The OECD Privacy Guidelines at 30

If you blinked, you missed it. Heaven knows, I did. The OECD privacy guidelines celebrated their 30th birthday on Thursday last week. They were introduced as a Recommendation by the Council of the Organization for Economic Cooperation and Development on September 23, 1980, and were meant to harmonize global privacy regulation.

Should we fete the guidelines on their birthday, crediting how they have solved our privacy problems? Not so much. When they came out, people felt insecure about their privacy, and demand for national privacy legislation was rising, risking the creation of tensions among national privacy regimes. Today, people feel insecure about their privacy, and demand for national privacy legislation is rising, risking the creation of tensions among national privacy regimes. Which is to say, not much has been solved.

In 2002—and I’m still at this? Kill me now—I summarized the OECD Guidelines and critiqued them as follows on the “OECD Guidelines” Privacilla page.

The Guidelines, and the concept of “fair information practices” generally, fail to address privacy coherently and completely because they do not recognize a rather fundamental premise: the vast difference in rights, powers, and incentives between governments and the private sector. Governments have heavy incentives to use and sometimes misuse information. They may appropriately be controlled by “fair information practices.”

Private sector entities tend to have a balance of incentives, and they are subject to both legal and market-punishments when they misuse information. Saddling them with additional, top-down regulation in the form of “fair information practices” would raise the cost of goods and services to consumers without materially improving their privacy.

Not much has changed in my thinking, though today I would be more careful to emphasize that many FIPs are good practices. It’s just that they are good in some circumstances and not in others, some FIPs are in tension with other FIPs, and so on.

The OECD Guidelines and the many versions of FIPs are a sort of privacy bible to many people. But nobody actually lives by the book, and we wouldn’t want them to. Happy birthday anyway, OECD guidelines.