Enforcement and Administration of Privacy Laws (Privacy and Surveillance). Graham Greenleaf. Last revised September 2008.

Presentation transcript:

1 Enforcement and Administration of Privacy Laws
Privacy and Surveillance
Graham Greenleaf
Last revised September 2008

2 Enforcement & Administration
‘Responsive Regulation’
Enforcement pyramid
Objectives of enforcement
Complaints & remedies for individual breaches
Investigation powers
Enforcement notices & criminal offences
Compensation and other remedies
Appeals and judicial review
Systemic aspects of obtaining compliance
Publication of decisions & outcomes of complaints
Co-regulatory codes & exemptions - alternative compliance
Preventative powers: audits, PIAs etc
Privacy Commissioners
Independence
Roles

3 ‘Responsive regulation’?
ALRC wants ‘principles-based regulation’ (Ch 4): focus on defining outcomes, not prescribing processes
Ch 4 aims to minimise the need for enforcement by ‘encouraging organisations to understand the values behind the law and change their behaviour accordingly’, ‘nurturing a culture of voluntary compliance with the law’
ALRC also wants ‘compliance-oriented regulation’ (4.62) which places (equal??) emphasis on all 3 of:
‘Fostering compliance’ (heavy emphasis on Commissioner providing guidance)
Monitoring compliance (recommends power to require privacy compliance assessment)
Enforcing compliance - supports ‘enforcement pyramid’ approach

4 Responsive regulation? (2)
CyberLPC IP sub 6-16 argues that Comm in 2007 ‘is a failure at implementing responsive regulation’
Would current Comm practices + ALRC reforms achieve this aim?

5 Another categorisation
A means of individual redress; low-cost and non-public
Appropriate range of remedies, such as:
Access to and correction of records; compensatory damages; injunctions or orders to enforce compliance; criminal penalties for serious/repeated breaches
Judicial review of administrative errors; appeals by either party to the Courts
Preventative/educative powers of PCO, such as:
Publication of complaint examples and outcomes
Audits of data users; Privacy Impact Assessments (PIAs) on new proposals
Power to require reports on existing practices

6 Complaints and compliance - Cth Privacy Act
For a summary see Greenleaf & Bygrave ‘Enforcement aspects of Australia’s Privacy Act 1988 compared with European standards’ (confidential draft)

7 Complaints - Overview
Investigation - public and private sectors
Complaints only re ‘interferences with privacy’: breaches of NPPs, IPPs etc (s36)
Representative complaints possible (s36(2), s38 - s39)
‘Own motion’ investigations possible (s40(2))
Comm must not investigate unless complaint first made to respondent, unless inappropriate (s40(1A))
If Comm is considering a s52 determination, must give both parties the opportunity of a hearing (s43(5))
Comm’s extensive powers to investigate (ss44-47)
Comm can refuse / close / defer investigation (s41)
No right of appeal to a Court or Tribunal against Comm’s s52 determination (except on quantum of damages)

8 s41 dismissal of complaints
Most complaints are dealt with under s41
Comm can refuse / close / defer investigation (s41) because:
‘not an interference’ (1)(a); ‘lacking in substance’ (1)(d)
Another law ‘provides a more appropriate remedy’ ((1)(f))
Respondent has dealt adequately with complaint ((2)(a))
See examples of possibly excessive use of s41:
X v Cth Agency [2004] PrivCmr 4 - s41(2)(a) applies even if complainant dissatisfied - 11(1) PLPR note
O v Credit Provider [2004] PrivCmrA 5 and N v Internet Service Provider [2004] PrivCmrA 10 - refusal to investigate because O had not raised every possible issue with respondent - 11(2) PLPR notes
S v Various Cth Agencies [2004] - despite refusals to correct records, investigation refused on (1)(f) grounds - 11(2) PLPR note
Other issues of PLPR Vol 11 contain more examples

9 s41 dismissal of complaints - ALRC recommendations (2008)
R 49-1: More powers to Comm to dismiss complaints under s41 where … ‘(c) an investigation, or further investigation… is not warranted having regard to all the circumstances’
Rejects CyberLPC submissions IP 6-16 and DP 72-142 that complainants should be given a right to require a s52 determination if there is a s41 dismissal (and that any extension of s41 is otherwise unsafe)

10 Conciliation / mediation
Act currently does not specify anything about conciliation role
ALRC 2008 recommends:
R 49-5(a) - if Comm considers successful conciliation ‘reasonably possible’, must attempt it
R 50–4: Comm should be able to accept an undertaking that an agency or organisation will take specified action to ensure compliance; if they breach the undertaking, Comm can seek compliance order in Federal Ct

11 Right to s52 determination
Currently no such right, and Comm does not accept that complainants have any right to a s52 determination
ALRC 2008 recommendations: R 49-5(b) - if conciliation fails ‘the complainant or respondent may require that the complaint be resolved by determination’
Criticism: Any right under (b) to a s52 determination is therefore dependent on Comm’s subjective decision under (b) that mediation is possible (CyberLPC submission was that any complainant should be able to so require)

12 s52 Determinations
Determinations under s52 are the only ‘enforceable’ orders Comm can make
Dismissing complaint - never used; s41 (ab)used instead
That conduct should not be repeated - never used
Performance of reasonable acts - TICA determinations 2004/1-4: PC only identifies conduct in breach, refuses to specify acts to be performed
ALRC 2008 R 49–6: Comm should be able to prescribe the steps that an agency or respondent must take to ensure compliance with the Act

13 s52 determinations (2)
Compensation - only one contested example: C v ACT Govt Solicitor [2003] PrivCmrACD 1 - $1,000 compensation
Can compensate ‘feelings or humiliation’
‘correction, deletion or addition to a record’ - never used
Reimbursement for ‘expenses reasonably incurred’ - [2003] PrivCmrACD 1 - $1,300 costs

14 Determinations in practice
Determinations are published by the PCO and republished by WorldLII
1989-2002: zero substantive determinations (2 fakes in 1993)
Why none after that?
2003/1 - ACT govt (disclosure)
2004/1 - ACT govt (disclosure)
2004/2-5 - 4 x TICA (first re private sector)
2004-08 - None by the current Commissioner
Is this responsive regulation?

