Enforcement and Administration of Privacy Laws
Privacy and Surveillance
Graham Greenleaf
Last revised September 2008
Enforcement & Administration
‘Responsive Regulation’
Enforcement pyramid
Objectives of enforcement
Complaints & remedies for
individual breaches
Investigation powers
Enforcement notices &
criminal offences
Compensation and other
remedies
Appeals and judicial review
Systemic aspects of
obtaining compliance
Publication of decisions &
Outcomes of complaints
Co-regulatory codes &
exemptions - alternative
compliance
Preventative powers: audits,
PIAs etc
Privacy Commissioners
Independence
Roles
‘Responsive regulation’?
ALRC wants ‘principles-based regulation’ (Ch 4): focus on
defining outcomes, not prescribing processes
aims to minimise the need for enforcement by ‘encouraging
organisations to understand the values behind the law and
change their behaviour accordingly
‘nurturing a culture of voluntary compliance with the law’
ALRC also wants ‘compliance-oriented regulation’ (4.62)
which places (equal??) emphasis on all 3 of:
‘Fostering compliance’ (heavy emphasis on
Commissioner providing guidance);
Monitoring compliance (recommends power to require
privacy compliance assessment)
Enforcing compliance - supports ‘enforcement pyramid’
approach.
Responsive regulation? (2)
CyberLPC IP sub 6-16 argues that
Comm in 2007 ‘is a failure at
implementing responsive regulation’.
Would current Comm practices + ALRC
reforms achieve this aim?
Another categorisation
A means of individual redress;
low-cost and non-public
Appropriate range of remedies, such as:
Access to and correction of records;
compensatory damages;
injunctions or orders to enforce compliance;
Criminal penalties for serious/repeated breaches
Judicial review of administrative errors;
Appeals by either party to the Courts
Preventative/educative powers of PCO, such as:
Publication of complaint examples and outcomes
Audits of data users;
Privacy Impact Assessments (PIAs) on new proposals
Power to require reports on existing practices
Complaints and compliance Cth Privacy Act
For a summary see Greenleaf & Bygrave
‘Enforcement aspects of Australia’s Privacy Act
1988 compared with European standards’
(confidential draft)
Complaints - Overview
Investigation - public and private sectors
Complaints only re ‘interferences with privacy’: breaches of
NPPs, IPPs etc (s36)
Representative complaints possible (s36(2), s38 - s39)
‘Own motion’ investigations possible (s40(2))
Comm must not investigate unless complaint first made to
respondent, unless inappropriate (s40(1A))
If Comm is considering a s52 determination, must give both
parties the opportunity of a hearing (s43(5))
Comm’s extensive powers to investigate (ss44-47)
Comm can refuse / close / defer investigation (s41)
No right of appeal to a Court or Tribunal against Comm’s s52
determination (except on quantum of damages)
s41 dismissal of complaints
Most complaints are dealt with under s41
Comm can refuse / close / defer investigation (s41) because
‘not an interference’ (1)(a); ‘lacking in substance’ (1)(d)
Another law ‘provides a more appropriate remedy’ ((1)(f))
Respondent has dealt adequately with complaint ((2)(a))
See examples of possibly excessive use of s41:
X v Cth Agency [2004] PrivCmr 4 - s41(2)(a) applies even if
complainant dissatisfied - 11(1) PLPR note
O v Credit Provider [2004] PrivCmrA 5 and N v Internet Service
Provider [2004] PrivCmrA 10 - refusal to investigate because O had
not raised every possible issue with respondent - 11(2) PLPR notes
S v Various Cth Agencies [2004] - despite refusals to correct
records, investigation refused on (1)(f) grounds - 11(2) PLPR note
Other issues of PLPR Vol 11 contain more examples
s41 dismissal of complaints
ALRC recommendations (2008)
R 49-1: More powers to Comm to dismiss
complaints under s41 where … ‘(c) an
investigation, or further investigation… is not
warranted having regard to all the circumstances’.
Rejects CyberLPC submissions IP 6-16 and DP
72-142 that complainants should be given a right
to require a s52 determination if there is a s41
dismissal (and that any extension of s41 is
otherwise unsafe).
Conciliation / mediation
Act currently does not specify anything about
conciliation role
ALRC 2008 recommends
R 49-5(a) - if Comm considers successful
conciliation ‘reasonably possible’, must attempt it
R 50–4: Comm should be able to accept an
undertaking that an agency or organisation will
take specified action to ensure compliance; if they
breach undertaking, Comm can seek compliance
order in Federal Ct
Right to s52 determination
Currently no such right and Comm does not accept
that complainants have any right to a s52
determination
ALRC 2008 recommendations:
R 49-5(b) - if conciliation fails ‘the complainant or respondent
may require that the complaint be resolved by determination’
Criticism: Any right under (b) to a s52 determination is
therefore dependent on Comm’s subjective decision under
(b) that mediation is possible (CyberLPC submission was
that any complainant should be able to so require)
S52 Determinations
Determinations under s52 are the only
‘enforceable’ orders Comm can make
Dismissing complaint
That conduct should not be repeated
never used - s41 (ab)used instead
Never used
Performance of reasonable acts
TICA determinations 2004/1-4: PC only identifies conduct
in breach, refuses to specify acts to be performed
ALRC 2008 R 49–6 : Comm should be able to prescribe
the steps that an agency or respondent must take to
ensure compliance with the Act.
