Presentation is loading. Please wait.

Presentation is loading. Please wait.

Asia-Pacific privacy Commissioners - Black holes & Collective inaction Graham Greenleaf Professor of Law, University of New South Wales 11 September 2003.

Published byMegan Willis Modified over 8 years ago

Similar presentations

Presentation on theme: "Asia-Pacific privacy Commissioners - Black holes & Collective inaction Graham Greenleaf Professor of Law, University of New South Wales 11 September 2003."— Presentation transcript:

1 Asia-Pacific privacy Commissioners - Black holes & Collective inaction Graham Greenleaf Professor of Law, University of New South Wales 11 September 2003 See http://www2.austlii.edu.au/~graham/ for updates / detailshttp://www2.austlii.edu.au/~graham/ Parallel Session 6: " A Safe and Open Society: the role of privacy regulators"

2 Overview 1Two black holes: Reporting and remedies –What evidence is there that Commissioners do their job? Arguably most important function: resolving complaints Is there accountability for public monies spent? –‘Black holes’: complaints go in, but what comes out? –Outcomes of complaints - who gets a remedy? –Reporting complaints - do we know what law they apply? 2Regional standards and collective action –What Asia-Pacific regional standards are developing? –Are regional Commissioner providing sufficient input? –Collective input from regional experts: the APPCC

3 Black hole #1: Outcomes - Does anyone get a remedy? Sources of evidence available? –√ Annual Reports - only public source examined 01/02; some 00/01 –? websites? - could extract from reported cases (have not) - should provide continuous data –? FOI requests? - ‘document’ available? (have not done) Only some jurisdictions considered –Privacy Comms - Australia; HK; NZ; Canada –Information Commissioners not considered - mainly access, some correction, some broader

4 Outcomes - Australian PC –2001-02 Annual Report - no statistics! Complaints tripled with private sector coverage (611) AR contains summaries of 11 complaints, of which one resulted in $5000 compensation No statistics given of complaint outcomes at all –2000-01 AR included some outcome stats 133 closed complaints; uncertain % breaches found 9 cases in AR involved $52,000 compensation No information about other remedies –No genuine s52 determinations in 15 years –No appeal right; No substantive case on the Act ever before a Court for judicial review

5 Outcomes - NSW PC –latest Annual Report 1999-2000 before new Act commenced (1/7/00) No statistics or complaint resolutions yet available under new Act –Since 2000, about 20 cases to NSW ADT 7 decided as yet - 7 more than the Cth! –AR 1999-2000 relevant to ‘non-IPP’ complaints, as they still apply 4 complaint resolutions summarised

6 Outcomes - Hong Kong PC PC Annual Report 2000/01 (01/02 is similar) –789 complaints (up 39%); 68% vs private sector;14% vs government;18% vs 3rd Ps Over 50% allege breaches of DPP 3 (use) –52 formally investigated (14% of 531 finalised) 26 (50%) found to involve contravention of PD(P)O 10 warning notices; 12 enforcement notices - but no idea what actions required, or what results 4 referals to Police for prosecution but in 3 Police found insufficient evidence; one unresolved Not one HK $1 compensation paid under s66; –any by mediation? A Rep does not say

7 Comparison - 4 PCs Annual Reports ‘Will I get a remedy - and if so, what?’ is largely unanswered - evidence is not there Some evidence of the % of successful complainants Little evidence of what remedies result Compensation? - a few examples from Aus and NZ All of the PCs are below ‘best practice’ A systematic and comparable standard of reporting is needed –Asia-Pacific PCs could develop standards

8 Will I get a remedy? Evidence from Privacy Commissioners Annual Reports 2001/02 (see web page for explanatory notes) √= yes; ?= can’t tell AusNZHKCan Complaints opened / completed √ / √ Type of complaint/ respondent ? (√ / √)√ / √ Respondent name (‘Top 10’)? (no)√no√ % formal finding0% (0%)8%10%72% % found breaches - mediated / awarded ? (√ / √) (? / -) ? / ?√ / √ 25 / 46 √ / √ 59 / 63 % success in CourtN/A√ (0%)?? Remedies - mediated / awarded ? (31 / 0) ? / ? 4 egs ? / ? Damages - mediated / awarded ? (9 / 0) ? / ? 4 egs ? / 0? / ?

