
Privacy Law and Policy Reporter


Kirby, Michael --- "Privacy protection, a new beginning: OECD principles 20 years on" [1999] PrivLawPRpr 41; (1999) 6(3) Privacy Law & Policy Reporter 25

Privacy protection, a new beginning: OECD principles 20 years on

Hon Justice Michael Kirby

The OECD principles on privacy have an importance extending far beyond their subject matter. It concerns the capacity of law making institutions in democratic societies to respond to large and complex developments of global technology.

Let me remind you that this was a novel initiative for that hard nosed international body of economists and statisticians. The OECD had grown out of the Marshall Plan, by which the economies of Western Europe had been rescued from devastation by the drive, generosity and capital of the United States of America. As such, the OECD was not a body concerned with human rights. It could leave such nebulous and contentious topics to the Council of Europe, the European Court of Human Rights or the neverending debates in the United Nations, including in its agency UNESCO, meeting in Paris on the other side of the river Seine.

The concern which propelled the OECD into the issues of privacy was the fear that its member states would introduce incompatible and conflicting laws for the defence of privacy in the newly established databases of the interlinked information technologies. The fear that this would result in serious barriers to the generally free flow of data across the borders of the member states of the OECD and beyond was the cause that brought together the Expert Group on Privacy which I was elected to chair.

That we achieved consensus in the end was a remarkable tribute to the outstanding work of the OECD Secretariat, led for this topic by Mr Hans Peter Gassmann. Within the Expert Group there were brilliant antagonists. The chief US delegate, Mr William Fishman, expressed with great clarity the American commitment to the free flow of data and of ideas. The head of the French delegation, Mr Louis Joinet, led those in the Expert Group who were alarmed by the dangers to individual privacy of completely unrestrained collections of personal data, vastly expanded in quantity and kind by the new technology. Each protagonist spoke with sincere conviction and gathered supporters. The contemporary state of technology meant that US business interests stood to gain from the growth of informatics and the spread of transborder data flows. The French and European business interests, on the other hand, coincided generally with restrictions insistent upon privacy protection. Not for the first time, philosophy and law followed trade.

It is something of a miracle that the OECD Guidelines emerged at all. But they were able to draw on the work of the Nordic Council[1] and the Council of Europe.[2] The Guidelines gave depth and substance to the generalised statements about privacy in the international[3] and regional[4] statements of human rights — not that these guarantees have proved ineffective. On the contrary, the guarantee of private life in the European Convention was to be pressed into service to remove the criminalisation of homosexual conduct in Northern Ireland,[5] the Irish Republic[6] and Cyprus.[7] The guarantee of privacy in the International Covenant on Civil and Political Rights was invoked to precipitate the removal of Australia’s last criminal laws against private adult consensual homosexual conduct.[8]

Once adopted, the OECD Guidelines became highly influential on a broader plane throughout the member states of that organisation. The Australian[9] and New Zealand[10] statutes were profoundly influenced both by the privacy principles expressed in the Guidelines and by the high measure of flexibility which they suggested to be appropriate to each jurisdiction introducing them into its laws and practice.

The recent review of the New Zealand Act, after its first three years of operation,[11] found no substantial faults with the 12 information privacy principles contained in the Act, adapted from the OECD Guidelines. One commentator observed:[12]

That the original set of principles has largely stood up to five years of experience, in a myriad of different sets of circumstances and still looks pretty good ... must be seen as a solid endorsement of the decision to follow some other jurisdictions in enacting principles as such rather than attempt to reduce them to a set of precise and prescriptive rules. This is, of course, a credit to the good sense and scope of the original OECD principles and perhaps especially the 1988 Australian embodiment of them, upon which the NZ set was closely based. It is also a credit to Bruce Slane, who devoted the better part of the 1992-93 year to trying to get the NZ Act right.

Since the 1980 Guidelines on Privacy, the OECD has moved increasingly to a recognition of the close inter-relationship between an open and dynamic economy and an open and dynamic democracy operating under the rule of law. This has led the OECD, like the World Bank, into an increased appreciation of the importance of governance to economic development and hence of good governance in developing countries for the growth of global markets upon which depend the sustained economic viability and strength of the economies of OECD member states.

