Privacy Law and Policy Reporter
This is an edited and updated version of a paper first delivered to a plenary session of the 21st International Privacy and Data Protection Commissioners Conference in Hong Kong in September 1999. The concept of an Asia-Pacific model of privacy regulation, introduced in the paper, has subsequently been taken up in official inquiries in several jurisdictions. The most significant revision is, sadly, the downgrading of the proposed Australian legislation from the most advanced form of the model. Further details released in December 1999 of the Federal Government’s proposals suggest a major retreat and lost opportunity because of some far reaching exemptions and a failure to provide adequate enforcement mechanisms. Nevertheless, the structure of the model remains, in the author’s view, an attractive ‘third way’.
The questions posed to contributors to this session were ‘Is the EU Directive a model for the world or an unnecessary hurdle to international data sharing?’ and ‘Is there a “right way” to protect personal privacy?’.
To declare my hand at the outset, my answers are ‘Neither’ and ‘No, but there are some essential elements’.
Nearly a year on from the EU Directive coming into force, other governments and interested parties can be forgiven for wondering if the Europeans are bluffing about restrictions on transborder transfers of personal information. At the time of writing, no transfers have to my knowledge been blocked by European supervisory authorities since the Directive came into force in October 1998, and no such challenges are pending. This can partly be explained by the delay in some EU Member States in amending their domestic data protection legislation. But even where ‘export prohibition’ provisions are already in place, there has been little sign of enforcement action.
Despite the lack of action the European authorities, in their discussions with the US Government, continue to demand a higher standard than the Americans have so far been prepared to concede. In their response to the revised (April 1999) ‘safe harbour’ proposals, the EU’s Article 29 Working Party found fault with several aspects of the US scheme. Consistent with the EU view from the outset of the discussions, the Working Party emphasised the need for a more general right of ‘subject access’ and for more effective monitoring and enforcement mechanisms. The US authorities addressed the perceived weaknesses through a set of frequently asked questions which would have the status of ‘authoritative guidance’. (As at March 2000, it appears that the EU Commission has effectively accepted the US ‘safe harbour’ scheme as providing ‘adequate protection’, although it remains to be seen if this satisfies either the individual EU data protection laws and Commissioners, or — probably more importantly — the growing pressure for effective protection from US consumers.)
And yet the two year deadlock was largely about means rather than ends. Of the European Working Party’s outstanding criticisms, only its insistence on strong subject access rights can be truly characterised as being about ends or objectives. Some of the other improvements suggested by the Working Party seem designed more to force others to accept the European means of achieving the underlying objectives, rather than being about the objectives themselves. One example is the criticism of the ‘notice’ principle for not requiring specific and highly detailed matters to be included in notices to individuals. Surely informing individuals that data is ‘collected only to the extent necessary to fulfil the purposes of collection’, and about the type of information collected, is at worst redundant (self-evident), and at best not a ‘touchstone’ matter to be dictated by the EU? Many of the non-European privacy laws contain ‘notice’ principles which vary considerably in the detail which they require. It has generally been assumed that the exact specification of such a principle can be a matter left to each jurisdiction.
The ‘tone’ of prescriptive and wordy regulation, also evident in the Working Party’s suggested wording of the access principle, regrettably feeds the perception by many Americans, and others, that the model of data protection being required by Europeans is an alien form of heavy handed regulation.
In the debate with the US, the EU and its member state representatives seem to fail to present the true position, which is that the minimum standards for adequate protection they have been proposing for almost two yearsare almost entirely about ends rather than means. They have not emphasised enough the major differences between what the Directive requires of Member States, and the aspirational nature of its approach to adequacy in third countries.
It would have helped to have communicated more clearly those aspects of the European model which the EU was not attempting to impose on third countries. These include, crucially:
On the face of the six core criteria as set out in the EU Working Party’s First Orientations paper, third countries are left with a wide range of options for delivering the desired outcome, to which the US and other OECD members are already committed in principle through their adoption of the 1980 Guidelines.
Third countries were unfortunately given the impression that while the words seem to invite flexibility and alternative approaches, the Europeans were in effect seeking to impose a set of requirements which can only eventually be satisfied by a data protection law along the lines of those required within Europe by the EU Directive. This perception is, I suggest, re-inforced by much of the detail in the art 29 Working Party’s papers (although the reported ‘settlement’ in March 2000 would obviously make it clear that the EU was not prepared, in the end, to even require the minimum level of enforceable protection that had appeared to be their ‘bottom line’).
