Enforcement and Administration of Privacy Laws Privacy and Surveillance Graham Greenleaf Last revised September 2008

Page 1: Enforcement and Administration of Privacy Laws

Enforcement and Administration of Privacy Laws

Privacy and Surveillance

Graham Greenleaf

Last revised September 2008

Page 2: Enforcement and Administration of Privacy Laws

Enforcement & Administration
• ‘Responsive Regulation’
  • Enforcement pyramid
  • Objectives of enforcement
• Complaints & remedies for individual breaches
  • Investigation powers
  • Enforcement notices & criminal offences
  • Compensation and other remedies
  • Appeals and judicial review
• Systemic aspects of obtaining compliance
  • Publication of decisions & outcomes of complaints
  • Co-regulatory codes & exemptions - alternative compliance
  • Preventative powers: audits, PIAs etc
• Privacy Commissioners
  • Independence
  • Roles

Page 3: Enforcement and Administration of Privacy Laws

‘Responsive regulation’?
• ALRC wants ‘principles-based regulation’ (Ch 4):
  • focus on defining outcomes, not prescribing processes
  • aims to minimise the need for enforcement by ‘encouraging organisations to understand the values behind the law and change their behaviour accordingly’
  • ‘nurturing a culture of voluntary compliance with the law’
• ALRC also wants ‘compliance-oriented regulation’ (4.62) which places (equal??) emphasis on all 3 of:
  • ‘Fostering compliance’ (heavy emphasis on Commissioner providing guidance);
  • Monitoring compliance (recommends power to require privacy compliance assessment)
  • Enforcing compliance - supports ‘enforcement pyramid’ approach.

Page 4: Enforcement and Administration of Privacy Laws

Responsive regulation? (2)
• CyberLPC IP sub 6-16 argues that Comm in 2007 ‘is a failure at implementing responsive regulation’.
• Would current Comm practices + ALRC reforms achieve this aim?

Page 5: Enforcement and Administration of Privacy Laws

Another categorisation
• A means of individual redress; low-cost and non-public
• Appropriate range of remedies, such as:
  • Access to and correction of records;
  • compensatory damages;
  • injunctions or orders to enforce compliance;
  • Criminal penalties for serious/repeated breaches
• Judicial review of administrative errors; Appeals by either party to the Courts
• Preventative/educative powers of PCO, such as:
  • Publication of complaint examples and outcomes
  • Audits of data users;
  • Privacy Impact Assessments (PIAs) on new proposals
  • Power to require reports on existing practices

Page 6: Enforcement and Administration of Privacy Laws

Complaints and compliance - Cth Privacy Act

For a summary see Greenleaf & Bygrave ‘Enforcement aspects of Australia’s Privacy Act 1988 compared with European standards’ (confidential draft)

Page 7: Enforcement and Administration of Privacy Laws

Complaints - Overview
• Investigation - public and private sectors
• Complaints only re ‘interferences with privacy’: breaches of NPPs, IPPs etc (s36)
• Representative complaints possible (s36(2), s38 - s39)
• ‘Own motion’ investigations possible (s40(2))
• Comm must not investigate unless complaint first made to respondent, unless inappropriate (s40(1A))
• If Comm is considering a s52 determination, must give both parties the opportunity of a hearing (s43(5))
• Comm’s extensive powers to investigate (ss44-47)
• Comm can refuse / close / defer investigation (s41)
• No right of appeal to a Court or Tribunal against Comm’s s52 determination (except on quantum of damages)

Page 8: Enforcement and Administration of Privacy Laws

s41 dismissal of complaints
• Most complaints are dealt with under s41
• Comm can refuse / close / defer investigation (s41) because
  • ‘not an interference’ (1)(a);
  • ‘lacking in substance’ (1)(d)
  • Another law ‘provides a more appropriate remedy’ ((1)(f))
  • Respondent has dealt adequately with complaint ((2)(a))
• See examples of possibly excessive use of s41:
  • X v Cth Agency [2004] PrivCmr 4 - s41(2)(a) applies even if complainant dissatisfied - 11(1) PLPR note
  • O v Credit Provider [2004] PrivCmrA 5 and N v Internet Service Provider [2004] PrivCmrA 10 - refusal to investigate because O had not raised every possible issue with respondent - 11(2) PLPR notes
  • S v Various Cth Agencies [2004] - despite refusals to correct records, investigation refused on (1)(f) grounds - 11(2) PLPR note
• Other issues of PLPR Vol 11 contain more examples

Page 9: Enforcement and Administration of Privacy Laws

s41 dismissal of complaints - ALRC recommendations (2008)
• R 49-1: More powers to Comm to dismiss complaints under s41 where … ‘(c) an investigation, or further investigation… is not warranted having regard to all the circumstances’.
• Rejects CyberLPC submissions IP 6-16 and DP 72-142 that complainants should be given a right to require a s52 determination if there is a s41 dismissal (and that any extension of s41 is otherwise unsafe).

Page 10: Enforcement and Administration of Privacy Laws

Conciliation / mediation
• Act currently does not specify anything about conciliation role
• ALRC 2008 recommends
  • R 49-5(a) - if Comm considers successful conciliation ‘reasonably possible’, must attempt it
  • R 50-4: Comm should be able to accept an undertaking that an agency or organisation will take specified action to ensure compliance; if they breach undertaking, Comm can seek compliance order in Federal Ct

Page 11: Enforcement and Administration of Privacy Laws

Right to s52 determination
• Currently no such right, and Comm does not accept that complainants have any right to a s52 determination
• ALRC 2008 recommendations: R 49-5(b) - if conciliation fails ‘the complainant or respondent may require that the complaint be resolved by determination’
• Criticism: Any right under (b) to a s52 determination is therefore dependent on Comm’s subjective decision under (b) that mediation is possible (CyberLPC submission was that any complainant should be able to so require)

Page 12: Enforcement and Administration of Privacy Laws

S52 Determinations
• Determinations under s52 are the only ‘enforceable’ orders Comm can make
• Dismissing complaint - never used - s41 (ab)used instead
• That conduct should not be repeated - never used
• Performance of reasonable acts
  • TICA determinations 2004/1-4: PC only identifies conduct in breach, refuses to specify acts to be performed
  • ALRC 2008 R 49-6: Comm should be able to prescribe the steps that an agency or respondent must take to ensure compliance with the Act.