9 Black hole #2: Publication of Commissioners’ decisions For detailed criticisms of reporting practices: –Greenleaf ‘Reforming reporting of privacy cases’ http://www2.austlii.edu.au/~graham/publications/2003/Refo rming_reporting/ –Bygrave ‘Where have all the judges gone?’ (2000) European Commissioners were little better - improved? Why reporting of Commissioners is needed –Few court decisions means Commissioners’ views in complaint resolutions are the de facto law –Identifying non-compliance is more valuable (and difficult) that ‘feel good’ exhortations to comply

10 Publication - Importance –Publication is possible Requires anonymisation in most cases Exceptions should not be the rule –Adverse consequences of lack of availability Interpretation unknown to parties / legal advisers No privacy jurisprudence is possible Past remedies (‘tariff’) unknown Privacy remains ‘Cinderalla’ of legal practice Deficiences in laws do not become apparent Commissioners can ‘bury their mistakes’ Justice is not seen to be done Deterrent effect is lost No accountability for high public expenditure

11 Publication - Australian P Comm (Federal) –AnRep has a few small ‘media grab’ summaries –No other mediation details published 1988-2002 –Comm avoids making binding Determinations (2 1993, 1 2003) despite powers to do so Dismisses matters under s40 - publication not required –Since Dec 2002, 14 useful summaries of mediations and determinations published on webpublished on web 2x1993, 2x2002, 10x2003 Rate now is still only 1.25 per month –Any Federal Court decisions would be on AustLII (but there are none of relevance) - no appeal right

12 Publication - HK P Comm Complaint summaries on website only to 1998 Only 6 (01/02) or 8 (00/01)overly brief complaint summaries in AnRep - about 0.5 per month No systematic reporting of significant complaints Cases before other tribunals –AAB complaint summaries are in AnRep, but not on website; AAB cases not available on Internet –No reporting of s66 cases in AnRep or website - There is only one such case

13 Publication - NZ P Comm Av 2 per month (03) reasonably detailed mediation summaries on website Selection criteria uncertain Website gives few details of cases on appeal or their outcome; not available elsewhere on web; P Comm publishes occasional compendiums Overall, difficult for most people to get an overall view of the law

14 Publication - Canadian PC Av 5 detailed PIPEDA case mediation summaries per month on website –best practice of PCs, but not Info Comms Few Privacy Act cases on website, but usually 12 or so in AnnRep Summaries of cases before Courts are in AnnRep (but not linked to mediation summaries) - difficult to obtain overview

15 Publication - 7 recommendations More reporting than 2/month (% goal) –statistics on reported / resolved ratio Publicly stated criteria of seriousness –confirmation of adherence in each AnRep Complainants can elect to be named In default, name public sector respondents; private sector respondents only exceptionally Report sufficient detail for a full understanding of legal issues, and the adequacy of the remedy Report regularly rather than in periodic batches 'One stop' reporting including reviews of Commissioner’s decisions Encourage 3rd-P re-publication + citation standards

16 Publication - A central location http://www.worldlii.org/int/special/privacy/ Privacy & FOI Law Project = All specialist privacy and/or FOI databases located on any Legal Information Institute (LII) Current coverage (all searchable in one search) –Canadian Privacy Commissioner Cases (WorldLII) –Privacy Commissioner of Australia Cases (AustLII) –New Zealand Privacy Commissioner Cases (AustLII) –Nova Scotia FOI & Privacy Review Office (CanLII) –Queensland Information Comm. Decisions (AustLII) –Western Australian Information Commissioner (AustLII) –Privacy Law & Policy Reporter (AustLII) Being added –New South Wales Privacy Commissioner (AustLII) –EPIC ALERT (WorldLII)

17

18 A seach for ‘disclos* near medical’

19 Part 2 - Regional privacy standards & collective action There is no global standard One region (Europe) has successfully developed regional standards –Council of Europe Convention 1981 –European privacy Directive 1995 The Asia-Pacific is the next most advanced region in privacy protection –Far less political and economic unity or uniformity –Starting the most important international privacy developments since the EU Directive ….

20 Toward an Asia-Pacific standard APEC’s privacy initiative –Chaired by Australia - US / Aust. initiative Asia-Pacific Telecommunity (APT) –Chaired by Korea Asia-Pacific Privacy Charter Council –A ‘civil society’ expert group FTAA will also affect some countries – (Free Trade Area of the Americas)

21 APEC’s privacy Principles - Progress or stagnation? Australia chairs a working group of 10 countries Starting point: OECD Guidelines (1981) 5 draft versions in 6 months –Do not yet even reach OECD standards –Only considering very minor improvements to OECD –V2 strengthened V1, but V3 and V4 far weaker for little apparent reason (Serious US input coincides with V3) At best it offers ‘OECD Lite’ ….

