
Enforcement and Administration of Privacy Laws
Privacy and Surveillance
Graham Greenleaf
Last revised September 2008

Enforcement & Administration
- ‘Responsive Regulation’
  - Enforcement pyramid
  - Objectives of enforcement
- Complaints & remedies for individual breaches
  - Investigation powers
  - Enforcement notices & criminal offences
  - Compensation and other remedies
  - Appeals and judicial review
- Systemic aspects of obtaining compliance
  - Publication of decisions & outcomes of complaints
  - Co-regulatory codes & exemptions - alternative compliance
  - Preventative powers: audits, PIAs etc
- Privacy Commissioners
  - Independence
  - Roles

‘Responsive regulation’?
- ALRC wants ‘principles-based regulation’ (Ch 4): focus on defining outcomes, not prescribing processes
  - aims to minimise the need for enforcement by ‘encouraging organisations to understand the values behind the law and change their behaviour accordingly’
  - ‘nurturing a culture of voluntary compliance with the law’
- ALRC also wants ‘compliance-oriented regulation’ (4.62) which places (equal??) emphasis on all 3 of:
  - ‘Fostering compliance’ (heavy emphasis on Commissioner providing guidance);
  - Monitoring compliance (recommends power to require privacy compliance assessment)
  - Enforcing compliance - supports ‘enforcement pyramid’ approach.

Responsive regulation? (2)
- CyberLPC IP sub 6-16 argues that Comm in 2007 ‘is a failure at implementing responsive regulation’.
- Would current Comm practices + ALRC reforms achieve this aim?

Another categorisation
- A means of individual redress; low-cost and non-public
- Appropriate range of remedies, such as:
  - Access to and correction of records;
  - compensatory damages;
  - injunctions or orders to enforce compliance;
  - Criminal penalties for serious/repeated breaches
  - Judicial review of administrative errors;
  - Appeals by either party to the Courts
- Preventative/educative powers of PCO, such as:
  - Publication of complaint examples and outcomes
  - Audits of data users;
  - Privacy Impact Assessments (PIAs) on new proposals
  - Power to require reports on existing practices

Complaints and compliance: Cth Privacy Act
For a summary see Greenleaf & Bygrave ‘Enforcement aspects of Australia’s Privacy Act 1988 compared with European standards’ (confidential draft)

Complaints - Overview
- Investigation - public and private sectors
  - Complaints only re ‘interferences with privacy’: breaches of NPPs, IPPs etc (s36)
  - Representative complaints possible (s36(2), ss38-39)
  - ‘Own motion’ investigations possible (s40(2))
  - Comm must not investigate unless complaint first made to respondent, unless inappropriate (s40(1A))
  - If Comm is considering a s52 determination, must give both parties the opportunity of a hearing (s43(5))
  - Comm’s extensive powers to investigate (ss44-47)
  - Comm can refuse / close / defer investigation (s41)
  - No right of appeal to a Court or Tribunal against Comm’s s52 determination (except on quantum of damages)

s41 dismissal of complaints
- Most complaints are dealt with under s41
- Comm can refuse / close / defer investigation (s41) because
  - ‘not an interference’ (1)(a); ‘lacking in substance’ (1)(d)
  - Another law ‘provides a more appropriate remedy’ ((1)(f))
  - Respondent has dealt adequately with complaint ((2)(a))
- See examples of possibly excessive use of s41:
  - X v Cth Agency [2004] PrivCmr 4 - s41(2)(a) applies even if complainant dissatisfied - 11(1) PLPR note
  - O v Credit Provider [2004] PrivCmrA 5 and N v Internet Service Provider [2004] PrivCmrA 10 - refusal to investigate because O had not raised every possible issue with respondent - 11(2) PLPR notes
  - S v Various Cth Agencies [2004] - despite refusals to correct records, investigation refused on (1)(f) grounds - 11(2) PLPR note
  - Other issues of PLPR Vol 11 contain more examples

s41 dismissal of complaints - ALRC recommendations (2008)
- R 49-1: More powers to Comm to dismiss complaints under s41 where … ‘(c) an investigation, or further investigation… is not warranted having regard to all the circumstances’.
- Rejects CyberLPC submissions IP 6-16 and DP 72-142 that complainants should be given a right to require a s52 determination if there is a s41 dismissal (and that any extension of s41 is otherwise unsafe).

Conciliation / mediation
- Act currently does not specify anything about conciliation role
- ALRC 2008 recommends
  - R 49-5(a) - if Comm considers successful conciliation ‘reasonably possible’, must attempt it
  - R 50-4: Comm should be able to accept an undertaking that an agency or organisation will take specified action to ensure compliance; if they breach undertaking, Comm can seek compliance order in Federal Ct

Right to s52 determination
- Currently no such right and Comm does not accept that complainants have any right to a s52 determination
- ALRC 2008 recommendations:
  - R 49-5(b) - if conciliation fails ‘the complainant or respondent may require that the complaint be resolved by determination’
  - Criticism: Any right under (b) to a s52 determination is therefore dependent on Comm’s subjective decision under (b) that mediation is possible (CyberLPC submission was that any complainant should be able to so require)

S52 Determinations
- Determinations under s52 are the only ‘enforceable’ orders Comm can make
- Dismissing complaint
  - never used - s41 (ab)used instead
- That conduct should not be repeated
  - Never used
- Performance of reasonable acts
  - TICA determinations 2004/1-4: PC only identifies conduct in breach, refuses to specify acts to be performed
  - ALRC 2008 R 49-6: Comm should be able to prescribe the steps that an agency or respondent must take to ensure compliance with the Act.

