AsiaPacific privacy Commissioners Black holes - PowerPoint PPT Presentation


1
Asia-Pacific privacy Commissioners - Black holes
Collective inaction
  • Graham Greenleaf
  • Professor of Law, University of New South Wales
  • 11 September 2003
  • See http://www2.austlii.edu.au/graham/ for
    updates / details
  • Parallel Session 6 " A Safe and Open Society
    the role of privacy regulators"

2
Overview
  • 1 Two black holes Reporting and remedies
  • What evidence is there that Commissioners do
    their job?
  • Arguably most important function resolving
    complaints
  • Is there accountability for public monies spent?
  • Black holes complaints go in, but what comes
    out?
  • Outcomes of complaints - who gets a remedy?
  • Reporting complaints - do we know what law they
    apply?
  • 2 Regional standards and collective action
  • What Asia-Pacific regional standards are
    developing?
  • Are regional Commissioners providing sufficient
    input?
  • Collective input from regional experts the APPCC

3
Black hole 1 Outcomes - Does anyone get a
remedy?
  • Sources of evidence available?
  • v Annual Reports - only public source
  • examined 01/02 some 00/01
  • ? websites? - could extract from reported cases
    (have not) - should provide continuous data
  • ? FOI requests? - document available? (have not
    done)
  • Only some jurisdictions considered
  • Privacy Comms - Australia HK NZ Canada
  • Information Commissioners not considered - mainly
    access, some correction, some broader

4
Outcomes - Australian PC
  • 2001-02 Annual Report - no statistics!
  • Complaints tripled with private sector coverage
    (611)
  • AR contains summaries of 11 complaints, of which
    one resulted in 5000 compensation
  • No statistics given of complaint outcomes at all
  • 2000-01 AR included some outcome stats
  • 133 closed complaints uncertain breaches found
  • 9 cases in AR involved 52,000 compensation
  • No information about other remedies
  • No genuine s52 determinations in 15 years
  • No appeal right No substantive case on the Act
    ever before a Court for judicial review

5
Outcomes - NSW PC
  • latest Annual Report 1999-2000 before new Act
    commenced (1/7/00)
  • No statistics or complaint resolutions yet
    available under new Act
  • Since 2000, about 20 cases to NSW ADT
  • 7 decided as yet - 7 more than the Cth!
  • AR 1999-2000 relevant to non-IPP complaints, as
    they still apply
  • 4 complaint resolutions summarised

6
Outcomes - Hong Kong PC
  • PC Annual Report 2000/01 (01/02 is similar)
  • 789 complaints (up 39)
  • 68 vs private sector; 14 vs government; 18 vs
    3rd Ps
  • Over 50 allege breaches of DPP 3 (use)
  • 52 formally investigated (14 of 531 finalised)
  • 26 (50) found to involve contravention of PD(P)O
  • 10 warning notices 12 enforcement notices - but
    no idea what actions required, or what results
  • 4 referrals to Police for prosecution but in 3
    Police found insufficient evidence one
    unresolved
  • Not one HK 1 compensation paid under s66
  • any by mediation? A Rep does not say

7
Comparison - 4 PCs Annual Reports
  • Will I get a remedy - and if so, what? is
    largely unanswered - evidence is not there
  • Some evidence of the of successful complainants
  • Little evidence of what remedies result
  • Compensation? - a few examples from Aus and NZ
  • All of the PCs are below best practice
  • A systematic and comparable standard of reporting
    is needed
  • Asia-Pacific PCs could develop standards

8
Will I get a remedy? Evidence from Privacy
Commissioners Annual Reports 2001/02 (see web
page for explanatory notes) v yes ? can't tell
9
Black hole 2 Publication of Commissioners
decisions
  • For detailed criticisms of reporting practices
  • Greenleaf Reforming reporting of privacy cases
    <http://www2.austlii.edu.au/graham/publications/2003/Reforming_reporting/>
  • Bygrave Where have all the judges gone? (2000)
  • European Commissioners were little better -
    improved?
  • Why reporting of Commissioners is needed
  • Few court decisions means Commissioners views in
    complaint resolutions are the de facto law
  • Identifying non-compliance is more valuable (and
    difficult) than feel good exhortations to comply

10
Publication - Importance
  • Publication is possible
  • Requires anonymisation in most cases
  • Exceptions should not be the rule
  • Adverse consequences of lack of availability
  • Interpretation unknown to parties / legal
    advisers
  • No privacy jurisprudence is possible
  • Past remedies (tariff) unknown
  • Privacy remains Cinderella of legal practice
  • Deficiencies in laws do not become apparent
  • Commissioners can bury their mistakes
  • Justice is not seen to be done
  • Deterrent effect is lost
  • No accountability for high public expenditure

