Baker Cyberlaw Centre Seminar 4/12/03 Pitfalls in the complaints process: a privacy advocate's perspective Graham Greenleaf Professor of Law, UNSW, and.


1 Baker Cyberlaw Centre Seminar 4/12/03
Pitfalls in the complaints process: a privacy advocate's perspective
Graham Greenleaf, Professor of Law, UNSW, and Co-Director, Baker & McKenzie Cyberspace Law and Policy Centre
Copy available at http://www2.austlii.edu.au/~graham/
Privacy Complaints: How to Win for Your Client (Making privacy laws work)

2 Some pitfalls under the Commonwealth & NSW Acts
- Who decides remedies?
- What rights of appeal are there?
- Does anyone get a remedy?
- Is the law enforced, or is it a joke?
- What law is applied?
- Are cases reported?
- Is the law applied the same?
- The widening divergence

3 Objectives in enforcement
- A means of individual redress; low-cost and non-public
- Appropriate range of remedies, such as:
  - Access to and correction of records;
  - compensatory damages;
  - injunctions or orders to enforce compliance;
  - Criminal penalties for serious/repeated breaches
- Judicial review of administrative errors;
- Appeals by either party to the Courts
- Preventative/educative powers of PCO, such as:
  - Audits of data users;
  - Privacy Impact Assessments (PIAs) on new proposals
  - Power to require reports on existing practices

4 Complaint resolution - Overview - Cth Act
- Investigation - public and private sectors
- Complaints only re ‘interferences with privacy’: breaches of NPPs, IPPs etc (s36)
- Representative complaints possible (s36(2), s38 - s39)
- ‘Own motion’ investigations possible (s40(2))
- Comm must not investigate unless complaint first made to respondent, unless inappropriate (s40(1A))
- Comm can refuse / close / defer investigation (s41)
  - ‘not an interference’ (a); ‘lacking in substance’ (d)
  - Another law ‘provides a more appropriate remedy’ (s41(1)(f))
  - Respondent has dealt adequately with complaint (s41(2)(a))
- If Comm is considering a s52 determination, must give both parties the opportunity of a hearing (s43(5))
- Comm’s extensive powers to investigate (ss44-47)

5 Complaint resolution - Overview - Cth Act (2)
- Determinations under s52
- Possible determinations
  - Dismissing complaint (not used - s41 instead)
  - That conduct should not be repeated
  - Performance of reasonable acts; compensation
  - ‘correction, deletion or addition to a record’
  - Can compensate ‘feelings or humiliation’
  - Reimbursement for ‘expenses reasonably incurred’
- Practice so far: determinations made public
  - But they don’t occur

6 Complaint resolution - Overview - Cth Act (3)
- Enforcement of s52 determinations
- s55 - respondent must comply with determination
- s55A - if respondent does not comply, must proceed de novo in Fed Ct / Mag Ct for enforcement
  - Evidence before Commissioner is admissible
- s55B - Certified copy of Comm’s determination is prima facie evidence of facts found by him
  - Onus is on respondent to rebut facts
  - Onus is still on complainant to show breach of IPP/NPP
- Is this biased in favour of respondents?

7 Complaint resolution - Overview - NSW Act
- Basic point: Only ‘Part 5’ complaints to agencies can lead to the ADT and enforceable remedies
- Investigation of complaints by Commissioner
  - Commissioner can investigate any complaint (IPP or ‘non-IPP’)
  - can only conciliate and make recommendations (s49) (like old Privacy Committee)
  - For complainant to get to ADT, must first seek internal review by agency under Pt 5
  - Commissioner can appear in ADT hearings (and does)
  - has extensive powers, including compulsory conferences (s49)
  - May investigate ‘own motion’ complaints (s45 ‘or by’)