S52 determinations (2)
- Compensation - only one contested example
  - C v ACT Govt Solicitor [2003] PrivCmrACD 1 - $1,000 compensation
  - Can compensate ‘feelings or humiliation’
- ‘correction, deletion or addition to a record’
  - Never used
- Reimbursement for ‘expenses reasonably incurred’
  - [2003] PrivCmrACD 1 - $1,300 costs

Determinations in practice
- Determinations practice to date
  - Determinations are published by the PCO and republished by WorldLII
  - 1989-2002: zero substantive determinations (2 fakes in 1993). Why none after that?
  - 2003/1 - ACT govt (disclosure)
  - 2004/1 - ACT govt (disclosure)
  - 2004/2-5 - 4 x TICA (first re private sector)
  - 2004-08 - None by the current Commissioner
- Is this responsive regulation?

Determinations - enforcement
- Enforcement of s52 determinations (ss 54-55B)
  - s55 - respondent must comply with determination
  - s55A - if respondent does not comply, must proceed de novo in Fed Ct / Mag Ct for enforcement
    - Has not occurred as yet
  - s55B - Certified copy of Comm’s determination is prima facie evidence of facts found by him
    - Evidence before Commissioner is admissible
    - Onus is on respondent to rebut facts
    - Onus is still on complainant to show breach of IPP/NPP
- Is this biased in favour of respondents?
  - Consider different position of TICA parties

Review of Determinations / Appeals against Commissioner
- Complainant currently has no right of appeal against determination
  - Respondent has de facto right of appeal
  - ALRC 2008 R 49-7: either party should be able to apply to AAT for merits review of a determination
- Complainant can seek judicial review (of s41 dismissals or s52 determinations)
  - For errors of law or procedural errors
  - But not against the substance of the determination
  - How many complainants could understand (or afford) judicial review? Appeals are simpler.

Injunctions
- Privacy Act 1988, s98 - unique provision
- Covers Cth public sector, private sector
- allows ‘any person’, including P Comm, to seek injunction to enforce IPPs and NPPs
  - Based on s80 Trade Practices Act
  - Against anyone ‘engaging or is proposing to engage’ in breach of Act
  - Orders restraining breach or ‘requiring the person to do any act or thing’
  - Risk of costs against party seeking injunction, and damages (particularly in the case of interim injunctions) - not so in complaints to P Comm
  - Also risk to respondent of costs against, but no provision for Fed Ct to award damages for breach

Injunctions (2)
- Channel 7 v MEAA [2004] FCA 637
  - See summary by Gunning
  - Rejected submission that only P Comm could enforce Act under s52; distinguished Day v Lynn [2003] FCA 87 and other cases
  - Injunction granted against MEAA and Connect for multiple breaches of NPPs
  - Costs against MEAA $10,000
- Despite only one injunction in 20 years, ALRC did not make any recommendations
- What orders will Channel 7 draft?

Representative complaints
- Cth Act provides - s36(2)
- ss38-39 - special conditions for rep. complaints
- See Connolly and Isaji ‘Representative Privacy Complaints’ (2004) 10(8) PLPR 16 - survey
- TICA Determinations #1 - #4: first example
  - Most successful enforcement action yet under Act
  - Would have been impossible for an individual complainant (particularly tenants)

Own motion investigations
- Comm can carry out ‘own motion’ investigations (s40(2))
  - Currently can make any enforceable orders as a result
  - Does not disclose what investigations launched
- ALRC 2008 recommends:
  - R 50-1 Comm should be able to ‘issue a notice’ requiring ‘specified action’ to ensure compliance with Act, enforceable in Fed Ct or FMC.
  - This would differ from a s52 determination, no capacity to award compensation to individuals.

Criminal offences - Australia
- Federal Act
  - Public sector and private sector enforcement does not involve significant criminal enforcement
  - Part IIIA credit reporting does involve offences
- NSW PPIPA ss62-63
  - breaches of DPPs do not constitute crimes
  - offences of corrupt disclosure and use of personal information by public officials
  - offence of offer to supply personal information disclosed unlawfully
- Cth and NSW cybercrime legislation relevant

Penalties for repeated breaches
- No current general penalty provisions
  - there are criminal offences in credit provisions
  - Other jurisdictions (eg HK) rely on prosecutions for enforcement, Australia relies on compensation etc
- ALRC 2008 recommends
  - R 50-2: Comm to be able to seek a civil penalty in the Fed Ct or FMCA where there is a ‘serious or repeated interference with privacy’
    - An attempt to improve the ‘pointy end’ of the ‘enforcement pyramid’ / responsive regulation
  - R 50-1: Comm should develop and publish enforcement guidelines setting out the criteria for seeking civil penalties

Complaints and compliance: NSW Act
For a recent summary see Greenleaf & Bygrave ‘Data protection in New South Wales – An assessment of strengths and weaknesses’ (Confidential draft)

Complaints - NSW Act Overview
- see Jenner (2004) 10(9) PLPR 169 overview
- Commissioner can investigate any complaint (IPP or ‘non-IPP’)
- IPP complainants re NSW agencies have a choice of Pt 4 investigation or Pt 5 internal review / ADT
- Only ‘Part 5’ complaints to agencies can lead to the ADT and enforceable remedies (after internal review)
- Only Privacy NSW can investigate (under Part 4):
  - Non-IPP complaints against NSW agencies
  - Non-IPP private sector complaints
  - Complaints against bodies / conduct exempt from Cth legislation (will not investigate if NPPs cover)

Complaints - NSW Act - Pt 4 Investigations by P.Comm
- Investigation of complaints by P.Comm (Pt 4 Div 3)
  - See P. Comm’s Complaints Protocol
  - can only conciliate and make recommendations (s49) (like old Privacy Committee)
  - has extensive powers, including compulsory conferences (s49)
  - May investigate ‘own motion’ complaints (s45 ‘or by’)
  - For IPP complainant to get to ADT, must first seek internal review by agency under Pt 5 (s53)
- Standards applied in Pt 4 investigations
  - Physical privacy - ‘US privacy tort’ standard (Morison Report, 1973)
  - IPP complaints outside PPIPA - own ‘Data Protection Principles’

