The current OECD Privacy Guidelines are based on the Council's Recommendation of July 11, 2013, "Guidelines on the Protection of Privacy and the Cross-Border Flow of Personal Data" (C(2013)79).[1] The guidelines themselves are an annex to that Recommendation, and within the annex, "Part Two: Basic Principles of Domestic Application" is particularly well known as the so-called "OECD Eight Principles." A provisional Japanese translation of the annex by Professor Horibe, Professor Shinbo, and Ms. Nomura (JIPDEC) is available online, so I thought of simply pointing readers to it. Unfortunately, however, it omits the Recommendation itself, and the "Background Information" chapter as well. (There are also reasons for newly translating the annex, which are explained below.)
The Recommendation itself takes the form of a Western-style resolution, built from phrases such as "considering," "recognizing," and "recommending." (The GDPR[2] actually has the same structure, and in its case that part runs to 39 pages.) When reading texts of this kind, that part is quite important. So, with the help of Claude.ai, I have prepared a provisional translation of the main text of the Recommendation.
I have also translated the annex, and my version differs from the JIPDEC provisional translation in several respects. The main differences are that "should" is rendered uniformly as "beki" and that "data subject" is rendered as "data target person" rather than "data subject."[3] Words omitted there (for example "relevant to," the recently popular "relevance") are translated here. I have tried to stay as close as possible to the tone of the original, using a literal style that still reads naturally in Japanese. I hope this is helpful.
"Recommendation of the Council on Guidelines for the Protection of Privacy and the Cross-Border Flow of Personal Data"
The Council:
Considering Article 5(b) of the Convention on the Organisation for Economic Co-operation and Development of December 14, 1960;
Considering the Ministerial Declaration on the Protection of Privacy on Global Networks [C(98)177, Annex 1], the Recommendation of the Council concerning Guidelines for the Security of Information Systems and Networks [C(2002)131/FINAL], the Recommendation of the Council on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy [C(2007)67], the Declaration for the Future of the Internet Economy (Seoul Declaration) [C(2008)99], the Recommendation of the Council on Principles for Internet Policy Making [C(2011)154], the Recommendation of the Council on the Protection of Children Online [C(2011)155], and the Recommendation of the Council on Regulatory Policy and Governance [C(2012)37];
Recognizing that Member States share a common interest in promoting and protecting fundamental values such as privacy, individual liberties, and the free global flow of information;
Recognizing that, while broader and more innovative uses of personal data bring significant economic and social benefits, they also increase privacy risks;
Recognizing that the continuous flow of personal data across global networks increases the need for improved interoperability between privacy frameworks and enhanced cross-border cooperation among privacy enforcement authorities;
Recognizing the importance of risk assessment in developing policies and safeguards to protect privacy;
Recognizing the challenges of securing personal data in an open and interconnected environment in which personal data is becoming an increasingly valuable asset;
Determined to further promote the free flow of information among Member States and to avoid creating undue barriers to the development of economic and social relations among them;
On the proposal of the Information, Computer and Communications Policy Committee,
I. Recommends that Member States:
- demonstrate a commitment to protecting privacy and ensuring the free flow of information at the highest levels of government;
- implement the Guidelines contained in the Annex, which constitutes an integral part of this Recommendation, through a process involving all relevant stakeholders;
- disseminate this Recommendation throughout the public and private sectors;
II. Calls on non-member states to adhere to this Recommendation and to cooperate with Member States in its cross-border implementation;
III. Instructs the Information, Computer and Communications Policy Committee to monitor the implementation of this Recommendation, review that information, and report to the Council within five years of its adoption and as appropriate thereafter.
This recommendation amends the Council Recommendation of September 23, 1980, on Guidelines for the Protection of Privacy and the Cross-Border Flow of Personal Data [C(80)58/FINAL].
Annex
Guidelines on the Protection of Privacy and the Cross-Border Flow of Personal Data
Part 1: General Provisions
Definition
1. In these guidelines:
a) “Data controller” means any person who has the authority to make decisions regarding the content and use of personal data under domestic law, regardless of whether such controller or their agent collects, retains, processes, or provides such data;
b) “Personal data” means all information relating to an identified or identifiable individual (data subject);
c) “Privacy protection law” means any national law or regulation the enforcement of which has the effect of protecting personal data consistently with these Guidelines;
d) “Privacy enforcement authority” means any public body, designated by a Member State, that is responsible for enforcing privacy protection laws and has the authority to conduct investigations or carry out enforcement proceedings;
e) “Cross-border flow of personal data” means the transfer of personal data across national borders.
Scope of application of the guidelines
2. These guidelines apply to personal data, whether from the public or private sector, that poses a risk to privacy and individual freedom in light of how it is processed, its nature, or the context in which it is used.