15 Determinations - enforcement
Enforcement of s52 determinations (ss 54-55B)
s55 - respondent must comply with determination
s55A - if respondent does not comply, must proceed de novo in Fed Ct / Mag Ct for enforcement
Has not occurred as yet
Evidence before Commissioner is admissible
s55B - Certified copy of Comm’s determination is prima facie evidence of facts found by him
Onus is on respondent to rebut facts
Onus is still on complainant to show breach of IPP/NPP
Is this biased in favour of respondents? Consider different position of TICA parties

16 Review of Determinations / Appeals against Commissioner
Complainant currently has no right of appeal against determination
Respondent has de facto right of appeal
ALRC 2008 R 49–7: either party should be able to apply to AAT for merits review of a determination
Complainant can seek judicial review (of s41 dismissals or s52 determinations)
For errors of law or procedural errors
But not against the substance of the determination
How many complainants could understand (or afford) judicial review? Appeals are simpler.

17 Injunctions
Privacy Act 1988, s98 - unique provision
Covers Cth public sector, private sector
Allows ‘any person’, including P Comm, to seek injunction to enforce IPPs and NPPs
Based on s80 Trade Practices Act
Against anyone ‘engaging or is proposing to engage’ in breach of Act
Orders restraining breach or ‘requiring the person to do any act or thing’
Risk of costs against party seeking injunction, and damages (particularly in the case of interim injunctions) - not so in complaints to P Comm
Also risk to respondent of costs against, but no provision for Fed Ct to award damages for breach

18 Injunctions (2)
Channel 7 v MEAA [2004] FCA 637 - see summary by Gunning
Rejected submission that only P Comm could enforce Act under s52; distinguished Day v Lynn [2003] FCA 87 and other cases
Injunction granted against MEAA and Connect for multiple breaches of NPPs
What orders will Channel 7 draft?
Costs against MEAA $10,000
Despite only one injunction in 20 years, ALRC did not make any recommendations

19 Representative complaints
Cth Act provides - s36(2)
ss38-39 - special conditions for rep. complaints
See Connolly and Isaji ‘Representative Privacy Complaints’ (2004) 10(8) PLPR 16 - survey
TICA Determinations #1 - #4: first example
Most successful enforcement action yet under Act
Would have been impossible for an individual complainant (particularly tenants)

20 Own motion investigations
Comm can carry out ‘own motion’ investigations (s40(2))
Currently cannot make any enforceable orders as a result
Does not disclose what investigations launched
ALRC 2008 recommends: R 50-1 Comm should be able to ‘issue a notice’ requiring ‘specified action’ to ensure compliance with Act, enforceable in Fed Ct or FMC
This would differ from a s52 determination: no capacity to award compensation to individuals

21 Criminal offences - Australia
Federal Act: public sector and private sector enforcement does not involve significant criminal enforcement
Part IIIA credit reporting does involve offences
NSW PPIPA ss62-63:
Breaches of DPPs do not constitute crimes
Offences of corrupt disclosure and use of personal information by public officials
Offence of offer to supply personal information disclosed unlawfully
Cth and NSW cybercrime legislation relevant

22 Penalties for repeated breaches
No current general penalty provisions; there are criminal offences in credit provisions
Other jurisdictions (eg HK) rely on prosecutions for enforcement; Australia relies on compensation etc
ALRC 2008 recommends R 50–2: Comm to be able to seek a civil penalty in the Fed Ct or FMCA where there is a ‘serious or repeated interference with privacy’
An attempt to improve the ‘pointy end’ of the ‘enforcement pyramid’ / responsive regulation
R 50-1: Comm should develop and publish enforcement guidelines setting out the criteria for seeking civil penalties

23 Complaints and compliance - NSW Act
For a recent summary see Greenleaf & Bygrave ‘Data protection in New South Wales – An assessment of strengths and weaknesses’ (confidential draft)

24 Complaints - NSW Act - Overview
See Jenner (2004) 10(9) PLPR 169 overview
Commissioner can investigate any complaint (IPP or ‘non-IPP’)
IPP complainants re NSW agencies have a choice of Pt 4 investigation or Pt 5 internal review / ADT
Only ‘Part 5’ complaints to agencies can lead to the ADT and enforceable remedies (after internal review)
Only Privacy NSW can investigate (under Part 4):
Non-IPP complaints against NSW agencies
Non-IPP private sector complaints
Complaints against bodies / conduct exempt from Cth legislation (will not investigate if NPPs cover)

25 Complaints - NSW Act - Pt 4 investigations by P.Comm
Investigation of complaints by P.Comm (Pt 4 Div 3) - see P.Comm’s Complaints Protocol
Can only conciliate and make recommendations (s49) (like old Privacy Committee)
Has extensive powers, including compulsory conferences (s49)
May investigate ‘own motion’ complaints (s45 ‘or by’)
For IPP complainant to get to ADT, must first seek internal review by agency under Pt 5 (s53)
Standards applied in Pt 4 investigations:
Physical privacy - ‘US privacy tort’ standard (Morison Report, 1973)
IPP complaints outside PPIPA - own ‘Data Protection Principles’