It was therefore unsurprising that, in October 1998 at Ottawa in Canada, the OECD convened a high level meeting of ministers and officials from the 29 member countries to consider, among other things, the privacy questions presented by the continuing rapid growth in electronic commerce.[13] Once again, it was a technological development with huge economic ramifications which had propelled the OECD into concerted action. Once again, in the words of the OECD Secretary-General, Donald Johnston, a major goal was to ‘lay down a rules-based framework to eliminate, or reduce, the downside risk’ perceived in electronic commerce.[14]

As a result of the Ministerial meeting, three declarations were adopted to establish baseline principles and goals and to provide guidance on the future work of the OECD.[15] One of these, the Declaration on the Protection of Privacy on Global Networks (the Ottawa Declaration), recognises the ubiquitous nature of digital computer and network technologies today. They offer the opportunity for great social and economic benefits towards information exchange, consumer choice, market expansion and continuing innovation. But they present problems for the fair collection and handling of personal data.

The Ministers in Ottawa recognised that the 1980 Privacy Guidelines of the OECD were still applicable in that they ‘represent international consensus and guidance concerning the collection and handling of personal data in any medium, and provide a foundation for privacy protection on global networks’.[16] The Ottawa Declaration affirmed the commitment of the governments of OECD member countries ‘to the protection of privacy on global networks in order to ensure the respect of important rights, build confidence ... and prevent unnecessary restrictions on transborder flows of personal data’. They saw this as a way to ‘build bridges between the different approaches adopted by member countries to ensure privacy protection on global networks based on the OECD guidelines’.[17] The Declaration also recognised that different countries would implement privacy protection by legal, self-regulatory, administrative or technological means. But the Ministers considered it important to encourage the adoption of privacy policies, the notification online to users of privacy policies, the promotion of user education and the encouragement of privacy enhancing technology.[18]

Although I appreciate that many participants at this conference come from countries outside the OECD, Hong Kong is an associate member, Japan, Korea, Australia and New Zealand are members, and the advanced economies of the OECD undoubtedly dominate information technology, transborder data flows and global networks. So the Ministerial Declaration on Privacy is extremely important. It signals a continuing commitment of the OECD to the protection of individual privacy. This unexpected child, conceived in a union of economics and human rights, born in 1980, is now 20 years old. Its parents have acknowledged and praised it. Yet the world of today, particularly the world of technology, has changed beyond recognition from the world into which it came nearly 20 years ago. It is timely to consider the changes and some of their implications. It is timely to ask, as The Economist did in May 1999: are we witnessing ‘the end of privacy’?[19]

Cyberspace and electronic commerce

The most important change is brought about by the growth of the world wide web, the unstoppable expansion of the internet and the rapid development of e-commerce. Use of the world wide web doubles every 12 months.[20] William Gibson’s vision of cyberspace[21] appears to be fast becoming a reality. Starting in 1995 with 8.5 million users, the internet is expected to reach over 142 million users by the year 2000.[22] Looking ahead, it is necessary to envisage the way in which the lives of human beings will be altered as the global network of interconnected users of information technology becomes bigger and ever more powerful.

A recent OECD document[23] listed 92 ways in which, it was claimed, the lives of ordinary people will be changed by the technology over the next 30 years. Global culture, education, employment, production and even crime will be affected. Privacy, it is argued, will be harder to maintain. Not unconnected with this, interpersonal relationships of human beings may become increasingly unstable. National governments will have limited control over cyberspace and over the pace at which globalisation of interconnected human consciousness is occurring.

Whereas in the past one of the chief protections for privacy lay in the sheer cost of retrieving personal information (and the impermanency of the forms in which much information was stored) such practical safeguards for privacy largely disappear in the digital age.[24] It is not always appreciated by users of the web that without specific initiatives on their own part, their visits to particular websites can often be resurrected, presenting a comprehensive profile of their minds. That profile may illustrate the subjects in which they are interested; their inclinations, political, social, sexual and otherwise.[25]

The extensive indexes on internet sites such as Yahoo[26] and the Altavista search engine[27] change forever the personal information profile of the individual. The OECD Guidelines of 1980 were prepared in the context of the technology then known and envisaged. But that was long before the internet and the web crawlers, spiders, robots and trawlers which have introduced completely new methods for an intense ‘dataveillance’ of the individual.[28]