Page 13: Enforcement and Administration of Privacy Laws

S52 determinations (2)
• Compensation - only one contested example
  • C v ACT Govt Solicitor [2003] PrivCmrACD 1 - $1,000 compensation
  • Can compensate ‘feelings or humiliation’
• ‘correction, deletion or addition to a record’ - never used
• Reimbursement for ‘expenses reasonably incurred’
  • [2003] PrivCmrACD 1 - $1,300 costs

Page 14: Enforcement and Administration of Privacy Laws

Determinations in practice
• Determinations practice to date
  • Determinations are published by the PCO and republished by WorldLII
  • 1989-2002: zero substantive determinations (2 fakes in 1993) - why none after that?
  • 2003/1 - ACT govt (disclosure)
  • 2004/1 - ACT govt (disclosure)
  • 2004/2-5 - 4 x TICA (first re private sector)
  • 2004-08 - None by the current Commissioner
• Is this responsive regulation?

Page 15: Enforcement and Administration of Privacy Laws

Determinations - enforcement
• Enforcement of s52 determinations (ss 54-55B)
  • s55 - respondent must comply with determination
  • s55A - if respondent does not comply, must proceed de novo in Fed Ct / Mag Ct for enforcement
    • Has not occurred as yet
    • Evidence before Commissioner is admissible
  • s55B - Certified copy of Comm’s determination is prima facie evidence of facts found by him
    • Onus is on respondent to rebut facts
    • Onus is still on complainant to show breach of IPP/NPP
• Is this biased in favour of respondents? Consider different position of TICA parties

Page 16: Enforcement and Administration of Privacy Laws

Review of Determinations / Appeals against Commissioner
• Complainant currently has no right of appeal against determination
• Respondent has de facto right of appeal
• ALRC 2008 R 49-7: either party should be able to apply to AAT for merits review of a determination
• Complainant can seek judicial review (of s41 dismissals or s52 determinations)
  • For errors of law or procedural errors
  • But not against the substance of the determination
  • How many complainants could understand (or afford) judicial review? Appeals are simpler.

Page 17: Enforcement and Administration of Privacy Laws

Injunctions
• Privacy Act 1988, s98 - unique provision
  • Covers Cth public sector, private sector
  • allows ‘any person’, including P Comm, to seek injunction to enforce IPPs and NPPs
  • Based on s80 Trade Practices Act
• Against anyone ‘engaging or is proposing to engage’ in breach of Act
• Orders restraining breach or ‘requiring the person to do any act or thing’
• Risk of costs against party seeking injunction, and damages (particularly in the case of interim injunctions) - not so in complaints to P Comm
• Also risk to respondent of costs against, but no provision for Fed Ct to award damages for breach

Page 18: Enforcement and Administration of Privacy Laws

Injunctions (2)
• Channel 7 v MEAA [2004] FCA 637
  • See summary by Gunning
  • Rejected submission that only P Comm could enforce Act under s52; distinguished Day v Lynn [2003] FCA 87 and other cases
  • Injunction granted against MEAA and Connect for multiple breaches of NPPs
  • What orders will Channel 7 draft?
  • Costs against MEAA $10,000
• Despite only one injunction in 20 years, ALRC did not make any recommendations

Page 19: Enforcement and Administration of Privacy Laws

Representative complaints
• Cth Act provides - s36(2)
  • ss38-39 - special conditions for rep. complaints
  • See Connolly and Isaji ‘Representative Privacy Complaints’ (2004) 10(8) PLPR 16 - survey
• TICA Determinations #1 - #4: first example
  • Most successful enforcement action yet under Act
  • Would have been impossible for an individual complainant (particularly tenants)

Page 20: Enforcement and Administration of Privacy Laws

Own motion investigations
• Comm can carry out ‘own motion’ investigations (s40(2))
  • Currently can make any enforceable orders as a result
  • Does not disclose what investigations launched
• ALRC 2008 recommends: R 50-1 Comm should be able to ‘issue a notice’ requiring ‘specified action’ to ensure compliance with Act, enforceable in Fed Ct or FMC.
  • This would differ from a s52 determination: no capacity to award compensation to individuals.

Page 21: Enforcement and Administration of Privacy Laws

Criminal offences - Australia
• Federal Act
  • Public sector and private sector enforcement does not involve significant criminal enforcement
  • Part IIIA credit reporting does involve offences
• NSW PPIPA ss62-63
  • breaches of DPPs do not constitute crimes
  • offences of corrupt disclosure and use of personal information by public officials
  • offence of offer to supply personal information disclosed unlawfully
• Cth and NSW cybercrime legislation relevant

Page 22: Enforcement and Administration of Privacy Laws

Penalties for repeated breaches
• No current general penalty provisions
  • there are criminal offences in credit provisions
• Other jurisdictions (eg HK) rely on prosecutions for enforcement; Australia relies on compensation etc
• ALRC 2008 recommends
  • R 50-2: Comm to be able to seek a civil penalty in the Fed Ct or FMCA where there is a ‘serious or repeated interference with privacy’
    • An attempt to improve the ‘pointy end’ of the ‘enforcement pyramid’ / responsive regulation
  • R 50-1: Comm should develop and publish enforcement guidelines setting out the criteria for seeking civil penalties

Page 23: Enforcement and Administration of Privacy Laws

Complaints and compliance - NSW Act

For a recent summary see Greenleaf & Bygrave ‘Data protection in New South Wales – An assessment of strengths and weaknesses’ (Confidential draft)

Page 24: Enforcement and Administration of Privacy Laws

Complaints - NSW Act - Overview
• see Jenner (2004) 10(9) PLPR 169 overview
• Commissioner can investigate any complaint (IPP or ‘non-IPP’)
• IPP complainants re NSW agencies have a choice of Pt 4 investigation or Pt 5 internal review / ADT
• Only ‘Part 5’ complaints to agencies can lead to the ADT and enforceable remedies (after internal review)
• Only Privacy NSW can investigate (under Part 4):
  • Non-IPP complaints against NSW agencies
  • Non-IPP private sector complaints
  • Complaints against bodies / conduct exempt from Cth legislation (will not investigate if NPPs cover)