Complaints - NSW Act: representative complaints?
- No express provision for representative complaints to P.Comm
  - Cf Victorian Act s25(3) allows representative complaints but only with the consent of all the individuals concerned
  - No express requirements for ‘representative’ internal review or ADT findings
- Recent cases on who is an ‘aggrieved person’ create some flexibility:
  - An aggrieved person is not necessarily the person who is the subject of the personal information
  - GA v Dept Ed & NSW Police (No 2) [2005] NSWADT 10 - GA not one where only acting previously on behalf of his sons - see 11(7) PLPR note

Complaints - NSW Act: Internal review and ADT
- Pt 5 complaints - agency internal review and ADT
  - Applicant must seek internal review of conduct by agency (s53)
  - Agency must conduct internal but independent review (s53(4)); consider provision of the full range of remedies (7); and deal with the matter within 60 days of receipt (6); notify applicant in writing, including appeal rights (8)
  - Agency must inform P.Comm of review and its progress, and accept submissions from him (s54)
  - Dissatisfied applicant may apply to ADT for review (s55)
  - ADT may award damages to $40,000 and other remedies (s55(2))
    - No s55(2) awards unless applicant has ‘suffered financial loss, or psychological or physical harm’ (s55(4))
  - Either party may apply to ADT Appeal Panel for further review
  - Appeals from ADT go to Supreme Court

Complaints - NSW Act: litigation under NSW Act
- 26 reported cases (to 1/6/04) - 17 of them in the previous 112 months
  - Extensive legal interpretation (contra Cth)
  - Note: Privacy NSW does case summaries
  - No case has yet resulted in damages paid
- Practice - see Jenner (2004) 10(9) PLPR 169
  - Note differing and limited roles of Privacy NSW in internal reviews and before the ADT
  - Note obligations on agencies in internal reviews
  - Note checklists for complainants and advocates

Complaints and compliance: Hong Kong Ordinance
UNSW students may omit these materials

Complaints and compliance: Hong Kong
See ‘The Commissioner and enforcement of the Ordinance’ in McLeish & Greenleaf Chapter
- Investigation
- Compliance orders
- Appeals and reviews
- Compensation
- Criminal offences

Hong Kong: Investigation
- Pt V: Inspections, Complaints and Investigations
- Complaints (s37) must be by data subject against a specific data user
- Jurisdictional conditions: s39(1)(d) makes any of the following sufficient:
  - (i)(A) complainant resident in HK; or (ii) in HK at the relevant time
  - (i)(B) data user able to control ‘in or from Hong Kong’ the collection etc of the data at the relevant time [complainant may be overseas]
  - (iii) in PC’s opinion, the enforcement of a right or privilege ‘acquired or accrued in HK by the complainant’ will be prejudiced - meaning?
- Will s39(1)(d) satisfy the EU re data transfers to HK?
  - (i)(B) will usually suffice to protect EU residents against acts in HK

Investigations: Hong Kong
- Representative complaints are allowed
  - S37(2) envisages one complainant making a complaint on behalf of all data subjects affected by a practice
  - s37(1) also covers the narrow sense of representatives authorised in writing (see defn. ‘relevant person’)
    - But there is no equivalent in s66 (compensation)
    - Could a lawyer or civil society group represent all affected data subjects with the written permission of only one of them?
- Compare the Aust. Cth ‘class actions’ provisions and the TICA determinations to see the significance of representative complaints and the role of civil society groups
- Have there been any such complaints in HK? - apparently not - PCO Press Release re Flight Attendants Union does not admit possibility of representative complaints

Investigations: Hong Kong
- PC may refuse to investigate (s39(2)) if:
  - (a) Previous similar complaint dismissed (dangerous?)
  - (b) trivial practice; (c) trivial/vexatious complaint
  - (d) ‘any investigation or further investigation is for any other reason unnecessary’
    - Will often be because data user has (in the view of the Commissioner) remedied problem
    - Could be because parties have settled dispute - does PC facilitate settlements? - anecdotal evidence is ‘no’
    - Could this cover ‘another remedy is available’???
- See also s39(1)(a)-(c) for other standard reasons
- Refusals to investigate can be the subject of appeals to the AAB, or judicial review (see later)

Investigations: Hong Kong
- Assistance to complainants, and mediation
  - PC obliged to assist to ‘formulate the complaint’ (s37(4))
  - No specific requirement to assist in mediation of a complaint, or s8 power
- Refusal to investigate, and appeals
  - S39(3) - Where PC does not commence formal investigation, or suspends investigation under s39(2), must give complainant notice within 45 days
    - B&W 14.14 interpret this as a 45 day period for ‘informal resolution’
  - S39(4) gives complainant right of appeal to Administrative Appeals Board (AAB) when s39(3) notice is given
    - No further appeal to Courts, only judicial review

Hong Kong: Enforcement notices
- PC can issue enforcement notices (s50)
  - If data user ‘is contravening’ or has done so and it is likely that it will continue or be repeated
  - requiring data user to ‘remedy the contravention’
    - No notice possible if no further contravention likely
    - Does not require any damage to complainant to be remedied
    - 4 notices in 2000, 12 in 2001
    - PC can instead give warning notices (21 in 2000, 10 in 2001)
    - Failure to comply is a criminal offence
- Are there no adverse consequences for breaches, if you promise not to do it again?