26 Complaints - NSW Act - representative complaints?
No express provision for representative complaints to P.Comm
Cf Victorian Act s25(3) allows representative complaints but only with the consent of all the individuals concerned
No express requirements for ‘representative’ internal review or ADT findings
Recent cases on who is an ‘aggrieved person’ create some flexibility:
An aggrieved person is not necessarily the person who is the subject of the personal information
GA v Dept Ed & NSW Police (No 2) [2005] NSWADT 10 - GA not one where only acting previously on behalf of his sons - see 11(7) PLPR note

27 Complaints - NSW Act - Internal review and ADT
Pt 5 complaints - agency internal review and ADT
Applicant must seek internal review of conduct by agency (s53)
Agency must conduct internal but independent review (s53(4)); consider provision of the full range of remedies (7); deal with the matter within 60 days of receipt (6); notify applicant in writing, including appeal rights (8)
Agency must inform P.Comm of review and its progress, and accept submissions from him (s54)
Dissatisfied applicant may apply to ADT for review (s55)
ADT may award damages to $40,000 and other remedies (s55(2))
No s55(2) awards unless applicant has ‘suffered financial loss, or psychological or physical harm’ (s55(4))
Either party may apply to ADT Appeal Panel for further review
Appeals from ADT go to Supreme Court

28 Complaints - NSW Act - litigation under NSW Act
26 reported cases (to 1/6/04) - 17 of them in the previous 112 months
Extensive legal interpretation (contra Cth)
Note: Privacy NSW does case summaries
No case has yet resulted in damages paid
Practice - see Jenner (2004) 10(9) PLPR 169
Note differing and limited roles of Privacy NSW in internal reviews and before the ADT
Note obligations on agencies in internal reviews
Note checklists for complainants and advocates

29 Complaints and compliance - Hong Kong Ordinance
UNSW students may omit these materials

30 Complaints and compliance: Hong Kong
See ‘The Commissioner and enforcement of the Ordinance’ in McLeish & Greenleaf chapter
Investigation
Compliance orders
Appeals and reviews
Compensation
Criminal offences

31 Hong Kong: Investigation
Pt V: Inspections, Complaints and Investigations
Complaints (s37) must be by data subject against a specific data user
Jurisdictional conditions: s39(1)(d) makes any of the following sufficient:
(i)(A) complainant resident in HK; or (ii) in HK at the relevant time
(i)(B) data user able to control ‘in or from Hong Kong’ the collection etc of the data at the relevant time [complainant may be overseas]
(iii) in PC’s opinion, the enforcement of a right or privilege ‘acquired or accrued in HK by the complainant’ will be prejudiced - meaning?
Will s39(1)(d) satisfy the EU re data transfers to HK? (i)(B) will usually suffice to protect EU residents against acts in HK

32 Investigations: Hong Kong
Representative complaints are allowed
s37(2) envisages one complainant making a complaint on behalf of all data subjects affected by a practice
But there is no equivalent in s66 (compensation)
s37(1) also covers the narrow sense of representatives authorised in writing (see defn. ‘relevant person’)
Could a lawyer or civil society group represent all affected data subjects with the written permission of only one of them?
Compare the Aust. Cth ‘class actions’ provisions and the TICA determinations to see the significance of representative complaints and the role of civil society groups
Have there been any such complaints in HK? - apparently not - PCO Press Release re Flight Attendants Union does not admit possibility of representative complaints

33 Investigations: Hong Kong
PC may refuse to investigate (s39(2)) if:
(a) Previous similar complaint dismissed (dangerous?)
(b) trivial practice; (c) trivial/vexatious complaint
(d) ‘any investigation or further investigation is for any other reason unnecessary’
Will often be because data user has (in the view of the Commissioner) remedied problem
Could be because parties have settled dispute - does PC facilitate settlements? - anecdotal evidence is ‘no’
Could this cover ‘another remedy is available’???
See also s39(1)(a)-(c) for other standard reasons
Refusals to investigate can be the subject of appeals to the AAB, or judicial review (see later)

34 Investigations: Hong Kong
Assistance to complainants, and mediation:
PC obliged to assist to ‘formulate the complaint’ (s37(4))
No specific requirement to assist in mediation of a complaint, or s8 power
Refusal to investigate, and appeals:
s39(3) - Where PC does not commence formal investigation, or suspends investigation under s39(2), must give complainant notice within 45 days
B&W 14.14 interpret this as a 45 day period for ‘informal resolution’
s39(4) gives complainant right of appeal to Administrative Appeals Board (AAB) when s39(3) notice is given
No further appeal to Courts, only judicial review

35 Hong Kong: Enforcement notices
PC can issue enforcement notices (s50)
If data user ‘is contravening’ or has done so and it is likely that it will continue or be repeated
No notice possible if no further contravention likely
Requiring data user to ‘remedy the contravention’
Does not require any damage to complainant to be remedied
4 notices in 2000, 12 in 2001
PC can instead give warning notices (21 in 2000, 10 in 2001)
Failure to comply is a criminal offence
Are there no adverse consequences for breaches, if you promise not to do it again?