It is in this context that there appears to be a need to review the 1980 OECD Guidelines, which are already showing signs of their age. Informed writers are already suggesting the necessity for new privacy principles apt to contemporary technology. The suggestions include:

The common theme of many of the suggested revisions of the OECD Guidelines is the need to render ‘data collection practices ... fully visible to the individual ... Any feature which results in the collection of personally identifiable information should be known prior to operation and ... the individual should retain the ability to disentitle the feature if he or she so chooses’.[32] Some might consider this too absolute a statement of disengagement. Others might question the marginal utility of undemanded notifications of all identifiable information about the individual without any initiative on the part of that individual. But clearly the ‘openness principle’ of the OECD Guidelines was always one of the weakest. The advent and potential of the internet require that there be new attention to it.

Similarly, the rapid growth of e-commerce has led to demands not only for national laws and self-regulation but for international co-operation within multinational bodies such as UNCTAD, WTO, the European Union, OECD, APEC and others. Commissioner Stephen Lau has drawn attention to the high level of concern reported among computer users and net users in 1998 about both the privacy and security of their personal data.[33] He has mentioned the demands of consumers and their representatives to be informed of the provider’s policy on data privacy; to have a choice of anonymity for browsing and transacting business; and to be able to ensure encryption facilities for the collection and use of sensitive data. One suggestion in this context is accreditation of information systems with a recognised ‘privacy seal’. This would provide effective assurance to consumers on the supplier’s compliance with an adequate privacy policy.[34] But we can be sure that governments will want to crack such seals where they consider this to be warranted for law enforcement, intellectual property protection and taxation objectives.

Genetic privacy

One of the most dynamic technological changes which is occurring today involves the marriage of information technology and human genetics. Scientists collaborating in the Human Genome Project are in the process of sequencing the entire genome and thereby discovering the keys that will unlock what have hitherto been the mysteries of the basic building blocks of life in the human and other species.

In future it will be possible to analyse the DNA of every individual and to gain a remarkably detailed map of that individual’s genetic predispositions and likely health. It may be anticipated that, unless restrained by law, governments, employers, insurers and others may, in some circumstances, seek access to data of this kind. Already in Australia a Genetic Privacy and Non-Discrimination Bill 1998 (Cth) has been introduced as a Private Member’s measure.[35] Because of the implications raised for genetic privacy and discrimination, a Senate Committee has recommended that the Bill be considered by a national working party. The primary purposes of the Bill are to establish an enforceable right to privacy of genetic information of an individual; to prevent any person collecting a DNA sample from an individual without informed consent and to make discrimination based on genetic information unlawful.

Concerns of this kind were simply not around when the OECD Expert Group delivered its report in 1980. Many of them did not exist when the report on security of information systems was delivered in 1992. Doubtless further and more complex developments will occur between now and the end of the next 20 years. What may be needed is an ongoing institutional arrangement by which the advances of technology and their implications for the OECD Guidelines on Privacy can be kept under constant review.

State of privacy

Also needed is a regular and universally respected report on the state of privacy, which is increasingly rendered vulnerable by the remarkable developments of technology. A recent review of Asian privacy and surveillance laws[36] found most of them inadequate. In the case of Hong Kong, the review criticised as unacceptably vague the procedural safeguards on the interception of telecommunications permitted by law.[37] In India, there is no privacy or data protection statute, and illegal wire-tapping by governmental agencies was said to be continuing.[38] In Japan, although legislation governing the use of personal information in computerised files held by government agencies was adopted in 1988 in line with the OECD Guidelines, the private sector is still substantially unregulated. Various complaints have been made concerning police video surveillance systems. The Republic of Korea, like Japan, has adopted legislation drawn from the OECD Privacy Guidelines[39] for the protection of personal information in public computer based information systems. Credit reports are regulated by statute in Korea. But there has been criticism of the lack of effective accountability of intelligence and police officials using electronic interception. In most other countries of Asia, removed from the stimulus and impetus of the OECD, the law is in an even more primitive and unprotective state.

