Privacy Law and Policy Reporter
A privacy commissioner’s job has been described as a lonely one. Sometimes called upon to uphold the rights of unpopular individuals, a commissioner may easily come under attack from politicians and the mass media. A commissioner must work closely with the public sector and yet remain separate from it — inevitably coming into conflict with governments from time-to-time. While working alliances have to be established and maintained with a variety of individuals, departments and interest groups, a commissioner cannot afford to be closely identified with any one if he or she is to be seen to consistently discharge the functions independently. Moreover, many of the contacts with politicians, officials, the public or the news media, will be on guarded terms knowing that an incautious remark might end up on the next day’s front page or be taken as an indication as to how a live complaint might be ruled upon.
This article describes a series of gatherings where commissioners can ‘let their guard down’ — in private amongst other commissioners. Although the protection of privacy is a specialist and lonely task within any one jurisdiction there are now a considerable number of commissioners around the world. Indeed it is now the norm in both Europe and the OECD to have national institutions dealing with privacy. In federal countries these are often joined by state bodies.
The best known international meeting is the annual conference of privacy and data protection commissioners, now in its nineteenth year. Less well known outside the direct participants are a series of regional meetings. Supplementing these geographical gatherings are a series of ad hoc meetings linked to particular topics.
The international conference is held in September each year in a different city with Brussels being the 1997 venue. In 1992 it was held in Sydney — the only time it has left Europe and North America. Recent meetings have been held in the UK, Netherlands, Denmark and Canada. Early meetings were primarily European affairs but gradually other countries were represented. New Zealand was occasionally represented by the Wanganui Computer Centre Privacy Commissioner from 1977 onwards. Australia and New Zealand were represented by their Privacy Commissioners from 1989 and 1992 respectively.
The 1996 Ottawa conference was the largest to date with 23 countries represented — including, from our own region, the newly appointed Hong Kong Privacy Commissioner for Personal Data. Seventy Commissioners and staff joined their Canadian hosts and more than 150 observers from government, business and privacy organisations.
The next largest regional meeting is the conference of European Union commissioners. Begun in 1990 as a forum to discuss the proposed EU Data Protection Directive the two day meeting has now become a feature of the privacy calendar. The April conference is supplemented by a short meeting held in conjunction with the international conference.
Regional meetings, bringing together commissioners from nearby jurisdictions, currently occur in three contexts:
In federal countries there is a particular need to liaise between the national and local governments.
In Switzerland the Federal Data Protection Commissioner and a group of cantonal commissioners meet about 6 times a year in different places around Switzerland. Information exchange and coordination is the objective. Once a year a conference of Swiss data protection authorities takes place which includes not only federal and canton data protection commissioners, but also city commissioners and members of canton commissions. At the end of each conference a press communique is approved and a joint declaration on a privacy issue may be made. For instance in 1996 a common declaration of all Swiss data protection authorities was released on the subject of data communications in the medical sector.
In Canada the provincial and federal privacy and information commissioners meet once a year. At provincial level the privacy function is often combined with a freedom of information role whereas at federal level the tasks are split between two statutes and two commissioners. The vastness of the country makes travel expensive and occasionally conference telephone calls have to substitute for face to face meetings where the situation warrants urgent consultation amongst commissioners.
Germany contains the largest and most well established data protection community of any country. Since 1978 a conference of federal and lander commissioners has been held, usually twice a year in the spring and autumn. All 16 commissioners attend these conferences which are hosted and chaired by each commissioner for a year on a rotation basis. At the end of each conference the chairperson holds a press briefing on the results.
The German conference has initiated a number of working groups on special issues such as media and telecommunications, technical issues, data processing in the fields of law enforcement, finance or research. These groups meet once or twice a year usually before the conference of the commissioners. The groups examine new developments in their respective fields and prepare reports and resolutions for the commissioners’ conference.
Many meetings of commissioners are marked by a degree of informality and are usually held in recognition of their value rather than any formal requirement to transact business. Meetings mandated under treaty are of a slightly different quality.
The 1995 European Union Directive on the Protection of Personal Data creates the ‘Article 29 Working Party’. Under the EU Directive each country is required to have a ‘supervisory authority’. This is the Privacy Commissioner or Data Protection Commissioner in each state. Article 29 establishes a working party of supervisory authorities which has advisory status and acts independently. Article 29 deals with such matters as the composition of the working party, voting, appointment of a chairman, and the creation of a secretariat. Article 30 sets out functions of the working party which includes, amongst others:
It should be noted that this working group, as against a meeting informally convened amongst the same membership of commissioners, has functions which are exercised under international treaty. This is the only time that such a gathering of privacy commissioners has been accorded such a status. There is a consultative committee convened under the Council of Europe Convention on the Protection of Individuals with regard to the Automatic Processing of Personal Data but that usually consists of government officials rather than commissioners.
A number of regular or irregular meetings bring together commissioners from groups of countries in several regions. The main link is geographical but the groupings probably also represent communities of interest based on political, legal or cultural grounds. Linguistic compatibility is significant given the informality and small size of the meetings and the high cost of translation facilities.