Hong Kong: Compliance orders
- No systematic publication of these serious complaints resulting in orders
- S48 allows PCO to issue formal reports naming data users (but not others), but has only done so once
  - ‘Video Peeping Tom’ case (1997) - hidden video camera filmed female student in shared accommodation; undertaking given, but data user not named; victim apparently gained no other remedy
  - Hongkong Post pinhole camera case (2005) - see Materials - named but press had already shamed
- PCO has therefore never used ‘name and shame’ power

Compliance orders compared
- Closest equivalents are:
  - Aust Cth - s52 determinations by Comm; injunctions by Fed Ct (no standing required)
  - NSW - only the ADT can make orders
  - Vic - Comm can serve compliance notice on an organisation
    - but only if ‘flagrant’ or repeated breaches
  - Hong Kong - Enforcement notices (s50)

Hong Kong: Appeal structure
- Appeals to AAB
  - S39(4) gives complainant right of appeal to Administrative Appeals Board (AAB) when s39(3) notice is given (would also apply if investigation suspended because no enforcement notice)
  - s50(7) gives data user 14 days to appeal against enforcement notice after it is served
  - No further right of appeal to a Court against AAB decision, only judicial review
- Judicial review of PC decisions (2 in 2003)

Hong Kong: Compensation
- PCO or AAB cannot award damages (contra Australia, NZ, Korea)
- Compensation (s66) only by separate Court proceedings
- Applies to ‘an individual who suffers damage by reason of a contravention’ (s66(1)); including damage to feelings (s66(3))
- General defence in s66(4) where data user can show:
  - Reasonable care to avoid the contravention; or
  - If the contravention occurred because of inaccurate data, the data was received from a third party.
  - Is this fair?
- Complainant must risk costs against; must also risk disclosure of identity; must also prove complaint ab initio even if already investigated by PCO
- PC not able to assist complainants; HKLRC (2004) criticises this
- Only 1 reported case, and it was dismissed - not surprising?

Criminal offences - Hong Kong
- S64 creates criminal offences by data users
  - Supplying false information
  - Contravening enforcement notices, subject to defence of due diligence to comply (s46(8))
  - Contravening matching requirements
  - Contravening any other provision of the Ordinance without reasonable excuse (s64(10))
- S64 creates offences by any person
  - Supplying false information
  - Hindering Commissioner’s investigations

Part 2 - Systemic aspects of Enforcement & Administration

Enforcement & Administration - Part 2 - Systemic aspects
- Assessing existing compliance
  - External audits
  - Privacy Compliance Assessments (PCAs)
- Privacy management planning
  - Privacy Impact Assessments (PIAs)
  - Privacy management plans
- Accountability / Transparency
  - Complaint outcomes
  - Publication of decisions
- Modifying / elaborating legislation
  - Codes, exemptions and guidelines

Assessing existing compliance - Current Australian practice
- Federal Act empowers audits by PC re public sector but not private sector; however, PCO has abandoned all auditing (costs)
- NSW - No audit power in Privacy NSW, but there are other controls (eg involvement in internal reviews; privacy management plans)
- ALRC 2008 recommends
  - 47-6 Comm to be empowered to conduct ‘Privacy Performance Assessments’ of the records of PI maintained by organisations
    - Effectively, a new audit power re private sector

Assessing existing compliance - Hong Kong
- See McLeish & Greenleaf chapter ‘Assessing compliance’
- Pt IV powers of ‘formal inspections’ by PCO (s36)
  - Never used
  - PCO can report recommendations from inspections applying to classes of data users (s48(1)); see table of improved practices
  - Also powers to require classes of users to submit ‘data user returns’ (s14) - never used
  - Instead, informal ‘compliance checks’ of alleged practices not complying with PD(P)O
  - Now proposing to promote voluntary internal audits or ‘Privacy Compliance Audits’ (PCAs)

Privacy Impact Assessments (PIAs)
- See RG 9.9 for articles by Waters, Flaherty and Stewart for comparable practices
- Aimed at assessing future impact of proposed information systems, not existing compliance
- Requirements
  - No current provisions in any Australian Acts
  - No provision in HK Ordinance
    - PCO proposing to promote voluntary PIAs
    - Were some PIAs done on smart ID card
  - Canada (2002) made PIAs mandatory for all Federal government institutions

Privacy Impact Assessments (2)
- ALRC 2008 recommends:
  - 47-4 Comm able to (a) direct an agency to provide to it a PIA ‘in relation to a new project or development that [Comm] considers may have a significant impact on the handling of personal information’; and (b) report to Minister if it does not.
    - Criticism: no requirement that PIA be made public
  - Comm should publish PIA guidelines.
  - Review in 5 years whether to include private sector in PIA requirements.

Privacy Management Plans
- See RG 9.10
- Where a whole organisation is required to publish how it will deal with privacy issues
  - Sometimes has similar effect to a PIA
- NSW PPIPA 1998 s33 Preparation and implementation of privacy management plans
  - Example: Anne Pickles ‘Protecting exposures’ (2000) 7 PLPR 61
- No similar requirement in Cth or Vic Acts, but some agencies have done so voluntarily

Publication - Importance
- Types of publication
  - Summaries of complaints
  - Statistics of outcomes
- Importance of both summaries and statistics
  - Past remedies (‘tariff’) unknown
  - Deterrent effect is lost
  - No accountability for high public expenditure
- For critiques of current practices, see
  - CyberLPC submission on DP 72 ‘5.2. Transparency of the Commissioner’s complaints function’ (in materials)
  - CyberLPC submission on Issues Paper ‘Transparency and feedback – Inadequacy of the Commissioner’s reporting practices’
  - Following slides are less up-to-date than these submissions

Complaint outcomes - Does anyone get a remedy?
- Do complainants actually get the remedies that privacy laws make available in theory?
- Sources of evidence available?
  - Annual Reports - only significant public source
  - Websites?
    - Stats provided often only show what is in Annual Reports
    - Reported cases can be searched for types of remedies
    - FOI requests would only work if a ‘document’ was available
- Only some jurisdictions considered
  - Privacy Comms - Australian Fed; NSW; HK; NZ; Canada
  - Information Commissioners not considered - mainly access, some correction, some broader