S52 determinations (2)
Compensation - only one contested example
‘correction, deletion or addition to a record’
C v ACT Govt Solicitor [2003] PrivCmrACD 1 - $1,000
compensation
Can compensate ‘feelings or humiliation’
Never used
Reimbursement for ‘expenses reasonably
incurred’
[2003] PrivCmrACD 1 - $1,300 costs
Determinations in practice
Determinations practice to date
Determinations are published by the PCO and
republished by WorldLII
1989-2002: zero substantive determinations (2
fakes in 1993) Why none after that?
2003/1 - ACT govt (disclosure)
2004/1 - ACT govt (disclosure)
2004/2-5 - 4 x TICA (first re private sector)
2004-08 - None by the current Commissioner
Is this responsive regulation?
Determinations - enforcement
Enforcement of s52 determinations (ss 54-55B)
s55 - respondent must comply with determination
s55A - if respondent does not comply, must proceed de novo
in Fed Ct / Mag Ct for enforcement
s55B - Certified copy of Comm’s determination is prima facie
evidence of facts found by him
Has not occurred as yet
Evidence before Commissioner is admissible
Onus is on respondent to rebut facts
Onus is still on complainant to show breach of IPP/NPP
Is this biased in favour of respondents?
Consider different position of TICA parties
Review of Determinations /
Appeals against Commissioner
Complainant currently has no right of appeal
against determination
Respondent has de facto right of appeal
ALRC 2008 R 49–7: either party should be able to
apply to AAT for merits review of a determination
Complainant can seek judicial review
(of s41 dismissals or s52 determinations)
For errors of law or procedural errors
But not against the substance of the determination
How many complainants could understand (or
afford) judicial review? Appeals are simpler.
Injunctions
Privacy Act 1988, s98 - unique provision
Covers Cth public sector, private sector
allows ‘any person’, including P Comm, to seek injunction to
enforce IPPs and NPPs
Based on s80 Trade Practices Act
Against anyone ‘engaging or is proposing to engage’ in breach of
Act
Orders restraining breach or ‘requiring the person to do any act or
thing’
Risk of costs against party seeking injunction, and damages
(particularly in the case of interim injunctions) - not so in
complaints to P Comm
Also risk to respondent of costs against, but no provision for
Fed Ct to award damages for breach
Injunctions (2)
Channel 7 v MEAA [2004] FCA 637
See summary by Gunning
Rejected submission that only P Comm could enforce Act
under s52; distinguished Day v Lynn [2003] FCA 87 and
other cases
Injunction granted against MEAA and Connect for multiple
breaches of NPPs
Costs against MEAA $10,000
Despite only one injunction in 20 years, ALRC did not
make any recommendations
What orders will Channel 7 draft?
Representative complaints
Cth Act provides - s36(2)
ss38-39 - special conditions for rep. complaints
See Connolly and Isaji ‘Representative Privacy
Complaints’ (2004) 10(8) PLPR 16 - survey
TICA Determinations #1 - #4: first example
Most successful enforcement action yet under Act
Would have been impossible for an individual complainant
(particularly tenants)
Own motion investigations
Comm can carry out ‘own motion’
investigations (s40(2))
Currently can make any enforceable orders as a
result
Does not disclose what investigations launched
ALRC 2008 recommends:
R 50-1 Comm should be able to ‘issue a notice’
requiring ‘specified action’ to ensure compliance
with Act, enforceable in Fed Ct or FMC.
This would differ from a s52 determination, no
capacity to award compensation to individuals.
Criminal offences - Australia
Federal Act
NSW PPIPA ss62-s63
Public sector and private sector enforcement does
not involve significant criminal enforcement
Part IIIA credit reporting does involve offences
breaches of DPPs do not constitute crimes
offences of corrupt disclosure and use of personal
information by public officials
offence of offer to supply personal information
disclosed unlawfully
Cth and NSW cybercrime legislation relevant
Penalties for repeated breaches
No current general penalty provisions
there are criminal offences in credit provisions
Other jurisdictions (eg HK) rely on prosecutions for
enforcement, Australia relies on compensation etc
ALRC 2008 recommends
R 50–2: Comm to be able to seek a civil penalty in the Fed
Ct or FMCA where there is a ‘serious or repeated
interference with privacy’
An attempt to improve the ‘pointy end’ of the ‘enforcement
pyramid’ / responsive regulation
R 50-1: Comm should develop and publish enforcement
guidelines setting out the criteria for seeking civil penalties
Complaints and compliance NSW Act
For a recent summary see Greenleaf &
Bygrave ‘Data protection in New South
Wales – An assessment of strengths and
weaknesses’ (Confidential draft)
Complaints - NSW Act Overview
see Jenner (2004) 10(9) PLPR 169 overview
Commissioner can investigate any complaint (IPP or ‘non-IPP’)
IPP complainants re NSW agencies have a choice of Pt 4
investigation or Pt 5 internal review / ADT
Only ‘Part 5’ complaints to agencies can lead to the ADT and
enforceable remedies (after internal review)
Only Privacy NSW can investigate (under Part 4):
Non-IPP complaints against NSW agencies
Non-IPP private sector complaints
Complaints against bodies / conduct exempt from Cth legislation
(will not investigate if NPPs cover)
Complaints - NSW Act - Pt 4
Investigations by P.Comm
Investigation of complaints by P.Comm (Pt 4 Div 3)
See P. Comm’s Complaints Protocol
can only conciliate and make recommendations (s49) (like old
Privacy Committee)
has extensive powers, including compulsory conferences (s49)
May investigate ‘own motion’ complaints (s45 ‘or by’)
For IPP complainant to get to ADT, must first seek internal review
by agency under Pt 5 (s53)
Standards applied in Pt 4 investigations
Physical privacy - ‘US privacy tort’ standard (Morison Report, 1973)
IPP complaints outside PPIPA - own ‘Data Protection Principles’
Complaints - NSW Act representative complaints?
