Privacy Law and Policy Reporter
Compiled By Graham Greenleaf and Tim Dixon
The European Union's Council of Ministers has at last adopted a 'common position' on the proposed Data Protection Directive, opening the way for Europe-wide privacy laws. The Council finally adopted a common position on February 20 1995, with the UK abstaining (see (1994) 1 PLPR 200). The draft Directive will now go to the European Parliament for a second reading and should return to the Council for formal adoption by mid-year, with final adoption expected by year's end. Member states of the EU will then be allowed two years to amend their laws to conform with the Directive.
The draft Directive was adopted just days before the G7 Summit of leading industrialised nations and, according to a press release from the Commission of the EU, 'gives a signal to the EU's trading partners, such as Canada, Japan and the US, of the importance the EU gives to the protection of the individual's rights in the application of new technological developments'.
Some key elements of the amended draft Directive are: it covers computerised data and manual data (but with a 12 year phase-in) and transmission of information 'whatever the technology'; it covers the public, private and non-profit sectors; it sets out six justifications permitting the processing of personal information; it imposes much stricter requirements for the processing of 'sensitive' data (including data concerning ethnic or racial origin, political or religious beliefs, trade union membership, health or sexual activities); it requires personal data to be relevant, accurate and up-to-date (but only when used); and it requires processing of personal data to be notified to the supervisory authority in each member State. Where there are still some differences between the laws of member States, the law of the State where the data processing is 'established' will prevail.
The export of personal data to non-EU countries will be prohibited except to countries which provide an 'adequate level of protection', and the Council of Ministers will decide which countries meet this standard. The details of the amended Directive, and particularly its implications for data exports to countries such as Australia, will be examined in coming issues of the Reporter.
As Australia's Health Communications Network takes shape, it may do well to note emerging problems with American health communications systems. A Californian recently went to court over his insurance company's refusal to give medical compensation because he had abused drugs. The company's information was based on a computer record of a confidential confession to his doctor that in his youth he had smoked marijuana. Another recent case involved a 13 year old daughter of a Florida hospital worker. She had apparently gone through computerised patient records and for a practical joke called them posing as a hospital worker, and informing them that they had been found HIV positive. Debate continues over the adequacy of security protections, while the rapid transfer of health records on to information systems continues on several fronts. Consumer credit reporting firm Equifax have recently announced plans to computerise a vast quantity of medical records in a co-operative arrangement with telecommunications giant AT&T. The National Information Infrastructure Testbed (NIIT) consortium is building health communications networks with government funding. Special purpose networks are also developing, including a specific network called Telemed recently launched with the aim of keeping track of tuberculosis patients.
('The Economist', 29 April 1995)
The Australian Tax Office has stepped up its use of information technology in recent months with the acquisition of a Teradata computer system. The system makes possible an array of data warehousing functions, comparing and matching current and historical information from a wide range of sources to uncover discrepancies and cases which may require further investigation. The ATO is hoping to connect the system to the Yellow Pages and to the Australian Securities Commission database.
Despite moves elsewhere in NSW to adopt video surveillance, the new Premier, Bob Carr, has cancelled the planned installation of a sophisticated internal security camera system in his offices. The system, which was planned for the new Premier's new offices in Sydney's prestigious Governor Macquarie Tower, would have made possible extensive monitoring of the movements of staff and ministers. Mr Carr said that cancelling the surveillance camera installation would save taxpayers $300,000.
('Sun-Herald', 30 April 1995)
Communications Minister Michael Lee repeated the government's concerns about protecting privacy on computer and communications networks in a major speech to the Australian Telecommunications Users' Group Conference ATUG '95. Mr Lee noted that unless they are fully confident about the security and integrity of networked information, people will not be willing to participate fully in new communications services, whether they are delivered by the Government or by the private sector. He suggested that the solutions to privacy concerns lie both in technologies such as encryption and in establishing processes and protocols to protect personal information. The Minister noted three areas in which the government would taken action. First, he commented that, 'we will also have to ensure that those who misuse personal information are dealt with severely'. Second, Mr Lee stated that the Attorney-General would be providing 'major input into our strategy for information privacy on networked services'. Finally, he noted that, 'in the meantime I am ensuring that the existing telecommunications regime continues to address privacy on networked services until such time as more comprehensive solutions can be achieved'.
