Privacy Law and Policy Reporter
compiled by Graham Greenleaf and Nigel Waters
Kathy Leigh, who has been Head of the Information Law Branch at the Commonwealth Attorney General’s Department for several years, has moved to become Acting Head of the Civil Law Division. Ms Leigh’s replacement will be Helen Daniels, who will commence in September. Amanda Davies of the Branch will act as Branch Head in the interim.
This change comes at a less than ideal time, with the draft Bill to extend privacy protection to the private sector due to be released and introduced in the next few months. However, such changes are regrettably all too common in Canberra and the new Branch Head may well bring a new enthusiasm to the task. Amanda Davies will provide the important element of continuity — editor.
The OECD secretariat has been developing a privacy statement ‘generator’ which will provide a template for organisations wishing to develop and promote their own ‘privacy statement’ either to comply with data protection laws or to attempt to satisfy the ‘adequacy’ standard required by the EU Directive. The generator has recently been tested by several data protection authorities and a version is expected to appear on the OECD web site in the next few months for public consultation.
David Loukidelis will be British Columbia’s next Information and Privacy Commissioner following David Flaherty, who completed his term at the end of July.
David Loukidelis is a Vancouver lawyer. He restricts his practice to the representation of British Columbia local governments and other public bodies. He was a founding member of the BC Freedom of Information and Privacy Association and served several years as a director and also served as the president. He has written reports on a wide variety of access and privacy matters. Mr Loukidelis has also been a member of the freedom of information and protection of privacy committee of the BC branch of the Canadian Bar Association since 1994.
Mr Loukidelis assumes his duties in mid-August 1999.
David Flaherty is remaining in British Columbia where he will, amongst other interests, consult on privacy and FOI issues.
The European Commission has decided to send reasoned opinions to France, Luxembourg, the Netherlands, Germany, the UK, Ireland, Denmark, Spain and Austria for failure to notify all the measures necessary to implement the Directive on the protection of personal data (95/46/EC). The reasoned opinions represent the second stage of formal infringement proceedings under art 226 of the EC Treaty. In the absence of a satisfactory response within two months of receipt by the Member State concerned, the Commission may decide to refer the cases to the European Court of Justice.
The data protection Directive, which entered into effect on 25 October 1998, establishes a clear and stable regulatory framework to ensure both a high level of protection for the privacy of individuals in all Member States and the free movement of personal data within the European Union (EU) (see IP/98/925). The Directive also establishes rules to ensure that personal data is only transferred to countries outside the EU when its continued protection is guaranteed, so as to ensure that the high standards of protection introduced by the Directive within the EU are not undermined.
Greece, Portugal, Sweden, Italy, Belgium and Finland have notified measures which implement the Directive in full. Denmark and the United Kingdom have notified measures partially implementing the Directive, but still need to adopt some additional national measures to complete their implementation. All other Member States are still in the process of adopting implementing measures. (The full conformity with the Directive of the measures adopted and notified remains to be verified.)
In any case, individuals are entitled to invoke some of the Directive’s provisions before national courts, in accordance with the case law of the Court of Justice (Marleasing case, C-106/89, 13.11.90). In addition, individuals suffering damage as a result of a Member State’s failure to implement the Directive are in some cases entitled to seek compensation before national courts, under the terms of the Court of Justice’s case law in the Francovich case (C-6/90 and C-9/90, 19.11.91).
Source: Press release, EU Commission, Brussels, 29 July 1999 http://europa.eu.int/rapid/start/cgi/guesten.ksh?p_action.gettxt=gt&doc=IP/99/592|0|RAPID&lg=EN.
Georgetown University’s Health Privacy Project has released a detailed report laying out how states are legislating medical records’ confidentiality. Entitled The State of Health Privacy: An Uneven Terrain, the report is the first publication of its kind to provide a comprehensive comparison of health privacy laws at the state level. The report reveals wide variability in the way states approach health privacy issues. Until this report, there has never been a factual record on which to assess the potential impact of federal legislation on state policies.
To view the full report go to http://www.healthprivacy.com.
Source: Meredith Carter, Health Issues Centre, Melbourne Tel: 03 9614 0500.
Bill C-54 (Canada’s omnibus e-commerce and privacy law which was introduced last October) failed to make it through a third and final reading before the House of Commons recessed for the summer on 11 June. Industry Minister John Manley (under whose auspices the bill was developed) promised it would be reintroduced in the fall.
If Bill C-54 does become law it will immediately apply to all federally regulated private and public organisations and then to all remaining businesses and organisations within four years. It establishes strict privacy regulations regarding the personal information that governments, organisations and businesses collect and mandates the Federal Privacy Commissioner to investigate any alleged abuses of privacy.
Most Canadian privacy activists strongly support privacy legislation but many are disappointed that Bill C-54 is not tougher. Some want to make privacy violations a criminal offence; some want the Commissioner authorised to award restitution directly (Under C-54, a complainant armed with the Commissioner’s findings must seek restitution in the courts); some think the maximum compensation ($20,000) the courts can award should be unlimited; and some believe the Commissioner should be given sweeping authority to randomly audit any business’ privacy standards even if no complaint has been made.
But many activists who tend to view privacy as a fundamental civil liberty or human rights are so eager for privacy legislation they have turned a blind eye to the unprecedented investigative powers the bill does give the Privacy Commissioner — powers which may, oddly enough, violate the spirit (if not the letter) of that section of the Canadian Constitution from which Canadians derive their right to privacy.
Section 8 of the Charter of Rights and Freedoms guarantees all Canadians the right to be secure against unreasonable search and seizure. That means, outside of certain extraordinary circumstances, the government or its agents may not search and/or seize private property without a warrant. By implication, it confirms a constitutional (although very limited) right to privacy.
Yet Bill C-54 grants the Privacy Commissioner, of all people, the authority to disregard s 8 of the Charter. The Commissioner may enter any premises, other than a dwelling-house, and may examine or obtain copies of or extracts from records found in any premises entered all without applying to the courts for a warrant. And he or she is not obligated to meet any minimum legal standard for probable cause before conducting a search or audit; it is sufficient that the Commissioner alone is satisfied that there are reasonable grounds to investigate a matter.
That’s not all. The Commissioner can detain any employee or employer (or anyone else on the premises) and, without informing them of their right to have counsel present, force them to answer questions under oath — which means that failure to oblige the Commissioner can result in a charge of contempt and lying, or misstating the truth, can result in a charge of perjury.
The Commissioner can carry out in those premises entered any inquiries that the Commissioner sees fit and can compel persons to give oral or written evidence on oath. And the evidence collected can be whatever the Commissioner wants it to be; no evidentiary standards apply. He or she can receive and accept any evidence, whether on oath, by affidavit or otherwise, whether or not it is or would be admissible in a court of law.
It is dangerous to ignore the civil liberties implications of this Bill. To lobby for it on the grounds that some kind of privacy legislation is better than nothing is shortsighted. While C-54 does have its merits, privacy legislation at any cost is a shameful mantra. We can only hope this Machiavellian ‘the ends justify the means’ approach adopted by Canada’s privacy activists is temporary.
You can read Bill C-54 for yourself at: http://www.parl.gc.ca/36/1/parlbus/chambus/house/bills/government/C-54/C-54_1/C-54TOCE.html.
For more on the dangers of Bill C-54 read ‘Ottawa’s privacy protection spells business obstruction’ at http://www.nationalpost.com/financialpost.asp?f™0422 /2508801&s2=opinion.
Source: Mark D Hughes, Executive Director of the Victoria, BC based Institute for the Study of Privacy Issues (ISPI), email: ISPI4Privacy@earthlink.net.