Page 25: Enforcement and Administration of Privacy Laws

Complaints - NSW Act - Pt 4 Investigations by P.Comm
• Investigation of complaints by P.Comm (Pt 4 Div 3)
  • See P. Comm’s Complaints Protocol
  • can only conciliate and make recommendations (s49) (like old Privacy Committee)
  • has extensive powers, including compulsory conferences (s49)
  • May investigate ‘own motion’ complaints (s45 ‘or by’)
  • For IPP complainant to get to ADT, must first seek internal review by agency under Pt 5 (s53)
• Standards applied in Pt 4 investigations
  • Physical privacy - ‘US privacy tort’ standard (Morison Report, 1973)
  • IPP complaints outside PPIPA - own ‘Data Protection Principles’

Page 26: Enforcement and Administration of Privacy Laws

Complaints - NSW Act - representative complaints?
• No express provision for representative complaints to P.Comm
  • Cf Victorian Act s25(3) allows representative complaints but only with the consent of all the individuals concerned
• No express requirements for ‘representative’ internal review or ADT findings
• Recent cases on who is an ‘aggrieved person’ create some flexibility:
  • An aggrieved person is not necessarily the person who is the subject of the personal information
  • GA v Dept Ed & NSW Police (No 2) [2005] NSWADT 10 - GA not one where only acting previously on behalf of his sons - see 11(7) PLPR note

Page 27: Enforcement and Administration of Privacy Laws

Complaints - NSW Act - Internal review and ADT
• Pt 5 complaints - agency internal review and ADT
  • Applicant must seek internal review of conduct by agency (s53)
  • Agency must conduct internal but independent review (s53(4)); consider provision of the full range of remedies (7); deal with the matter within 60 days of receipt (6); and notify applicant in writing, including appeal rights (8)
  • Agency must inform P.Comm of review and its progress, and accept submissions from him (s54)
  • Dissatisfied applicant may apply to ADT for review (s55)
  • ADT may award damages to $40,000 and other remedies (s55(2))
    • No s55(2) awards unless applicant has ‘suffered financial loss, or psychological or physical harm’ (s55(4))
  • Either party may apply to ADT Appeal Panel for further review
  • Appeals from ADT go to Supreme Court

Page 28: Enforcement and Administration of Privacy Laws

Complaints - NSW Act - litigation under NSW Act
• 26 reported cases (to 1/6/04) - 17 of them in the previous 12 months
• Extensive legal interpretation (contra Cth)
• Note: Privacy NSW does case summaries
• No case has yet resulted in damages paid
• Practice - see Jenner (2004) 10(9) PLPR 169
  • Note differing and limited roles of Privacy NSW in internal reviews and before the ADT
  • Note obligations on agencies in internal reviews
  • Note checklists for complainants and advocates

Page 29: Enforcement and Administration of Privacy Laws

Complaints and compliance - Hong Kong Ordinance

UNSW students may omit these materials

Page 30: Enforcement and Administration of Privacy Laws

Complaints and compliance: Hong Kong
• See ‘The Commissioner and enforcement of the Ordinance’ in McLeish & Greenleaf Chapter
• Investigation
• Compliance orders
• Appeals and reviews
• Compensation
• Criminal offences

Page 31: Enforcement and Administration of Privacy Laws

Hong Kong: Investigation
• Pt V: Inspections, Complaints and Investigations
• Complaints (s37) must be by data subject against a specific data user
• Jurisdictional conditions: s39(1)(d) makes any of the following sufficient:
  • (i)(A) complainant resident in HK; or (ii) in HK at the relevant time
  • (i)(B) data user able to control ‘in or from Hong Kong’ the collection etc of the data at the relevant time [complainant may be overseas]
  • (iii) in PC’s opinion, the enforcement of a right or privilege ‘acquired or accrued in HK by the complainant’ will be prejudiced - meaning?
• Will s39(1)(d) satisfy the EU re data transfers to HK?
  • (i)(B) will usually suffice to protect EU residents against acts in HK

Page 32: Enforcement and Administration of Privacy Laws

Investigations: Hong Kong
• Representative complaints are allowed
  • S37(2) envisages one complainant making a complaint on behalf of all data subjects affected by a practice
  • But there is no equivalent in s66 (compensation)
  • s37(1) also covers the narrow sense of representatives authorised in writing (see defn. ‘relevant person’)
  • Could a lawyer or civil society group represent all affected data subjects with the written permission of only one of them?
• Compare the Aust. Cth ‘class actions’ provisions and the TICA determinations to see the significance of representative complaints and the role of civil society groups
• Have there been any such complaints in HK? - apparently not - PCO Press Release re Flight Attendants Union does not admit possibility of representative complaints

Page 33: Enforcement and Administration of Privacy Laws

Investigations: Hong Kong
• PC may refuse to investigate (s39(2)) if:
  • (a) Previous similar complaint dismissed (dangerous?)
  • (b) trivial practice;
  • (c) trivial/vexatious complaint
  • (d) ‘any investigation or further investigation is for any other reason unnecessary’
    • Will often be because data user has (in the view of the Commissioner) remedied problem
    • Could be because parties have settled dispute - does PC facilitate settlements? - anecdotal evidence is ‘no’
    • Could this cover ‘another remedy is available’???
• See also s39(1)(a)-(c) for other standard reasons
• Refusals to investigate can be the subject of appeals to the AAB, or judicial review (see later)

Page 34: Enforcement and Administration of Privacy Laws

Investigations: Hong Kong
• Assistance to complainants, and mediation
  • PC obliged to assist to ‘formulate the complaint’ (s37(4))
  • No specific requirement to assist in mediation of a complaint, or s8 power
• Refusal to investigate, and appeals
  • S39(3) - Where PC does not commence formal investigation, or suspends investigation under s39(2), must give complainant notice within 45 days
    • B&W 14.14 interpret this as a 45 day period for ‘informal resolution’
  • S39(4) gives complainant right of appeal to Administrative Appeals Board (AAB) when s39(3) notice is given
  • No further appeal to Courts, only judicial review

Page 35: Enforcement and Administration of Privacy Laws

Hong Kong: Enforcement notices
• PC can issue enforcement notices (s50)
  • If data user ‘is contravening’ or has done so and it is likely that it will continue or be repeated
    • No notice possible if no further contravention likely
  • requiring data user to ‘remedy the contravention’
    • Does not require any damage to complainant to be remedied
  • 4 notices in 2000, 12 in 2001
  • PC can instead give warning notices (21 in 2000, 10 in 2001)
• Failure to comply is a criminal offence
• Are there no adverse consequences for breaches, if you promise not to do it again?