8 Complaint resolution - Overview - NSW Act (2)
- Pt 5 complaints - internal review and ADT
- Applicant must seek review of conduct by agency (s53)
- Agency must conduct internal but independent review (s53(4)) and consider provision of the full range of remedies (7)
- Agency must inform Comm of review and its progress, and accept submissions from him (s54)
- Dissatisfied applicant may apply to ADT for review (s55)
- ADT may award damages to $40,000 and other remedies
- Commissioner can appear in ADT hearings (and does)
- Either party may apply to ADT Appeal Panel for further review

9 Remedies
- Compensation
- Access to and correction of records;
- Injunctions or orders to enforce compliance;
- Criminal penalties

10 Injunctions and compliance orders
- Injunctions - Cth public sector, private sector
  - Privacy Act 1988 s98 allows ‘any person’, including Comm, to seek injunction to enforce IPPs and NPPs
  - Risk of costs against, and damages particularly in the case of interim injunctions
- Cth Comm s52 determinations are a form of compliance notice
- NSW - only the ADT can make orders
- Vic - Comm can serve compliance notice on an organisation but only if ‘flagrant’ or repeated breaches

11 Criminal offences
- Cth
  - Public sector and private sector enforcement does not involve significant criminal enforcement
  - Part IIIA credit reporting does involve offences
- NSW PPIPA ss62-s63
  - offences of corrupt disclosure and use of personal information by public officials
  - offence of offer to supply personal information disclosed unlawfully
- Cth and NSW cybercrime legislation relevant

12 Black hole #1: Complaint outcomes - Does anyone get a remedy?
- This is from an earlier broader study
- Sources of evidence available?
  - √ Annual Reports - only public source examined 01/02; some 00/01
  - ? websites? - could extract from reported cases (have not) - should provide continuous data
  - ? FOI requests? - ‘document’ available? (have not done)
- Only some jurisdictions considered
  - Privacy Comms - Australian Fed; NSW; HK; NZ; Canada
  - Information Commissioners not considered - mainly access, some correction, some broader

13 Outcomes - Australian Fed PC
- 2000-01 AR included some outcome stats
  - 133 closed complaints; uncertain % breaches found
  - 9 cases in AR involved $52,000 compensation
  - No information about other remedies
- 2001-02 Annual Report - no statistics!
  - Complaints tripled with private sector coverage (611)
  - AR contains summaries of 11 complaints, of which one resulted in $5000 compensation
  - No statistics given of complaint outcomes at all

14 Outcomes - Australian Fed PC (2)
- 2002-2003 Annual Report
  - 225 breaches of the Act found
  - NPPs 127; IPPs 35; Pt IIIA 63
  - No specific details of remedies, just a few vague comments
  - not even compensation total as in 2000/1
  - No example cases (replaced by 2 per month on web)
  - No details of complaints dismissed (and no use of s52)
- Is everybody happy?
  - All breaches found were ‘adequately dealt with’ (in the Commissioner’s view)
  - One genuine s52 determination in 15 years (2003)
  - No appeal right; No substantive case on the Act ever before a Court for judicial review

15 Outcomes - NSW PC
- Annual Report 1999-2000 (most recent)
  - Before new Act commenced (1/7/00)
  - No statistics or complaint resolutions yet under new Act
  - still relevant to ‘non-IPP’ complaints
  - 4 complaint resolutions summarised
- ‘Quick Stats’ 2000-03 provided on web
  - In 2002/3, 219 complaints, and 39 internal reviews, finalised
  - No statistics of complaint mediation outcomes
  - No complaint mediation case-studies
- Reviews by the NSW ADT (enforceable)
  - 49 cases lodged with ADT (37 in 2003)
  - 15 decided & reported as yet - 15 more than the Cth!