No express provision for representative complaints to P.Comm
Cf Victorian Act s25(3) allows representative complaints but only
with the consent of all the individuals concerned
No express requirements for ‘representative’ internal review or
ADT findings
Recent cases on who is an ‘aggrieved person’ create some
flexibility:
An aggrieved person is not necessarily the person who is the
subject of the personal information
GA v Dept Ed & NSW Police (No 2) [2005] NSWADT 10 - GA not
one where only acting previously on behalf of his sons - see 11(7)
PLPR note
Complaints - NSW Act Internal review and ADT
Pt 5 complaints - agency internal review and ADT
Applicant must seek internal review of conduct by agency (s53)
Agency must conduct internal but independent review (s53(4));
consider provision of the full range of remedies (7); and deal with
the matter within 60 days of receipt (6); notify applicant in writing,
including appeal rights (8)
Agency must inform P.Comm of review and its progress, and
accept submissions from him (s54)
Dissatisfied applicant may apply to ADT for review (s55)
ADT may award damages to $40,000 and other remedies (s55(2))
No s55(2) awards unless applicant has ‘suffered financial loss, or
psychological or physical harm’ (s55(4))
Either party may apply to ADT Appeal Panel for further review
Appeals from ADT go to Supreme Court
Complaints - NSW Act litigation under NSW Act
26 reported cases (to 1/6/04) - 17 of them in
the previous 112 months
Extensive legal interpretation (contra Cth)
Note: Privacy NSW does case summaries
No case has yet resulted in damages paid
Practice - see Jenner (2004) 10(9) PLPR 169
Note differing and limited roles of Privacy NSW in
internal reviews and before the ADT
Note obligations on agencies in internal reviews
Note checklists for complainants and advocates
Complaints and compliance Hong Kong Ordinance
UNSW students may omit these
materials
Complaints and compliance:
Hong Kong
See ‘The Commissioner and enforcement of the
Ordinance’ in McLeish & Greenleaf Chapter
Investigation
Compliance orders
Appeals and reviews
Compensation
Criminal offences
Hong Kong: Investigation
Pt V: Inspections, Complaints and Investigations
Complaints (s37) must be by data subject against a specific
data user
Jurisdictional conditions: s39(1)(d) makes any of the following
sufficient:
(i)(A) complainant resident in HK; or (ii) in HK at the relevant time
(i)(B) data user able to control ‘in or from Hong Kong’ the collection
etc of the data at the relevant time [complainant may be overseas]
(iii) in PC’s opinion, the enforcement of a right or privilege ‘acquired
or accrued in HK by the complainant’ will be prejudiced - meaning?
Will s39(1)(d) satisfy the EU re data transfers to HK?
(i)(B) will usually suffice to protect EU residents against acts
in HK
Investigations: Hong Kong
Representative complaints are allowed
S37(2) envisages one complainant making a complaint on
behalf of all data subjects affected by a practice
s37(1) also covers the narrow sense of representatives
authorised in writing (see defn. ‘relevant person’)
But there is no equivalent in s66 (compensation)
Could a lawyer or civil society group represent all affected data
subjects with the written permission of only one of them?
Compare the Aust. Cth ‘class actions’ provisions and the
TICA determinations to see the significance of
representative complaints and the role of civil society groups
Have there been any such complaints in HK? - apparently
not - PCO Press Release re Flight Attendants Union does
not admit possibility of representative complaints
Investigations: Hong Kong
PC may refuse to investigate (s39(2)) if:
(a) Previous similar complaint dismissed (dangerous?)
(b) trivial practice; (c) trivial/vexatious complaint
(d) ‘any investigation or further investigation is for any other
reason unnecessary’
Will often be because data user has (in the view of the
Commissioner) remedied problem
Could be because parties have settled dispute - does PC facilitate
settlements? - anecdotal evidence is ‘no’
Could this cover ‘another remedy is available’???
See also s39(1)(a)-(c) for other standard reasons
Refusals to investigate can be the subject of appeals to the AAB, or
judicial review (see later)
Investigations: Hong Kong
Assistance to complainants, and mediation
PC obliged to assist to ‘formulate the complaint’ (s37(4))
No specific requirement to assist in mediation of a complaint,
or s8 power
Refusal to investigate, and appeals
S39(3) - Where PC does not commence formal investigation,
or suspends investigation under s39(2), must give
complainant notice within 45 days
B&W 14.14 interpret this as a 45 day period for ‘informal
resolution’
S39(4) gives complainant right of appeal to Administrative
Appeals Board (AAB) when s39(3) notice is given
No further appeal to Courts, only judicial review
Hong Kong: Enforcement notices
PC can issue enforcement notices (s50)
If data user ‘is contravening’ or has done so and it is likely
that it will continue or be repeated
requiring data user to ‘remedy the contravention’
No notice possible if no further contravention likely
Does not require any damage to complainant to be remedied
4 notices in 2000, 12 in 2001
PC can instead give warning notices (21 in 2000, 10 in 2001)
Failure to comply is a criminal offence
Are there no adverse consequences for breaches, if
you promise not to do it again?