Page 36: Enforcement and Administration of Privacy Laws

Hong Kong: Compliance orders
• No systematic publication of these serious complaints resulting in orders
• S48 allows PCO to issue formal reports naming data users (but not others), but has only done so once
  • ‘Video Peeping Tom’ case (1997) - hidden video camera filmed female student in shared accommodation; undertaking given, but data user not named; victim apparently gained no other remedy
  • Hongkong Post pinhole camera case (2005) - see Materials - named but press had already shamed
• PCO has therefore never used ‘name and shame’ power

Page 37: Enforcement and Administration of Privacy Laws

Compliance orders compared
• Closest equivalents are:
  • Aust Cth - s52 determinations by Comm; injunctions by Fed Ct (no standing required)
  • NSW - only the ADT can make orders
  • Vic - Comm can serve compliance notice on an organisation but only if ‘flagrant’ or repeated breaches
  • Hong Kong - Enforcement notices (s50)

Page 38: Enforcement and Administration of Privacy Laws

Hong Kong: Appeal structure
• Appeals to AAB
  • S39(4) gives complainant right of appeal to Administrative Appeals Board (AAB) when s39(3) notice is given (would also apply if investigation suspended because no enforcement notice)
  • s50(7) gives data user 14 days to appeal against enforcement notice after it is served
  • No further right of appeal to a Court against AAB decision, only judicial review
• Judicial review of PC decisions (2 in 2003)

Page 39: Enforcement and Administration of Privacy Laws

Hong Kong: Compensation
• PCO or AAB cannot award damages (contra Australia, NZ, Korea)
• Compensation (s66) only by separate Court proceedings
• Applies to ‘an individual who suffers damage by reason of a contravention’ (s66(1)); including damage to feelings (s66(3))
• General defence in s66(4) where data user can show:
  • Reasonable care to avoid the contravention; or
  • If the contravention occurred because of inaccurate data, the data was received from a third party.
  • Is this fair?
• Complainant must risk costs against; must also risk disclosure of identity; must also prove complaint ab initio even if already investigated by PCO
• PC not able to assist complainants; HKLRC (2004) criticises this
• Only 1 reported case, and it was dismissed - not surprising?

Page 40: Enforcement and Administration of Privacy Laws

Criminal offences - Hong Kong
• S64 creates criminal offences by data users
  • Supplying false information
  • Contravening enforcement notices, subject to defence of due diligence to comply (s46(8))
  • Contravening matching requirements
  • Contravening any other provision of the Ordinance without reasonable excuse (s64(10))
• S64 creates offences by any person
  • Supplying false information
  • Hindering Commissioner’s investigations

Page 41: Enforcement and Administration of Privacy Laws

Part 2 - Systemic aspects of Enforcement & Administration

Page 42: Enforcement and Administration of Privacy Laws

Enforcement & Administration Part 2 - Systemic aspects
• Assessing existing compliance
  • External audits
  • Privacy Compliance Assessments (PCAs)
• Privacy management planning
  • Privacy Impact Assessments (PIAs)
  • Privacy management plans
• Accountability / Transparency
  • Complaint outcomes
  • Publication of decisions
• Modifying / elaborating legislation
  • Codes, exemptions and guidelines

Page 43: Enforcement and Administration of Privacy Laws

Assessing existing compliance
• Current Australian practice
  • Federal Act empowers audits by PC re public sector but not private sector; however, PCO has abandoned all auditing (costs)
  • NSW - No audit power in Privacy NSW, but there are other controls (eg involvement in internal reviews; privacy management plans)
• ALRC 2008 recommends 47-6: Comm to be empowered to conduct ‘Privacy Performance Assessments’ of the records of PI maintained by organisations
  • Effectively, a new audit power re private sector

Page 44: Enforcement and Administration of Privacy Laws

Assessing existing compliance
• Hong Kong
  • See McLeish & Greenleaf chapter ‘Assessing compliance’
  • Pt IV powers of ‘formal inspections’ by PCO (s36)
    • Never used
    • PCO can report recommendations from inspections applying to classes of data users (s48(1)); See table of improved practices
  • Also powers to require classes of users to submit ‘data user returns’ (s14) - never used
  • Instead, informal ‘compliance checks’ of alleged practices not complying with PD(P)O
  • Now proposing to promote voluntary internal audits or ‘Privacy Compliance Audits’ (PCAs)

Page 45: Enforcement and Administration of Privacy Laws

Privacy Impact Assessments (PIAs)
• See RG 9.9 for articles by Waters, Flaherty and Stewart for comparable practices
• Aimed at assessing future impact of proposed information systems, not existing compliance
• Requirements
  • No current provisions in any Australian Acts
  • No provision in HK Ordinance
    • PCO proposing to promote voluntary PIAs
    • Were some PIAs done on smart ID card
  • Canada (2002) made PIAs mandatory for all Federal government institutions

Page 46: Enforcement and Administration of Privacy Laws

Privacy Impact Assessments (2)

• ALRC 2008 recommends: 47-4 Comm able to (a) direct an agency to provide to it a PIA ‘in relation to a new project or development that [Comm] considers may have a significant impact on the handling of personal information’; and (b) report to Minister if it does not.
  • Criticism: no requirement that PIA be made public
• Comm should publish PIA guidelines.
• Review in 5 years whether to include private sector in PIA requirements.