16 Outcomes - Hong Kong PC
- PC Annual Report 2000/01 (01/02 is similar)
- 789 complaints (up 39%); 68% vs private sector; 14% vs government; 18% vs 3rd Ps
- Over 50% allege breaches of DPP 3 (use)
- 52 formally investigated (14% of 531 finalised)
- 26 (50%) found to involve contravention of PD(P)O
- 10 warning notices; 12 enforcement notices - but no idea what actions required, or what results
- 4 referrals to Police for prosecution
  - but in 3 Police found insufficient evidence; one unresolved
- Not one HK $1 compensation paid under s66; any by mediation? A Rep does not say

17 Comparison - 4 PCs Annual Reports
- ‘Will I get a remedy - and if so, what?’ is largely unanswered - evidence is not there
- Some evidence of the % of successful complainants
- Little evidence of what remedies result
- Compensation? - a few examples from Aus and NZ
- All of the PCs are below ‘best practice’
- A systematic and comparable standard of reporting is needed
- Asia-Pacific PCs could develop standards

18 Will I get a remedy? Evidence from Privacy Commissioners Annual Reports 2001/02 (see web page for explanatory notes)
√ = yes; ? = can’t tell
Columns: Aus | NZ | HK | Can
Complaints opened/complete: √ / √
Type of complaint/respondent: ? (√ / √) | √ / √
Respondent name (‘Top 10’): ? (no) | √ | no | √
% formal finding: 0% (0%) | 8% | 10% | 72%
% found breaches - mediated / awarded: ? (√ / √) (? / -) | ? / ? | √ / √ 25 / 46 | √ / √ 59 / 63
% success in Court: N/A | √ (0%) | ? | ?
Remedies - mediated / awarded: ? (31 / 0) | ? / ? 4 egs | ? / ?
Damages - mediated / awarded: ? (9 / 0) | ? / ? 4 egs | ? / 0 | ? / ?

19 Black hole #2: Publication of Commissioners’ decisions
- For detailed criticisms of reporting practices:
  - Greenleaf ‘Reforming reporting of privacy cases’ http://www2.austlii.edu.au/~graham/publications/2003/Reforming_reporting/
  - Bygrave ‘Where have all the judges gone?’ (2000)
  - European Commissioners were little better - improved?
- Why reporting of Commissioners is needed
  - Few court decisions means Commissioners’ views in complaint resolutions are the de facto law
  - Identifying non-compliance is more valuable (and difficult) than ‘feel good’ exhortations to comply

20 Publication - Importance
- Publication is possible
  - Requires anonymisation in most cases
  - Exceptions should not be the rule
- Adverse consequences of lack of availability
  - Interpretation unknown to parties / legal advisers
  - No privacy jurisprudence is possible
  - Past remedies (‘tariff’) unknown
  - Privacy remains ‘Cinderella’ of legal practice
  - Deficiencies in laws do not become apparent
  - Commissioners can ‘bury their mistakes’
  - Justice is not seen to be done
  - Deterrent effect is lost
  - No accountability for high public expenditure

21 Publication - Australian Federal Privacy Commissioner
- AnRep had a few small ‘media grab’ summaries
- No other mediation details published 1988-2002
- Comm avoids making binding Determinations (2 1993, 1 2003) despite powers to do so
  - Dismisses matters under s40 - publication not required
- Since Dec 2002, 13 useful summaries of mediations and determinations published on web
  - 2x2002, 11x2003 (+ 2x1993, 1x2003 determinations)
  - Rate is only 1.1 per month - not 2/month as planned

22 Publication - Australian Federal Privacy Commissioner (2)
- Any Federal Court decisions would be on AustLII (but there are none of relevance)
- No right of appeal to complainants
- Respondents have de facto right of appeal by refusing to comply with determination - de novo hearing in Federal Court - biased and unfair
  - How would complainants react to this?
- Judicial review (ADJR) is possible
  - How many complainants are aware?
  - How many could afford this?