36 Hong Kong: Compliance orders
No systematic publication of these serious complaints resulting in orders
s48 allows PCO to issue formal reports naming data users (but not others), but has only done so once
‘Video Peeping Tom’ case (1997) - hidden video camera filmed female student in shared accommodation; undertaking given, but data user not named; victim apparently gained no other remedy
Hongkong Post pinhole camera case (2005) - see Materials - named but press had already shamed
PCO has therefore never used ‘name and shame’ power

37 Compliance orders compared
Closest equivalents are:
Aust Cth - s52 determinations by Comm; injunctions by Fed Ct (no standing required)
NSW - only the ADT can make orders
Vic - Comm can serve compliance notice on an organisation but only if ‘flagrant’ or repeated breaches
Hong Kong - enforcement notices (s50)

38 Hong Kong: Appeal structure
Appeals to AAB:
s39(4) gives complainant right of appeal to Administrative Appeals Board (AAB) when s39(3) notice is given (would also apply if investigation suspended because no enforcement notice)
s50(7) gives data user 14 days to appeal against enforcement notice after it is served
No further right of appeal to a Court against AAB decision, only judicial review
Judicial review of PC decisions (2 in 2003)

39 Hong Kong: Compensation
PCO or AAB cannot award damages (contra Australia, NZ, Korea)
Compensation (s66) only by separate Court proceedings
Applies to ‘an individual who suffers damage by reason of a contravention’ (s66(1)); including damage to feelings (s66(3))
General defence in s66(4) where data user can show:
Reasonable care to avoid the contravention - is this fair?; or
If the contravention occurred because of inaccurate data, the data was received from a third party - is this fair?
Complainant must risk costs against; must also risk disclosure of identity; must also prove complaint ab initio even if already investigated by PCO
PC not able to assist complainants; HKLRC (2004) criticises this
Only 1 reported case, and it was dismissed - not surprising?

40 Criminal offences - Hong Kong
s64 creates criminal offences by data users:
Supplying false information
Contravening enforcement notices, subject to defence of due diligence to comply (s46(8))
Contravening matching requirements
Contravening any other provision of the Ordinance without reasonable excuse (s64(10))
s64 creates offences by any person:
Supplying false information
Hindering Commissioner’s investigations

41 Part 2 - Systemic aspects of Enforcement & Administration

42 Enforcement & Administration Part 2 - Systemic aspects
Assessing existing compliance
External audits
Privacy Compliance Assessments (PCAs)
Privacy management planning
Privacy Impact Assessments (PIAs)
Privacy management plans
Accountability / Transparency
Complaint outcomes
Publication of decisions
Modifying / elaborating legislation
Codes, exemptions and guidelines

43 Assessing existing compliance
Current Australian practice:
Federal Act empowers audits by PC re public sector but not private sector; however, PCO has abandoned all auditing (costs)
NSW - No audit power in Privacy NSW, but there are other controls (eg involvement in internal reviews; privacy management plans)
ALRC 2008 recommends:
47–6 Comm to be empowered to conduct ‘Privacy Performance Assessments’ of the records of PI maintained by organisations
Effectively, a new audit power re private sector

44 Assessing existing compliance - Hong Kong
See McLeish & Greenleaf chapter ‘Assessing compliance’
Pt IV powers of ‘formal inspections’ by PCO (s36) - never used
PCO can report recommendations from inspections applying to classes of data users (s48(1)); see table of improved practices
Also powers to require classes of users to submit ‘data user returns’ (s14) - never used
Instead, informal ‘compliance checks’ of alleged practices not complying with PD(P)O
Now proposing to promote voluntary internal audits or ‘Privacy Compliance Audits’ (PCAs)

45 Privacy Impact Assessments (PIAs)
See RG 9.9 for articles by Waters, Flaherty and Stewart for comparable practices
Aimed at assessing future impact of proposed information systems, not existing compliance
Requirements:
No current provisions in any Australian Acts
No provision in HK Ordinance; PCO proposing to promote voluntary PIAs; were some PIAs done on smart ID card
Canada (2002) made PIAs mandatory for all Federal government institutions

46 Privacy Impact Assessments (2)
ALRC 2008 recommends:
47–4 Comm able to (a) direct an agency to provide to it a PIA ‘in relation to a new project or development that [Comm] considers may have a significant impact on the handling of personal information’; and (b) report to Minister if it does not
Criticism: no requirement that PIA be made public
Comm should publish PIA guidelines
Review in 5 years whether to include private sector in PIA requirements

47 Privacy Management Plans
See RG 9.10
Where a whole organisation is required to publish how it will deal with privacy issues
Sometimes has similar effect to a PIA
NSW PPIPA 1998 s33 - Preparation and implementation of privacy management plans
Example: Anne Pickles ‘Protecting exposures’ (2000) 7 PLPR 61
No similar requirement in Cth or Vic Acts, but some agencies have done so voluntarily

48 Publication - Importance
Types of publication: summaries of complaints; statistics of outcomes
Importance of both summaries and statistics:
Past remedies (‘tariff’) unknown
Deterrent effect is lost
No accountability for high public expenditure
For critiques of current practices, see CyberLPC submission on DP 72 ‘5.2. Transparency of the Commissioner’s complaints function’ (in materials) and CyberLPC submission on Issues Paper ‘Transparency and feedback – Inadequacy of the Commissioner’s reporting practices’
Following slides are less up-to-date than these submissions

49 Complaint outcomes - Does anyone get a remedy?
Do complainants actually get the remedies that privacy laws make available in theory?
Sources of evidence available?
Annual Reports - only significant public source
Websites? Stats provided often only show what is in Annual Reports
Reported cases can be searched for types of remedies
FOI requests would only work if a ‘document’ was available
Only some jurisdictions considered:
Privacy Comms - Australian Fed; NSW; HK; NZ; Canada
Information Commissioners not considered - mainly access, some correction, some broader

