Privacy Law and Policy Reporter
Hon Justice Michael Kirby
The OECD principles on privacy have an importance extending far beyond their subject matter. It concerns the capacity of law making institutions in democratic societies to respond to large and complex developments of global technology.
Let me remind you that this was a novel initiative for that hard nosed international body of economists and statisticians. The OECD had grown out of the Marshall Plan, by which the economies of Western Europe had been rescued from devastation by the drive, generosity and capital of the United States of America. As such, the OECD was not a body concerned with human rights. It could leave such nebulous and contentious topics to the Council of Europe, the European Court of Human Rights or the neverending debates in the United Nations, including in its agency UNESCO, meeting in Paris on the other side of the river Seine.
The concern which propelled the OECD into the issues of privacy was the fear that its member states would introduce incompatible and conflicting laws for the defence of privacy in the newly established databases of the interlinked information technologies. The fear that this would result in serious barriers to the generally free flow of data across the borders of the member states of the OECD and beyond was the cause that brought together the Expert Group on Privacy which I was elected to chair.
That we achieved consensus in the end was a remarkable tribute to the outstanding work of the OECD Secretariat, led for this topic by Mr Hans Peter Gassmann. Within the Expert Group there were brilliant antagonists. The chief US delegate, Mr William Fishman, expressed with great clarity the American commitment to the free flow of data and of ideas. The head of the French delegation, Mr Louis Joinet, led those in the Expert Group who were alarmed by the dangers to individual privacy of completely unrestrained collections of personal data, vastly expanded in quantity and kind by the new technology. Each protagonist spoke with sincere conviction and gathered supporters. The contemporary state of technology meant that US business interests stood to gain from the growth of informatics and the spread of transborder data flows. The French and European business interests, on the other hand, coincided generally with restrictions insistent upon privacy protection. Not for the first time, philosophy and law followed trade.
It is something of a miracle that the OECD Guidelines emerged at all. But they were able to draw on the work of the Nordic Council and the Council of Europe. The Guidelines gave depth and substance to the generalised statements about privacy in the international and regional statements of human rights — not that these guarantees have proved ineffective. On the contrary, the guarantee of private life in the European Convention was to be pressed into service to remove the criminalisation of homosexual conduct in Northern Ireland, the Irish Republic and Cyprus. The guarantee of privacy in the International Covenant on Civil and Political Rights was invoked to precipitate the removal of Australia’s last criminal laws against private adult consensual homosexual conduct.
Once adopted, the OECD Guidelines became highly influential on a broader plain throughout the member states of that organisation. The Australian and New Zealand statutes were profoundly influenced both by the privacy principles expressed in the Guidelines and by the high measure of flexibility which they suggested to be appropriate to each jurisdiction introducing them into its laws and practice.
The recent review of the New Zealand Act, after its first three years of operation, found no substantial faults with the 12 information privacy principles contained in the Act, adapted from the OECD Guidelines. One commentator observed:
That the original set of principles has largely stood up to five years of experience, in a myriad of different sets of circumstances and still looks pretty good ... must be seen as a solid endorsement of the decision to follow some other jurisdictions in enacting principles as such rather than attempt to reduce them to a set of precise and prescriptive rules. This is, of course, a credit to the good sense and scope of the original OECD principles and perhaps especially the 1988 Australian embodiment of them, upon which the NZ set was closely based. It is also a credit to Bruce Slane, who devoted the better part of the 1992-93 year to trying to get the NZ Act right.
Since the 1980 Guidelines on Privacy, the OECD has moved increasingly to a recognition of the close inter-relationship between an open and dynamic economy and an open and dynamic democracy operating under the rule of law. This has led the OECD, like the World Bank, into an increased appreciation of the importance of governance to economic development and hence of good governance in developing countries for the growth of global markets upon which depend the sustained economic viability and strength of the economies of OECD member states.
It was therefore unsurprising that, in October 1998 at Ottawa in Canada, the OECD convened a high level meeting of ministers and officials from the 29 member countries to consider, among other things, the privacy questions presented by the continuing rapid growth in electronic commerce. Once again, it was a technological development with huge economic ramifications which had propelled the OECD into concerted action. Once again, in the words of the OECD Secretary-General, Donald Johnston, a major goal was to ‘lay down a rules-based framework to eliminate, or reduce, the downside risk’ perceived in electronic commerce.
As a result of the Ministerial meeting, three declarations were adopted to establish baseline principles and goals and to provide guidance on the future work of the OECD. One of these, the Declaration on the Protection of Privacy on Global Networks (the Ottowa Declaration), recognises the ubiquitous nature of digital computer and network technologies today. They offer the opportunity for great social and economic benefits towards information exchange, consumer choice, market expansion and continuing innovation. But they present problems for the fair collection and handling of personal data.