Outcomes - Hong Kong PC
- See 03-04 & 04-05 Annual Report (Materials #4)
  - Analysis in McLeish & Greenleaf chapter (‘Complaints and enquiries’ and ‘Reporting outcomes’)
- PC Annual Report 2000/01 (01/02 is similar)
  - 789 complaints (up 39%);
    - 68% vs private sector; 14% vs government; 18% vs 3rd Ps
    - Over 50% allege breaches of DPP 3 (use)
  - 52 formally investigated (14% of 531 finalised)
    - 26 (50%) found to involve contravention of PD(P)O
    - 10 warning notices; 12 enforcement notices - but no idea what actions required, or what results
    - 4 referrals to Police for prosecution but in 3 Police found insufficient evidence; one unresolved

Outcomes - Australian Fed PC
- 2000-01 AR included some outcome stats
  - 133 closed complaints; uncertain % breaches found
  - 9 cases in AR involved $52,000 compensation
    - Was prior to reporting case summaries on website
    - No information about other remedies
- 2001-02 Annual Report - no statistics!
  - Complaints tripled with private sector coverage (611)
  - AR contains summaries of 11 complaints, of which one resulted in $5000 compensation
  - No statistics given of complaint outcomes at all

Outcomes - Australian Fed PC (2)
- 2002-2003 Annual Report
  - 225 breaches of the Act found
    - NPPs 127; IPPs 35; Pt IIIA 63
  - No specific details of remedies, just a few vague comments
    - not even compensation total as in 2000/1
    - No example cases (replaced by 2 per month on web)
    - No details of complaints dismissed (and no use of s52)
- Is everybody happy?
  - All 225 breaches found were ‘adequately dealt with’ (in the Commissioner’s view)
  - Lack of s52 determinations
  - No appeal right; No substantive case on the Act ever before a Court for judicial review
  - X v Commonwealth Agency [2004] PrivCmrA 4 - PCO admits complainant is not happy, but still dismisses complaint under s41(2)(a) despite breach

Outcomes - NSW PC
- Annual Report 2002/3 (pgs 19-23)
  - Annual Report 2001/2 - Details of complaints analysed in every possible way except by the outcomes received by complainants
  - ‘Quick Stats’ 2000-03 provided on web
    - for the first time, some outcomes of complaints given
    - % of complaints resulting in adverse findings (but not actions)
    - 24% referred to internal review
    - In 2002/3, 219 complaints, and 39 internal reviews, finalised
  - No statistics of complaint mediation outcomes
  - No complaint mediation case-studies
- Reviews by the NSW ADT (enforceable)
  - See previous slide - now at 16 reported cases p/a
  - But no damages awards yet (may be settlements)

Comparison - 4 PCs Annual Reports
- ‘Will I get a remedy - and if so, what?’ is largely unanswered - evidence is not there
- Some evidence of the % of successful complainants
- Little evidence of what remedies result
- Compensation? - a few examples from Aus and NZ
- All of the PCs are below ‘best practice’
- A systematic and comparable standard of reporting is needed
  - Asia-Pacific PCs could develop standards

Will I get a remedy?
Evidence from Privacy Commissioners Annual Reports
2001/02
(see web page for explanatory notes) √= yes; ?= can’t tell
Aus
NZ
HK
Can
√/√
√/√
√/√
√/√
Type of complaint/respondent ? (√ / √)
√/√
√/√
√/√
Respondent name (‘Top 10’)
? (no)
√
no
√
% formal finding
0% (0%)
8%
10%
72%
% found breaches mediated / awarded
? (√ / √) ? / ?
(? / -)
√/√
25 / 46
√ / √
59 / 63
% success in Court
N/A
√ (0%)
?
?
Remedies mediated / awarded
?
(31 / 0)
?/?
4 egs
?/?
?/?
Damages mediated / awarded
?
(9 / 0)
?/?
4 egs
?/0
?/?
Complaints opened/complete
55
Publication of Commissioners’ decisions (‘complaint summaries’)
- For detailed criticisms of reporting practices:
  - Greenleaf ‘Reforming reporting of privacy cases’ <http://www2.austlii.edu.au/~graham/publications/2003/Reforming_reporting/>
  - Bygrave ‘Where have all the judges gone?’ (2000)
- European Commissioners were little better - improved?

Why reporting of Commissioners is needed
- Few court decisions means Commissioners’ views in complaint resolutions are the de facto law
- Identifying non-compliance is more valuable (and difficult) than ‘feel good’ exhortations to comply

Importance of complaint summaries
- Publication of complaint summaries is possible
  - Requires anonymisation in most cases
  - Exceptions should not be the rule
- Adverse consequences of lack of availability
  - Interpretation unknown to parties / legal advisers
  - No privacy jurisprudence is possible
  - Privacy remains ‘Cinderella’ of legal practice
  - Deficiencies in laws do not become apparent
  - Commissioners can ‘bury their mistakes’
  - Justice is not seen to be done

Publication - Hong Kong PCO
- Complaint summaries on Commissioner’s website
  - Only 6 (01/02) or 8 (00/01) brief complaint summaries in Annual Rep - about 0.5 per month
  - have been updated for 2004 but still not complete for 2005
  - Can’t check currency - not listed in date order
  - No known criteria for systematic reporting of significant complaints
- Details of cases before other tribunals
  - AAB complaint summaries are in AnRep, and now on website; not yet available on Internet in full text
  - Judicial review cases also summarised in Annual Report
  - No reporting of s66 cases in AnRep or website - There are none
- Now also included in WorldLII Privacy Law Project
  - 39 PCO complaint summaries 1998-2004; 8 per year
  - 21 AAB summaries 1997-2003; 3 per year

