Privacy Law and Policy Reporter
Compiled by Graham Greenleaf and Nigel Waters
QLD GOVERNMENT WIMPS OUT
The official response from the new Queensland Labor Government to the 32 recommendations of the Legal Constitutional and Administrative Review Committee’s Report ‘Privacy in Queensland’ (see 5 PLPR 49) is ... nothing much. Attorney-General Matt Foley tabled the Government’s response in the Queensland Parliament on 20 October. It says that budget constraints and their limited time in office don’t enable them to do anything now — but they will some day (‘the Government remains committed to its policy to protect privacy’).
Oh, and they are going to let the Scrutiny of Legislation Committee explicitly consider privacy in relation to regulations, and will review the archives legislation, just so no-one can say they are ducking the big ones. So endeth one of the better parliamentary reports on privacy in Australian history (see article p72).
The Victorian Government’s proposed Data Protection Bill (see 5 PLPR 21) is unlikely to be introduced into Parliament this year as planned, but release of an exposure draft this year is still likely.
The Philippines Supreme Court on July 23 1998 declared unconstitutional the national identification card which the government of former president Fidel Ramos attempted to implement by administrative order in 1996, ostensibly as a means to fight crime. The court said the administrative order violates the constitutional right to privacy, and could not be implemented without a legislative basis. The court upheld the petition of Senator Blas Ople, upholding a previous court ruling in Easter 1997. (Source: Xinhua news agency)
The Electronic Privacy Information Center (EPIC) has just published a brand new Privacy Law Sourcebook. The book includes the full text of federal privacy laws, the full text of international privacy documents (including the OECD Guidelines and the EU Data Protection Directive), and the full text of selected other laws, documents, and materials on privacy, anonymity, and cryptography. It even includes some of the latest EU documents on adequacy and self-regulation.
The price is $50 (with discounts for some), and more information is available at the EPIC bookstore at www.epic.org/ bookstore. You can order the book from the website.
ACA used its powers of direction for the first time on 2 October, directing an internet service provider to join the Telecommunications Industry Ombudsman (TIO) scheme (see http://www.aca.gov.au/ media/40-98.htm). Healey Communi-cations, which has so far refused to join the scheme, faces a penalty of up to $50,000 if the ACA has to resort to an action in the Federal Court. Another two ISPs have been given a final warning for failing to join the scheme, as they are required to do under the Telecommunications Act 1997. ISPs now account for over 450 of the TIO’s 600 members. This is co-regulation with a bite.
‘It is difficult to see how a provision for compulsory random testing could ever be other than harsh or oppressive’. This statement in a recent judgment by Goddard CJ, Chief Judge of New Zealand’s Employment Court, offers some hope of putting a brake on the previously growing, and highly privacy intrusive, practice of random drug testing in NZ workplaces. The case arose out of a sale of a wool scouring firm and the imposition of new employment contracts on the workers by the purchasers. Successful court action was taken by nine workers for the striking out of certain harsh and oppressive clauses in the contract and compensation for the insult, indignity and coercion.
In a further notable aspect of the case from a privacy perspective, the judge reaffirmed the basic right, guaranteed in the New Zealand Bill of Rights Act 1990 but put into question by the contract, to refuse to undergo medical treatment, which His Honour took to include medical examination. The judgment attracted lively debate in the news media with unions and employers staking out predictable positions.
It is understood that the case will be appealed, and the prospects of success before the current NZ Court of Appeal may be good. In a recent employment case concerning redundancy the Court overturned previous Employment Court doctrine requiring compensation for redundancy in most cases in favour of a more literal interpretation of clauses and the sanctity of the written contract. This leaves most NZ workers without any entitlement to redundancy payments. Whatever the ultimate outcome, it is likely that fewer employers will try to introduce random drug testing unilaterally and instead contemplate genuine negotiation if they wish to adopt the practice.
See Harrison and others v Tucker Wool Processors Ltd (WEC 87/97), Goddard CJ, 30 September 1998 (judgment no WC63/98).
(Item contributed by Blair Stewart)
The Australian Privacy Commissioner has a flash new site at http://www.privacy.gov.au.
The NZ Privacy Commissioner has also substantially re-vamped his site, with a new address at http://www.privacy.org.nz.
The Western Australian Information Commissioner has a new site at http://www.foi.wa.gov.au. All of the Commissioner’s decisions will soon be available in full text on AustLII.
The Data Protection section on DG XV of the European Commission’s website at http://www.europa.eu.int/comm/dg15/en/media/dataprot/index.htm has been upgraded for the introduction of the EU privacy Directive. The site contains documents by the Data Protection Working Party (the A29 Committee), usually in 11 languages, and contact details of the national Data Protection Commissioners, with links to their web sites.
There is also an online handbook on the Directive, Handbook on Cost Effective Compliance with Directive 95/46/EC (Masons Study) at http://www.europa.eu.int/comm/dg15/en/media/dataprot/handbook/summary.htm, which examines the most cost effective means for companies and other organisations to comply with the specific obligations resulting from the data protection directive. It is mainly aimed at assisting organisations within the EU.
Ann Cavoukian has been appointed as Ontario’s Information and Privacy Commissioner for a five year term from July 1998. Cavoukian, Assistant Commissioner since 1990, is one of the most experienced privacy advocates in the ranks of privacy officials world-wide. She was recommended for appointment by an all-party parliamentary committee.
Nearer to home, Blair Stewart, a member of PLPR’s Editorial Board, has been promoted to Assistant Privacy Commissioner of New Zealand, from his previous position of Manager, Codes and Legislation.
In the US, the Federal Trade Commission’s enforcement action against Internet business GeoCities provides an interesting insight into the US government’s commitment to improving privacy standards, according to privacy consultant Robert Gellman. The FTC had taken GeoCities to task for deceptive and misleading practices in collecting information from individuals, including children, browsing its web site, and making it available to third parties, for marketing purposes, without the individuals’ knowledge or consent. Writing in his column in DM News, 21 September, Gellman notes that the FTC used some rather sharp words in its press release, stating that GeoCities misled its customers by not telling the truth. He said ‘The FTC got mostly good marks from privacy advocates for bringing the action, but not everyone thought that the settlement went far enough in providing actual remedies for aggrieved customers.’
Under a settlement (consent order) details of which were released in August, GeoCities agreed to post a clear privacy notice telling consumers the details of its information collection, disclosure, and removal process. GeoCities also agreed to obtain parental consent before collecting information from children 12 and under. Interestingly, GeoCities was in the midst of an initial stock offering at the time of investigation, and its stock took a big hit when the settlement was announced. This may send a message to businesses about the ‘bottom line’ risk of mismanaging the privacy issue.
But Gellman points out that the GeoCities case may have a perverse effect. ‘It may give companies a reason to avoid making any privacy promises at all. No US law requires an Internet privacy disclosure statement. The FTC may not have the ability to pressure companies to address privacy in the first place. Those companies that do are more likely to make vague promises so that they cannot be challenged.’ he says. He welcomes the FTC’s action in GeoCities for producing a result in its first Internet privacy case that is useful to both privacy advocates and business alike. But he says that ‘On the broader issue of the FTC’s general effectiveness as a privacy enforcer, however, the jury is still out.’
Source: Bob Gellman, US Direct Marketing News September 21, 1998, p15
The Privacy Laws & Business International Newsletter features in Issue 43 (May 1998) its annual survey of privacy legislation, this year covering 47 countries. PLPR readers looking for more detailed coverage of European developments can contact PL&B at email@example.com.