The Ministers in Ottawa recognised that the 1980 Privacy Guidelines of the OECD were still applicable in that they ‘represent international consensus and guidance concerning the collection and handling of personal data in any medium, and provide a foundation for privacy protection on global networks’. The Ottawa Declaration affirmed the commitment of the governments of OECD member countries ‘to the protection of privacy on global networks in order to ensure the respect of important rights, build confidence ... and prevent unnecessary restrictions on transborder flows of personal data’. They saw this as a way to ‘build bridges between the different approaches adopted by member countries to ensure privacy protection on global networks based on the OECD guidelines’. The Declaration also recognised that different countries would implement privacy protection by legal, self-regulatory, administrative or technological means. But the Ministers considered it important to encourage the adoption of privacy policies, the notification online to users of privacy policies, the promotion of user education and the encouragement of privacy enhancing technology.
Although I appreciate that many participants at this conference come from countries outside the OECD, Hong Kong is an associate member, Japan, Korea, Australia and New Zealand are members, and the advanced economies of the OECD undoubtedly dominate information technology, transborder data flows and global networks. So the Ministerial Declaration on Privacy is extremely important. It signals a continuing commitment of the OECD to the protection of individual privacy. This unexpected child, conceived in a union of economics and human rights, born in 1980, is now 20 years old. Its parents have acknowledged and praised it. Yet the world of today, particularly the world of technology, has changed beyond recognition from the world into which it came nearly 20 years ago. It is timely to consider the changes and some of their implications. It is timely to ask, as The Economist did in May 1999: are we witnessing ‘the end of privacy’?
The most important change is brought about by the growth of the world wide web, the unstoppable expansion of the internet and the rapid development of e-commerce. Use of the world wide web doubles every 12 months. William Gibson’s vision of cyberspace appears to be fast becoming a reality. Starting in 1995 with 8.5 million users, the internet is expected to reach over 142 million users by the year 2000. Looking ahead, it is necessary to envisage the way in which the lives of human beings will be altered as the global network of interconnected users of information technology becomes bigger and ever more powerful.
A recent OECD document listed 92 ways in which, it was claimed, the lives of ordinary people will be changed by the technology over the next 30 years. Global culture, education, employment, production and even crime will be affected. Privacy, it is argued, will be harder to maintain. Not unconnected with this, interpersonal relationships of human beings may become increasingly unstable. National governments will have limited control over cyberspace and over the pace at which globalisation of interconnected human consciousness is occurring.
Whereas in the past one of the chief protections for privacy lay in the sheer cost of retrieving personal information (and the impermanency of the forms in which much information was stored) such practical safeguards for privacy largely disappear in the digital age. It is not always appreciated by users of the web that without specific initiatives on their own part, their visits to particular websites can often be resurrected, presenting a comprehensive profile of their minds. That profile may illustrate the subjects in which they are interested; their inclinations, political, social, sexual and otherwise.
The extensive indexes on internet sites such as Yahoo and the Altavista search engine change forever the personal information profile of the individual. The OECD Guidelines of 1980 were prepared in the context of the technology then known and envisaged. But that was long before the internet and the web crawlers, spiders, robots and trawlers which have introduced completely new methods for an intense ‘dataveillance’ of the individual.
It is in this context that there appears to be a need to review the 1980 OECD Guidelines, which are already showing signs of their age. Informed writers are already suggesting the necessity for new privacy principles apt to contemporary technology. The suggestions include:
The common theme of many of the suggested revisions of the OECD Guidelines is the need to render ‘data collection practices ... fully visible to the individual ... Any feature which results in the collection of personally identifiable information should be known prior to operation and ... the individual should retain the ability to disentitle the feature if he or she so chooses’. Some might consider this too absolute a statement of disengagement. Others might question the marginal utility of undemanded notifications of all identifiable information about the individual without any initiative on the part of that individual. But clearly the ‘openness principle’ of the OECD Guidelines was always one of the weakest. The advent and potential of the internet require that there be new attention to it.
One of the most dynamic technological changes which is occurring today involves the marriage of information technology and human genetics. Scientists collaborating in the Human Genome Project are in the process of sequencing the entire genome and thereby discovering the keys that will unlock what have hitherto been the mysteries of the basic building blocks of life in the human and other species.
In future it will be possible to analyse the DNA of every individual and to gain a remarkably detailed map of that individual’s genetic predispositions and likely health. It may be anticipated that, unless restrained by law, governments, employers, insurers and others may, in some circumstances, seek access to data of this kind. Already in Australia a Genetic Privacy and Non-Discrimination Bill 1998 (Cth) has been introduced as a Private Member’s measure. Because of the implications raised for genetic privacy and discrimination, a Senate Committee has recommended that the Bill be considered by a national working party. The primary purposes of the Bill are to establish an enforceable right to privacy of genetic information of an individual; to prevent any person collecting a DNA sample from an individual without informed consent and to make discrimination based on genetic information unlawful.