Publication - Australian Federal Privacy Commissioner
- AnRep had a few small ‘media grab’ summaries
- No other mediation details published 1988-2002
- Comm avoids making binding Determinations (2 1993, 1 2003) despite powers to do so
  - Dismisses matters under s40 - publication not required
- Since Dec 2002, 13 useful summaries of mediations and determinations published on web
  - 2x2002, 12x2003 (incl 1 determination); 9 x 6/2004 (include 5 determinations) - still not much more than 1/month
  - Now receiving 100 complaints/month - reporting 1%
  - Rate is only 1.1 per month - not 2/month as planned

Publication - NSW Privacy Commissioner
- Almost no mediated complaint summaries
  - Privacy NSW 2001/2 Annual Report has 4 complaint summaries, 3 concerning the private sector (2000/1 AR has 2); 2002/3 has 3 only - little change, trivial number
  - Internal review results also unavailable
  - AR 2001/2 has extensive details (identified) of 2 special reports to Parliament, both involving political disputes
  - No summaries of mediated complaints on web
- ADT decisions
  - 26 decided & reported as yet - compare Cth!
  - 37 lodged in 2003 - reported cases will increase
  - Decisions are on LawLink and AustLII
  - Privacy NSW also prepares summaries (also on AustLII)

Publication - NZ P Comm
- Av 2 per month (03) reasonably detailed mediation summaries on website
- Selection criteria uncertain
- Website gives few details of cases on appeal or their outcome; not available elsewhere on web; P Comm publishes occasional compendiums
- Overall, difficult for most people to get an overall view of the law

Publication - Canadian PC
- Av 5 detailed PIPEDA case mediation summaries per month on website
  - best practice of PCs, but not Info Comms
- Few Privacy Act cases on website, but usually 12 or so in AnnRep
- Summaries of cases before Courts are in AnnRep (but not linked to mediation summaries) - difficult to obtain overview

Publication - 7 recommendations
- More reporting than 2/month (% goal)
- Publicly stated criteria of seriousness
  - statistics on reported / resolved ratio
  - confirmation of adherence in each AnRep
- Complainants can elect to be named
- In default, name public sector respondents; private sector respondents only exceptionally
- Report sufficient detail for a full understanding of legal issues, and the adequacy of the remedy
- Report regularly rather than in periodic batches
- ‘One stop’ reporting including reviews of Commissioner’s decisions
- Encourage 3rd-P re-publication + citation standards

Publication - A central location
- WorldLII Privacy Law Project <http://www.worldlii.org/int/special/privacy/>
- All specialist privacy and/or FOI databases located on any Legal Information Institute (LII)
- Current coverage (all searchable in one search)
  - Australian Federal Privacy Commissioner Cases (AustLII)
  - New South Wales Privacy Commissioner ADT summaries (AustLII)
  - Canadian Privacy Commissioner Cases (CanLII)
  - New Zealand Privacy Commissioner Cases (AustLII)
  - Nova Scotia FOI & Privacy Review Office (CanLII)
  - Queensland Information Comm. Decisions (AustLII)
  - Western Australian Information Commissioner (AustLII)
  - Privacy Law & Policy Reporter (AustLII)
  - EPIC ALERT (WorldLII)
  - Victorian Privacy Commissioner
  - NZ HRRT
  - Hong Kong Privacy Commissioner and AAB
  - Korean Mediation committee
- More are being added, particularly European and Canadian cases
- A search for ‘disclos* near medical’