Hong Kong: Compliance orders
No systematic publication of these serious
complaints resulting in orders
S48 allows PCO to issue formal reports naming
data users (but not others), but has only done so
once
‘Video Peeping Tom’ case (1997) - hidden video camera
filmed female student in shared accommodation;
undertaking given, but data user not named; victim
apparently gained no other remedy
Hongkong Post pinhole camera case (2005) - see
Materials - named but press had already shamed
PCO has therefore never used ‘name and shame’ power
Compliance orders compared
Closest equivalents are:
Aust Cth - s52 determinations by Comm;
injunctions by Fed Ct (no standing
required)
NSW - only the ADT can make orders
Vic - Comm can serve compliance notice
on an organisation
but only if ‘flagrant’ or repeated breaches
Hong Kong Enforcement notices (s50)
Hong Kong: Appeal structure
Appeals to AAB
S39(4) gives complainant right of appeal to
Administrative Appeals Board (AAB) when s39(3)
notice is given (would also apply if investigation
suspended because no enforcement notice)
s50(7) gives data user 14 days to appeal against
enforcement notice after it is served
No further right of appeal to a Court against AAB
decision, only judicial review
Judicial review of PC decisions (2 in 2003)
Hong Kong: Compensation
PCO or AAB cannot award damages (contra Australia, NZ, Korea)
Compensation (s66) only by separate Court proceedings
Applies to ‘an individual who suffers damage by reason of a contravention’
(s66(1)); including damage to feelings (s66(3))
General defence in s66(4) where data user can show:
Reasonable care to avoid the contravention; or
If the contravention occurred because of inaccurate data, the data was
received from a third party.
Is this fair?
Is this fair?
Complainant must risk costs against; must also risk disclosure of
identity; must also prove complaint ab initio even if already investigated
by PCO
PC not able to assist complainants; HKLRC (2004) criticises this
Only 1 reported case, and it was dismissed - not surprising?
Criminal offences
Hong Kong
S64 creates criminal offences by data users
Supplying false information
Contravening enforcement notices, subject to defence of
due diligence to comply (s46(8))
Contravening matching requirements
Contravening any other provision of the Ordinance
without reasonable excuse (s64(10))
S64 creates offences by any person
Supplying false information
Hindering Commissioner’s investigations
Part 2 - Systemic aspects of
Enforcement & Administration
Enforcement & Administration
Part 2 - Systemic aspects
Assessing existing compliance
Privacy management planning
Privacy Impact Assessments (PIAs)
Privacy management plans
Accountability / Transparency
External audits
Privacy Compliance Assessments (PCAs)
Complaint outcomes
Publication of decisions
Modifying / elaborating legislation
Codes, exemptions and guidelines
Assessing existing compliance
Current Australian practice
Federal Act empowers audits by PC re public sector but
not private sector; however, PCO has abandoned all
auditing (costs)
NSW - No audit power in Privacy NSW, but there are other
controls (eg involvement in internal reviews; privacy
management plans)
ALRC 2008 recommends
47–6 Comm to be empowered to conduct ‘Privacy
Performance Assessments’ of the records of PI
maintained by organisations
Effectively, a new audit power re private sector
Assessing existing compliance
Hong Kong
See McLeish & Greenleaf chapter ‘Assessing compliance’
Pt IV powers of ‘formal inspections’ by PCO (s36)
Never used
PCO can report recommendations from inspections applying to
classes of data users (s48(1)); See table of improved practices
Also powers to require classes of users to submit ‘data user
returns’ (s14) - never used
Instead, informal ‘compliance checks’ of alleged practices
not complying with PD(P)O
Now proposing to promote voluntary internal audits or
‘Privacy Compliance Audits’ (PCAs)
Privacy Impact Assessments (PIAs)
See RG 9.9 for articles by Waters, Flaherty and
Stewart for comparable practices
Aimed at assessing future impact of proposed
information systems, not existing compliance
Requirements
No current provisions in any Australian Acts
No provision in HK Ordinance
PCO proposing to promote voluntary PIAs
Were some PIAs done on smart ID card
Canada (2002) made PIAs mandatory for all
Federal government institutions
Privacy Impact Assessments (2)
ALRC 2008 recommends:
47–4 Comm able to (a) direct an agency to
provide to it a PIA ‘in relation to a new project or
development that [Comm] considers may have a
significant impact on the handling of personal
information; and (b) report to Minister if it does not.
Criticism: no requirement that PIA be made public
Comm should publish PIA guidelines.
Review in 5 years whether to include private
sector in PIA requirements.
Privacy Management Plans
See RG 9.10
Where a whole organisation is required to publish
how it will deal with privacy issues
Sometimes has similar effect to a PIA
NSW PPIPA 1998 s33 Preparation and implementation of
privacy management plans
Example: Anne Pickles 'Protecting exposures' (2000) 7 PLPR
61
No similar requirement in Cth or Vic Acts, but some agents
have done so voluntarily
Publication - Importance
Types of publication
Importance of both summaries and statistics
Summaries of complaints
Statistics of outcomes
Past remedies (‘tariff’) unknown
Deterrent effect is lost
No accountability for high public expenditure
For critiques of current practices, see
CyberLPC submission on DP 72 ‘5.2. Transparency of the
Commissioner’s complaints function’ (in materials)
CyberLPC submission on Issues Paper ‘Transparency and feedback –
Inadequacy of the Commissioner’s reporting practices’
Following slides are less up-to-date than these submissions
Complaint outcomes Does anyone get a remedy?
Do complainants actually get the remedies that
privacy laws make available in theory?
Sources of evidence available?
Annual Reports - only significant public source
Websites?