Concerns of this kind were simply not around when the OECD Expert Group delivered its report in 1980. Many of them did not exist when the report on security of information systems was delivered in 1992. Doubtless further and more complex developments will occur between now and the end of the next 20 years. What may be needed is an ongoing institutional arrangement by which the advances of technology and their implications for the OECD Guidelines on Privacy can be kept under constant review.
Also needed is a regular and universally respected report on the state of privacy, which is increasingly rendered vulnerable by the remarkable developments of technology. A recent review of Asian privacy and surveillance laws found most of them inadequate. In the case of Hong Kong, the review criticised as unacceptably vague the procedural safeguards on the interception of telecommunications permitted by law. In India, there is no privacy or data protection statute, and illegal wire-tapping by governmental agencies was said to be continuing. In Japan, although legislation governing the use of personal information in computerised files held by government agencies was adopted in 1988 in line with the OECD Guidelines, the private sector is still substantially unregulated. Various complaints have been made concerning police video surveillance systems. The Republic of Korea, like Japan, has adopted legislation drawn from the OECD Privacy Guidelines for the protection of personal information in public computer based information systems. Credit reports are regulated by statute in Korea. But there has been criticism of the lack of effective accountability of intelligence and police officials using electronic interception. In most other countries of Asia, removed from the stimulus and impetus of the OECD, the law is in an even more primitive and unprotective state.
It is therefore timely that this meeting should take place in Hong Kong, and that it should occur under the sponsorship of the Privacy Commissioner for Personal Data in Hong Kong. The venue and the host make the point that privacy is a universal value, as the instruments of the United Nations declare. It is not a culture-bound value only relevant to advanced Western democracies. While the exact content and priorities for privacy protection will differ from one country to another and will vary between different cultures, the core value is the same. It inheres in the dignity of each individual human being. It gathers universal significance because of the dynamic forces of global technology: the internet, global e-commerce and the Human Genome Project.
In 1980, a small band of intrepid individuals in a transcontinental organisation representing different cultures among the rich countries of the world laid down a framework of privacy principles which has been extraordinarily successful and remarkably enduring. But that was the old testament. So dynamic have been the changes of technology in the interim that a new testament is now needed. It will embrace the outcomes of technological advances and recognise that they are overwhelmingly to the benefit of humanity. But it will also demand that they go forward with a social and legal regime that upholds and protects the individual’s right to privacy and to data protection and data security.
From humble beginnings much has been accomplished. The achievement of 1980 shows that international consensus can indeed be found and can be extremely useful. But it would certainly be remarkable if the words written in 1980 were to be the last expression of the international principles for personal privacy and data protection. They are not writ in stone. They exist in disembodied electronic form as befits our age of revolutionary technology. I hope that this conference will chart the way ahead for privacy protection for Asia and for the world.
According to The Economist it is too late. The editor says that we cannot even restore the levels of privacy enjoyed in the 1970s. Most people, he asserts, do not care. With greater surveillance comes the chance of greater safety in shopping malls and urban streets. A universal data bank of DNA will allow criminals to be found and convicted. International satellite monitoring of telecommunications by Echelon will make the world safer from terrorists. The Economist’s conclusion: ‘The best advice is: get used to it’.
But not everyone takes this attitude. The European Union’s Data Protection Directive is striving to defend privacy values. Not many jurisdictions of the world outside Europe meet the Directive’s demand that the laws of other places, sharing personal data with European systems, must ‘effectively’ protect personal data. Already this has led to negotiations with a view to providing more effective privacy laws. The Australian Government, after initially promising privacy protection laws applicable to the private sector and then resiling, has now returned to its original intention and new legislation is awaited.
There are two visions for the future here. One defends individual privacy. The other gives up. One asserts the capacity of law and policy-makers to uphold a fundamental human right in the face of technology. The other says it is impossible — and possibly unnecessary. Resolving these debates presents one of the greatest questions before humanity in the coming century. The resolution will shape the human environment and all that follows. There could scarcely be a more important reason for gathering in Hong Kong at this time and on this topic. What is at stake is nothing less than the future of the human condition.
This paper was the keynote address to the 21st International Conference of Privacy and Data Protection Commissioners in Hong Kong on 13 September, and is reprinted with the kind permission of Justice Kirby and of Stephen Lau, the Hong Kong Commissioner.
The Hon Justice Michael Donald Kirby AC CMG is a Justice of the High Court of Australia and a Commissioner of the International Commission of Jurists. He was Chairman of the OECD Expert Groups on Privacy (1978-80) and Data Security (1991-2).