50 Outcomes - Hong Kong PC
See 03-04 & 04-05 Annual Report (Materials #4)
Analysis in McLeish & Greenleaf chapter (‘Complaints and enquiries’ and ‘Reporting outcomes’)
PC Annual Report 2000/01 (01/02 is similar):
789 complaints (up 39%); 68% vs private sector; 14% vs government; 18% vs 3rd Ps
Over 50% allege breaches of DPP 3 (use)
52 formally investigated (14% of 531 finalised)
26 (50%) found to involve contravention of PD(P)O
10 warning notices; 12 enforcement notices - but no idea what actions required, or what results
4 referrals to Police for prosecution but in 3 Police found insufficient evidence; one unresolved

51 Outcomes - Australian Fed PC
2000-01 AR included some outcome stats:
133 closed complaints; uncertain % breaches found
9 cases in AR involved $52,000 compensation
Was prior to reporting case summaries on website
No information about other remedies
2001-02 Annual Report - no statistics!
Complaints tripled with private sector coverage (611)
AR contains summaries of 11 complaints, of which one resulted in $5000 compensation
No statistics given of complaint outcomes at all

52 Outcomes - Australian Fed PC (2)
2002-2003 Annual Report:
225 breaches of the Act found: NPPs 127; IPPs 35; Pt IIIA 63
No specific details of remedies, just a few vague comments; not even compensation total as in 2000/1
No example cases (replaced by 2 per month on web)
No details of complaints dismissed (and no use of s52)
Is everybody happy? All 225 breaches found were ‘adequately dealt with’ (in the Commissioner’s view)
Lack of s52 determinations: no appeal right; no substantive case on the Act ever before a Court for judicial review
X v Commonwealth Agency [2004] PrivCmrA 4 - PCO admits complainant is not happy, but still dismisses complaint under s41(2)(a) despite breach

53 Outcomes - NSW PC
Annual Report 2002/3 (pgs 19-23): for the first time, some outcomes of complaints given
% of complaints resulting in adverse findings (but not actions)
24% referred to internal review
Annual Report 2001/2 - details of complaints analysed in every possible way except by the outcomes received by complainants
‘Quick Stats’ 2000-03 provided on web
In 2002/3, 219 complaints and 39 internal reviews finalised
No statistics of complaint mediation outcomes
No complaint mediation case-studies
Reviews by the NSW ADT (enforceable):
See previous slide - now at 16 reported cases p/a
But no damages awards yet (may be settlements)

54 Comparison - 4 PCs’ Annual Reports
‘Will I get a remedy - and if so, what?’ is largely unanswered - evidence is not there
Some evidence of the % of successful complainants
Little evidence of what remedies result
Compensation? - a few examples from Aus and NZ
All of the PCs are below ‘best practice’
A systematic and comparable standard of reporting is needed
Asia-Pacific PCs could develop standards

55 Will I get a remedy? Evidence from Privacy Commissioners’ Annual Reports 2001/02 (see web page for explanatory notes)
√ = yes; ? = can’t tell
Columns: Aus | NZ | HK | Can (where a row below has fewer than four cells, the original slide merged columns and the allocation cannot be recovered from the transcript)
Complaints opened/complete: √ / √
Type of complaint/respondent: ? (√ / √) | √ / √
Respondent name (‘Top 10’): ? (no) | √ | no | √
% formal finding: 0% (0%) | 8% | 10% | 72%
% found breaches - mediated / awarded: ? (√ / √) (? / -) | ? / ? | √ / √ 25 / 46 | √ / √ 59 / 63
% success in Court: N/A | √ (0%) | ? | ?
Remedies - mediated / awarded: ? (31 / 0) | ? / ? | 4 egs | ? / ?
Damages - mediated / awarded: ? (9 / 0) ? / ? 4 egs ? / 0 ? / ?

56 Publication of Commissioners’ decisions (‘complaint summaries’)
For detailed criticisms of reporting practices:
Greenleaf ‘Reforming reporting of privacy cases’ http://www2.austlii.edu.au/~graham/publications/2003/Reforming_reporting/
Bygrave ‘Where have all the judges gone?’ (2000)
European Commissioners were little better - improved?
Why reporting of Commissioners is needed:
Few court decisions means Commissioners’ views in complaint resolutions are the de facto law
Identifying non-compliance is more valuable (and difficult) than ‘feel good’ exhortations to comply

57 Importance of complaint summaries
Publication of complaint summaries is possible
Requires anonymisation in most cases
Exceptions should not be the rule
Adverse consequences of lack of availability:
Interpretation unknown to parties / legal advisers
No privacy jurisprudence is possible
Privacy remains ‘Cinderella’ of legal practice
Deficiencies in laws do not become apparent
Commissioners can ‘bury their mistakes’
Justice is not seen to be done

58 Publication - Hong Kong PCO
Complaint summaries on Commissioner’s website have been updated for 2004 but still not complete for 2005
Can’t check currency - not listed in date order
No known criteria for systematic reporting of significant complaints
Only 6 (01/02) or 8 (00/01) brief complaint summaries in Annual Rep - about 0.5 per month
Details of cases before other tribunals:
AAB complaint summaries are in AnRep, and now on website; not yet available on Internet in full text
Judicial review cases also summarised in Annual Report
No reporting of s66 cases in AnRep or website - there are none
Now also included in WorldLII Privacy Law Project:
39 PCO complaint summaries 1998-2004; 8 per year
21 AAB summaries 1997-2003; 3 per year

59 Publication - Australian Federal Privacy Commissioner
AnRep had a few small ‘media grab’ summaries
No other mediation details published 1988-2002
Comm avoids making binding Determinations (2 in 1993, 1 in 2003) despite powers to do so
Dismisses matters under s40 - publication not required
Since Dec 2002, 13 useful summaries of mediations and determinations published on web
2 x 2002, 12 x 2003 (incl 1 determination); 9 x 6/2004 (include 5 determinations) - still not much more than 1/month
Now receiving 100 complaints/month - reporting 1%
Rate is only 1.1 per month - not 2/month as planned