22 APEC’s ‘OECD Lite’ Examples of weak and outdated standards Based on Chair’s V4 (Aug 03) - now behind closed doors –No objective limits on information collection (P1) –No explicit requirement of notice to the data subject at time of collection (P3) –Secondary uses allowed if ‘not incompatible’ (P3) –OECD Parts 1, 3, 4 and 5 all missing as yet –Farcical national self-assessment proposed (V1) Even OECD allows strong export controls Why start from a 20 year old standard? –This would be laughable in other areas of law –Most regional countries are not members –Recognised as inadequate (eg Kirby J 1999)

23 The alternative: A real Asia-Pacific standard Look to actual standards of regional privacy laws –Eg Korea, Canada, Hong Kong, New Zealand, Taiwan, Australia, Japan, Argentina –Principles stronger than OECD are common (examples over) We need to adopt and learn from 25 years regional experience, not ignore it More input into APEC is needed from Commissioners and other experts to identity this standard –Some individual PCs input is filtered through governments –Regional PCs need a better collective role in APEC No equivalent yet to A29 Committee - provides protection Santiago (Feb 04) only offers input on implementation –Asia-Pacific NGO experts are developing the APPCC

24 Examples of high regional standards in Asia-Pacific –Collection objectively limited to where necessary for functions or activities (HK, Aus, NZ - Can stricter) –Notice upon collection (Aus, NZ, HK, Kor) –Secondary use only for a directly related purpose (HK, NZ, Aus - Kor stricter) – Right to have recipients of corrected information informed (NSW, NZ) – Deletion after use (HK, NZ, NSW, Kor)

25 APT privacy Guidelines (draft) –Asia-Pacific Telecommunity (APT) –Agreement of 32 states via Telecomms ministries (etc) –Guidelines on the Protection of Personal Information and Privacy (draft), July 2003 Drafting by KISA (Korea), with Asian Privacy Forum input –Attempts to take a distinctive regional approach Explicitly not based solely on OECD or EU (cl8) Says OECD Guidelines ‘reflect … the 70s and 80s’ ‘Concrete implementation measures’ unlike OECD Allows more variation between States that EU Emphasises role of government, not litigation Adds new Principles in at least five areas …

26 APT Guidelines - implementation –Legislation required + self-regulation encouraged –A privacy supervisory authority required Supervision and complaint investigation –Data export limits may be ‘reasonably required’ to protect ‘privacy, rights and freedoms’; free flow of information otherwise required –Limits on these guidelines only by legislation; only to the extent necessary for other public policies –Common character string need to deal with spam

27 APT Guidelines - new Principles –No disadvantage for exercising privacy rights (A5(2)) –Notification of corrected information to 3rd party recipients (A6(4)) –‘Openness’ of logic of automated processes (A7) –No secondary use without consent (A 14(2)) –Deletion if consent to hold is withdrawn (A16) –Duties on change of information controller (A19) –Special provision on children’s information (A34) –Personal location information Principle (A30) –Unsolicited communications Princple (A31)

28 Conclusions Why are APEC and APT so different? –Membership similar except for the USA US/Australia APEC initiative has a defensive and outdated starting point (OECD) Inadequate process: no collective expert input, and now behind closed doors –OECD Guidelines were by an ‘expert group’ A more consultative, confident, and region- based APEC initiative is needed

29 Coda: The APPCC - a regional expert initiative Asia-Pacific Privacy Charter Council –See http://www.BakerCyberlawCentre.org/appcc/http://www.BakerCyberlawCentre.org/appcc/ –35 non-government privacy experts from 10 regional countries, and growing –On 12/11/03, meeting to consider 1st working draft –Headings of Principles under consideration for Charter are over - only a first draft –Covers surveillance and intrusions as well as IPPs –An attempt to develop a positive regional standard

30 APPCC draft Part I - General Principles 1.Justification and proportionality 2.Consent 3.Accountability 4.Openness 5. Non-discrimination 6.Reasons for non-compliance

31 APPCC draft - Part II - Information Privacy Principles 7. Anonymous transactions14. Retention limitation 8. Collection limitation15. Public registers 9.Identifier limitation16. Information security 10. Information quality17. Automated decisions 11. Use and disclosure limitations 18.Identity protection 12.Export limitations19.Disclosure of private facts 13. Access and correction

32 APPCC draft - Part III - Surveillance limitation principles 20.Surveillance justification 21.Notice of overt surveillance 22.Approval of covert surveillance 23.Accountability for covert surveillance 24.Surveillance security 25.Surveillance materials 26.Transborder surveillance

33 APPCC draft - Part IV - Intrusion limitation principles 27.Intrusion limitation 28.Bodily privacy 29.Biometrics limitation 30.Private space 31.Communications & cyberspace privacy 32.Personal location limitation 33.Unsolicited communication limitation

34 APPCC principles - Part V - Implementation and compliance principles 34.Implementation by law40.Independent appeal 35.Sufficient implementation measures 41.Transparency of official actions 36.Supervisory body42.Individual recourse to Courts 37.Privacy impact assessments 43.International cooperation 38.Sufficient remedies for breach 44.Jurisdictional certainty 39. Obligations of information subjects

Download ppt "Asia-Pacific privacy Commissioners - Black holes & Collective inaction Graham Greenleaf Professor of Law, University of New South Wales 11 September 2003."

