On 13 July 2010, the influential Article 29 Working Party adopted Opinion 3/2010 on the principle of accountability.
This is an important contribution to the European Commission’s review of the European Data Protection Directive 95/46/EC (Data Protection Directive), a draft of which had been expected later this year, but is now expected some time in late 2011.
In essence, the Opinion builds on good practice in the area of global regulatory compliance, advocating the introduction of a ‘principle of accountability’ in the revised Data Protection Directive that ‘would explicitly require data controllers to implement appropriate and effective measures to put into effect the principles and obligations of the [Data Protection] Directive and demonstrate this on request’. The Working Party objective is to ‘encourage data protection in practice’ by requiring data controllers to take a strategic, risk-based approach when determining effective and appropriate measures based on the nature of the personal information being processed and the risks represented by such processing.
Accountability – background
Accountability is an established concept in global compliance terms, and the Opinion clearly signals that it is a concept whose time has come given the ‘data deluge effect’ facing controllers, regulators and the general public alike, from:
- the exponential growth in the amount of personal data processed and transferred
- increased technological developments and user interaction with such technologies and
- increased risks of data breaches as more data is available and travels across the globe.
The accountability principle first appeared in international guidelines on data protection published by the Organisation for Economic Cooperation and Development nearly 30 years ago, and it also features in the Asia-Pacific Economic Cooperation Privacy Framework as well as Canada’s Federal privacy law and numerous legal and academic texts and treatises on the subject. Accountability was most recently included in the Madrid Resolution of 2009 adopted by the International Conference of Data Protection and Privacy Commissioners, consisting of 80 data protection authorities from 42 countries around the world, including members of the Article 29 Working Party.
Accountability – what does it mean in practical terms?
While the Working Party recognises that defining ‘accountability’ is not straightforward, its aim is to encourage the development and adoption of:
- practical and concrete measures defined at the level of the controller
- controllers’ responsibility to demonstrate the effectiveness of such measures
- transparency, for both individuals and the general public
by controllers taking appropriate and effective measures to implement data protection principles and demonstrating upon request that such measures have been taken.
When implementing the kind of measures envisaged – for example, a policy and process for dealing with subject access requests – the Opinion makes it clear that the ‘assignment of responsibilities’ and the ‘training of staff involved in the processing operations’ are indispensable to ensuring that the responsibilities at different levels of the organisation are fulfilled.
When it comes to demonstrating the effectiveness of such measures, the Opinion refers to monitoring, internal and external audits, and other control and oversight mechanisms familiar to organisations, based on established compliance programs in other regulatory fields; for example, SOX or FCPA compliance.
The Opinion sets out a non-exhaustive list of ‘common accountability measures’ for consideration, which begins with establishing internal procedures and developing effective measures prior to any new processing of personal data, and suggests the appointment of a responsible data protection officer with sufficient resources allocated for privacy management, training and awareness.
Accountability ensures that data protection is built into all strategic decisions of an organisation and assesses the risk and seeks the involvement of all levels of an organisation by advocating that controllers conduct privacy impact assessments and other ‘proactive measures’, such as:
- data loss/breach detection/prevention policies and procedures
- using ‘Privacy by Design’ to develop and implement new technologies
- binding policies and procedures that measure compliance
- response plans that draw on lessons learned, mitigate harm and avoid future breaches.
The Working Party envisages preparing general guidance setting out ‘a baseline of necessary elements for a standard data controller’ and for large organisations ‘a model data compliance program’.
Looking (and planning) ahead
It is going to be several years before any revised Data Protection Directive is agreed and in force throughout Europe. In the meantime, organisations are encouraged to follow the lead of an increasing number of data controllers who are taking responsibility for their data privacy obligations through the adoption of robust data privacy compliance programs. In so doing, they are holding themselves accountable to their stakeholders, including data protection authorities and data subjects, for that commitment to good practice.
The Working Party suggests that not only are such organisations more likely to be in compliance with the law, but, in the event of a data protection violation, data protection authorities also ‘could give weight to the implementation (or lack of it) of measures and their verification in considering sanctions.’
The Opinion is an important output of the Working Party and provides a clear indication of how the European data protection authorities view the real-world challenges facing data controllers.
Cynthia O’Donoghue is a Partner in the European Corporate Group at Reed Smith and a core member of the firm’s multi-disciplinary Outsourcing Group. Cynthia specialises in large, complex IT and business process outsourcing transactions.
Nick Tyler is a Senior Associate in the Data Security, Privacy & Management Practice of the Global Regulatory Enforcement Group at Reed Smith. Nick previously worked for AstraZeneca as Global Privacy Counsel and, before that, at the Information Commissioner’s Office (the UK’s data privacy and freedom of information regulator) where he was Chief Legal Adviser.