It is therefore timely that this meeting should take place in Hong Kong, and that it should occur under the sponsorship of the Privacy Commissioner for Personal Data in Hong Kong. The venue and the host make the point that privacy is a universal value, as the instruments of the United Nations declare. It is not a culture-bound value only relevant to advanced Western democracies. While the exact content and priorities for privacy protection will differ from one country to another and will vary between different cultures, the core value is the same. It inheres in the dignity of each individual human being. It gathers universal significance because of the dynamic forces of global technology: the internet, global e-commerce and the Human Genome Project.[40]

A new beginning

In 1980, a small band of intrepid individuals in a transcontinental organisation representing different cultures among the rich countries of the world laid down a framework of privacy principles which has been extraordinarily successful and remarkably enduring. But that was the old testament. So dynamic have been the changes of technology in the interim that a new testament is now needed. It will embrace the outcomes of technological advances and recognise that they are overwhelmingly to the benefit of humanity. But it will also demand that they go forward with a social and legal regime that upholds and protects the individual’s right to privacy and to data protection and data security.

From humble beginnings much has been accomplished. The achievement of 1980 shows that international consensus can indeed be found and can be extremely useful. But it would certainly be remarkable if the words written in 1980 were to be the last expression of the international principles for personal privacy and data protection. They are not writ in stone. They exist in disembodied electronic form as befits our age of revolutionary technology. I hope that this conference will chart the way ahead for privacy protection for Asia and for the world.

According to The Economist it is too late. The editor says that we cannot even restore the levels of privacy enjoyed in the 1970s. Most people, he asserts, do not care. With greater surveillance comes the chance of greater safety in shopping malls and urban streets. A universal data bank of DNA will allow criminals to be found and convicted. International satellite monitoring of telecommunications by Echelon will make the world safer from terrorists. The Economist’s conclusion: ‘The best advice is: get used to it’.[41]

But not everyone takes this attitude. The European Union’s Data Protection Directive is striving to defend privacy values. Not many jurisdictions of the world outside Europe meet the Directive’s demand that the laws of other places, sharing personal data with European systems, must ‘effectively’ protect personal data. Already this has led to negotiations with a view to providing more effective privacy laws.[42] The Australian Government, after initially promising privacy protection laws applicable to the private sector and then resiling, has now returned to its original intention and new legislation is awaited.

There are two visions for the future here. One defends individual privacy. The other gives up. One asserts the capacity of law and policy-makers to uphold a fundamental human right in the face of technology. The other says it is impossible — and possibly unnecessary. Resolving these debates presents one of the greatest questions before humanity in the coming century. The resolution will shape the human environment and all that follows. There could scarcely be a more important reason for gathering in Hong Kong at this time and on this topic. What is at stake is nothing less than the future of the human condition.

This paper was the keynote address to the 21st International Conference of Privacy and Data Protection Commissioners in Hong Kong on 13 September, and is reprinted with the kind permission of Justice Kirby and of Stephen Lau, the Hong Kong Commissioner.

The Hon Justice Michael Donald Kirby AC CMG is a Justice of the High Court of Australia and a Commissioner of the International Commission of Jurists. He was Chairman of the OECD Expert Groups on Privacy (1978-80) and Data Security (1991-2).

[1] The history is told in Australian Law Reform Commission, Privacy Report no 22 vol 1 (1983) 264 and following.

[2] Council of Europe, Convention for the Protection of Individuals With Regard to Automatic Processing of Personal Data (adopted September 1980).

[3] Universal Declaration of Human Rights (1948) art 12; International Covenant on Civil and Political Rights art 17.

[4] European Convention of Human Rights, art 8; American Declaration of Rights and Duties of Man (1948) art V; American Convention on Human Rights (1969) art V; see also Bygrave L, ‘Data protection pursuant to the right to privacy in human rights treaties’ (1998) 6 International Journal of Law and Information Technology 247.

[5] Dudgeon v United Kingdom [1981] ECHR 5; (1981) 4 EHRR 149.

[6] Norris v Republic of Ireland [1988] ECHR 22; (1988) 13 EHRR 186.

[7] Modinos v Cyprus [1993] ECHR 19; (1993) 16 EHRR 485.

[8] Toonen v Australia (1994) 1 Int Hum Rts Reports 97, extracted in Steiner H J and Alston P International Human Rights in Context Oxford, 1996, 545. The decision led to the enactment by the Australian Federal Parliament of the Human Rights (Sexual Conduct) Act 1994 (Cth) and subsequently to the repeal of ss 122(a) and (c) and 123 of the Criminal Code (Tas) by the Tasmanian Parliament and the adoption of reformed non-discriminatory offences.