Stats provided often only show what is in Annual Reports
Reported cases can be searched for types of remedies
FOI requests would only work if a ‘document’ was available
Only some jurisdictions considered
Privacy Comms - Australian Fed; NSW ; HK; NZ; Canada
Information Commissioners not considered - mainly access,
some correction, some broader
Outcomes - Hong Kong PC
See 03-04 & 04 -05 Annual Report (Materials #4)
Analysis in McLeish & Greenleaf chapter (‘Complaints and
enquiries’ and ‘Reporting outcomes’)
PC Annual Report 2000/01 (01/02 is similar)
789 complaints (up 39%);
68% vs private sector; 14% vs government; 18% vs 3rd Ps
Over 50% allege breaches of DPP 3 (use)
52 formally investigated (14% of 531 finalised)
26 (50%) found to involve contravention of PD(P)O
10 warning notices; 12 enforcement notices - but no idea what
actions required, or what results
4 referrals to Police for prosecution but in 3 Police found
insufficient evidence; one unresolved
Outcomes - Australian Fed PC
2000-01 AR included some outcome stats
133 closed complaints; uncertain % breaches found
9 cases in AR involved $52,000 compensation
Was prior to reporting case summaries on website
No information about other remedies
2001-02 Annual Report - no statistics!
Complaints tripled with private sector coverage (611)
AR contains summaries of 11 complaints, of which one
resulted in $5000 compensation
No statistics given of complaint outcomes at all
Outcomes - Australian Fed PC (2)
2002-2003 Annual Report
225 breaches of the Act found
No specific details of remedies, just a few vague comments
NPPs 127; IPPs 35; Pt IIIA 63
not even compensation total as in 2000/1
No example cases (replaced by 2 per month on web)
No details of complaints dismissed (and no use of s52)
Is everybody happy?
All 225 breaches found were ‘adequately dealt with’ (in the
Commissioner’s view)
Lack of s52 determinations
No appeal right; No substantive case on the Act ever before a
Court for judicial review
X v Commonwealth Agency [2004] PrivCmrA 4 - PCO admits complainant is not
happy, but still dismisses complaint under s41(2)(a) despite breach
Outcomes - NSW PC
Annual Report 2002/3 (pgs 19-23)
Annual Report 2001/2 - Details of complaints analysed in
every possible way except by the outcomes received by
complainants
‘Quick Stats’ 2000-03 provided on web
for the first time, some outcomes of complaints given
% of complaints resulting in adverse findings (but not actions)
24% referred to internal review
In 2002/3, 219 complaints, and 39 internal reviews, finalised
No statistics of complaint mediation outcomes
No complaint mediation case-studies
Reviews by the NSW ADT (enforceable)
See previous slide - now at 16 reported cases p/a
But no damages awards yet (may be settlements)
Comparison - 4 PCs Annual Reports
‘Will I get a remedy - and if so, what?’ is largely
unanswered - evidence is not there
Some evidence of the % of successful complainants
Little evidence of what remedies result
Compensation? - a few examples from Aus and NZ
All of the PCs are below ‘best practice’
A systematic and comparable standard of reporting is
needed
Asia-Pacific PCs could develop standards
Will I get a remedy?
Evidence from Privacy Commissioners’ Annual Reports 2001/02
(see web page for explanatory notes) √ = yes; ? = can’t tell
Columns: Aus | NZ | HK | Can
(unlabelled row): √/√ | √/√ | √/√ | √/√
Type of complaint/respondent: ? (√ / √) | √/√ | √/√ | √/√
Respondent name (‘Top 10’): ? (no) | √ | no | √
% formal finding: 0% (0%) | 8% | 10% | 72%
% found breaches mediated / awarded: ? (√ / √) ? / ? | (? / -) | √/√ | 25 / 46 | √ / √ | 59 / 63
% success in Court: N/A | √ (0%) | ? | ?
Remedies mediated / awarded: ? (31 / 0) | ?/? 4 egs | ?/? | ?/?
Damages mediated / awarded: ? (9 / 0) | ?/? 4 egs | ?/0 | ?/?
Complaints opened/complete: 55
Publication of Commissioners’
decisions (‘complaint summaries’)
For detailed criticisms of reporting practices:
Greenleaf ‘Reforming reporting of privacy cases’
<http://www2.austlii.edu.au/~graham/publications/2003/Reforming_reporting/>
Bygrave ‘Where have all the judges gone?’ (2000)
European Commissioners were little better - improved?
