There are significant developments these days on the subject of data protection. Two circumstances are influencing each other at an international level: on the one hand, spying scandals related to the Prism program, and on the other hand, the expected reforms of the main international instruments of data protection. Indeed, Convention 108 of the Council of Europe and the EU Directive 98/45 are about to be modernised and, our issue at hand, the OECD's Guidelines from the early 80's were updated this past July.
The fact that those Guidelines remain a non-binding instrument should not lead us to underestimate policies which could mutually influence the OECD States' and judges' decisions on data protection issues. Those provisions represent a political commitment and a global consensus, prefiguring a ground for a future international custom on data protection laws. The 34 Member States (including the USA) are therefore strongly expected to implement the Guidelines and put them into effect.
We can actually say that the basic rules of data protection, maintained in the new OECD text (fairness of the processing, purpose limitation, rights of access and rectification ...), enjoy a broad consensus. However, since personal data is now dispersed in multiple countries, recombined instantaneously and moved by individuals, risks have considerably increased. Therefore, the actual key point of data protection, and the aim of the Guidelines modernisation, is to prevent damage resulting from security breaches.
Indeed, as a part of the wide "privacy management programs" that all data controllers should now have in place, those controllers should notify significant security breaches to competent authorities and to data subjects. This program, similar to the "privacy impact...