11
Publication - Australian P Comm (Federal)
  • AnRep has a few small media grab summaries
  • No other mediation details published 1988-2002
  • Comm avoids making binding Determinations (2
    1993, 1 2003) despite powers to do so
  • Dismisses matters under s40 - publication not
    required
  • Since Dec 2002, 14 useful summaries of mediations
    and determinations published on web
  • 2x1993, 2x2002, 10x2003
  • Rate now is still only 1.25 per month
  • Any Federal Court decisions would be on AustLII
    (but there are none of relevance) - no appeal
    right

12
Publication - HK P Comm
  • Complaint summaries on website only to 1998
  • Only 6 (01/02) or 8 (00/01) overly brief
    complaint summaries in AnRep - about 0.5 per
    month
  • No systematic reporting of significant complaints
  • Cases before other tribunals
  • AAB complaint summaries are in AnRep, but not on
    website AAB cases not available on Internet
  • No reporting of s66 cases in AnRep or website -
    There is only one such case

13
Publication - NZ P Comm
  • Av 2 per month (03) reasonably detailed mediation
    summaries on website
  • Selection criteria uncertain
  • Website gives few details of cases on appeal or
    their outcome not available elsewhere on web P
    Comm publishes occasional compendiums
  • Overall, difficult for most people to get an
    overall view of the law

14
Publication - Canadian PC
  • Av 5 detailed PIPEDA case mediation summaries per
    month on website
  • best practice of PCs, but not Info Comms
  • Few Privacy Act cases on website, but usually 12
    or so in AnnRep
  • Summaries of cases before Courts are in AnnRep
    (but not linked to mediation summaries) -
    difficult to obtain overview

15
Publication - 7 recommendations
  • More reporting than 2/month ( goal)
  • statistics on reported / resolved ratio
  • Publicly stated criteria of seriousness
  • confirmation of adherence in each AnRep
  • Complainants can elect to be named
  • In default, name public sector respondents
    private sector respondents only exceptionally
  • Report sufficient detail for a full understanding
    of legal issues, and the adequacy of the remedy
  • Report regularly rather than in periodic batches
  • 'One stop' reporting including reviews of
    Commissioners decisions
  • Encourage 3rd-P re-publication citation
    standards

16
Publication - A central location
  • <http://www.worldlii.org/int/special/privacy/>
  • Privacy FOI Law Project All specialist
    privacy and/or FOI databases located on any Legal
    Information Institute (LII)
  • Current coverage (all searchable in one search)
  • Canadian Privacy Commissioner Cases (WorldLII)
  • Privacy Commissioner of Australia Cases (AustLII)
  • New Zealand Privacy Commissioner Cases (AustLII)
  • Nova Scotia FOI Privacy Review Office (CanLII)
  • Queensland Information Comm. Decisions (AustLII)
  • Western Australian Information Commissioner
    (AustLII)
  • Privacy Law Policy Reporter (AustLII)
  • Being added
  • New South Wales Privacy Commissioner (AustLII)
  • EPIC ALERT (WorldLII)

17
(No Transcript)
18
A search for disclos near medical
19
Part 2 - Regional privacy standards collective
action
  • There is no global standard
  • One region (Europe) has successfully developed
    regional standards
  • Council of Europe Convention 1981
  • European privacy Directive 1995
  • The Asia-Pacific is the next most advanced region
    in privacy protection
  • Far less political and economic unity or
    uniformity
  • Starting the most important international privacy
    developments since the EU Directive.

20
Toward an Asia-Pacific standard
  • APEC's privacy initiative
  • Chaired by Australia - US / Aust. initiative
  • Asia-Pacific Telecommunity (APT)
  • Chaired by Korea
  • Asia-Pacific Privacy Charter Council
  • A civil society expert group
  • FTAA will also affect some countries
  • (Free Trade Area of the Americas)

21
APEC's privacy Principles - Progress or
stagnation?
  • Australia chairs a working group of 10 countries
  • Starting point OECD Guidelines (1981)
  • 5 draft versions in 6 months
  • Do not yet even reach OECD standards
  • Only considering very minor improvements to OECD
  • V2 strengthened V1, but V3 and V4 far weaker for
    little apparent reason (Serious US input
    coincides with V3)
  • At best it offers OECD Lite.

