Privacy Law and Policy Reporter
compiled by Graham Greenleaf
No US State has yet enacted a comprehensive information privacy law covering the private sector, but such a Bill has now been introduced into the Hawaiian legislature as part of the House Majority legislative package. ‘A Bill For An Act Relating To Informational Privacy’, House Bill 1877 (<http://www.capitol.hawaii.gov/sessioncurrent/bills/hb1877_.htm>), was scheduled for Committee hearings on 31 January 2000.
In her letter requesting comments on the Bill, the Director of the Hawaii Office of Information Practices, Moya Gray, summarised the Bill as follows:
In brief, the legislation follows the Asia-Pacific Model adopted in New Zealand and Hong Kong. This model was discussed at the Data Protection Commissioner’s 21st Annual Meeting held in Hong Kong this past September as a viable alternative to the European model.
The Hawaii version of the Asian-Pacific model is an effective mechanism for the protection of personal information. The legislation sets forth basic privacy standards and establishes regulatory authority in the OIP including the ability to conduct audits and investigations, the ability to receive and act on complaints and other powers. Finally, it allows the director of the OIP to adopt codes of practice.
The Hawaii legislation is good for individuals and business. For individuals it sets forth clear standards that give them control of their own personal information. Individuals will have the power of consent, the power of access and correction, and they have the ability to bring complaints outside of the judicial system to the OIP.
For industry, the Hawaii legislation will create consumer confidence and trust by ensuring consistency and fairness in the way personal information is handled.
The Hawaii legislation has the potential to keep government regulation to a minimum, while giving industry a voice in that regulation. While industry specific codes of practice must meet standards set forth in the legislation, they will require the industry’s ‘expertise’ in their development. This means that a code of practice will be much more suitable for that industry than would a ‘one size fits all’ proposal.
For example, different industries could propose codes of practice that provide for complaints or dispute resolution to be handled by industry associational groups with a right of review to the Director of OIP.
Finally, having clear, enforceable standards will allow the State of Hawaii to become an acceptable portal of global information flows.
It is significant that Hawaii may look to its Asia Pacific neighbours, rather than North America, for its model for privacy protection.
In most respects the Bill appears to meet the EU’s standards for the ‘adequacy’ of laws of a whole jurisdiction, which would give Hawaii an advantage over other US States in its dealings with the EU. However, there does not seem to be any general provision by which the Director can make orders providing compensatory damages, which is one of the standards of adequacy proposed by the EU’s art 29 Committee (see lead story in this issue). Nor is the question of onward transfers (including to other States of the US) addressed directly. v
In 1999 the Queensland Parliament referred the Freedom of Information Act 1992 (Qld) (FOIQ) to the Legal, Constitutional and Administrative Review Committee (LEARC) for review. LEARC has issued Discussion Paper No 1, Freedom of Information in Queensland (February 2000, available at <http://www.parliament.qld.gov.au/committees/lcarcFOI.htm>), and has called for submissions.
The review has important implications for privacy in Queensland because the FOIQ is the only significant legislation in that State allowing individuals to access and correct their own records. The importance of the FOIQ to privacy is indicated by the Queensland Information Commissioner’s 1999 statistics showing that the vast majority of external review applicants are citizens seeking personal information.
Among the privacy issues of significance raised in the discussion paper are the following.
The discussion paper raises many other issues relevant to privacy —these are merely some of the highlights. Submissions close on 7 April 2000 and may be sent to by email to <firstname.lastname@example.org>.
Data Protection & Privacy Practice is a new UK publication edited by Dr Chris Pounder and published by Masons Solicitors. The first issue contains very extensive and practical analyses of the operation of UK data protection legislation and news from other jurisdictions, particularly in Europe. Subscription details are available at Masons’ website <www.masons.com> or from <email@example.com>.