Co-regulatory codes
- An alternative form of (i) standard setting and / or (ii) compliance mechanism
- Many different versions of codes
  - Australian private sector - can be full co-regulation
  - Cth public sector - amended principles only
  - NSW public sector - amended principles only
  - HK - merely a rebuttable presumption that compliance is required
- See commentaries by Waters
  - ‘Codewatch’ (2003) 10(5) PLPR 90; ‘Codewatch’ (2004) 11(1) PLPR and parts of APF submission re NSW Act
- A characteristic of the ‘Asia-Pacific model’ ??
Codes - Hong Kong
- See McLeish and Greenleaf Chapter ‘Modifying compliance…’
- S12 and s13 (Pt III) - Codes of practice
- PC can issue codes drawn up by self or others (s12(1))
- PC must consult with data users and others as he sees fit (s12(9))
- Breach of Code is not itself a breach of a DPP but raises a rebuttable presumption thereof (s13)
- Pt III is silent on whether compliance with a Code constitutes compliance with Ordinance - It doesn’t, but it would influence PCO in considering enforcement, or Ct considering penalty
- As elsewhere, no demand for special industry codes
- Only 2 HK codes, both for special reasons: ID and credit
- PCO was to issue Code on workplace surveillance but reduced this to Guidelines instead - why so?
Codes - Australian private sector
Codes are regulated by Part IIIAA Privacy Act
- Overview
  - Only 3 so far (insurance; Qld clubs; Market and social research), 3 in queue (Biometrics; Internet Industry Association; Casino Association)
  - If includes complaint handling, shifts costs to private sector
  - Little interest by industry groups, despite government boosting
- IPP standards & scope
  - Must incorporate ‘all the NPPs’ or ‘obligations that overall are at least the equivalent’ of the NPPs (s18BB(2))
    - No Parliamentary disallowance, so could only proceed against Commissioner for ultra vires decision re overall equivalence
  - Must specify who is bound (or a way of determining them), and be with their consent (s18BB(2)). Can be limited by information, activity, or industry sector (s18BB(7))
Codes - private sector (2)
- Code formation procedures
  - On application by an ‘organisation’ (s18BA)
  - Commissioner may consult anyone (s18BB(1)) and must provide ‘adequate opportunity’ for public comment (s18BB(2)(f))
    - See Waters’ criticisms of adequacy of publicity/consultation
  - Commissioner approves Codes and keeps a Register (3 as yet)
  - Codes are not gazetted - no disallowance by Parliament
  - Similar processes for variation and revocation (ss18BD-18BE)
Codes - private sector (3)
- Complaint resolution procedures
  - Code may include complaint procedures
    - Only the Insurance industry code does so
  - Procedures must comply with s18BB(3):
    - ‘prescribed standards’ (Regs) and Comm’s Guidelines (a)
    - ‘Independent adjudicator’ (b)
    - Same determination powers as Comm (d)
    - Organisations bound by Code are required to ‘co-operate’ (f), (g)
      - But adjudicator has no investigative powers
    - Detailed reporting requirements (h)-(k), including of individual complaints resolved, including by ‘non-determination’ (ka)
  - A ‘determination’ [but not other findings] by a Code adjudicator can be reviewed by the Commissioner (s18BI)
    - Comm can make a s52 determination to replace it
    - No judicial review available of ‘non-determinations’ - can Code adjudicators dismiss complaints ‘adequately dealt with’?
Codes - Private sector practice
- See Waters ‘Codewatch’ (2004) 11(1) PLPR
- Only 3 so far (insurance; Qld clubs; Market and social research), 3 in queue (Biometrics; Internet Industry Association; Casino Association)
- Considerable differences in effectiveness of consultation
- Insurance Industry Code
  - Only one with its own complaints procedure
  - General Insurance industry privacy code
  - Insurance Enquiries & Complaints Limited
    - Two (of 21) complaints referred to external Complaints Committee; one referred to PCO, other unresolved
    - Reports give statistics of 19 resolved complaints (internal reviews)
  - Major insurers not yet signatories
  - No auditing to assess how NPPs applied (s18BH allows, but unlikely); relies on appeals to PCO - but PCO has published no details yet
Codes - Cth public sector PIDs
- Part VI Privacy Act (Cth)
- Comm can waive IPP if public interest in exemption outweighs adherence ‘to a substantial degree’ (s72)
- Public consultation required, hearings have been held
- PIDs are disallowable instruments (s80)
  - Senate Regs & Ordinances C’tee threatened disallowance of PID #2 until Comm O’Connor reissued it
- 10 made since 1988 - has not been a means of wholesale exemption
- No separate complaints procedure
- PCO maintains Register of Public Interest Determinations listing 10 current Determinations, none temporary and none pending
Codes - NSW - Pt 3 Codes
Part 3 of NSW Act covers Codes
- Overview of Codes under Pt 3
  - Codes only modify IPPs, and do not contain complaint procedures
  - More like Cth PID procedure for agencies
- Standards for codes
  - Codes are ‘for the purpose of protecting the privacy of individuals’ (s29(1)); otherwise, few standards set
  - they can ‘modify’ the application of IPPs (s30) - ‘exempting’ agencies or classes of agencies
  - Must not be any higher than NSW IPPs (s29(7)(b))
  - Must not be so low as to endanger data imports (s29(7)(a))
  - How far can Codes be lower than IPPs? - s30 v s29(1)?
- See the APF submission for a general critique
Codes - NSW - Pt 3 Codes (2)
- Code formation and review
  - P.Commissioner or agency can propose codes (s31)
    - Agencies must consult Comm, who may consult anyone - criticised for lack of consultation
  - Minister (A-G) ‘makes’ codes proposed under s31 (but cannot modify a proposed Code)
  - 11 codes to date, 9 in queue - does not appear to be abused
  - Codes are not statutory rules, so no procedure for Parliamentary disallowance (contrast Cth PIDs)
- Types of Codes
  - Multi-agency eg Privacy Code of Practice (General) 2003: covers disclosures between various agencies, and exemptions for various public registers
  - Single agency (most) eg NSW Health: Privacy Code of Practice
- For any NSW agency, must check if a Code applies before concluding there is a breach
Codes - NSW - s41 Directions
- S41 Exemptions (‘directions’) by Commissioner
  - P.Comm can also grant exceptions where public interest in doing so outweighs public interest in upholding the IPP (s41)
  - Similar to Cth PIDs, but no provision for disallowance
  - No consultation requirements; little has occurred
  - 9 current directions in force, all expiring by 31/12/04; 6 previous have expired; no requirement in Act that they be temporary
  - Main use is to provide a temporary exemption until an agency can go through the procedures to obtain a permanent Code.
  - Must be checked before finding a breach by a NSW agency
- See Australian Privacy Foundation (APF) submission re need for one uniform exemption procedure