3. The principles set forth in these Guidelines are complementary and should be read as a whole. They should not be interpreted:
a) as preventing the application of different safeguards to different categories of personal data, depending on the nature of the data and the context in which it is collected, stored, processed, or distributed; or
b) as unduly restricting freedom of expression.
4. Exceptions to these Guidelines, including those relating to national sovereignty, national security, and public order ("ordre public"), should be:
a) as few as possible; and
b) made known to the public.
5. In special cases such as federal states, the separation of powers within a federal system may affect compliance with these guidelines.
6. These guidelines should be positioned as minimum standards and may be supplemented by additional measures that may affect the cross-border flow of personal data in order to protect privacy and individual liberties.
Part Two: Basic Principles of Domestic Application
Collection Limitation Principle
7. Restrictions should be placed on the collection of personal data, and such data should be collected through lawful and fair means, and, where appropriate, with the knowledge or consent of the data subject.
Data Quality Principle
8. Personal data should be relevant to the purpose of use and should be kept accurate, complete, and up-to-date to the extent necessary for that purpose.
Purpose Specification Principle
9. The purpose for which personal data is collected should be specified at the latest by the time of data collection, and its subsequent use should be limited to achieving that purpose, or other purposes that are not inconsistent with that purpose and are specified each time the purpose changes.
Use Limitation Principle
10. Personal data should not be disclosed, provided, or otherwise used for purposes other than those specified in accordance with Section 9, except in the following cases:
a) When the data subject has given their consent; or
b) When permitted by law.
Security Safeguards Principle
11. Personal data should be protected by reasonable security measures against risks such as loss or unauthorized access, destruction, use, alteration, or disclosure of data.
Openness Principle
12. General disclosure policies should be established regarding the development, practices, and policies concerning personal data. Means for verifying the existence and nature of personal data, its primary uses, and the identity and usual location of the data controller should be readily available.
Individual Participation Principle
13. Individuals should have the following rights:
a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller holds data relating to them;
b) to have data relating to them communicated to them
i. within a reasonable period of time;
ii. free of charge or for a fee that is not excessive;
iii. in a reasonable manner; and
iv. in a form that is readily intelligible;
c) to be given reasons if a request made under a) or b) is denied, and to be able to challenge such denial; and
d) to challenge data relating to them and, if the challenge is successful, to have the data erased, rectified, completed, or amended.
Accountability Principle
14. Data controllers should be accountable for complying with measures that give effect to the principles stated above.
Part Three: Fulfillment of Responsibilities
15. Data controllers should:
a) have in place a privacy management program that:
i. gives effect to these Guidelines for all personal data under their control;
ii. is tailored to the structure, scale, volume, and sensitivity of their operations;
iii. provides appropriate safeguards based on a privacy risk assessment;
iv. is integrated into their governance structure and establishes internal oversight mechanisms;
v. includes plans for responding to inquiries and incidents;
vi. is updated in light of ongoing monitoring and periodic assessment;
b) be prepared to demonstrate that the privacy management program is being properly implemented, in particular at the request of a competent privacy enforcement authority or another body responsible for promoting adherence to a code of conduct or similar arrangement giving binding effect to these Guidelines; and
c) notify privacy enforcement authorities or other relevant authorities, as necessary, of a significant security breach affecting personal data; where such a breach is likely to adversely affect data subjects, the data controller should also notify the affected data subjects.
Part 4: Fundamental Principles of International Application: Free Flow and Justifiable Restrictions
16. Data controllers remain responsible for personal data under their control, regardless of where the data is located.
17. A Member State should refrain from restricting the cross-border flow of personal data between itself and another country where (a) the other country substantially observes these Guidelines, or (b) sufficient safeguards exist, including effective enforcement mechanisms and appropriate measures put in place by the data controller, to ensure a continuing level of protection consistent with these Guidelines.
18. Any restrictions on the cross-border flow of personal data should be proportional to the risks involved, taking into account the sensitivity of the data and the purpose and context of its processing.
Part 5: Domestic Implementation
19. In implementing these Guidelines, Member States should:
a) develop national privacy strategies that reflect a coordinated approach across governmental bodies;
b) adopt privacy protection laws;
c) establish and maintain privacy enforcement authorities with the governance, resources, and technical expertise necessary to exercise their powers effectively and to make decisions on an objective, impartial, and consistent basis;
d) encourage and support self-regulation, whether in the form of codes of conduct or otherwise;
e) provide individuals with reasonable means to exercise their rights;
f) provide for adequate sanctions and remedies in case of failure to comply with privacy protection laws;
g) consider the adoption of complementary measures, including education and awareness-raising, skills development, and the promotion of technical measures that help protect privacy;
h) consider the role of actors other than data controllers in a manner appropriate to their individual roles; and
i) ensure that there is no unfair discrimination against data subjects.