Similar presentations

VOLUNTARY PRINCIPLES ON SECURITY & HUMAN RIGHTS. What are the Voluntary Principles? Tripartite, multi-stakeholder initiative Initiated in 2000 by UK Foreign.

VOLUNTARY PRINCIPLES ON SECURITY & HUMAN RIGHTS. What are the Voluntary Principles? Tripartite, multi-stakeholder initiative Initiated in 2000 by UK Foreign.
Transparency and Domestic Regulation Mina Mashayekhi Division on International Trade UNCTAD.

Transparency and Domestic Regulation Mina Mashayekhi Division on International Trade UNCTAD.
Implications for the Regions EU-Regional Policy 1 Governance White Paper Introduction Adoption of White Paper on European Governance, July 25, 2001 Aim:

Implications for the Regions EU-Regional Policy 1 Governance White Paper Introduction Adoption of White Paper on European Governance, July 25, 2001 Aim:
Introduction to basic principles of Regulation (EC) 45/2001 Sophie Louveaux María Verónica Pérez Asinari.

Introduction to basic principles of Regulation (EC) 45/2001 Sophie Louveaux María Verónica Pérez Asinari.
The Problem Solvers TM www.singleton.com Privacy Rights: Minors and Parents Michael J. Hewitt Marcel Daigle Singleton Urquhart LLP.

The Problem Solvers TM Privacy Rights: Minors and Parents Michael J. Hewitt Marcel Daigle Singleton Urquhart LLP.
The fundamentals of EC competition law

The fundamentals of EC competition law
Data-Sharing and Governance Consultation ANALYSIS OF RESPONSES.

Data-Sharing and Governance Consultation ANALYSIS OF RESPONSES.
Reform of Arbitration Law The New Arbitration Ordinance (Chapter 609) #359905 Frank Poon Solicitor General (Acting) Department of Justice Hong Kong SAR.

Reform of Arbitration Law The New Arbitration Ordinance (Chapter 609) # Frank Poon Solicitor General (Acting) Department of Justice Hong Kong SAR.
6/1/2015MINISTRY OF ENERGY, COMMUNICATIONS AND MULTIMEDIA 1 PRESENTATION OF PERSONAL DATA PROTECTION BILL PRESENTATION OF PERSONAL DATA PROTECTION BILL.

6/1/2015MINISTRY OF ENERGY, COMMUNICATIONS AND MULTIMEDIA 1 PRESENTATION OF PERSONAL DATA PROTECTION BILL PRESENTATION OF PERSONAL DATA PROTECTION BILL.
Hong Kong Privacy Code on Human Resource Management

Hong Kong Privacy Code on Human Resource Management
The Treaties, Institutions and Policies of the EU

The Treaties, Institutions and Policies of the EU
Www.oaic.gov.au Introduction to the APPs and the OAIC’s regulatory approach Presented by: Este Darin-Cooper Director, Regulation and Strategy May 2015.

Introduction to the APPs and the OAIC’s regulatory approach Presented by: Este Darin-Cooper Director, Regulation and Strategy May 2015.
EU: Bilateral Agreements of Member States

EU: Bilateral Agreements of Member States
EU: Bilateral Agreements of Member States. Formerly concluded international agreements of Member States with third countries Article 351 TFEU The rights.

EU: Bilateral Agreements of Member States. Formerly concluded international agreements of Member States with third countries Article 351 TFEU The rights.
The role of the Office of the Privacy Commissioner in telecommunications Andrew Solomon Director, Policy.

The role of the Office of the Privacy Commissioner in telecommunications Andrew Solomon Director, Policy.
3rd session: Corporate Governance

3rd session: Corporate Governance
CHAPTER 1 The sources and institutions of employment law.

CHAPTER 1 The sources and institutions of employment law.
A European View of Privacy Protection John Woulds Director of Operations UK Data Protection Commissioner National Conference on Privacy, Technology & Criminal.

A European View of Privacy Protection John Woulds Director of Operations UK Data Protection Commissioner National Conference on Privacy, Technology & Criminal.
1 Consent for treatment A summary guide for health practitioners about obtaining consent for treatment Bridie Woolnough Resolution Officer Health Care.

1 Consent for treatment A summary guide for health practitioners about obtaining consent for treatment Bridie Woolnough Resolution Officer Health Care.
Per Anders Eriksson

Per Anders Eriksson

Similar presentations

Ads by Google