Page 47: Enforcement and Administration of Privacy Laws

Privacy Management Plans
• See RG 9.10
• Where a whole organisation is required to publish how it will deal with privacy issues
  • Sometimes has similar effect to a PIA
• NSW PPIPA 1998 s33 Preparation and implementation of privacy management plans
  • Example: Anne Pickles ‘Protecting exposures’ (2000) 7 PLPR 61
• No similar requirement in Cth or Vic Acts, but some agencies have done so voluntarily

Page 48: Enforcement and Administration of Privacy Laws

Publication - Importance
• Types of publication
  • Summaries of complaints
  • Statistics of outcomes
• Importance of both summaries and statistics
  • Past remedies (‘tariff’) unknown
  • Deterrent effect is lost
  • No accountability for high public expenditure
• For critiques of current practices, see:
  • CyberLPC submission on DP 72 ‘5.2. Transparency of the Commissioner’s complaints function’ (in materials)
  • CyberLPC submission on Issues Paper ‘Transparency and feedback – Inadequacy of the Commissioner’s reporting practices’
• Following slides are less up-to-date than these submissions

Page 49: Enforcement and Administration of Privacy Laws

Complaint outcomes - Does anyone get a remedy?
• Do complainants actually get the remedies that privacy laws make available in theory?
• Sources of evidence available?
  • Annual Reports - only significant public source
  • Websites? Stats provided often only show what is in Annual Reports
  • Reported cases can be searched for types of remedies
  • FOI requests would only work if a ‘document’ was available
• Only some jurisdictions considered
  • Privacy Comms - Australian Fed; NSW; HK; NZ; Canada
  • Information Commissioners not considered - mainly access, some correction, some broader

Page 50: Enforcement and Administration of Privacy Laws

Outcomes - Hong Kong PC
• See 03-04 & 04-05 Annual Report (Materials #4)
• Analysis in McLeish & Greenleaf chapter (‘Complaints and enquiries’ and ‘Reporting outcomes’)
• PC Annual Report 2000/01 (01/02 is similar)
  • 789 complaints (up 39%); 68% vs private sector; 14% vs government; 18% vs 3rd Ps
  • Over 50% allege breaches of DPP 3 (use)
  • 52 formally investigated (14% of 531 finalised)
  • 26 (50%) found to involve contravention of PD(P)O
  • 10 warning notices; 12 enforcement notices - but no idea what actions required, or what results
  • 4 referrals to Police for prosecution, but in 3 Police found insufficient evidence; one unresolved

Page 51: Enforcement and Administration of Privacy Laws

Outcomes - Australian Fed PC
• 2000-01 AR included some outcome stats
  • 133 closed complaints; uncertain % breaches found
  • 9 cases in AR involved $52,000 compensation
  • Was prior to reporting case summaries on website
  • No information about other remedies
• 2001-02 Annual Report - no statistics!
  • Complaints tripled with private sector coverage (611)
  • AR contains summaries of 11 complaints, of which one resulted in $5000 compensation
  • No statistics given of complaint outcomes at all

Page 52: Enforcement and Administration of Privacy Laws

Outcomes - Australian Fed PC (2)
• 2002-2003 Annual Report
  • 225 breaches of the Act found: NPPs 127; IPPs 35; Pt IIIA 63
  • No specific details of remedies, just a few vague comments; not even compensation total as in 2000/1
  • No example cases (replaced by 2 per month on web)
  • No details of complaints dismissed (and no use of s52)
• Is everybody happy?
  • All 225 breaches found were ‘adequately dealt with’ (in the Commissioner’s view)
  • Lack of s52 determinations
  • No appeal right; No substantive case on the Act ever before a Court for judicial review
  • X v Commonwealth Agency [2004] PrivCmrA 4 - PCO admits complainant is not happy, but still dismisses complaint under s41(2)(a) despite breach

Page 53: Enforcement and Administration of Privacy Laws

Outcomes - NSW PC
• Annual Report 2002/3 (pgs 19-23)
  • for the first time, some outcomes of complaints given
  • % of complaints resulting in adverse findings (but not actions)
  • 24% referred to internal review
• Annual Report 2001/2 - Details of complaints analysed in every possible way except by the outcomes received by complainants
• ‘Quick Stats’ 2000-03 provided on web
  • In 2002/3, 219 complaints, and 39 internal reviews, finalised
  • No statistics of complaint mediation outcomes
  • No complaint mediation case-studies
• Reviews by the NSW ADT (enforceable)
  • See previous slide - now at 16 reported cases p/a
  • But no damages awards yet (may be settlements)

Page 54: Enforcement and Administration of Privacy Laws

Comparison - 4 PCs Annual Reports
• ‘Will I get a remedy - and if so, what?’ is largely unanswered - evidence is not there
  • Some evidence of the % of successful complainants
  • Little evidence of what remedies result
  • Compensation? - a few examples from Aus and NZ
• All of the PCs are below ‘best practice’
• A systematic and comparable standard of reporting is needed
  • Asia-Pacific PCs could develop standards

Page 55: Enforcement and Administration of Privacy Laws

Will I get a remedy? Evidence from Privacy Commissioners Annual Reports 2001/02 (see web page for explanatory notes). √ = yes; ? = can’t tell

Measure                                  Aus                 NZ             HK              Can
Complaints opened / complete             √ / √               √ / √          √ / √           √ / √
Type of complaint / respondent           ? (√ / √)           √ / √          √ / √           √ / √
Respondent name (‘Top 10’)               ? (no)              √              no              √
% formal finding                         0% (0%)             8%             10%             72%
% found breaches - mediated / awarded    ? (√ / √) (? / -)   ? / ?          √ / √ 25 / 46   √ / √ 59 / 63
% success in Court                       N/A                 √ (0%)         ?               ?
Remedies - mediated / awarded            ? (31 / 0)          ? / ? 4 egs    ? / ?           ? / ?
Damages - mediated / awarded             ? (9 / 0)           ? / ? 4 egs    ? / 0           ? / ?

Page 56: Enforcement and Administration of Privacy Laws

Publication of Commissioners’ decisions (‘complaint summaries’)
• For detailed criticisms of reporting practices:
  • Greenleaf ‘Reforming reporting of privacy cases’ <http://www2.austlii.edu.au/~graham/publications/2003/Reforming_reporting/>
  • Bygrave ‘Where have all the judges gone?’ (2000)
  • European Commissioners were little better - improved?
• Why reporting of Commissioners is needed
  • Few court decisions means Commissioners’ views in complaint resolutions are the de facto law
  • Identifying non-compliance is more valuable (and difficult) than ‘feel good’ exhortations to comply

Page 57: Enforcement and Administration of Privacy Laws

Importance of complaint summaries
• Publication of complaint summaries is possible
  • Requires anonymisation in most cases
  • Exceptions should not be the rule
• Adverse consequences of lack of availability
  • Interpretation unknown to parties / legal advisers
  • No privacy jurisprudence is possible
  • Privacy remains ‘Cinderella’ of legal practice
  • Deficiencies in laws do not become apparent
  • Commissioners can ‘bury their mistakes’
  • Justice is not seen to be done