22
APEC's OECD Lite
  • Examples of weak and outdated standards
  • Based on Chairs V4 (Aug 03) - now behind closed
    doors
  • No objective limits on information collection
    (P1)
  • No explicit requirement of notice to the data
    subject at time of collection (P3)
  • Secondary uses allowed if not incompatible (P3)
  • OECD Parts 1, 3, 4 and 5 all missing as yet
  • Farcical national self-assessment proposed (V1)
  • Even OECD allows strong export controls
  • Why start from a 20 year old standard?
  • This would be laughable in other areas of law
  • Most regional countries are not members
  • Recognised as inadequate (eg Kirby J 1999)

23
The alternative A real Asia-Pacific standard
  • Look to actual standards of regional privacy laws
  • Eg Korea, Canada, Hong Kong, New Zealand, Taiwan,
    Australia, Japan, Argentina
  • Principles stronger than OECD are common
    (examples over)
  • We need to adopt and learn from 25 years regional
    experience, not ignore it
  • More input into APEC is needed from Commissioners
    and other experts to identify this standard
  • Some individual PCs input is filtered through
    governments
  • Regional PCs need a better collective role in
    APEC
  • No equivalent yet to A29 Committee - provides
    protection
  • Santiago (Feb 04) only offers input on
    implementation
  • Asia-Pacific NGO experts are developing the APPCC

24
Examples of high regional standards in
Asia-Pacific
  • Collection objectively limited to where necessary
    for functions or activities (HK, Aus, NZ - Can
    stricter)
  • Notice upon collection (Aus, NZ, HK, Kor)
  • Secondary use only for a directly related purpose
    (HK, NZ, Aus - Kor stricter)
  • Right to have recipients of corrected
    information informed (NSW, NZ)
  • Deletion after use (HK, NZ, NSW, Kor)

25
APT privacy Guidelines (draft)
  • Asia-Pacific Telecommunity (APT)
  • Agreement of 32 states via Telecomms ministries
    (etc)
  • Guidelines on the Protection of Personal
    Information and Privacy (draft), July 2003
  • Drafting by KISA (Korea), with Asian Privacy
    Forum input
  • Attempts to take a distinctive regional approach
  • Explicitly not based solely on OECD or EU (cl8)
  • Says OECD Guidelines reflect the 70s and 80s
  • Concrete implementation measures unlike OECD
  • Allows more variation between States than EU
  • Emphasises role of government, not litigation
  • Adds new Principles in at least five areas

26
APT Guidelines - implementation
  • Legislation required self-regulation encouraged
  • A privacy supervisory authority required
  • Supervision and complaint investigation
  • Data export limits may be reasonably required
    to protect privacy, rights and freedoms
  • free flow of information otherwise required
  • Limits on these guidelines only by legislation
    only to the extent necessary for other public
    policies
  • Common character string need to deal with spam

27
APT Guidelines - new Principles
  • No disadvantage for exercising privacy rights
    (A5(2))
  • Notification of corrected information to 3rd
    party recipients (A6(4))
  • Openness of logic of automated processes (A7)
  • No secondary use without consent (A 14(2))
  • Deletion if consent to hold is withdrawn (A16)
  • Duties on change of information controller (A19)
  • Special provision on children's information (A34)
  • Personal location information Principle (A30)
  • Unsolicited communications Principle (A31)

28
Conclusions
  • Why are APEC and APT so different?
  • Membership similar except for the USA
  • US/Australia APEC initiative has a defensive and
    outdated starting point (OECD)
  • Inadequate process no collective expert input,
    and now behind closed doors
  • OECD Guidelines were by an expert group
  • A more consultative, confident, and region-based
    APEC initiative is needed

29
Coda The APPCC - a regional expert initiative
  • Asia-Pacific Privacy Charter Council
  • See http://www.BakerCyberlawCentre.org/appcc/
  • 35 non-government privacy experts from 10
    regional countries, and growing
  • On 12/11/03, meeting to consider 1st working
    draft
  • Headings of Principles under consideration for
    Charter are over - only a first draft
  • Covers surveillance and intrusions as well as
    IPPs
  • An attempt to develop a positive regional standard

30
APPCC draft - Part I - General Principles
31
APPCC draft - Part II - Information Privacy
Principles
32
APPCC draft - Part III - Surveillance limitation
principles
33
APPCC draft - Part IV - Intrusion limitation
principles
34
APPCC principles - Part V - Implementation and
compliance principles