EU: Gallway Project on accountability in Data Protection

The Gallway Project is a working group of the "Center for Information Policy Leadership at Hunton & Williams LLP," which has dealt with the question of accountability for data protection in view of the rapidly progressing development and complexity of international data transfer.

The working group of leading companies and data protection organizations concludes that national laws alone are no longer sufficient to adjust adequately to the requirements for data protection in an increasingly networked world. Rather, according to the project group, data protection must emanate from the accountability of data processing offices and function across state jurisdictions.

The Gallway Project has highlighted five central aspects for accountability in data protection:

1. Organisation commitment to accountability and adoption of internal policies consistent with external criteria.

2. Mechanisms to put privacy policies into effect, including tools, training and education.

3. Systems for internal, ongoing oversight and assurance reviews and external verification.

4. Transparency and mechanisms for individual participation.

5. Means for remediation and external enforcement.

Unlike the purely regulating approach of data protection legislation, the approach to accountability discussed here also offers the opportunity to establish in the process aspects such as general data protection principles and "best practice" solutions related to business areas for the requirements for a company's own need to protect personal data.

Unlike in a statutory regulation regime (for example, the Federal Data Protection Act or even the nationally non-binding Art. 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms), in the approach to accountability in data protection there are also options available for data processors regarding data for which, for reasons of urgency, direct consent from a concerned party is not possible.

In the opinion of the Gallway Project, this can be achieved only through transparency. Thus, even if the data has been placed in the care of the data processor, a party concerned has the option at any time of viewing his or her data and limiting or even completely prohibiting the processing of his or her data.

Against the backdrop of varying national data protection regulations, the approach of accountability for personal data is quite sensible. The protection level of the processed data must be directed at a standard that is not internationally established, but is nevertheless a generally applicable moral standard that respects the right to self-determination in information matters.