Page 58: Enforcement and Administration of Privacy Laws

Publication - Hong Kong PCO
• Complaint summaries on Commissioner’s website
  • have been updated for 2004 but still not complete for 2005
  • Can’t check currency - not listed in date order
  • No known criteria for systematic reporting of significant complaints
  • Only 6 (01/02) or 8 (00/01) brief complaint summaries in Annual Rep - about 0.5 per month
• Details of cases before other tribunals
  • AAB complaint summaries are in AnRep, and now on website; not yet available on Internet in full text
  • Judicial review cases also summarised in Annual Report
  • No reporting of s66 cases in AnRep or website - There are none
• Now also included in WorldLII Privacy Law Project
  • 39 PCO complaint summaries 1998-2004; 8 per year
  • 21 AAB summaries 1997-2003; 3 per year

Page 59: Enforcement and Administration of Privacy Laws

Publication - Australian Federal Privacy Commissioner
AnRep had a few small ‘media grab’ summaries
No other mediation details published 1988-2002
Comm avoids making binding Determinations (2 in 1993, 1 in 2003) despite powers to do so
Dismisses matters under s40 - publication not required
Since Dec 2002, 13 useful summaries of mediations and determinations published on web
  2 x 2002, 12 x 2003 (incl 1 determination); 9 x 6/2004 (include 5 determinations) - still not much more than 1/month
Now receiving 100 complaints/month - reporting 1%
Rate is only 1.1 per month - not 2/month as planned

Page 60: Enforcement and Administration of Privacy Laws

Publication - NSW Privacy Commissioner
Almost no mediated complaint summaries
  Privacy NSW 2001/2 Annual Report has 4 complaint summaries, 3 concerning the private sector (2000/1 AR has 2); 2002/3 has 3 only - little change, trivial number
  Internal review results also unavailable
  AR 2001/2 has extensive details (identified) of 2 special reports to Parliament, both involving political disputes
  No summaries of mediated complaints on web
ADT decisions
  26 decided & reported as yet - compare Cth!
  37 lodged in 2003 - reported cases will increase
  Decisions are on LawLink and AustLII
  Privacy NSW also prepares summaries (also on AustLII)

Page 61: Enforcement and Administration of Privacy Laws

Publication - NZ P Comm
Av 2 per month (03) reasonably detailed mediation summaries on website
  Selection criteria uncertain
Website gives few details of cases on appeal or their outcome; not available elsewhere on web; P Comm publishes occasional compendiums
Overall, difficult for most people to get an overall view of the law

Page 62: Enforcement and Administration of Privacy Laws

Publication - Canadian PC
Av 5 detailed PIPEDA case mediation summaries per month on website
  best practice of PCs, but not Info Comms
Few Privacy Act cases on website, but usually 12 or so in AnnRep
Summaries of cases before Courts are in AnnRep (but not linked to mediation summaries) - difficult to obtain overview

Page 63: Enforcement and Administration of Privacy Laws

Publication - 7 recommendations
More reporting than 2/month (% goal)
  statistics on reported / resolved ratio
Publicly stated criteria of seriousness
  confirmation of adherence in each AnRep
Complainants can elect to be named
  In default, name public sector respondents; private sector respondents only exceptionally
Report sufficient detail for a full understanding of legal issues, and the adequacy of the remedy
Report regularly rather than in periodic batches
‘One stop’ reporting including reviews of Commissioner’s decisions
Encourage 3rd-P re-publication + citation standards

Page 64: Enforcement and Administration of Privacy Laws

Publication - A central location
WorldLII Privacy Law Project <http://www.worldlii.org/int/special/privacy/>
All specialist privacy and/or FOI databases located on any Legal Information Institute (LII)
Current coverage (all searchable in one search)
  Australian Federal Privacy Commissioner Cases (AustLII)
  New South Wales Privacy Commissioner ADT summaries (AustLII)
  Canadian Privacy Commissioner Cases (CanLII)
  New Zealand Privacy Commissioner Cases (AustLII)
  Nova Scotia FOI & Privacy Review Office (CanLII)
  Queensland Information Comm. Decisions (AustLII)
  Western Australian Information Commissioner (AustLII)
  Privacy Law & Policy Reporter (AustLII)
  EPIC ALERT (WorldLII)
  Victorian Privacy Commissioner
  NZ HRRT
  Hong Kong Privacy Commissioner and AAB
  Korean Mediation committee
More are being added, particularly European and Canadian cases

Page 65: Enforcement and Administration of Privacy Laws
Page 66: Enforcement and Administration of Privacy Laws

A search for ‘disclos* near medical’

Page 67: Enforcement and Administration of Privacy Laws

Co-regulatory codes
An alternative form of (i) standard setting and / or (ii) compliance mechanism
Many different versions of codes
  Australian private sector - can be full co-regulation
  Cth public sector - amended principles only
  NSW public sector - amended principles only
  HK - merely a rebuttable presumption that compliance is required
See commentaries by Waters
  ‘Codewatch’ (2003) 10(5) PLPR 90; ‘Codewatch’ (2004) 11(1) PLPR and parts of APF submission re NSW Act
A characteristic of the ‘Asia-Pacific model’ ??

Page 68: Enforcement and Administration of Privacy Laws

Codes - Hong Kong
See McLeish and Greenleaf Chapter ‘Modifying compliance…’
S12 and s13 (Pt III) - Codes of practice
  PC can issue codes drawn up by self or others (s12(1))
  PC must consult with data users and others as he sees fit (s12(9))
  Breach of Code is not itself a breach of a DPP but raises a rebuttable presumption thereof (s13)
  Pt III is silent on whether compliance with a Code constitutes compliance with Ordinance - it doesn’t, but it would influence PCO in considering enforcement, or Ct considering penalty
As elsewhere, no demand for special industry codes
  Only 2 HK codes, both for special reasons: ID and credit
  PCO was to issue Code on workplace surveillance but reduced this to Guidelines instead - why so?