Why reporting of Commissioners is needed
Few court decisions means Commissioners’ views in
complaint resolutions are the de facto law
Identifying non-compliance is more valuable (and difficult)
than ‘feel good’ exhortations to comply
Importance of complaint summaries
Publication of complaint summaries is possible
Requires anonymisation in most cases
Exceptions should not be the rule
Adverse consequences of lack of availability
Interpretation unknown to parties / legal advisers
No privacy jurisprudence is possible
Privacy remains ‘Cinderella’ of legal practice
Deficiencies in laws do not become apparent
Commissioners can ‘bury their mistakes’
Justice is not seen to be done
Publication - Hong Kong PCO
Complaint summaries on Commissioner’s website
Only 6 (01/02) or 8 (00/01) brief complaint summaries in Annual
Rep - about 0.5 per month
Details of cases before other tribunals
have been updated for 2004 but still not complete for 2005
Can’t check currency - not listed in date order
No known criteria for systematic reporting of significant complaints
AAB complaint summaries are in AnRep, and now on website; not
yet available on Internet in full text
Judicial review cases also summarised in Annual Report
No reporting of s66 cases in AnRep or website - There are none
Now also included in WorldLII Privacy Law Project
39 PCO complaint summaries 1998-2004; 8 per year
21 AAB summaries 1997-2003; 3 per year
Publication - Australian Federal
Privacy Commissioner
AnRep had a few small ‘media grab’ summaries
No other mediation details published 1988-2002
Comm avoids making binding Determinations (2 1993, 1
2003) despite powers to do so
Dismisses matters under s40 - publication not required
Since Dec 2002, 13 useful summaries of mediations and
determinations published on web
2x2002, 12x2003 (incl 1 determination); 9 x 6/2004 (include 5
determinations) - still not much more than 1/month
Now receiving 100 complaints/month - reporting 1%
Rate is only 1.1 per month - not 2/month as planned
Publication - NSW Privacy
Commissioner
Almost no mediated complaint summaries
Privacy NSW 2001/2 Annual Report has 4 complaint
summaries, 3 concerning the private sector (2000/1 AR has
2); 2002/3 has 3 only - little change, trivial number
Internal review results also unavailable
AR 2001/2 has extensive details (identified) of 2 special
reports to Parliament, both involving political disputes
No summaries of mediated complaints on web
ADT decisions
26 decided & reported as yet - compare Cth!
37 lodged in 2003 - reported cases will increase
Decisions are on LawLink and AustLII
Privacy NSW also prepares summaries (also on AustLII)
Publication - NZ P Comm
Av 2 per month (03) reasonably detailed
mediation summaries on website
Selection criteria uncertain
Website gives few details of cases on appeal
or their outcome; not available elsewhere on
web; P Comm publishes occasional
compendiums
Overall, difficult for most people to get an
overall view of the law
Publication - Canadian PC
Av 5 detailed PIPEDA case mediation
summaries per month on website
best practice of PCs, but not Info Comms
Few Privacy Act cases on website, but
usually 12 or so in AnnRep
Summaries of cases before Courts are
in AnnRep (but not linked to mediation
summaries) - difficult to obtain overview
Publication 7 recommendations
More reporting than 2/month (% goal)
Publicly stated criteria of seriousness
statistics on reported / resolved ratio
confirmation of adherence in each AnRep
Complainants can elect to be named
In default, name public sector respondents; private sector respondents
only exceptionally
Report sufficient detail for a full understanding of legal issues, and the
adequacy of the remedy
Report regularly rather than in periodic batches
'One stop' reporting including reviews of Commissioner’s decisions
Encourage 3rd-P re-publication + citation standards
Publication - A central location
WorldLII Privacy Law Project <http://www.worldlii.org/int/special/privacy/>
All specialist privacy and/or FOI databases located on any Legal Information
Institute (LII)
Current coverage (all searchable in one search)
Australian Federal Privacy Commissioner Cases (AustLII)
New South Wales Privacy Commissioner ADT summaries (AustLII)
Canadian Privacy Commissioner Cases (CanLII)
New Zealand Privacy Commissioner Cases (AustLII)
Nova Scotia FOI & Privacy Review Office (CanLII)
Queensland Information Comm. Decisions (AustLII)
Western Australian Information Commissioner (AustLII)
Privacy Law & Policy Reporter (AustLII)
EPIC ALERT (WorldLII)
Victorian Privacy Commissioner
NZ HRRT
Hong Kong Privacy Commissioner and AAB
Korean Mediation committee
More are being added, particularly European and Canadian cases
A search for ‘disclos* near medical’
Co-regulatory codes
An alternative form of (I) standard setting and / or (ii)
compliance mechanism
Many different versions of codes
Australian private sector - can be full co-regulation
Cth public sector - amended principles only
NSW public sector - amended principles only
HK - merely a rebuttable presumption that compliance is
required
See commentaries by Waters
‘Codewatch’ (2003) 10(5) PLPR 90; ‘Codewatch’ (2004) 11(1) PLPR
and parts of APF submission re NSW Act
A characteristic of the ‘Asia-Pacific model’ ??
Codes - Hong Kong
See McLeish and Greenleaf Chapter ‘Modifying compliance…’
s12 and s13 (Pt III) - Codes of practice
PC can issue codes drawn up by self or others (s12(1))
PC must consult with data users and others as he sees fit
(s12(9))
Breach of Code is not itself a breach of a DPP but raises a
rebuttable presumption thereof (s13)
Pt III is silent on whether compliance with a Code constitutes
compliance with the Ordinance - it doesn’t, but it would influence
the PCO in considering enforcement, or a Ct considering penalty
As elsewhere, no demand for special industry codes
Only 2 HK codes, both for special reasons: ID and credit
PCO was to issue Code on workplace surveillance but reduced
this to Guidelines instead - why so?