60 Publication - NSW Privacy Commissioner
Almost no mediated complaint summaries
Privacy NSW 2001/2 Annual Report has 4 complaint summaries, 3 concerning the private sector (2000/1 AR has 2); 2002/3 has 3 only - little change, trivial number
Internal review results also unavailable
AR 2001/2 has extensive details (identified) of 2 special reports to Parliament, both involving political disputes
No summaries of mediated complaints on web
ADT decisions:
26 decided & reported as yet - compare Cth!
37 lodged in 2003 - reported cases will increase
Decisions are on LawLink and AustLII
Privacy NSW also prepares summaries (also on AustLII)

61 Publication - NZ P Comm
Av 2 per month (03) reasonably detailed mediation summaries on website
Selection criteria uncertain
Website gives few details of cases on appeal or their outcome; not available elsewhere on web; P Comm publishes occasional compendiums
Overall, difficult for most people to get an overall view of the law

62 Publication - Canadian PC
Av 5 detailed PIPEDA case mediation summaries per month on website - best practice of PCs, but not Info Comms
Few Privacy Act cases on website, but usually 12 or so in AnnRep
Summaries of cases before Courts are in AnnRep (but not linked to mediation summaries) - difficult to obtain overview

63 Publication - 7 recommendations
More reporting than 2/month (% goal); statistics on reported / resolved ratio
Publicly stated criteria of seriousness; confirmation of adherence in each AnRep
Complainants can elect to be named; in default, name public sector respondents, private sector respondents only exceptionally
Report sufficient detail for a full understanding of legal issues, and the adequacy of the remedy
Report regularly rather than in periodic batches
‘One stop’ reporting including reviews of Commissioner’s decisions
Encourage 3rd-P re-publication + citation standards

64 Publication - A central location
- WorldLII Privacy Law Project http://www.worldlii.org/int/special/privacy/
- All specialist privacy and/or FOI databases located on any Legal Information Institute (LII)
- Current coverage (all searchable in one search):
  - Australian Federal Privacy Commissioner Cases (AustLII)
  - New South Wales Privacy Commissioner ADT summaries (AustLII)
  - Canadian Privacy Commissioner Cases (CanLII)
  - New Zealand Privacy Commissioner Cases (AustLII)
  - Nova Scotia FOI & Privacy Review Office (CanLII)
  - Queensland Information Comm. Decisions (AustLII)
  - Western Australian Information Commissioner (AustLII)
  - Privacy Law & Policy Reporter (AustLII)
  - EPIC ALERT (WorldLII)
  - Victorian Privacy Commissioner
  - NZ HRRT
  - Hong Kong Privacy Commissioner and AAB
  - Korean Mediation committee
- More are being added, particularly European and Canadian cases

66 A search for ‘disclos* near medical’

67 Co-regulatory codes
- An alternative form of (i) standard setting and/or (ii) compliance mechanism
- Many different versions of codes:
  - Australian private sector - can be full co-regulation
  - Cth public sector - amended principles only
  - NSW public sector - amended principles only
  - HK - merely a rebuttable presumption that compliance is required
- See commentaries by Waters ‘Codewatch’ (2003) 10(5) PLPR 90; ‘Codewatch’ (2004) 11(1) PLPR; and parts of APF submission re NSW Act
- A characteristic of the ‘Asia-Pacific model’??

68 Codes - Hong Kong
- See McLeish and Greenleaf Chapter ‘Modifying compliance…’
- S12 and s13 (Pt III) - Codes of practice
  - S12: PC can issue codes drawn up by self or others (s12(1)); PC must consult with data users and others as he sees fit (s12(9))
  - Breach of Code is not itself a breach of a DPP but raises a rebuttable presumption thereof (s13)
  - Pt III is silent on whether compliance with a Code constitutes compliance with Ordinance - it doesn’t, but it would influence PCO in considering enforcement, or Ct considering penalty
- As elsewhere, no demand for special industry codes
  - Only 2 HK codes, both for special reasons: ID and credit
  - PCO was to issue Code on workplace surveillance but reduced this to Guidelines instead - why so?

69 Codes - Australian private sector
- Codes are regulated by Part IIIAA Privacy Act
- Overview
  - Only 3 so far (insurance; Qld clubs; Market and social research), 3 in queue (Biometrics; Internet Industry Association; Casino Association)
  - If includes complaint handling, shifts costs to private sector
  - Little interest by industry groups, despite government boosting
- IPP standards & scope
  - Must incorporate ‘all the NPPs’ or ‘obligations that overall are at least the equivalent’ of the NPPs (s18BB(2))
  - No Parliamentary disallowance, so could only proceed against Commissioner for ultra vires decision re overall equivalence
  - Must specify who is bound (or a way of determining them), and be with their consent (s18BB(2)). Can be limited by information, activity, or industry sector (s18BB(7))

70 Codes - private sector (2)
- Code formation procedures
  - On application by an ‘organisation’ (s18BA)
  - Commissioner may consult anyone (s18BB(1)) and must provide ‘adequate opportunity’ for public comment (s18BB(2)(f))
  - See Waters’ criticisms of adequacy of publicity/consultation
  - Commissioner approves Codes and keeps a Register (3 as yet)
  - Codes are not gazetted - no disallowance by Parliament
  - Similar processes for variation and revocation (ss18BD-18BE)

71 Codes - private sector (3)
- Complaint resolution procedures
  - Code may include complaint procedures
  - Only the Insurance industry code does so
  - Procedures must comply with s18BB(3): ‘prescribed standards’ (Regs) and Comm’s Guidelines (a)
  - ‘Independent adjudicator’ (b)
  - Same determination powers as Comm (d)
  - Organisations bound by Code are required to ‘co-operate’ (f), (g) - but adjudicator has no investigative powers
  - Detailed reporting requirements (h)-(k), including of individual complaints resolved, including by ‘non-determination’ (ka)
  - A ‘determination’ [but not other findings] by a Code adjudicator can be reviewed by the Commissioner (s18BI); Comm can make a s52 determination to replace it
  - No judicial review available of ‘non-determinations’ - can Code adjudicators dismiss complaints ‘adequately dealt with’?