Page 69: Enforcement and Administration of Privacy Laws

Codes - Australian private sector
Codes are regulated by Part IIIAA Privacy Act
Overview
  Only 3 so far (insurance; Qld clubs; Market and social research), 3 in queue (Biometrics; Internet Industry Association; Casino Association)
  If includes complaint handling, shifts costs to private sector
  Little interest by industry groups, despite government boosting
IPP standards & scope
  Must incorporate ‘all the NPPs’ or ‘obligations that overall are at least the equivalent’ of the NPPs (s18BB(2))
  No Parliamentary disallowance, so could only proceed against Commissioner for ultra vires decision re overall equivalence
  Must specify who is bound (or a way of determining them), and be with their consent (s18BB(2))
  Can be limited by information, activity, or industry sector (s18BB(7))

Page 70: Enforcement and Administration of Privacy Laws

Codes - private sector (2)
Code formation procedures
  On application by an ‘organisation’ (s18BA)
  Commissioner may consult anyone (s18BB(1)) and must provide ‘adequate opportunity’ for public comment (s18BB(2)(f))
    See Waters’ criticisms of adequacy of publicity/consultation
  Commissioner approves Codes and keeps a Register (3 as yet)
  Codes are not gazetted - no disallowance by Parliament
  Similar processes for variation and revocation (ss18BD-18BE)

Page 71: Enforcement and Administration of Privacy Laws

Codes - private sector (3)
Complaint resolution procedures
  Code may include complaint procedures
    Only the Insurance industry code does so
  Procedures must comply with s18BB(3): ‘prescribed standards’ (Regs) and Comm’s Guidelines
    (a) ‘Independent adjudicator’
    (b) Same determination powers as Comm
    (d) Organisations bound by Code are required to ‘co-operate’ (f), (g)
      But adjudicator has no investigative powers
    Detailed reporting requirements (h)-(k), including of individual complaints resolved, including by ‘non-determination’ (ka)
  A ‘determination’ [but not other findings] by a Code adjudicator can be reviewed by the Commissioner (s18BI)
    Comm can make a s52 determination to replace it
  No judicial review available of ‘non-determinations’ - can Code adjudicators dismiss complaints ‘adequately dealt with’?

Page 72: Enforcement and Administration of Privacy Laws

Codes - Private sector practice
See Waters ‘Codewatch’ (2004) 11(1) PLPR
Only 3 so far (insurance; Qld clubs; Market and social research), 3 in queue (Biometrics; Internet Industry Association; Casino Association)
Considerable differences in effectiveness of consultation
Insurance Industry Code
  Only one with its own complaints procedure
  General Insurance industry privacy code
  Insurance Enquiries & Complaints Limited
  Two (of 21) complaints referred to external Complaints Committee; one referred to PCO, other unresolved
  Reports give statistics of 19 resolved complaints (internal reviews)
  Major insurers not yet signatories
  No auditing to assess how NPPs applied (s18BH allows, but unlikely); relies on appeals to PCO - but PCO has published no details yet

Page 73: Enforcement and Administration of Privacy Laws

Codes - Cth public sector PIDs
Part VI Privacy Act (Cth)
Comm can waive IPP if public interest in exemption outweighs adherence ‘to a substantial degree’ (s72)
Public consultation required, hearings have been held
PIDs are disallowable instruments (s80)
  Senate Regs & Ordinances C’tee threatened disallowance of PID #2 until Comm O’Connor reissued it
10 made since 1988 - has not been a means of wholesale exemption
No separate complaints procedure
PCO maintains Register of Public Interest Determinations listing 10 current Determinations, none temporary and none pending

Page 74: Enforcement and Administration of Privacy Laws

Codes - NSW - Pt 3 Codes
Part 3 of NSW Act covers Codes
Overview of Codes under Pt 3
  Codes only modify IPPs, and do not contain complaint procedures
  More like Cth PID procedure for agencies
Standards for codes
  Codes are ‘for the purpose of protecting the privacy of individuals’ (s29(1)); otherwise, few standards set
  They can ‘modify’ the application of IPPs (s30) - ‘exempting’ agencies or classes of agencies
  Must not be any higher than NSW IPPs (s29(7)(b))
  Must not be so low as to endanger data imports (s29(7)(a))
  How far can Codes be lower than IPPs? - s30 v s29(1)?
  See the APF submission for a general critique

Page 75: Enforcement and Administration of Privacy Laws

Codes - NSW - Pt 3 Codes (2)
Code formation and review
  P.Commissioner or agency can propose codes (s31)
  Agencies must consult Comm, who may consult anyone - criticised for lack of consultation
  Minister (A-G) ‘makes’ codes proposed under s31 (but cannot modify a proposed Code)
  11 codes to date, 9 in queue - does not appear to be abused
  Codes are not statutory rules, so no procedure for Parliamentary disallowance (contrast Cth PIDs)
Types of Codes
  Multi-agency eg Privacy Code of Practice (General) 2003: covers disclosures between various agencies, and exemptions for various public registers
  Single agency (most) eg NSW Health: Privacy Code of Practice
For any NSW agency, must check if a Code applies before concluding there is a breach

Page 76: Enforcement and Administration of Privacy Laws

Codes - NSW - s41 Directions
S41 Exemptions (‘directions’) by Commissioner
  P.Comm can also grant exceptions where public interest in doing so outweighs public interest in upholding the IPP (s41)
  Similar to Cth PIDs, but no provision for disallowance
  No consultation requirements; little has occurred
  9 current directions in force, all expiring by 31/12/04; 6 previous have expired; no requirement in Act that they be temporary
  Main use is to provide a temporary exemption until an agency can go through the procedures to obtain a permanent Code
  Must be checked before finding a breach by a NSW agency
See Australian Privacy Foundation (APF) submission re need for one uniform exemption procedure

Page 77: Enforcement and Administration of Privacy Laws

Privacy Commissioners - Independence & Functions

Page 78: Enforcement and Administration of Privacy Laws

Independence of Privacy Commissioners
Studies of roles of Commissioners
  Blair Stewart ‘A comparative study of data protection authorities: Pt 1 - Form and Structure’ (2004) 11 PLPR 46; ‘Pt 2: Independence and functions’ (2004) 11(3) PLPR 81
  C Bennett & C Raab The Governance of Privacy Ch 5 ‘Legal Instruments and Regulatory Agencies’, Ashgate 2003
Independence crucial, given role as check on government power
  Factors include method of appointment and dismissal, reporting lines, and control over budget
  EU Directive A28 requires that Commissioners ‘act with complete independence’; CoE Convention similar; APEC Framework does not require a Commissioner (nor does OECD)
  See Stewart Pt 2 on measures needed to ensure full independence, beyond appointment and removal

