Privacy Law and Policy Reporter
In September, the ever-growing community of national Privacy and Data Protection Commissioners held their twentieth annual conference in Santiago de Compostella in Northern Spain. Nigel Waters attended, and here reports on developments since the Privacy Laws & Business conference in July (see 1998 5 PLPR 30).
The EU Data Protection Directive was understandably the centre of attention: at the time of the meeting there was less than five weeks to go until the commencement date of 25 October.
Ulf Bruhann, from DGXV of the European Commission, gave an update on implementation, and, crucially, on the state of discussions with third countries. He noted that although only Italy, Greece, Sweden and the UK had so far enacted new ‘EU compliant’ laws (with the British law yet to take effect), it is not unusual for member states to miss the formal commencement date, and this should not be taken to indicate a lack of commitment. He also noted that the Commission would act on any failure to notify progress towards implementation, and that from 25 October, individuals can invoke the Directive in national and European courts even if there is no domestic law in place.
Bruhann anticipated a progressive implementation, and also reminded delegates that for data already being processed on 25 October, there is a three year transitional period.
As well as the well-known work of the Article 29 Working Party, comprising representatives of national data protection Commissioners, Bruhann noted that the Article 31 Committee, comprising government officials, has met twice since April and would meet again before 25 October to discuss, amongst other implementation issues, the development of mechanisms and processes for assessing adequacy of privacy protection in third countries.
DGXV, which provides the secretariat for both groups, had also been having formal discussions with the US Department of Commerce since January 1998, recently at senior level. Bruhann felt that there was a growing acknowledgement in the US that the level of privacy protection needed improvement, for good ‘domestic’ reasons, and not just because of the EU initiative. The Commission and the US Government were exploring possibilities for a common benchmark set of privacy principles, reflecting as a minimum the OECD Guidelines, and of mechanisms to provide easy and affordable remedies and independent enforcement.
Bruhann noted other developments outside the EU. Since last year’s conference Poland and Slovakia had enacted laws and the Canadian Government is proceeding towards legislation. There have been several meetings between the South and Central American countries, assisted by Spain and Portugal, and a model law is now on the agenda of the Iberian American Conference of Justice Ministers. He also singled out the Victorian Government proposals in Australia as representing an interesting new model of co-regulation.
The Council of Europe is updating Convention 108, adding a requirement for an independent supervisory authority and provisions relating to trans-border data transfers, and issued guidelines on Internet privacy in May 1998. Bruhann also mentioned the OECD Ministerial conference in Ottawa (which followed this meeting in October), for which a declaration has been drafted by a working group of officials chaired by Australia. The draft apparently re-affirms the continuing relevance of the 1980 OECD Guidelines and contains a commitment to achieving privacy protection in all OECD member countries, but is deliberately ambiguous as to the means by which this may be achieved. [See article on p 95 of this issue — Ed]. If this is the final outcome from Ottawa, Bruhann said, it will not shift the balance of arguments about law versus self-regulation one way or the other. The World Trade Organisation (WTO) has also included data protection in its e-commerce work program, but cannot be expected to move quickly.
Bruhann acknowledged these developments as useful but none went far enough to satisfy the clear need for a global solution with binding enforcement mechanisms and remedies.
He also issued a caution about the contribution of privacy enhancing technologies (PETs) — the EU’s Article 29 Working Party had commented in June on initiatives such as the Platform for Privacy Preferences (P3P) — and warned that P3P could actually diminish privacy protection unless implemented with care.
Bruhann concluded by noting developments within the EU itself. The 1997 Treaty of Amsterdam inserted a new data protection Article (286) into the Treaty of Rome and plans are well advanced for an EU supervisory authority to oversee the handling of personal data by Community Institutions. There are also proposals for revising the separate data protection protocols that apply in the police, justice and national security areas to which the EU Directive does not apply.
Barbara Wellbery of the US Department of Commerce was invited to address the conference. She stated forcefully that the US Government had no plans for a broad horizontal data protection law. The Department had received more than 600 submissions on its recent discussion paper, and there is a clear consensus acknowledging the importance of following the OECD Guidelines and the need for enforcement mechanisms. She briefly reviewed four significant private sector initiatives:
The US Government is relying heavily on the FTC’s powers in relation to unfair or deceptive practices to underpin effective self-regulation. Wellbery cited the recent Geocities case as evidence of how this approach can work [Other commentators have been sceptical about how far this one action to date against a ‘sitting target’ can be seen as signalling an effective program of enforcement, especially in light of the findings of the FTC survey of web sites earlier this year which showed dismal levels of compliance with even a basic notice principle — Ed].
Wellbery also noted the range of initiatives within the Federal Government announced by Vice-President Gore in July. These include proposed legislation or regulations to strengthen the Fair Credit Reporting Act and in the areas of medical records, children’s privacy, identity theft and fraudulent obtaining of financial records. There were also discussions with State and Local government about public register privacy issues, and the role of the Office of Management and Budget (OMB) under the 1974 Privacy Act is to be strengthened.
Later in the conference, Professor Joel Reidenberg from Fordham University in New York gave a very interesting paper commenting on the apparent ‘stalemate’ between the EU and those third country governments (notably the US) which are resisting comprehensive privacy law.
Reidenberg clearly outlined the growing difficulty as disparate data protection laws seek to deal with data flows, particularly on the Internet, which are seamless and know no borders. He pointed out that even within Europe, businesses would find it difficult to easily meet the varying requirements of the national laws (which will remain different even after the implementation of the Directive) with a single common standard. For example it would be difficult to draft wording for a notice to users on a web-site which would satisfy all the European laws. He also noted that European supervisory authorities do not seem in practice to be requiring the same standards that they are suggesting need to be met in other countries.
Reidenberg also reviewed the various attempts at achieving international harmonisation, pointing out the difficulties and obstacles they face. Somewhat surprisingly, he concluded that a new instrument is required. He suggested that a General Agreement on Information Privacy (GAIP) could be drafted, following a similar model to the 1947 GATT negotiations. GAIP would not only facilitate the co-existence of different data protection regimes, but also contribute towards harmonising these regimes.
Reidenberg also sees a role for other initiatives, including a biennial OECD conference, and more emphasis on technical codes and standards, for which data protection authorities may need to upgrade their skills.
New Zealand Commissioner Bruce Slane introduced a new argument into the debate by suggesting that the US reliance on litigation as the ‘remedy’ for privacy breaches meant that the private sector would always be fearful of major damages awards. Statutory regulation should perhaps be ‘sold’ to American business on the basis that it could limit their liability — compensation awards by a supervisory authority would be likely to be modest by comparison with damages in civil litigation, and could even be statutorily ‘capped’. He also reminded business that only comprehensive legislation can deal with the problem of ‘maverick’ companies which refuse to join self-regulatory schemes, damage the image of the sector, and gain an unfair competitive advantage by avoiding the costs of privacy compliance.
The focus on international issues inevitably drew attention away from the understandable desire of the Spanish hosts to showcase their law and practice. A draft revision of the 1992 data protection law is currently being considered, and a new Telecommunications Act in April 1998 incorporates privacy provisions to comply with the 1997 EU Telecoms Privacy Directive. [Note that all EC members are having to implement both the general and the telecommunications specific privacy Directives — the UK proposals can be found at http://www.dti.gov.uk/CII/tpdp/telecom.pdf]. Spain also has a new specific law controlling the use of video surveillance, with strict controls on fixed installations and somewhat looser regulation of mobile recording. There are 17 regional commissions overseeing this new law, and the exact relationship with the general data protection law is still being worked out.
In a useful session on public register privacy, Marcel Pinet, a member of the French Commission (CNIL), firmly rejected the often heard argument that personal information once in the public domain cannot and should not be protected — that it is ‘fair game’ for any use. He referred to both the increased technical capabilities — to store, search and retrieve — and the growing pressures of commercialisation as reasons why public register data more than ever needs effective privacy protection. He warned that if the issues in this area are left unresolved the result will be less availability of public data, which could harm other public and private interests. He cited telephone directories — in France more than 20 per cent of subscribers have chosen ‘silent’ lines (that is, unlisted numbers). Pinet suggested that the general objective should be to give people choices, but that some activities should be prohibited altogether — the CNIL has ruled that commercial solicitation using e-mail addresses is unlawful. He called for international agreement and action to deal with the issue of public register information available on the Internet.
On the same topic, NZ Commissioner Bruce Slane noted that public registers which involve a registration fee have another dimension: as well as having their data used for unrelated purposes without their knowledge or consent, registrants may effectively be subsidising third party use. Slane favours amendment of public register laws to clearly specify the intended and permissible uses, and cited his disagreement with the NZ Ombudsman over interpretation of the Official Information Act as an example of a law which is not clear. Like Pinet, Slane expressed particular concern over Internet publication of public register information and the loss of control that inevitably results.
Another useful discussion centred on the growing use of electronic toll systems to charge road users for the use of bridges, tunnels, freeways and city centre roads. The Dutch Data Registration Chamber has been closely involved in the design of a new system for roads in the Netherlands. President of the Chamber Peter Hustinx explained how this early participation had allowed for consideration of privacy from the start, with the smart card chosen providing for a separation of data flows. This will allow individuals to challenge bills without the toll operators needing to know the individuals’ identity. Legislation to regulate the system is pending, and it is not yet known if the Registration Chamber’s arguments for a wholly anonymous use option have been accepted. If not, there will nevertheless be strict safeguards, as there already are for the network of speed control cameras on Dutch roads.
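The ‘separation of data flows’ Hustinx describes can be made concrete. The following is an added illustration, not part of the conference report or the Dutch system’s actual design: the toll operator keeps trips and charges against a per-card pseudonym only, the card issuer alone holds the link between pseudonym and account holder, and a disputed line item is challenged with the pseudonym rather than a name. The class names, the HMAC-derived pseudonym and the sample holder and gantry names are all constructed for the example.

```python
"""Separation of data flows in an electronic toll system (constructed example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Charge:
    gantry: str
    amount_cents: int
    disputed: bool = False


class CardIssuer:
    """Holds the identity <-> pseudonym mapping; never sees individual trips."""

    def __init__(self):
        self._secret = secrets.token_bytes(32)  # key known only to the issuer
        self._holders = {}                      # pseudonym -> account holder

    def issue_card(self, holder_name: str) -> str:
        # The pseudonym is an HMAC over a random card serial: the operator
        # cannot reverse it to a holder without the issuer's key and table.
        serial = secrets.token_hex(8)
        pseudonym = hmac.new(self._secret, serial.encode(),
                             hashlib.sha256).hexdigest()[:16]
        self._holders[pseudonym] = holder_name
        return pseudonym

    def settle(self, pseudonym: str, total_cents: int) -> str:
        # Only an aggregate amount crosses from operator to issuer.
        return f"charge {total_cents} cents to account of {self._holders[pseudonym]}"


class TollOperator:
    """Records passages against pseudonyms only; holds no identity data."""

    def __init__(self):
        self._ledger: dict[str, list[Charge]] = {}

    def record_passage(self, pseudonym: str, gantry: str, amount_cents: int) -> None:
        self._ledger.setdefault(pseudonym, []).append(Charge(gantry, amount_cents))

    def dispute(self, pseudonym: str, gantry: str) -> bool:
        # The holder challenges a line item using the pseudonym alone.
        for charge in self._ledger.get(pseudonym, []):
            if charge.gantry == gantry and not charge.disputed:
                charge.disputed = True
                return True
        return False

    def bill_total(self, pseudonym: str) -> int:
        return sum(c.amount_cents for c in self._ledger.get(pseudonym, [])
                   if not c.disputed)

    def knows_identity(self, name: str) -> bool:
        # Check that no holder name appears anywhere in the operator's keys.
        return any(name in key for key in self._ledger)


def demo():
    issuer = CardIssuer()
    operator = TollOperator()
    token = issuer.issue_card("A. Driver")          # constructed sample holder
    operator.record_passage(token, "A12-north", 250)  # constructed gantries
    operator.record_passage(token, "Ring-east", 180)
    operator.record_passage(token, "Tunnel-3", 400)
    # The holder disputes one charge without revealing who they are.
    operator.dispute(token, "Ring-east")
    total = operator.bill_total(token)                # 650
    return total, operator.knows_identity("A. Driver"), issuer.settle(token, total)


if __name__ == "__main__":
    print(demo())
```

The operator’s ledger never contains a name, so a breach or subpoena of the operator’s records yields trip data that cannot be tied to a person without the issuer’s table; conversely the issuer learns only a settlement total, not where or when the card was used.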
It seems impossible for data protection ‘buffs’ to meet anywhere in the world without discussing privacy on the Internet, and Spain was no exception. Italian delegate Stefano Rodota led the call for seamless international rules that would allow free and fair competition in the global marketplace, while safeguarding Net users’ privacy. He noted that even in the US there is a growing recognition that relying on ‘negative’ consent in the form of an ‘opt-out’ facility is not enough. Reference was made to the Council of Europe’s draft Internet Privacy Guidelines, issued in May 1998 (http://www.coe.fr/DataProtection/elignes.htm).
Hong Kong Commissioner Stephen Lau explained how he was following up his guidelines for both Net users and website ‘owners’ by discussions with the consumer council about e-commerce guarantees and a consumer bill of rights. Collection of personal data from children over the Internet, without parental consent, appears to be a big issue in every country [Note that the Singapore Broadcasting Authority has also issued privacy guidelines for the Internet as part of an e-commerce Code for consumers: see www.sba.gov.sg — Ed].
Ontario Commissioner Ann Cavoukian stressed that legislation is not the complete answer to Internet privacy protection — protocols and technological choices will also be important. She declared an interest as a member of the WWW Consortium’s technical committee for P3P, but defended it against criticism from the EU and others, which she felt was too demanding. She saw P3P as better than nothing, and a good complement to binding rules where they exist. P3P will continue to evolve and criticisms are being taken into account in the design of further versions. The ‘default’ settings will be critical, and Cavoukian anticipated a role for consumer groups to provide and promote pre-packaged settings for different levels of privacy which Net users can just click to install in their browsers.
Security is sometimes taken for granted in privacy circles, as a routine ‘bread and butter’ issue which is usually assured for other reasons. The Spanish conference included a useful ‘reminder’ session about the need for attention to the often distinctive security concerns attaching to personal data. UK Data Protection Registrar Elizabeth France explained how the new UK Act introduces a specific reporting requirement where data users have to notify the Registrar of security measures. This is required by the EU Directive and should therefore become a feature of all EU regimes. The UK office is looking at an existing ‘standard’ (BS 7799), and equivalent international (ISO) standards, to see if they can be used, although the certification process is likely to be too onerous for small and medium sized enterprises. The Dutch Registration Chamber issued detailed security standards in 1994 which are consistent with the British Standard 7799, and which they see as being necessary before an organisation can be held to account in any audit. The British and Dutch delegates debated the merits and drawbacks of self-assessment of security standards, and John Bjorking from the Dutch Chamber emphasised the difference between network and database security. Hong Kong Commissioner Stephen Lau reminded the conference that in his experience, 80 per cent of security breaches were by authorised users making unauthorised uses, and suggested requiring two people to carry out some transactions as a simple procedural safeguard.
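Lau’s point is that access control alone does not catch an authorised user doing something they are not meant to do; the two-person rule is a procedural control that sits on top of it. The following is an added example, not code from the conference or from any of the bodies mentioned: an authorised user may perform routine operations alone, but designated sensitive transactions on personal data are executed only after a second, distinct authorised person has approved them, and every request, approval, denial and execution is written to an audit log. The user names, operation names and record identifiers are constructed for the example.

```python
"""Two-person control for sensitive operations on personal data (constructed example)."""
from dataclasses import dataclass, field

# Constructed sets for the example: operations needing a second person, and
# the users who are authorised to use the system at all.
SENSITIVE_OPS = {"bulk_export", "delete_record", "change_address"}
AUTHORISED = {"alice", "bob", "carol"}


@dataclass
class Request:
    op: str
    subject_id: str
    requester: str
    approvals: set = field(default_factory=set)
    executed: bool = False


class TwoPersonGate:
    def __init__(self):
        self.audit = []  # append-only record of every decision

    def request(self, user: str, op: str, subject_id: str) -> Request:
        if user not in AUTHORISED:
            raise PermissionError(f"{user} is not an authorised user")
        self.audit.append(("request", user, op, subject_id))
        return Request(op, subject_id, user)

    def approve(self, req: Request, approver: str) -> None:
        if approver not in AUTHORISED:
            raise PermissionError(f"{approver} is not an authorised user")
        if approver == req.requester:
            # Self-approval would reduce the rule back to one person.
            raise PermissionError("requester cannot approve their own transaction")
        req.approvals.add(approver)
        self.audit.append(("approve", approver, req.op, req.subject_id))

    def execute(self, req: Request) -> str:
        if req.executed:
            raise RuntimeError("transaction already executed")
        # A sensitive operation needs at least one distinct second person.
        if req.op in SENSITIVE_OPS and not (req.approvals - {req.requester}):
            self.audit.append(("denied", req.requester, req.op, req.subject_id))
            raise PermissionError(f"{req.op} requires a second authorised person")
        req.executed = True
        self.audit.append(("execute", req.requester, req.op, req.subject_id))
        return f"{req.op} on {req.subject_id} by {req.requester}"


def demo():
    gate = TwoPersonGate()
    # Routine read: an authorised user acts alone.
    r1 = gate.request("alice", "view_record", "S-1001")
    gate.execute(r1)
    # Bulk export of records: denied when attempted alone...
    r2 = gate.request("alice", "bulk_export", "S-*")
    denied_alone = False
    try:
        gate.execute(r2)
    except PermissionError:
        denied_alone = True
    # ...self-approval is rejected and leaves no approval behind...
    try:
        gate.approve(r2, "alice")
    except PermissionError:
        pass
    # ...and a second authorised person unlocks it.
    gate.approve(r2, "bob")
    gate.execute(r2)
    return denied_alone, r2.executed, [entry[0] for entry in gate.audit]


if __name__ == "__main__":
    print(demo())
```

The denied attempt is logged as well as the eventual execution, which is what makes the control useful against Lau’s ‘authorised user, unauthorised use’ case: the audit trail shows who tried to act alone, not just who succeeded with approval.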
Stuart Dresner of Privacy Laws and Business (PL&B) briefly explained ‘A comparative analysis of the interpretation and planned implementation by EU Member States of the EU Data Protection Directive’s Data Security Provisions’. This is a study being conducted for PL&B by Julia Brown at the University of Westminster, London, who is due to report later this year.
Nigel Waters, Associate Editor.