The creator of the computer encryption program 'Pretty Good Privacy' faces the prospect of charges in the US for putting his encryption program on to the Internet. The US District-Attorney in San Jose is investigating Mr Phil Zimmerman for making the program available through the Internet in 1991 on the basis that he may have violated US arms export laws, which disallow sending encryption materials overseas.
A recent review of the NZ Press Council has resulted in changes to council procedures on privacy complaints. The Press Council has made changes in recognition of its special responsibility, given that the media is exempted from the application of the Privacy Act, and in response the procedures sets out three ways in which the Press Council may require newspapers to publish the findings of complaints. The first is the normal publication identifying the complainant and the nature of the complaint. The second involves simply publishing the fact that a decision has been made against the newspaper without mentioning the name or circumstances of the complaint. The third requires the newspaper not to publish anything relating to the complaint at all because such a publication may identify the individual concerned. Further, the revised procedures allow the Press Council to require the editor of a newspaper to carry out a review of procedures and practices which led to the complaint being upheld. The editor may be required to report the results of this complaint to the Press Council. The Press Council may also require the editor to publish the fact that an inquiry has been ordered and may later require the editor to publish the outcome of the review. This outcome is likely only in more extreme cases of breaches of personal privacy.
A startling legislative development in the US is extending data surveillance into cross-system enforcement, an area far more significant than data-matching. As part of welfare reform legislation, the House of Representatives, by a vote of 426 to 5, approved a proposal requiring all US States to have laws to suspend driver's licences, occupational licences and recreational licences of people who fail to meet their child-support obligations (known as 'dead beat dads'). Nineteen states already have such laws and, according to the New York Times (24 March 1995), 'preliminary studies suggest that the mere threat of such penalties increases compliance, especially by self-employed parents'.
Cross-system enforcement, the use of the sanctions of one administrative system (for example, licence suspension) to enforce the unrelated goals of another (for example, maintenance payment) is seen by many concerned with privacy issues as the most extreme use of data surveillance techniques. It removes distinctions not only between different information systems, but also between the goals and enforcement methods of different administrative systems. It is a technique that can be used to make a person the equivalent of a modern day 'outlaw', where transgression against one of society's standards is met by sanctions from a whole range of social institutions. The legislation has raised little comment in the US, but deserves serious debate.
The Electronic Privacy Information Center (EPIC) has started a campaign against the new US telecommunications interception legislation. As explained by EPIC, the Communications Assistance for Law Enforcement Act 1994 will require telecommunications carriers and manufacturers of telecommunications equipment to make it easy to wiretap the nation's communication system. This is of particular relevance to Australia because of the Barrett Review of telecommunications interception (see (1994)).
Key provisions requires that new communication systems be designed to: isolate a particular electronic communication; isolate call-identifying information; deliver intercepted information to a remote government monitoring location; and deliver information to the government without disclosing the government's activity.
The Bill went forward after $500 million was authorised to pay companies to make the changes necessary for the wiretap program. However, Congress must now decide whether to appropriate the funds, and EPIC is campaigning to stop the appropriation. Given the strong support in Congress for additional FBI surveillance powers in the wake of the Oklahoma terrorist bombing, EPIC will be campaigning in a very difficult climate.
The wiretap plan has also been linked to the controversial 'Clipper Chip' proposal, which was also developed jointly by the FBI and the National Security Agency (NSA). Clipper also faces strong opposition from industry and civil liberties groups, and its future is uncertain (see the review of the CFP'95 conference in this issue).
Internet resources on this issue are available as follows:
EPIC Web Page on the Wiretap Campaign:
The Communications Assistance for Law Enforcement Act of 1994: