
An International Standard for privacy?

Chris Connolly

(Published in (1997) 4 Privacy Law & Policy Reporter 90)

  • Background
  • Outcomes
  • Relevance for Australia
  • Conclusion
  • Annexure - An ISO Standard: Some Common Questions and Answers

    The International Organization for Standardization (ISO) has established a working group to consider the potential development of a standard for the protection of personal information. The group is known as the Ad Hoc Advisory Group on Privacy (AHAG) and is made up of representatives from national standards organisations from around the world.

    The Standards Australia representatives on this group are Chris Connolly (representing Consumers' Federation of Australia) and Chris Smith (the Manager of Consumer and Government Affairs for Readers Digest in Australia and New Zealand). The Privacy Commissioner, Moira Scollay, also attended one meeting. At this stage representatives participate on the basis that they are advising in their individual capacities, and are not required to represent the views of their supporting organisations.

    This process is not complete and specific details of the group's work remain confidential. This article provides a general outline of the issues and the process involved.

    There have been several reports in the media suggesting that ISO is writing a privacy standard. There have also been several reports suggesting that compliance with such a standard will ensure compliance with the European Union Directive on Data Protection. These reports are inaccurate.

    The ISO has taken the first steps towards consideration of the need and practicality of a standard on the protection of personal information. That is all. The European Union has made no comment on the relationship between the Directive and any potential standard.

    Having said that, it is easy to understand why these inaccurate reports have been published. The work of the ISO to date has, through necessity, taken place behind closed doors, and the ISO is a very complex organisation. This article aims to explain the general context of ISO's work in this field and to provide some insight into the processes involved.

    A more open and participatory process will take place in the event that ISO decides to proceed with the development of a standard.

    Background

    The development of a standard is a very complicated process, based on the development of an international consensus through committees of specialists.

    The issue of establishing an international standard for the protection of personal data and privacy was first advanced in the report of a privacy working group at the 1996 annual meeting of ISO's Consumer Policy Committee (COPOLCO). COPOLCO passed a unanimous recommendation to the ISO General Assembly that ISO proceed with the establishment of a technical committee to write standards in the area of protection of personal data and privacy.

    The ISO General Assembly referred the COPOLCO resolution to the ISO Technical Management Board (TMB) for appropriate action. At its meeting in January 1997 in Geneva, the TMB accepted a proposal advanced by the Standards Council of Canada to establish an ad hoc advisory group (AHAG) to examine this issue in further depth. The terms of reference of the AHAG are:

    To advise the Technical Management Board on the desirability and practicality of ISO undertaking the development of International Standards relevant to the protection of personal information, and, if so, to recommend a future course of action.

    The AHAG has met twice and uses an Internet discussion forum to develop briefing papers and recommendations.

    The group's most recent meeting was held over two days at the Canadian Mission in Brussels. The meeting included a private briefing from Mr. Ulf Bruehann from the European Commission who discussed the likely impact of the EU Directive on Data Protection, but did not offer a formal view on the relationship between the Directive and a potential standard.

    Outcomes

    The Committee is working towards a general consensus on the need for ISO to produce a standard on the "protection and management of personal information". This specific wording has been developed in recognition of the likelihood that the term "privacy" may give the wrong impression. The members of the group have discussed the need to exclude certain contentious matters from this work (such as media privacy).

    A great deal of time has also been spent resolving important terminology and scoping issues.

    A recommendation is to be made to the ISO Technical Management Board (TMB) in January 1998. The TMB will have the final say on whether or not the development of a standard should proceed.

    The exact nature of the Standard may not be resolved until a later stage in the process (i.e. whether it should be a technical standard, a management standard, or a set of principles), and the relationship between the potential standard and the European Union Directive on Data Protection may not be clarified for some time.

    The outcome of this process may also be more limited than some countries may have anticipated - countries expecting the development of a 'global privacy law' are likely to be disappointed.

    Relevance for Australia

    The position for Standards Australia is complicated by the existence of competing processes within Australia to codify the protection of personal information. Standards Australia therefore expects to continue to liaise with the Privacy Commissioner and other interested parties in this field, while at the same time participating in any international process which develops.

    The ISO is cognisant of the different approaches that countries are currently taking to the protection of personal information, and has discussed the possible creation of umbrella values or fairness principles with room for accommodation with respect to specific countries, issues or sectors.

    There may also be a willingness to accommodate specific 'sub' or 'micro' standards.

    Conclusion

    It is important to note that the ISO does not envisage or support the development of a standard which would have as its aim the protection of privacy in general. The term "privacy" is so broad, and means so many different things in different cultures that achieving such a goal may be impossible. However, there may be room to consider a standard which outlines commonsense procedural principles for how personal information about an identifiable individual should be collected, used and disclosed.

    If the AHAG recommends further work on an international standard in this field, and if the TMB agrees, work will then commence on the structure and content of the standard. During this process there would be an opportunity for input from Australian business and the general community.

    Chris Connolly is a consumer advocate specialising in new technologies. He is the director of the Policy Network, email: chrisc@socialchange.net.au

    Annexure - An ISO Standard: Some Common Questions and Answers

    Is the ISO writing a standard on privacy?

    Not at this stage. The ISO has just asked a small advisory group to consider whether or not ISO has any role to play in this field. A recommendation from that group will be made in January 1998.

    Will compliance with the ISO standard meet the European Union's 'adequacy' test?

    The European Union has not made any formal comment on the relationship between a potential standard and the EU Directive. The standard has not yet been written, and the nature of conformity assessment has not yet been determined.

    Will the ISO standard be based on the Canadian standard?

    There has been some input from Canada to the advisory group, but many other countries are also represented. ISO may draw from a number of sources for the content of the standard.

    When will the standard be issued?

    Standards are only issued after careful consideration and debate. Draft standards are circulated for comment, and a standard can only be published after a vote requiring 75% of member countries' endorsement. This process may take some time to complete. No work has commenced on the content of a standard at this stage.

    How are standards enforced?

    Standards are flexible documents that can be enforced in many ways by individual countries or even industry sectors. In Australia, compliance with standards is voluntary unless a standard is incorporated into a law or regulation (about 2400 standards have become mandatory in this way). Companies can usually apply to display a logo or trademark if they comply with a standard, although this is subject to independent tests and audits (known as conformity assessment).