Page 79: Enforcement and Administration of Privacy Laws

Commissioners’ Independence: Cth
Australian Commonwealth Commissioner
  Appointed (in effect) by A-G for 5 year renewable term
    1st (O’Connor) not renewed after 2 terms; 2nd (Scollay) changed jobs after 1; 3rd (Crompton) resigned after 1 term; 4th (Curtis) now in office
  S25 Grounds of dismissal - misbehaviour etc
  No longer a HREOC Commissioner
    rejected suggestion of being an officer of Parlt like Ombudsman or Auditor-General
  Can make special and annual Reports direct to Parlt, and public statements on most matters
  Budget depends on Govt - pressure to keep on reasonable terms with current Govt
    Budget reduced 2003-4 despite increase in private sector complaints

Page 80: Enforcement and Administration of Privacy Laws

Commissioners’ Independence: NSW
NSW Privacy Commissioner
  Similar appointment and dismissal as Cth
    1st Comm (Puplick) resigned after repeated public clashes with Ministers (and misconduct allegation), stating could not continue without the Premier’s confidence - see article (2002) 9(2) PLPR 133
    No appointment of 2nd Commissioner after 2 years; acting part-time Comm on short-term contracts
  Similar budget dependence as Cth
    NSW PCO budget increased early 2003
    Proposed 25% staff cut 2004 - not finalised
  Bill to abolish Commissioner defeated 2003
    Intended to transfer powers to Ombudsman
    See Greenleaf & Waters critique

Page 81: Enforcement and Administration of Privacy Laws

Commissioner’s Roles - Cth
Cth Commissioner - S27 specifies functions
  Broad, and broadened further in early 90s during extension of TFN powers
  (b), (k) and (r) give broad powers/duties to make public statements and criticise proposals
  Guidelines under (e) can be to 2 types of conduct:
    ‘interferences with … privacy’ ie breaches of IPPs, NPPs
    ‘may otherwise have any adverse effects on … privacy’ - ie only ‘best practice’ Guidelines
  Commissioner fails to distinguish them - eg PKI G/Ls
  Effect of IPP G/Ls on complaints uncertain - contra HK where breach of G/Ls = prima facie breach of Ordinance

Page 82: Enforcement and Administration of Privacy Laws

Commissioner’s roles: NSW
NSW Commissioner
  s36 broad functions generally not tied to breaches of IPPs (‘protection of personal information’) but also cover ‘the privacy of individuals’
  General power to make public statements (h), and to publish reports and recommendations (j)
  Power to make special report to Parlt (s65)
    Exercised twice, re a local Council and re Minister of Education - very strong political reaction

Page 83: Enforcement and Administration of Privacy Laws

The big Q: ‘Watchdog or lapdog’?
What is the objective role of a PC? At least 2:
  ‘Watchdog’: The stated role is to limit invasions of privacy
  ‘Lapdog’: Do they also legitimate extensions of surveillance?
    ‘The Commissioner is being kept informed’
    Inability or unwillingness to conflict with government programs or legislative proposals

Page 84: Enforcement and Administration of Privacy Laws

‘Watchdog or lapdog’?
Possible HK examples of legitimation function
  Extended use of HK ‘dumb’ ID card, then ‘smart’ card
  Extension of credit reporting to all financial institutions, and then conversion into positive reporting
See McLeish and Greenleaf Chapter for details

Page 85: Enforcement and Administration of Privacy Laws

What powers do Commissioners need?
What powers do they need to help prevent undesirable losses of privacy? How important are:
  Powers to prevent undesirable information systems even being built, or to close them?
  Power to award damages? or to prosecute?
  Audit powers? (and resources)
  Privacy Impact Assessments (PIAs)?
  A specific power (duty?) to make public statements?

Page 86: Enforcement and Administration of Privacy Laws

Commissioners’ Independence: Hong Kong
5 year term appointed by CE, renewable +5 more (s3)
  First Commissioner, S Lau (1996-2001), not reappointed
  2nd Commissioner, R Tang (2001-05) became Equal Opportunities Commissioner after 3.5 years
  3rd Commissioner, R Woo, former Law Society head, appointed 2005
Can only be removed by CE with LegCo approval for (i) inability to perform office; or (ii) misbehaviour (s5(5)(b))
Is not a public servant or government agent (except for anti-corruption purposes) (s5(8),(9))
On Stewart’s criteria, must look at additional matters …

Page 87: Enforcement and Administration of Privacy Laws

Hong Kong - Other measures to support Commissioner’s independence (Stewart)
Ability to report directly to head of Govt or Legislature
  None in PD(P)O; submissions sometimes invited by LegCo
Ability to make public statements
  S8(1)(d) power to examine proposed legislation and report to proposer; comments are often made to Bills C’tee of LegCo; AR 2003-04 Appendix II - summaries of 9/19 comments on proposed legislative changes
  no explicit role of public comment (eg little on smart ID card)
  Occasional public statements made on website
  3 ‘Issues of public concern’ in 2003-04 AR
Statutory direction to act independently
  None; but not a servant or agent of govt (s3(8))
Administrative structure of independent agency
  Corporation sole (s3(2))
  Do other HK agencies have a more independent structure?

Page 88: Enforcement and Administration of Privacy Laws

Hong Kong - Other measures to support Commissioner’s independence (Stewart) (2)
Funding mechanism recognising independence
  Funds appropriated by LegCo for purpose of Comm, plus others provided by Govt (Sch 2)
  Budget of HK$40M p/a for 39 staff (2004-05)
Immunity against personal actions re duties
  Comm does not enjoy ‘immunities of the govt.’ (s8)
  No other immunities in PD(P)O - any elsewhere?
No financial conflicts of interest
  Commissioner to hold no other office, unless approved by CE (s6)
Guaranteed remuneration
  Determined by CE (s6)
[Add?] Guarantee of position beyond Office
  Should a PC have a guaranteed ‘soft landing’ after completion?

Page 89: Enforcement and Administration of Privacy Laws

Commissioners’ roles: Hong Kong
Functions (s8(1)) include:
  Supervise compliance with DPPs (a) - no explicit mention of mediation in complaints
  Assist with preparation of s12 Codes (b); and publish Guidelines (s8(5))
  Promote awareness (c)
  Examine proposed legislation and report to proposer (d) - no explicit role of public comment (eg smart ID card)
  ‘carry out inspections’ of govt. data users (e) - not a specific audit power
  Monitor technology developments (f)
  Some other functions re data matching