Part 6: International Cooperation and Interoperability
20. Member states should take appropriate measures to promote cross-border cooperation in enforcing privacy laws, particularly by strengthening information sharing among privacy enforcement authorities.
21. Member States should encourage and support the development of international arrangements that promote interoperability among privacy frameworks to make these Guidelines effective.
22. Member States should encourage the development of internationally comparable indicators to inform policy-making concerning privacy and the cross-border flow of personal data.
23. Member states should disclose details of their compliance with these guidelines.
Background information
The Recommendations on Guidelines for the Protection of Privacy and the Cross-Border Flow of Personal Data were adopted by the Council of the OECD on September 23, 1980, based on a proposal by the Committee on Information, Computer and Communications Policy (now the Committee on Digital Policy [DPC]), and revised on July 11, 2013. These Recommendations encourage participating countries to implement the guidelines contained in the Annex, which forms an integral part of the Recommendations (commonly known as the "OECD Privacy Guidelines").
The OECD Privacy Guidelines are the first internationally agreed-upon framework of privacy principles, developed to address concerns about the protection of privacy and individual liberties (often collectively referred to as "privacy" in everyday language for convenience) in the face of increasing use of personal data, as well as the risks to the global economy posed by restrictions on the cross-border flow of personal data. Since their adoption, they have had a broad influence on legislation and policy in OECD member countries and other nations.
OECD initiatives on privacy and cross-border data flows
For decades, the OECD has played a vital role in promoting respect for privacy as a fundamental value and fostering the free flow of personal data across borders based on trust. The OECD Privacy Guidelines are the cornerstone of this effort and are positioned as the minimum global standard for privacy and data protection. Composed of concise and technology-neutral language, they have demonstrated outstanding adaptability to technological and social changes.
Through the Digital Policy Committee (DPC) and its subsidiary body, the Working Party on Data Governance and Privacy (DGP), the OECD works with countries and experts to examine trends in privacy and data protection and provides practical guidance for implementing the Privacy Guidelines in the ever-changing digital environment.
Comprehensive process for developing and revising OECD Privacy Guidelines
The importance of information and communication technology and cross-border data flows, and their implications for privacy, first attracted the attention of the OECD in 1969, and the 1980 OECD Privacy Guidelines were the result of several years of analysis and consultation. In 1974, a seminar was held to examine issues such as citizens' right to access personal data and rules for cross-border data flows. Following a large-scale symposium in 1977, a group of experts chaired by the esteemed Australian Judge Michael Kirby was convened to develop the guidelines. The result embodied the consensus among OECD member countries regarding the handling and protection of personal data.
The 2013 revision was also the result of several years of analytical work. To support the revision process, a volunteer group of experts from government, privacy enforcement authorities (PEAs), academia, industry, civil society, and the internet technology community was organized. This work concluded that a fundamental revision of the 1980 Guidelines was not necessary, but that updating the OECD Privacy Guidelines was appropriate. The 2013 revision focused on the practical implementation of privacy protection through a risk management approach and the need to strengthen responses to the global aspects of privacy. New concepts such as national privacy strategies, privacy management programs, and notifications of security breaches involving personal data were introduced, along with revisions aimed at modernizing the OECD's approach to data flows, primarily through enhanced accountability and privacy enforcement.
The original 1980 OECD Privacy Guidelines included an explanatory memorandum, and in 2013, a supplementary explanatory memorandum was created to support the implementation of the revised sections.
Scope of application of OECD Privacy Guidelines
The OECD Privacy Guidelines apply to personal data, whether in the public or private sector, that poses a risk to privacy and individual liberties in light of how it is processed, its nature, or the context in which it is used. This recommendation aims to promote and protect the fundamental values of privacy, individual liberties, and the free global flow of personal data, and to foster the development of economic and social relations among OECD member countries.
The OECD Privacy Guidelines, in Part II, establish eight fundamental principles for national application: collection limitations, data quality, purpose clarification, use limitations, security measures, transparency, individual participation, and accountability. The validity and appropriateness of these principles were reaffirmed in both the 2013 revision and the 2021 Implementation Report. Part III, added in the 2013 revision, provides guidance on the implementation of the principle of accountability. Furthermore, the OECD Privacy Guidelines include sections on international application and legitimate restrictions on the free flow of personal data (Part IV), national means of implementing the fundamental principles (Part V), and international cooperation and interoperability (Part VI).
For more information, see https://www.oecd.org/sti/ieconomy/privacy.htm. Contact: dataandprivacy@oecd.org
Footnotes
1. OECD. (2013). Recommendation of the Council concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data. C(2013)79. https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0188
2. EU. (2016). Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32016R0679
3. In "data subject," the word "subject" does not mean an acting party or "agent"; if that were the intended sense, the word "principal" would have been used instead.