December 29, 2009


By Abu Bakar Munir

At the conclusion of the 31st International Conference of Data Protection and Privacy Commissioner in Madrid on 6 November 2009, over 50 countries adopted and approved “Madrid Resolution” on international privacy standard. The Madrid Resolution brings together all the multiple approaches possible in the protection of this right, integrating legislation from all five continents.

The approved resolution includes a series of principles, rights and obligations that any privacy protection legal system must strive to achieve. One of the most relevant chapters of the document is the one that refers to proactive measures, whereby States are encouraged to promote a better compliance with the laws applicable on data protection matters, and the need to establish authorities to guarantee and supervise the rights of citizens.

A group of 10 large companies (Oracle, Walt Disney, Accenture, Microsoft, Google, Intel, Procter & Gamble, General Electric, IBM and Hewlett-Packard) has signed a declaration in which they proudly welcome the initiative from the 31st International Conference for exploring frameworks to achieve an improved global coordination of the different privacy policies. In this declaration, the signing companies encourage Data Protection and Privacy Authorities to continue insisting and collaborating in the development of transparent systems that will allow the taking on of responsibilities and that will provide accurate information to the citizen, granting him/her the power to decide.

According to the Director of the Spain Data Protection Agency (AEPD), Artemi Rallo, these standards are a proposal of international minimums, which include a set of principles and rights that will allow the achievement of a greater degree of international consensus and that will serve as reference for those countries that do not have a legal and institutional structure for data protection. Even though the approved resolution is not directly binding at an international level, Artemi Rallo has pointed out that this document will have “immediate value” as a reference tool and, moreover, as a starting point for those countries that still lack legislation on the matter, and for the corporate world and international companies. He said that Madrid Resolution will, thus, become a “soft law” tool, widely demanded mainly by international companies, in order to respect the minimum privacy needs of citizens worldwide.

In existent, there are already several international instruments (binding and non-binding) which set up privacy standards to be observed by countries and companies around the world. They are the OECD Guidelines 1980, Council of Europe Convention 1981, EU Data Protection Directive 1995, EU E-Privacy Directive 2002, and APEC Privacy Framework 2004. Agreeably, the EU Data Protection Directive has set a very high privacy standard. Arguably, the APEC Privacy Framework provides the weakest standard of all the instruments. Where does the Madrid Resolution stand? Is it a step towards a universally binding privacy treaty?

The Madrid Resolution is available HERE.


  1. Dear Professor Abu Bakar,

    Happy New Year to you.

    Im my humble opinion, and as I have read vide the UK's mixed practitioners' reactions, Madrid Resolution is just another attempted soft approach towards global privacy accord. Much needs to be done from the EU states and sectorial sides. It is suggested that there should be aggressive model(s) to interact with the stakeholders, instead of, promulgating new or extending any privacy approaches. Some stakeholders, until today, are quite mixed up what's their data protection rights are.

    Noriswadi Ismail

  2. Many thanks for your coments.Yes, I agree that consultations with all stakeholders are vital and crucial to ensure compliance.

    Happy New Year to you too. I pray for you success.

    Abu Bakar Munir