72 Codes - Private sector practice
- See Waters ‘Codewatch’ (2004) 11(1) PLPR
- Only 3 so far (insurance; Qld clubs; Market and social research), 3 in queue (Biometrics; Internet Industry Association; Casino Association)
- Considerable differences in effectiveness of consultation
- Insurance Industry Code
  - Only one with its own complaints procedure: General Insurance industry privacy code; Insurance Enquiries & Complaints Limited
  - Two (of 21) complaints referred to external Complaints Committee; one referred to PCO, other unresolved
  - Reports give statistics of 19 resolved complaints (internal reviews)
  - Major insurers not yet signatories
- No auditing to assess how NPPs applied (s18BH allows, but unlikely); relies on appeals to PCO - but PCO has published no details yet

73 Codes - Cth public sector PIDs
- Part VI Privacy Act (Cth)
- Comm can waive IPP if public interest in exemption outweighs adherence ‘to a substantial degree’ (s72)
- Public consultation required, hearings have been held
- PIDs are disallowable instruments (s80)
  - Senate Regs & Ordinances C’tee threatened disallowance of PID #2 until Comm O’Connor reissued it
- 10 made since 1988 - has not been a means of wholesale exemption
- No separate complaints procedure
- PCO maintains Register of Public Interest Determinations listing 10 current Determinations, none temporary and none pending

74 Codes - NSW - Pt 3 Codes
- Part 3 of NSW Act covers Codes
- Overview of Codes under Pt 3
  - Codes only modify IPPs, and do not contain complaint procedures
  - More like Cth PID procedure for agencies
- Standards for codes
  - Codes are ‘for the purpose of protecting the privacy of individuals’ (s29(1)); otherwise, few standards set
  - They can ‘modify’ the application of IPPs (s30) - ‘exempting’ agencies or classes of agencies
  - Must not be any higher than NSW IPPs (s29(7)(b))
  - Must not be so low as to endanger data imports (s29(7)(a))
  - How far can Codes be lower than IPPs? - s30 v s29(1)?
- See the APF submission for a general critique

75 Codes - NSW - Pt 3 Codes (2)
- Code formation and review
  - P.Commissioner or agency can propose codes (s31)
  - Agencies must consult Comm, who may consult anyone - criticised for lack of consultation
  - Minister (A-G) ‘makes’ codes proposed under s31 (but cannot modify a proposed Code)
  - 11 codes to date, 9 in queue - does not appear to be abused
  - Codes are not statutory rules, so no procedure for Parliamentary disallowance (contrast Cth PIDs)
- Types of Codes
  - Multi-agency, eg Privacy Code of Practice (General) 2003: covers disclosures between various agencies, and exemptions for various public registers
  - Single agency (most), eg NSW Health: Privacy Code of Practice
- For any NSW agency, must check if a Code applies before concluding there is a breach

76 Codes - NSW - s41 Directions
- S41 Exemptions (‘directions’) by Commissioner
  - P.Comm can also grant exceptions where public interest in doing so outweighs public interest in upholding the IPP (s41)
  - Similar to Cth PIDs, but no provision for disallowance
  - No consultation requirements; little has occurred
  - 9 current directions in force, all expiring by 31/12/04; 6 previous have expired; no requirement in Act that they be temporary
  - Main use is to provide a temporary exemption until an agency can go through the procedures to obtain a permanent Code
- Must be checked before finding a breach by a NSW agency
- See Australian Privacy Foundation (APF) submission re need for one uniform exemption procedure

77 Privacy Commissioners - Independence & Functions

78 Independence of Privacy Commissioners
- Studies of roles of Commissioners
  - Blair Stewart ‘A comparative study of data protection authorities: Pt 1 - Form and Structure’ (2004) 11 PLPR 46; ‘Pt 2: Independence and functions’ (2004) 11(3) PLPR 81
  - C Bennett & C Raab, The Governance of Privacy, Ch 5 ‘Legal Instruments and Regulatory Agencies’, Ashgate 2003
- Independence crucial, given role as check on government power
- Factors include method of appointment and dismissal, reporting lines, and control over budget
- EU Directive A28 requires that Commissioners ‘act with complete independence’; CoE Convention similar; APEC Framework does not require a Commissioner (nor does OECD)
- See Stewart Pt 2 on measures needed to ensure full independence, beyond appointment and removal

79 Commissioners’ Independence: Cth
- Australian Commonwealth Commissioner
  - Appointed (in effect) by A-G for 5 year renewable term
  - 1st (O’Connor) not renewed after 2 terms; 2nd (Scollay) changed jobs after 1; 3rd (Crompton) resigned after 1 term; 4th (Curtis) now in office
  - S25 Grounds of dismissal - misbehaviour etc
  - No longer a HREOC Commissioner
  - Rejected suggestion of being an officer of Parlt like Ombudsman or Auditor-General
  - Can make special and annual Reports direct to Parlt, and public statements on most matters
- Budget depends on Govt - pressure to keep on reasonable terms with current Govt
  - Budget reduced 2003-4 despite increase in private sector complaints