23 Publication - NSW Privacy Commissioner
- No mediated complaint summaries
  - No Annual Report since new Act
  - Privacy NSW says it intends to publish them
  - Internal review results also needed
- ADT decisions
  - 49 cases lodged with ADT (37 in 2003)
  - 15 decided & reported as yet - compare Cth!
  - Decisions are on LawLink and AustLII
  - Privacy NSW also prepares summaries (also on AustLII)

24 Publication - HK P Comm
- Complaint summaries on website only to 1998
- Only 6 (01/02) or 8 (00/01) overly brief complaint summaries in AnRep - about 0.5 per month
- No systematic reporting of significant complaints
- Cases before other tribunals
  - AAB complaint summaries are in AnRep, but not on website; AAB cases not available on Internet
  - No reporting of s66 cases in AnRep or website - There is only one such case

25 Publication - NZ P Comm
- Av 2 per month (03) reasonably detailed mediation summaries on website
- Selection criteria uncertain
- Website gives few details of cases on appeal or their outcome; not available elsewhere on web; P Comm publishes occasional compendiums
- Overall, difficult for most people to get an overall view of the law

26 Publication - Canadian PC
- Av 5 detailed PIPEDA case mediation summaries per month on website
  - best practice of PCs, but not Info Comms
- Few Privacy Act cases on website, but usually 12 or so in AnnRep
- Summaries of cases before Courts are in AnnRep (but not linked to mediation summaries) - difficult to obtain overview

27 Publication - 7 recommendations
- More reporting than 2/month (% goal)
  - statistics on reported / resolved ratio
- Publicly stated criteria of seriousness
  - confirmation of adherence in each AnRep
- Complainants can elect to be named
  - In default, name public sector respondents; private sector respondents only exceptionally
- Report sufficient detail for a full understanding of legal issues, and the adequacy of the remedy
- Report regularly rather than in periodic batches
- ‘One stop’ reporting including reviews of Commissioner’s decisions
- Encourage 3rd-P re-publication + citation standards

28 Publication - A central location
- http://www.worldlii.org/int/special/privacy/
- Privacy & FOI Law Project = All specialist privacy and/or FOI databases located on any Legal Information Institute (LII)
- Current coverage (all searchable in one search)
  - Australian Federal Privacy Commissioner Cases (AustLII)
  - New South Wales Privacy Commissioner ADT summaries (AustLII)
  - Canadian Privacy Commissioner Cases (CanLII)
  - New Zealand Privacy Commissioner Cases (AustLII)
  - Nova Scotia FOI & Privacy Review Office (CanLII)
  - Queensland Information Comm. Decisions (AustLII)
  - Western Australian Information Commissioner (AustLII)
  - Privacy Law & Policy Reporter (AustLII)
  - EPIC ALERT (WorldLII)
- More are being added

30 A search for ‘disclos* near medical’

31 Widening divergence in public sector privacy laws
- Variations so far
  - Commonwealth / ACT - IPPs
  - NSW - NSW IPPs
  - Vic & NT (and private sector) - NPPs
- Superficial similarities in aims
  - All based on life-cycle of information
- Significant differences in details
- Little case law except new NSW cases - major differences already emerging
  - NSW caselaw shows how quickly the Acts can diverge once Courts interpret them

32 Examples and recent cases
- Collection from the data subject
  - DO v University of New South Wales [2002] NSWADT 211; [2003] NSWADTAP 9
- Consent exception to disclosure - express or implied
  - Macquarie University v FM [2003] NSWADTAP 43
- Minimal collection - anonymity
  - Wykanak v Dept Local Govt [2002] NSWADT 208
  - FH v NSW Dept Corrective Services [2003] NSWADT 72
- Are records required before Acts apply?
  - Macquarie University v FM [2003] NSWADTAP 43

33 Collection from the data subject
- Some laws require collection from the data subject, but they differ considerably
  - Cth IPPs impose no obligation to collect from the individual, no consent needed to collect from 3rd Ps
  - NPP 1.4 requires collection only from individual ‘if it is reasonable and practicable to do so’
  - NSW s9 (IPP 2) requires collection directly from individual unless
    - 3rd P collection is authorised by the individual; or
    - Provided by parent/guardian if under 16
- DO v University of New South Wales [2002] NSWADT 211
  - UNSW did have authorisation to collect from 3rd Ps
  - Illustrates risks under NSW Act
  - It is OK to ‘double check’ with a 3rd P - collection from both
- GV v DPP [2003] NSWADT 177
  - DPP obtained a more detailed medical certificate from doctor than patient’s consent allowed - breach of IPP 2 (subpoena may have avoided this)
  - But the s23(2) exemption for collection in connection with court proceedings applied