Codes - Australian private sector
Codes are regulated by Part IIIAA Privacy Act
Overview
Only 3 so far (insurance; Qld clubs; Market and social research), 3
in queue (Biometrics; Internet Industry Association; Casino
Association)
If includes complaint handling, shifts costs to private sector
Little interest by industry groups, despite government boosting
IPP standards & scope
Must incorporate ‘all the NPPs’ or ‘obligations that overall are at
least the equivalent’ of the NPPs (s18BB(2))
No Parliamentary disallowance, so could only proceed against
Commissioner for ultra vires decision re overall equivalence
Must specify who is bound (or a way of determining them), and be
with their consent (s18BB(2)). Can be limited by information,
activity, or industry sector (s18BB(7))
Codes - private sector (2)
Code formation procedures
On application by an ‘organisation’ (s18BA)
Commissioner may consult anyone (s18BB(1)) and must
provide ‘adequate opportunity’ for public comment
(s18BB(2)(f))
See Waters’ criticisms of adequacy of publicity/consultation
Commissioner approves Codes and keeps a Register (3 as
yet)
Codes are not gazetted - no disallowance by Parliament
Similar processes for variation and revocation (ss18BD-18BE)
Codes - private sector (3)
Complaint resolution procedures
Code may include complaint procedures
Only the Insurance industry code does so
Procedures must comply with s18BB(3):
‘prescribed standards’ (Regs) and Comm’s Guidelines (a)
‘Independent adjudicator’ (b)
Same determination powers as Comm (d)
Organisations bound by Code are required to ‘co-operate’ (f), (g)
But adjudicator has no investigative powers
Detailed reporting requirements (h)-(k), including of individual
complaints resolved, including by ‘non-determination’ (ka)
A ‘determination’ [but not other findings] by a Code adjudicator can
be reviewed by the Commissioner (s18BI)
Comm can make a s52 determination to replace it
No judicial review available of ‘non-determinations’ - can Code
adjudicators dismiss complaints ‘adequately dealt with’?
Codes - Private sector practice
See Waters ‘Codewatch’ (2004) 11(1) PLPR
Only 3 so far (insurance; Qld clubs; Market and social research), 3 in
queue (Biometrics; Internet Industry Association; Casino Association)
Considerable differences in effectiveness of consultation
Insurance Industry Code
Only one with its own complaints procedure
General Insurance industry privacy code
Insurance Enquiries & Complaints Limited
Two (of 21) complaints referred to external Complaints Committee; one
referred to PCO, other unresolved
Reports give statistics of 19 resolved complaints (internal reviews)
Major insurers not yet signatories
No auditing to assess how NPPs applied (s18BH allows, but
unlikely); relies on appeals to PCO - but PCO has published no
details yet
Codes - Cth public sector PIDs
Part VI Privacy Act (Cth)
Comm can waive IPP if public interest in exemption outweighs
adherence ‘to a substantial degree’ (s72)
Public consultation required, hearings have been held
PIDs are disallowable instruments (s80)
Senate Regs & Ordinances C’tee threatened disallowance of PID
#2 until Comm O’Connor reissued it
10 made since 1988 - has not been a means of wholesale
exemption
No separate complaints procedure
PCO maintains Register of Public Interest Determinations listing
10 current Determinations, none temporary and none pending
Codes - NSW - Pt 3 Codes
Part 3 of NSW Act covers Codes
Overview of Codes under Pt 3
Codes only modify IPPs, and do not contain complaint procedures
More like Cth PID procedure for agencies
Standards for codes
Codes are ‘for the purpose of protecting the privacy of individuals’
(s29(1)); otherwise, few standards set
they can ‘modify’ the application of IPPs (s30) - ‘exempting’
agencies or classes of agencies
Must not be any higher than NSW IPPs (s29(7)(b))
Must not be so low as to endanger data imports (s29(7)(a))
How far can Codes be lower than IPPs? - s30 v s29(1)?
See the APF submission for a general critique
Codes - NSW - Pt 3 Codes (2)
Code formation and review
P.Commissioner or agency can propose codes (s31)
Agencies must consult Comm, who may consult anyone - criticised for
lack of consultation
Minister (A-G) ‘makes’ codes proposed under s31 (but cannot
modify a proposed Code)
11 codes to date, 9 in queue - does not appear to be abused
Codes are not statutory rules, so no procedure for Parliamentary
disallowance (contrast Cth PIDs)
Types of Codes
Multi-agency eg Privacy Code of Practice (General) 2003: covers disclosures
between various agencies, and exemptions for various public registers
Single agency (most) eg NSW Health: Privacy Code of Practice
For any NSW agency, must check if a Code applies before
concluding there is a breach
Codes - NSW - s41 Directions
S41 Exemptions (‘directions’) by Commissioner
P.Comm can also grant exceptions where public interest in doing
so outweighs public interest in upholding the IPP (s41)
Similar to Cth PIDs, but no provision for disallowance
No consultation requirements; little has occurred
9 current directions in force, all expiring by 31/12/04; 6 previous
have expired; no requirement in Act that they be temporary
Main use is to provide a temporary exemption until an agency can
go through the procedures to obtain a permanent Code.