80 Commissioners’ Independence: NSW
- NSW Privacy Commissioner
  - Similar appointment and dismissal as Cth
  - 1st Comm (Puplick) resigned after repeated public clashes with Ministers (and misconduct allegation), stating could not continue without the Premier’s confidence - see article (2002) 9(2) PLPR 133
  - No appointment of 2nd Commissioner after 2 years; acting part-time Comm on short-term contracts
- Similar budget dependence as Cth
  - NSW PCO budget increased early 2003
  - Proposed 25% staff cut 2004 - not finalised
- Bill to abolish Commissioner defeated 2003
  - Intended to transfer powers to Ombudsman
  - See Greenleaf & Waters critique

81 Commissioner’s Roles - Cth
- Cth Commissioner - S27 specifies functions
  - Broad, and broadened further in early 90s during extension of TFN powers
  - (b), (k) and (r) give broad powers/duties to make public statements and criticise proposals
- Guidelines under (e) can be to 2 types of conduct:
  - ‘interferences with … privacy’ ie breaches of IPPs, NPPs
  - ‘may otherwise have any adverse effects on … privacy’ - ie only ‘best practice’ Guidelines
  - Commissioner fails to distinguish them - eg PKI G/Ls
- Effect of IPP G/Ls on complaints uncertain - contra HK where breach of G/Ls = prima facie breach of Ordinance

82 Commissioner’s roles: NSW
- NSW Commissioner s36 broad functions
  - generally not tied to breaches of IPPs (‘protection of personal information’) but also cover ‘the privacy of individuals’
  - General power to make public statements (h), and to publish reports and recommendations (j)
- Power to make special report to Parlt (s65)
  - Exercised twice, re a local Council and re Minister of Education - very strong political reaction

83 The big Q: ‘Watchdog or lapdog’?
- What is the objective role of a PC? At least 2:
  - ‘Watchdog’: The stated role is to limit invasions of privacy
  - ‘Lapdog’: Do they also legitimate extensions of surveillance? ‘The Commissioner is being kept informed’
- Inability or unwillingness to conflict with government programs or legislative proposals

84 ‘Watchdog or lapdog’?
- Possible HK examples of legitimation function
  - Extended use of HK ‘dumb’ ID card, then ‘smart’ card
  - Extension of credit reporting to all financial institutions, and then conversion into positive reporting
- See McLeish and Greenleaf Chapter for details

85 What powers do Commissioners need?
- What powers do they need to help prevent undesirable losses of privacy? How important are:
  - Powers to prevent undesirable information systems even being built, or close them?
  - Power to award damages? or to prosecute?
  - Audit powers? (and resources)
  - Privacy Impact Assessments (PIAs)?
  - A specific power (duty?) to make public statements?

86 Commissioners’ Independence: Hong Kong
- 5 year term appointed by CE, renewable +5 more (s3)
  - First Commissioner, S Lau (1996-2001), not reappointed
  - 2nd Commissioner, R Tang (2001-05), became Equal Opportunities Commissioner after 3.5 years
  - 3rd Commissioner, R Woo, former Law Society head, appointed 2005
- Can only be removed by CE with LegCo approval for (i) inability to perform office; or (ii) misbehaviour (s5(5)(b))
- Is not a public servant or government agent (except for anti-corruption purposes) (s5(8),(9))
- On Stewart’s criteria, must look at additional matters …

87 Hong Kong - Other measures to support Commissioner’s independence (Stewart)
- Ability to report directly to head of Govt or Legislature
  - None in PD(P)O; submissions sometimes invited by LegCo
- Ability to make public statements
  - S8(1)(d) power to examine proposed legislation and report to proposer; comments are often made to Bills C’tee of LegCo; AR 2003-04 Appendix II - summaries of 9/19 comments on proposed legislative changes
  - No explicit role of public comment (eg little on smart ID card)
  - Occasional public statements made on website; 3 ‘Issues of public concern’ in 2003-04 AR
- Statutory direction to act independently
  - None; but not a servant or agent of govt (s3(8))
- Administrative structure of independent agency
  - Corporation sole (s3(2))
  - Do other HK agencies have a more independent structure?

88 Hong Kong - Other measures to support Commissioner’s independence (Stewart) (2)
- Funding mechanism recognising independence
  - Funds appropriated by LegCo for purpose of Comm, plus others provided by Govt (Sch 2)
  - Budget of HK$40M p/a for 39 staff (2004-05)
- Immunity against personal actions re duties
  - Comm does not enjoy ‘immunities of the govt.’ (s8)
  - No other immunities in PD(P)O - any elsewhere?
- No financial conflicts of interest
  - Commissioner to hold no other office, unless approved by CE (s6)
- Guaranteed remuneration
  - Determined by CE (s6)
- [Add?] Guarantee of position beyond Office
  - Should a PC have a guaranteed ‘soft landing’ after completion?

89 Commissioners’ roles: Hong Kong
- Functions (s8(1)) include:
  - Supervise compliance with DPPs (a) - no explicit mention of mediation in complaints
  - Assist with preparation of s12 Codes (b); and publish Guidelines (s8(5))
  - Promote awareness (c)
  - Examine proposed legislation and report to proposer (d) - no explicit role of public comment (eg smart ID card)
  - ‘carry out inspections’ of govt. data users (e) - not a specific audit power
  - Monitor technology developments (f)
  - Some other functions re data matching