Privacy Commissioners Independence & Functions
Independence of Privacy Commissioners
- Studies of roles of Commissioners
  - Blair Stewart ‘A comparative study of data protection authorities: Pt 1 - Form and Structure’ (2004) 11 PLPR 46; ‘Pt 2: Independence and functions’ (2004) 11(3) PLPR 81
  - C Bennett & C Raab The Governance of Privacy Ch5 ‘Legal Instruments and Regulatory Agencies’, Ashgate 2003
- Independence
  - crucial, given role as check on government power
  - Factors include method of appointment and dismissal, reporting lines, and control over budget
  - EU Directive A28 requires that Commissioners ‘act with complete independence’; CoE Convention similar; APEC Framework does not require a Commissioner (nor does OECD)
  - See Stewart Pt 2 on measures needed to ensure full independence, beyond appointment and removal
Commissioners’ Independence: Cth
- Australian Commonwealth Commissioner
  - Appointed (in effect) by A-G for 5 year renewable term
  - S25 Grounds of dismissal - misbehaviour etc
  - No longer a HREOC Commissioner
  - 1st (O’Connor) not renewed after 2 terms; 2nd (Scollay) changed jobs after 1; 3rd (Crompton) resigned after 1 term; 4th (Curtis) now in office
  - rejected suggestion of being an officer of Parlt like Ombudsman or Auditor-General
  - Can make special and annual Reports direct to Parlt, and public statements on most matters
  - Budget depends on Govt - pressure to keep on reasonable terms with current Govt
    - Budget reduced 2003-4 despite increase in private sector complaints
Commissioners’ Independence: NSW
- NSW Privacy Commissioner
  - Similar appointment and dismissal as Cth
  - Similar budget dependence as Cth
  - 1st Comm (Puplick) resigned after repeated public clashes with Ministers (and misconduct allegation), stating could not continue without the Premier’s confidence - see article (2002) 9(2) PLPR 133
  - No appointment of 2nd Commissioner after 2 years; acting part-time Comm on short-term contracts
  - NSW PCO budget increased early 2003
  - Proposed 25% staff cut 2004 - not finalised
  - Bill to abolish Commissioner defeated 2003
    - Intended to transfer powers to Ombudsman
    - See Greenleaf & Waters critique
Commissioner’s Roles - Cth
- Cth Commissioner - S27 specifies functions
  - Broad, and broadened further in early 90s during extension of TFN powers
  - (b), (k) and (r) give broad powers/duties to make public statements and criticise proposals
  - Guidelines under (e) can be to 2 types of conduct:
    - ‘interferences with … privacy’ ie breaches of IPPs, NPPs
    - ‘may otherwise have any adverse effects on … privacy’ ie only ‘best practice’ Guidelines
    - Commissioner fails to distinguish them - eg PKI G/Ls
  - Effect of IPP G/Ls on complaints uncertain - contra HK where breach of G/Ls = prima facie breach of Ordinance
Commissioner’s roles: NSW
- NSW Commissioner
  - s36 broad functions
    - generally not tied to breaches of IPPs (‘protection of personal information’) but also cover ‘the privacy of individuals’
    - General power to make public statements (h), and to publish reports and recommendations (j)
  - Power to make special report to Parlt (s65)
    - Exercised twice, re a local Council and re Minister of Education - very strong political reaction
The big Q: ‘Watchdog or lapdog’?
- What is the objective role of a PC? At least 2:
  - ‘Watchdog’: The stated role is to limit invasions of privacy
  - ‘Lapdog’: Do they also legitimate extensions of surveillance?
    - ‘The Commissioner is being kept informed’
    - Inability or unwillingness to conflict with government programs or legislative proposals
‘Watchdog or lapdog’?
- Possible HK examples of legitimation function
  - Extended use of HK ‘dumb’ ID card, then ‘smart’ card
  - Extension of credit reporting to all financial institutions, and then conversion into positive reporting
- See McLeish and Greenleaf Chapter for details
What powers do Commissioners need?
- What powers do they need to help prevent undesirable losses of privacy? How important are:
  - Powers to prevent undesirable information systems even being built, or close them?
  - Power to award damages?; or to prosecute?
  - Audit powers? (and resources)
  - Privacy Impact Assessments (PIAs)?
  - A specific power (duty?) to make public statements?
Commissioners’ Independence: Hong Kong
- 5 year term appointed by CE, renewable +5 more (s3)
  - First Commissioner, S Lau (1996-2001), not reappointed
  - 2nd Commissioner, R Tang (2001-05), became Equal Opportunities Commissioner after 3.5 years
  - 3rd Commissioner, R Woo, former Law Society head, appointed 2005
- Can only be removed by CE with LegCo approval for (i) inability to perform office; or (ii) misbehaviour (s5(5)(b))
- Is not a public servant or government agent (except for anti-corruption purposes) (s5(8),(9))
- On Stewart’s criteria, must look at additional matters …
Hong Kong - Other measures to support Commissioner’s independence (Stewart)
- Ability to report directly to head of Govt or Legislature
  - None in PD(P)O; submissions sometimes invited by LegCo
- Ability to make public statements
  - S8(1)(d) power to examine proposed legislation and report to proposer; comments are often made to Bills C’tee of LegCo; AR 2003-04 Appendix II summaries of 9/19 comments on proposed legislative changes
  - no explicit role of public comment (eg little on smart ID card)
  - Occasional public statements made on website
  - 3 ‘Issues of public concern’ in 2003-04 AR
- Statutory direction to act independently
  - None; but not a servant or agent of govt (s3(8))
- Administrative structure of independent agency
  - Corporation sole (s3(2))
  - Do other HK agencies have a more independent structure?
Hong Kong - Other measures to support Commissioner’s independence (Stewart) (2)
- Funding mechanism recognising independence
  - Funds appropriated by LegCo for purpose of Comm, plus others provided by Govt (Sch 2)
  - Budget of HK$40M p/a for 39 staff (2004-05)
- Immunity against personal actions re duties
  - Comm does not enjoy ‘immunities of the govt.’ (s8)
  - No other immunities in PD(P)O - any elsewhere?
- Commissioner to hold no other office, unless approved by CE (s6)
- Guaranteed remuneration
  - Determined by CE (s6)
- No financial conflicts of interest
- [Add?] Guarantee of position beyond Office
  - Should a PC have a guaranteed ‘soft landing’ after completion?
Commissioners’ roles: Hong Kong
- Functions (s8(1)) include:
  - Supervise compliance with DPPs (a) - no explicit mention of mediation in complaints
  - Assist with preparation of s12 Codes (b); and publish Guidelines (s8(5))
  - Promote awareness (c)
  - Examine proposed legislation and report to proposer (d) - no explicit role of public comment (eg smart ID card)
  - ‘carry out inspections’ of govt. data users (e) - not a specific audit power
  - Monitor technology developments (f)
  - Some other functions re data matching