Three successful regional groupings exist in:
In Australia the federal commissioner initiated twice yearly meetings with state authorities having responsibility for privacy (which included privacy committees and, in some cases, officials from state Attorney Generals’ offices). In 1992 this arrangement was expanded to include the New Zealand commissioner following which the acronym PANZA was coined for Privacy Agencies of New Zealand and Australia. The meetings usually last a day and are hosted in succession at various cities in the active jurisdictions including, in recent years, Perth, Canberra, Adelaide and Auckland. Occasionally a public conference is arranged for an adjoining day to make the most of visiting expertise. Attendance ranges from about six to 20 participants, with the larger numbers comprising invited officials or experts in addition to commissioners and privacy agency staff.
The main purpose of the PANZA meetings is to exchange information about what each agency is doing. Perspectives are also shared on privacy issues arising across jurisdictions. Sometimes outsiders are invited to give short presentations to the meeting.
The Scandinavian countries of Finland, Denmark, Sweden, Norway and Iceland, meet once a year in June: in 1997 the venue being Kalmar, Sweden. In 1996 the meeting was held in Iceland in the little town of Hoefn. These successful meetings have been held for 10 years now.
The Irish Data Protection Commissioner, the data protection registrars of the UK, Isle of Man and Jersey, and a representative of the Guernsey Data Protection Authority, attend the British and Irish Data Protection Authorities meetings. Such meetings have been held in some form since 1988 and in its present format and composition since 1994. The day long meetings are hosted by each authority in turn with the 1996 meeting in the UK and the 1997 one in the Isle of Man. The meetings fulfil the same purpose as the PANZA meeting being an opportunity to exchange information about current developments and to discuss current issues.
In 1995, for the first and so far only time, a ‘Pan Pacific’ meeting of privacy commissioners was convened in Victoria, British Columbia. This was convened to coincide with a major privacy conference. It drew representation from Canada, Australia and New Zealand. Although the title suggests geographical coherence that is not really the case with a vast distance separating Perth in the west from Montreal in the east. Travel costs make repetition of this meeting difficult but its potential probably lies not in geography but in the community of interest between the privacy legislation in those common law jurisdictions. The law in each draws its inspiration from the OECD guidelines, rather than the European instruments, and is based upon the coverage of all personal information, not just automatically processed data.
In addition to the meetings which are held on a geographical or international basis, there are a series of topic based meetings of Commissioners. A number of these are working groups which report back to larger gatherings. For example, EU Commissioners have working groups on consumer credit, telecommunications, Europol, Internet and on-line services. The range changes from time to time. As already mentioned, the German national conference of data protection commissioners has also initiated a number of working groups on special issues.
A well known working group which has spun off from the international conference, but established a reputation of its own, is the International Working Group on Data Protection in Telecommunications. The Berlin Data Protection Commissioner provides a secretariat for the working group which has since 1990 met twice a year, alternating between Berlin and other cities. The 19th meeting, held in Budapest in April 1996, ranged through a variety of issues such as the Internet, online services, privacy in labour relations, privacy enhancing technology, international transborder/ hotel reservation systems and cooperation in respect of other initiatives dealing with new technologies.
In September 1996 there was held for the first time, in conjunction with the international conference in Ottawa, an informal workshop of commissioners focusing upon practical skills and initiatives of relevance to commissioners’ work. The two subjects tackled at the workshop were ‘improving input into legislative processes’ and ‘getting value for money from education and publicity initiatives’. The workshop brought together 15 commissioners and staff from a variety of jurisdictions under the chair of the New Zealand Privacy Commissioner.
The gathering together of Privacy Commissioners has been seen as a valuable way to enhance the objectives of data protection and to keep abreast of privacy issues. Once a year Commissioners meet in large numbers at the international conference. At other times of the year small handfuls of Commissioners get together in tiny Icelandic villages, the Canadian prairies and Australian state capitals. The Commissioners share experiences. They learn of new privacy issues. They discharge responsibilities under international treaties. In some instances they agree and disseminate formal resolutions. In others the discussion is ‘off the record’ and simply helps Commissioners quietly to get on with their work effectively.
With the establishment of national institutions in more jurisdictions the need for these informal coordination and information sharing meetings becomes even more vital. In our own region we have been recently joined by a Hong Kong commissioner. Tentative talk has been heard of new laws for several Australian state jurisdictions. The PANZA meeting between Australia and New Zealand jurisdictions has been highly successful but may need to adapt to changing circumstances. It has the informality to achieve that if warranted.
The burgeoning size of the international conference made it difficult to satisfy the need for informal and effective exchange of information about what is going on in privacy protection. It has been valuable to supplement the international conference with smaller skills-based, topic-based and regionally-based meetings to help work towards an effective network of Privacy Commissioners around the world. There is probably room for enhancement as coordinated and cooperative ventures between a variety of jurisdictions have significant potential to make better use of each country’s limited resources.
Blair Stewart is Manager, Codes & Legislation Office of the Privacy Commissioner, New Zealand.
The author thanks the following for information about meetings in their region: Lorraine Dixon, Canada; Anne Hinde and Laura Linkomies, UK; Jorma Kuopus, Finland; Sven Moers, Germany; Kosmas Tsiraktsopulos, Switzerland.