34 Consent exception to disclosure
- Cth IPPs and NPPs - implied consent
  - ‘express consent or implied consent’ (Cth PA s6, also Vic)
  - Consent must also be informed (meaning of ‘consent’)
  - Can consent be implied from failure to opt out?
- NSW s26(2) requires express consent
  - Failure to opt out could never be good enough
- Macquarie University v FM [2003] NSWADTAP 43
  - Consent to UNSW to collect transcript from UNSW was implied consent to Macquarie to disclose it, but that is not express consent
  - The agency disclosing must go to the individual concerned and ask
- Cf NZ requires ‘authorization’
  - NZ Courts (L v J, L v L) have held this includes implied authorizations (see Roth article)

35 Minimal collection - anonymity
- NPP 8 - ‘Wherever lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation’ - no direct NSW equiv.
  - Is it a breach to build systems which make anonymity impracticable?
  - Does NPP8 require anonymity to be ‘designed in’?
- FH v NSW Dept Corrective Services [2003] NSWADT 72
  - Equivocal on whether breach of security principle where it would cost millions for Dept to change system to log accesses
- Wykanak v Dept Local Govt [2002] NSWADT 208 (summary)
  - ADT could not review a complaint of an anticipated breach of a NSW IPP
  - Compare Cth IPPs or NPPs - s98 Injunctions available where ‘a person … is proposing to engage in any conduct that … would constitute a contravention of this Act’

36 ‘Records’ / ‘documents’
- Significance in Commonwealth Privacy Act
  - Cth IPPs all require information in ‘records’ or a ‘generally available publication’
  - NPPs don’t, but s16B has same effect
  - One of the dividing lines between information privacy and surveillance laws
- Problems - compare Cth and NSW results
  - Interview with no notes taken
  - CCTV with no film
  - Listening device with no recording

37 ‘Records’ / ‘documents’ (2)
- Other jurisdictions requiring records / documents
- Victoria
  - S3 definition ‘personal information’ - ‘means information … that is recorded in any form …’
- Northern Territory
  - S4 definition ‘personal information’ means ‘government information from which …’
  - S4 definition ‘government information’ means ‘a record held …’
- Hong Kong
  - s2 definition ‘data’ is only ‘any representation of information, in any document’.
  - ‘document’ includes disks, film etc from which visual images or other data are ‘capable...of being reproduced’

38 ‘Records’ / ‘documents’ (3)
- New South Wales - the odd one out
  - S4 defn ‘personal information’ means ‘information or an opinion (….whether or not recorded in a material form) …’ - cannot imply a record from the definition
  - NSW IPPs all refer to ‘personal information’ (contrast Cth IPPs require ‘in a record’)
  - No equivalent to Cth s16B re NPPs
  - All NSW IPPs therefore apply to all personal information whether or not it is ever recorded
  - IPPs only require that agency must ‘collect’ or ‘hold’ personal information
- However, New Zealand Privacy Act 1993 (s2 "Personal information") does not limit most of its IPPs to records or documents

39 ‘Records’ / ‘documents’ (4)
- Macquarie University v FM [2003] NSWADTAP 43
  - Upheld approach taken in Macquarie University v FM [2003] NSWADT 78
  - S18 breach by Macq’s disclosure to UNSW of information in 2 telephone conversations
  - Information was observations of FM and opinions about him
  - The information was never recorded by Macq
  - Held - Was ‘personal information’ even though FM’s behaviour was observed by others
  - Held - Info was ‘held’ in the mind of Macq staff
    - s4(4) defines ‘held’ as ‘possession or control’
    - ‘Possess’ must include ‘in the mind’ for non-material information
  - Order - Macq staff must not disclose any information in their minds about students, unless s18 exemption applies

