in a non-EEA country) [The only criticism is that this should not impact on everyday processing such as the internet: uploading files containing peripheral personal information such as a news report, book or article should not be brought within Art. 25; even if the interpretation is stretched that far, then the exemptions under Art. 26 ought to be embraced].

3) Develop more suitable privacy policies. In particular, reference is made to encouraging clearer guidelines for data controllers on communicating their policies to data subjects, with reference to the Creative Commons model of intellectual property licences. In the Creative Commons model, certain standard types of licence are developed which can be communicated to end users through short, easy-to-understand descriptions (e.g. “attribution”, “non-commercial”, “no derivative works”, ...). A comparable approach could be adopted with regard to privacy policies, by providing summary notices based on such standardised descriptions. These should be relatively easy for interested consumers to understand [on this note, any privacy policies ought to complement the existing Data Protection Directive and national Data Protection Acts 1998; for those unfamiliar with a Privacy Commons model, a short commentary].

4) The Chief Privacy Officer role may be identified as an alternative to a privacy policy, existing mainly to provide for accountability within an organisation. Regulations should be designed that would make Chief Privacy Officers personally responsible and/or criminally liable for willingly engaging in risky, unscrupulous or irresponsible behaviour by their organisations regarding the use of personal data. This would be comparable to the model of the Chief Privacy Officer in certain organisations in the US, who hold real decision-making and enforcement power and are highly respected both within their organisations and by regulators and DPAs [on this recommendation: whilst making CPOs accountable is one thing, verging on “criminally liable” is a measure which would be considered too onerous and would likely inhibit “would be” Privacy Officers (data protection officers in the UK). Furthermore, the level of responsibility held by Privacy Officers in an organisation may vary, and it is unclear whether they would be considered solely responsible for the oversight of privacy rules. In other words, CEOs and Directors may also play a role].

See also Commentary from: