Resolution on Data Protection and International Organisations

25th International Conference of Data Protection & Privacy Commissioners Sydney, 12 September 2003

This resolution was adopted on Friday 12 September 2003

Proposer: Privacy Commissioner, New Zealand

Co-sponsors:

Data Protection Commissioner, Ireland
Commission Nationale de l'Informatique et des Libertes, France
Privacy Commissioner for Personal Data, Hong Kong SAR
Federal Data Protection Commissioner, Germany

Resolution

That the 25th International Conference of Privacy and Data Protection Commissioners resolve:

That the conference calls upon:

international and supra-national bodies to formally commit themselves to abiding by principles that are compatible with the principal international instruments dealing with data protection and privacy;
international and supra-national bodies that hold or process personal data to establish appropriate mechanisms to ensure compliance with applicable data protection principles, such as the establishment of internal but operationally independent supervisory authorities with control powers;
international and supra-national bodies that have a role in promulgating standards, rules or common practices which affect personal data handling within the jurisdictions of their constituent members to develop and adopt suitable mechanisms to ensure that data protection considerations are effectively taken into account, such as the use of privacy impact assessments and consultation with recognised data protection authorities; and requests the host of the 25th International Conference to draw this resolution to the attention of the relevant bodies.

Explanatory note

The International Conference, now in its 25th year, primarily consists of national data protection and, in federal and devolved jurisdictions, their sub-national counterparts. Building upon preliminary work at the 21st and 22nd conferences, the 23rd conference resolved to establish a process and criteria for recognising the credentials of data protection authorities. The Paris resolution explicitly anticipated data protection authorities within international and supra-national bodies. The conference will, this year, be called upon to consider for the first time the accreditation of authorities at international and supra-national level.

There are data protection rules applying to some key institutions, arrangements and databases at the international or supra-national level but many new information sharing arrangements are being initiated through a variety of international bodies. Not all of these bodies have previously had much exposure to data protection approaches and the issues are often being considered, if at all, very late in international standard setting processes.

Many law enforcement initiatives come to mind in this context. However, also consider, for example, the following current examples of initiatives from specialist bodies having having widespread effects:

significant initiatives to add biometrics to passports will flow from standard setting by the International Civil Aviation Organisation.
a sports drug testing code and associated standards recently issued by the World Anti-Doping Agency, includes new obligations regarding the sharing of information about individual athletes' whereabouts.
the ENUM proposals to combine telephone numbers and email addresses arise from a working group of the Internet Engineering Task Force and International Telecommunications Union.

Even international organisations which have been involved in data protection in one capacity may lose their awareness if they lack an institutional check on their practices. For example, the "privacy notice" on the United Nations website does not mention the UN's own Guidelines concerning Computerised Data Files (1990) adopted by the General Assembly.

Appropriate data protection of information held by international and supra-national organisations cannot be achieved solely by national laws and data protection commissioners. International organisations need themselves to adopt appropriate standards, policies and principles and to establish mechanisms to ensure that they are carried into effect. This resolution encourages such steps to be taken in a manner which accords with internationally recognised practice. Furthermore, international bodies are responsible for promulgating both "hard law" and, increasingly, "soft law" at international level which must then be carried forward at national level. While such international standard setting is often to be welcomed, it can cause particular difficulties at national level if the data protection dimension has not been considered within the international standard setting. By adopting this resolution, it is hoped to encourage better awareness and compliance within international institutions which may, almost as a by-product, better inform those bodies when undertaking international standard setting (including setting up effective mechanisms to consult existing data protection authorities on matters affecting their jurisdictions).

The Conference host is requested to draw the attention of relevant international bodies to the resolution. He may wish to consult with the sponsors of the resolution in relation to that task. It is anticipated that a short report on the outcome of that process would be submitted to the 26th conference.