[9] Privacy Act 1988 (Cth).

[10] Privacy Act 1993 (NZ). The Act did not fully commence in operation until July 1996.

[11] McBride T, ‘The review process — taking on the critics’ (1998) 5 PLPR 6 at 101.

[12] Stevens B, ‘The Review’s treatment of the Information Privacy Principles’ (1998) 5 PLPR 6 at 120.

[13] ‘From barriers to solutions: the OECD Ministerial on Electronic Commerce’ (4th Quarter 1998) I-Ways 38.

[14] As above, 38.

[15] As above, 46.

[16] As above, 46.

[17] OECD Ministerial Declaration on Privacy on Global Networks (4th Quarter, 1998) I-Ways 48.

[18] The entire text of the Ministerial Declaration can be found at <http://www.>.

[19] See ‘The end of privacy’ The Economist 1 May 1999 p 11 and ‘The surveillance society’ The Economist, 1 May 1999, pp 17-19.

[20] Miller R, The Internet in Twenty Years: Cyberspace, the New Frontier? OECD, Paris, 1997; see also Kirby M D, ‘Privacy in cyberspace’ [1998] UNSWLawJl 47; (1998) 21 UNSW Law Journal 323.

[21] Gibson W, Neuromancer cited in M S Borella, ‘Computer privacy versus first and Fourth Amendment Rights’ at <>; see also France E, ‘Can data protection survive in cyberspace?’ (1997) 8 (2) Computers and Law p 20.

[22] Miller R, above note 20.

[23] Cornish E, ‘The cyber future: 92 ways our lives will change by the year 2025’ (1996) 30 (1) The Futurist p 27, abstracted in Miller R, above note 20 at 12.

[24] Greenleaf G, ‘Privacy in cyberspace: an ambiguous relationship’ (1996) 3 PLPR 5 at 88.

[25] Balz S D and Hance O, ‘Privacy and the internet: intrusion, surveillance and personal data’ (1996) 10 (2) International Review of Law, Computers and Technology 219.

[26] Greenleaf G, above note 24. A catalogue of internet privacy issues may be found at <>.

[27] See <>.

[28] Hilvert J in Information Age May 1996 pp 18-13 cited Greenleaf G, above note 24 at 89-90.

[29] Organisation for Economic Co-operation and Development, Guidelines for Cryptography Policy 27 March 1997 (OECD.doc.C (1997) 62/Final); Adams J, ‘Encryption: the next best thing?’ (1998) 2 Computers and Law 39 at 40.

[30] Greenleaf G, ‘Privacy Principles — irrelevant to cyberspace?’ (1996) 3 PLPR 6 at 114, 118.

[31] Clarke R, ‘Profiling and its privacy implications’ (1994) 1 PLPR 7 at 128-9; Wacks R, ‘Privacy in cyberspace: personal information, free speech and the internet’ in Birks P (ed), Privacy and Loyalty Oxford, 1997, p 93.

[32] Perritt H H and Lhulier C J, ‘Information access rights based on international human rights law’ (1997) 45 Buffalo Law Review 899 at 906 and following.

[33] Lau S, ‘E-commerce, consumer Rights and data privacy’ [3rd Quarter, 1998] I-Ways 37.

[34] As above, 38.

[35] Australia, Senate Legal and Constitutional Legislation Committee, Consideration of Provisions of the Genetic Privacy and Non-Discrimination Bill 1998 (March 1999).

[36] Banisar D and Davies S, ‘CILC’s survey of Asian privacy and surveillance laws’ (1998) 5 PLPR 5 at 86.

[37] Telecommunications Ordinance and Post Office Ordinance.

[38] Banisar D and Davies S, above note 36 at 87.

[39] Banisar D and Davies S, above note 36 at 88.

[40] Compare Hagel J and Singer M, ‘Private lives — electronic commerce’ (1990) 1 (7) The McKinsey Quarterly.

[41] The Economist, 1 May 1999, p 12.

[42] The revised Safe Harbor Privacy Principles, published 19 April 1999, may be seen at <>.
