In a closed session on November 5, 2009, the 31st International Conference of Data Protection and Privacy Commissioners adopted the International Standards on the Protection of Personal Data and Privacy (the “Standards”). Although the document is advisory in nature and is not legally binding, it offers guidance to States that have not yet adopted comprehensive data protection laws. The Spanish Data Protection Agency, which acted as the secretariat for drafting the Standards, held two meetings that included more than fifty privacy enforcement agencies, privacy advocates and businesses before hosting a final drafting session that was reserved for recognized data protection authorities.
The Standards advise States without comprehensive data protection laws to (1) recognize privacy as a fundamental human right, (2) require organizations to follow traditional fair information practice principles, and (3) create supervisory authorities for data protection that “shall be impartial and independent, and will have technical competence, sufficient powers and adequate resources … .” In addition, the Standards allow for data transfers to States that meet the requirements set forth in the document as well as transfers based on organizational accountability.
The new framework outlined in the Standards marks a departure from the EU requirement that States establish “independent agencies” to be recognized as “adequate” under the data protection directive. This difference in tone, together with the openness of the drafting process and the inclusion of new concepts, signals the potential for greater harmonization over the next decade and may be a significant step toward global interoperability.