Must be checked before finding a breach by a NSW agency
See Australian Privacy Foundation (APF) submission re need for
one uniform exemption procedure
Privacy Commissioners Independence & Functions
Independence of Privacy
Commissioners
Studies of roles of Commissioners
Blair Stewart ‘A comparative study of data protection authorities: Pt
1 - Form and Structure’ (2004) 11 PLPR 46; ‘Pt 2: Independence
and functions’ (2004) 11(3) PLPR 81
C Bennett & C Raab The Governance of Privacy Ch5 ‘Legal
Instruments and Regulatory Agencies’, Ashgate 2003
Independence
crucial, given role as check on government power
Factors include method of appointment and dismissal, reporting
lines, and control over budget
EU Directive A28 requires that Commissioners ‘act with complete
independence’; CoE Convention similar; APEC Framework does
not require a Commissioner (nor does OECD)
See Stewart Pt 2 on measures needed to ensure full
independence, beyond appointment and removal
Commissioners’ Independence: Cth
Australian Commonwealth Commissioner
Appointed (in effect) by A-G for 5 year renewable term
S25 Grounds of dismissal - misbehaviour etc
No longer a HREOC Commissioner
1st (O’Connor) not renewed after 2 terms; 2nd (Scollay)
changed jobs after 1; 3rd (Crompton) resigned after 1 term; 4th
(Curtis) now in office
rejected suggestion of being an officer of Parlt like Ombudsman
or Auditor-General
Can make special and annual Reports direct to Parlt, and
public statements on most matters
Budget depends on Govt - pressure to keep on reasonable
terms with current Govt
Budget reduced 2003-4 despite increase in private sector
complaints
Commissioners’ Independence: NSW
NSW Privacy Commissioner
Similar appointment and dismissal as Cth
Similar budget dependence as Cth
1st Comm (Puplick) resigned after repeated public clashes with
Ministers (and misconduct allegation), stating could not
continue without the Premier’s confidence - see article (2002)
9(2) PLPR 133
No appointment of 2nd Commissioner after 2 years; acting part-time Comm on short-term contracts
NSW PCO budget increased early 2003
Proposed 25% staff cut 2004 - not finalised
Bill to abolish Commissioner defeated 2003
Intended to transfer powers to Ombudsman
See Greenleaf & Waters critique
Commissioner’s Roles - Cth
Cth Commissioner - S27 specifies functions
Broad, and broadened further in early 90s during
extension of TFN powers
(b), (k) and (r) give broad powers/duties to make
public statements and criticise proposals
Guidelines under (e) can be to 2 types of conduct:
‘interferences with … privacy’ ie breaches of IPPs, NPPs
‘may otherwise have any adverse effects on … privacy’ ie only ‘best practice’ Guidelines
Commissioner fails to distinguish them - eg PKI G/Ls
Effect of IPP G/Ls on complaints uncertain - contra HK
where breach of G/Ls = prima facie breach of Ordinance
Commissioner’s roles: NSW
NSW Commissioner
s36 broad functions
generally not tied to breaches of IPPs (‘protection of
personal information’) but also cover ‘the privacy of
individuals’
General power to make public statements (h), and to
publish reports and recommendations (j)
Power to make special report to Parlt (s65)
Exercised twice, re a local Council and re Minister of
Education - very strong political reaction
The big Q: ‘Watchdog or lapdog’?
What is the objective role of a PC? At least 2:
‘Watchdog’: The stated role is to limit
invasions of privacy
‘Lapdog’: Do they also legitimate extensions
of surveillance?
‘The Commissioner is being kept informed’
Inability or unwillingness to conflict with
government programs or legislative proposals
‘Watchdog or lapdog’?
Possible HK examples of legitimation function
Extended use of HK ‘dumb’ ID card, then ‘smart’
card
Extension of credit reporting to all financial
institutions, and then conversion into positive
reporting
See McLeish and Greenleaf Chapter for details
What powers do Commissioners need?
What powers do they need to help prevent
undesirable losses of privacy? How important are:
Powers to prevent undesirable information systems even
being built, or close them?
Power to award damages?; or to prosecute?
Audit powers? (and resources)
Privacy Impact Assessments (PIAs)?
A specific power (duty?) to make public statements?
Commissioners’ Independence : Hong Kong
5 year term appointed by CE, renewable +5 more (s3)
First Commissioner, S Lau (1996-2001), not reappointed
2nd Commissioner, R Tang (2001-05) became Equal Opportunities
Commissioner after 3.5 years
3rd Commissioner, R Woo, former Law Society head, appointed
2005
Can only be removed by CE with LegCo approval for (i) inability
to perform office; or (ii) misbehaviour (s5(5)(b))
Is not a public servant or government agent (except for anti-corruption purposes) (s5(8),(9))
On Stewart’s criteria, must look at additional matters …
Hong Kong - Other measures to support
Commissioner’s independence (Stewart)
Ability to report directly to head of Govt or Legislature
Ability to make public statements
S8(1)(d) power to examine proposed legislation and report to proposer;
comments are often made to Bills C’tee of LegCo; AR 2003-04 Appendix II summaries of 9/19 comments on proposed legislative changes
no explicit role of public comment (eg little on smart ID card)
Occasional public statements made on website
3 ‘Issues of public concern’ in 2003-04 AR
Statutory direction to act independently
None in PD(P)O; submissions sometimes invited by LegCo
None; but not a servant or agent of govt (s3(8))
Administrative structure of independent agency
Corporation sole (s3(2))
Do other HK agencies have a more independent structure?
Hong Kong - Other measures to support
Commissioner’s independence (Stewart) (2)
Funding mechanism recognising independence
Immunity against personal actions re duties
Commissioner to hold no other office, unless approved by CE (s6)
Guaranteed remuneration
Comm does not enjoy ‘immunities of the govt.’ (s8)
No other immunities in PD(P)O - any elsewhere?
No financial conflicts of interest
Funds appropriated by LegCo for purpose of Comm, plus others
provided by Govt (Sch 2)
Budget of HK$40M p/a for 39 staff (2004-05)
Determined by CE (s6)
[Add?] Guarantee of position beyond Office
Should a PC have a guaranteed ‘soft landing’ after completion?
Commissioners’ roles: Hong Kong
Functions (s8(1)) include:
Supervise compliance with DPPs (a) - no explicit mention of
mediation in complaints
Assist with preparation of s12 Codes (b); and publish
Guidelines (s8(5))
Promote awareness (c)
Examine proposed legislation and report to proposer (d) - no
explicit role of public comment (eg smart ID card)
‘carry out inspections’ of govt. data users (e) - not a specific
audit power
Monitor technology developments (f)
Some other functions re data matching