Privacy Law and Policy Reporter
This year’s meeting of the International Privacy and Data Protection Commissioners, and the associated conference, were held in Venice, Italy in late September. Unlike at last year’s conference in Hong Kong, there was a relatively small contingent from Australasia, with the proceedings dominated by European and North American voices.
This brief report does no more than give a flavour of the proceedings, some of which are available online at <www.garanteprivacy.it>. David Flaherty’s review of the role of privacy impact assessments is reprinted elsewhere in this issue of PLPR. PLPR will seek to carry edited versions of other papers in forthcoming issues.
Among the more interesting papers was an overview of the different approaches to privacy regulation from Joel Reidenberg of Fordham University and Colin Bennett of the University of Victoria, as well as a very detailed and thought provoking paper entitled ‘The Death of Privacy?’ by Michael Froomkin of the University of Miami.
The conference is always a good opportunity for a simple factual update on regulation around the world. US Presidential Privacy Adviser Peter Swire reminded delegates of the substantial volume of law and rule-making in the US over the last year, including: enforceable rules for medical and financial privacy and websites targeting children; a prohibition on genetic discrimination in federal employment; and a range of measures to improve privacy compliance in federal agencies. He pointed out that the liberalisation of export controls on encryption technology will also contribute to better security for personal information. Swire also claimed that the Safe Harbour agreement was already leading to significant improvements in voluntary compliance with privacy principles by the private sector. Other delegates nevertheless continued to express scepticism about the level of effective privacy protection in the US lying behind the many ‘proposals’ and declarations of intent.
Raymond Wacks from the University of Hong Kong reviewed privacy regulation in the Asia-Oceania region and issued a timely warning to look beneath superficial ‘paper’ commitments to privacy — pointing out that there are states with constitutional guarantees of human rights, including privacy, where there are appaling records of abuses.
Ann Cavoukian, Privacy Commissioner of Ontario, called for more joint action between commissioners, drawing on her office’s experience of joint projects with the Dutch Commission and, more recently, with the Australian Federal Commissioner on online privacy seals. Cavoukian argued for the use of the existing OECD Guidelines as a basis for joint action. While acknowledging that they were in need of a review and probable update, she argued that they are quite good enough in the interim, and that priority should be given to implementing this agreed minimum standard rather than on ‘academic’ attempts to agree on a new and higher standard. Dutch Commissioner Peter Hustinx reported on moves by the Council of Europe to update Convention 108 to include reference to the important role of supervisory bodies, and delegates were also told that the EU would be reviewing and updating the Telecommunications Privacy Directive (97/66).
Various speakers, including David Banisar and Simon Davies from Privacy International, warned that Commissioners and data protection laws are at risk of ‘missing the boat’ on crucial systems design decisions that will determine the achievable level of privacy in the future. Decisions being taken in relatively unaccountable forums concerned with telecommunications, the internet and law enforcement are limiting the scope for anonymity or pseudonymity.
Another recurrent theme, highlighted by both Michael Froomkin and by Spiros Simitis, was the risk of the ‘commodification’ of privacy — reducing it to a tradeable commodity.
Australian Federal Privacy Commissioner Malcolm Crompton, presenting the regulatory response in Australia and his office’s strategic plan for promoting privacy compliance, made the good point that Privacy Commissioners are no longer the only privacy regulators — competition and fair trading bodies have a significant role to play in holding businesses to their privacy promises.
The closing plenary session featured Professor Spiros Simitis (arguably the pre-eminent elder statesman of privacy), Mark Rotenberg of the Electronic Privacy Information Centre and Privacy International, and Graham Watson, Chair of the European Parliament’s relevant committee. Simitis called for a return to basics, arguing that too many concessions have been made in many jurisdictions to competing public interests. His suggested ‘starting principles’ include a greater emphasis on non-collection — placing an obligation on data controllers to develop means not to use personal data; taking a risk on denying secondary uses of personal data even where it might serve other public interests; requiring more and more detailed notification of data subjects; and greater powers for supervisory authorities. While applauding the strength of Simitis’ arguments, conference host Stefano Rodota, the Italian Commissioner, warned of the strength and diversity of opposing forces.
Marc Rotenberg argued for the importance of the notice principle, not so much as a protection as a warning and awareness raising device. He also contrasted the need for greater transparency in the public sphere with the right to immunity from transparency (privacy) in private life. Rotenberg also reminded delegates that while there is a remarkable degree of consensus on fair information practices across jurisdictions, there are as yet no effective mechanisms to protect individuals as they increasingly transact across national borders. Like his colleagues Banisar and Davies, and Rodota, he warned of the forces arrayed against privacy — including international organisations pursuing trade and law enforcement objectives — and argued for parity for the privacy and consumer protection perspective, and the vital role of non-government organisations (NGOs).
Graham Watson reinforced the Privacy International view by flagging a forthcoming battle to defend cultural values, including privacy, in the next WTO round of trade liberalisation negotiations, and by referring to the ongoing controversy over the ECHELON communications surveillance system, which has arguably infringed the sovereignty of most countries as well as the privacy of individuals worldwide.
In keeping with a trend in recent years, the Commissioners issued a statement at the conclusion of the conference, titled the Venice Declaration. This is reproduced below.
Nigel Waters, Associate Editor.