Introductory remarks to the Workshop on Data Protection within International Organizations hosted by the OECD from 17-18 June 2019. The workshop was attended by experts from the UNHCRC, the International Committee of the Red Cross, the World Intellectual Property Organization, the European Commission, the European Securities and Markets Authority, the International Organization for Migration, Interpol, and the International Finance Corporation.
It is my pleasure to welcome this distinguished group of data protection experts.
Let me first acknowledge the efforts of the European Data Protection Supervisor (EDPS), and particularly Giovanni Buttarelli and Wojciech Wiewiórowski, for their leadership in bringing together this community, which the OECD is pleased to host this year.
The digital revolution is bringing great opportunity to improve people’s lives and promote inclusion.
For those who are connected (which is still only half of the world population), the possibilities brought by digitalization are touching almost every aspect of our lives, facilitating social and business connectivity. New technologies are transforming how we engage with the labour market, with society and with public services.
Recent OECD research has found that around one-half of all people across the OECD have accessed public services or health information online, and one quarter of people use new technologies to work remotely.
But there are also challenges: displaced and changing jobs, competition, tax policy, and, of course, data governance and protection. If we do not manage these problems adequately we risk exacerbating inequalities, eroding public trust, and endangering the privacy of individuals around the world.
People need to know their rights, and have a say on how their data is used. We cannot harness the digital economy to improve people’s lives without ensuring the trust of citizens in digital technologies. But we must move forward together.
Digitalisation is an inherently cross-border challenge, which calls for deepened international co-operation and engagement. This is why last month’s Ministerial Council Meeting, which welcomed 135 ministers and heads of delegation, focused on the challenges and opportunities of digitalization.
At the MCM we made important progress towards multilateral solutions, including the adoption of a new Council Recommendation on Artificial Intelligence to help ensure that AI is trustworthy and human-centred. We initiated phase 2 of our horizontal Going Digital project and we continue to advance in addressing the tax challenges raised by the digital economy.
Despite the many divides and tensions currently affecting the multilateral community, thankfully one thing on which we all agree is that safeguarding personal data and privacy is fundamental to promoting trust in digital, and ensuring it is a motor for innovation, opportunity and inclusive growth.
OECD research has shown that privacy is a top priority for citizens. For example, in 2016 more than 70% of Internet users in the EU provided personal information online, with many also performing actions to control access to these data.
This caution is certainly warranted. In 2015, around 3% of all Internet users across OECD countries for which data are available reported having experienced a privacy violation in the three months prior to being surveyed. Keep in mind, this is the figure for reported violations.
In countries such as Norway, Portugal, Sweden and Turkey, there was a notable increase in privacy violations as reported by individuals between 2010 and 2015. In 2016, 64% of individuals in the United States experienced or had been notified of a significant data breach pertaining to their personal data or accounts.
Although caution with regard to online behavior is advisable, without institutions and regulations to address these public worries, we risk eroding public trust. We are already seeing evidence of this: in 2018, 18% of EU28 citizens chose not to submit forms to public authorities, 20% of them citing concerns about the protection of personal data as the reason.
Policymakers have to listen to these concerns and be mindful of these risks, which means constantly staying at the leading edge of a rapidly changing sector.
The EU’s 2018 reform of data protection rules (General Data Protection Regulation – GDPR) aims to provide people with more control over their personal data and to create a more level playing field for business. Some felt these were too stringent, but then crises like the Cambridge Analytica scandal showed how cautious we have to be. And as a result of these changes, people better understand their rights.
The OECD is also a leader in this field. We have been working on privacy for almost 40 years. In 2013 our Members agreed to update the cornerstone of that work: the OECD Privacy Guidelines. Digital security and privacy is a moving target, and there are also emerging threats to contend with.
This is why we are looking at online protection of children and reviewing our 2012 Recommendation on the Protection of Children Online. Since then, more children than ever are online, and their usage has evolved to mobile devices and interacting on social media, making them more vulnerable to privacy risks and to cyber bullying.
As part of this work, we have identified a clear need for better measurement and indicators of risks, so that we can base policies on sound evidence. This goes to the heart of our forward looking roadmap on digital which we launched at the Going Digital Summit last month, the Going Digital Integrated Policy Framework. Social prosperity, inclusion, well-being and building trust in the digital age are key pillars of our approach.
This also means practicing what we preach. Last month we launched an overhaul of our internal approach to protecting personal data. It follows elements of the 2013 OECD Guidelines as well as other international best practice.
The new regime includes updated rules for processing, with broader rights for individuals. These rights apply not just to staff but extend to any individual whose data we process.
We also put in place a robust governance framework, with the introduction of the roles of Data Protection Officer and Data Protection Commissioner, as well as a mechanism to settle individual claims.
Billy Hawkes, our new Commissioner, is here with you for this event, as well as our Data Protection Officer, Michael Donohue.
Getting the new regime established was the first step. Now we are busy rolling it out across the organization:
First, there is no privacy without good security. Our digital security team works very closely with the new data protection function.
The second aspect relates to effecting organisational change. We are developing an experimental, behaviorally-informed approach to implement our new data protection rules.
For example, we are raising awareness among staff about phishing emails and this included an experiment in which we randomly sent different variations of the same message to staff and recorded differences in response rates.
This is yielding interesting results, which our security team in the Executive Directorate are analysing and will soon share. We hope that this way of using behavioural science and experimentation will help us improve digital security and data protection.
One dimension that we must keep at the top of our minds is that there are implementation challenges and legal issues that are unique to international organisations. We are not like corporations or even national administrations. Our independence and immunities are part of our DNA.
We learn from domestic approaches, and draw on best practices, but are ultimately subject to our own rules.
One issue of concern to many international organisations relates to personal data transfers. We fully appreciate that our Members and partners have to comply with domestic laws, so we need mechanisms and approaches that embed data protection into these flows. However, these mechanisms must also respect our international character.
We look forward to hearing how our colleagues in other organisations are addressing these and other issues and to sharing our best practices.
I’d like to finish by thanking you for your engagement on this issue which protects us all. I look forward to hearing about the outcomes of your discussions.