Resistance to the imposition of a European model law appears to have been based on two main categories of argument: firstly, that the model is an outdated response to the ‘problem’ of privacy intrusion that has failed to take into account either technological or structural and organisational changes; and secondly, that the model places too much faith on the efficacy of centralised supervisory authorities. There is also, increasingly, a third and more fundamental basis of criticism: that not only the European model, but also the underlying OECD Principles, need to be reviewed in light of changing perceptions of the nature of privacy, which are exposing the fragile nature of the consensus about privacy as a value to be protected.
There has been general agreement to date that the principles in the OECD Guidelines of 1980 are still an appropriate and suitable foundation for data protection laws, although there is clearly room for differences of opinion about how these principles translate into more specific rules, particularly in relation to choice and consent. The OECD itself has only recently re-affirmed the relevance of the 1980 Principles. The other set of ‘foundation’ principles — those in the Council of Europe (CoE) Convention — parallel the OECD model and are still forming the basis of contemporary advice on specific technological issues.
Data protection authorities have found it relatively easy to adapt the guidance they give on compliance with data protection or privacy principles to the circumstances of new technologies such as smart cards and the internet.
While this is the ‘official’ position of governments and many regulators, there are many critics who have argued, to varying degrees, that the OECD Principles do need reviewing in light of technological change. They point to such developments as relational databases, geographic information systems and decision-making algorithms which only bring data together for a brief instant of processing. These developments, they argue, invalidate the assumption of an identifiable set of data, held for one or more specified purposes, which underlies the OECD Principles. Critics also point out that the OECD Guidelines only specify standards for fair information handling, and are silent on the nature of remedies and enforcement mechanisms.
Less well documented and debated has been the effect of structural and organisational changes on the relevance of the OECD Guidelines (and the Council of Europe Convention). These changes include greater diversification within business groups and the growth of joint ventures, including loyalty programs. These developments are blurring the traditional boundaries between legal entities, such that it is becoming increasingly difficult to say with confidence who is the owner or custodian of any particular data. In the course of conducting privacy reviews or audits it is often very difficult to get some managers to even understand the concept of custodianship of data, which is often seen as a shared, common resource to be used or ‘mined’ for different purposes and different beneficiaries.
The same phenomena is found in the public sector, where efficiency and cost reduction pressures, together with the administrative potential of matching and profiling, have led formerly autonomous departments and agencies to come together to share data. Increasingly, we find ‘whole of government’ and even intergovernmental information management strategies which emphasise accessibility and commonality. It is often difficult to get these strategies to pay more than lip service even to statutory privacy requirements, let alone the underlying principles of purpose limitation and consent.
In both the public and private sectors, pressures to share data for cross-selling or administration are encouraged by the growth of outsourcing. Contracting out non-core functions, including data processing, has become commonplace, and there is an obvious temptation for the contractors to seek cost savings and efficiencies by sharing and cross-matching data held for different clients. Express contractual conditions can seek to prevent such uses, but it has not always been easy to gain recognition for privacy principles in the outsourcing process. There is also a growing concern, in relation to outsourcing of government functions, that contractual provisions can never substitute completely for the range of accountability mechanisms which apply within the public sector. Also, in many jurisdictions, contractual terms can only be enforced by the parties to the contract, leaving individuals affected by privacy breaches by a contractor without any direct recourse. In Australia, the Federal Government has accepted the need for the existing privacy law, which covers government agencies, to be extended to cover contractors providing services to those agencies, although the legislationhas been delayed in Parliament.
One response to perceived inadequacies of the traditional (OECD and CoE) benchmarks has been to call for new international instruments. Proposals to this effect have been advanced by Greenleaf, Bennett, the International Standards Organisation and Reidenberg. Whether it is necessary to go to this trouble is doubtful. There may be a need to add additional principles, such as those on anonymity, no disadvantage and justification included in the Australian Privacy Charter, developed under the chairmanship of Justice Michael Kirby.But the problems of interpretation, and of application in practice, that arise with the OECD based principles are equally likely to arise with any new formulation. Reaching agreement on implementing the already agreed principles is proving difficult enough, without opening up the possibility of disagreement on a revision of the principles.
The EU has consistently argued the need for an independent supervisory authority. Given that this seemed, for much of the last two years, to be one of the main sticking points in the EU-US discussions, it is worth re-examining the value and track record of the existing supervisory authorities.
It may not be a popular move to criticise Commissioners at their own conference, but a little healthy self-examination is probably overdue. These events can too easily turn into an exercise in mutual admiration and congratulation. While deserved in some respects, the value of Commissioner’s offices is by no means self-evident. Take two tests of their contribution — public recognition and their effectiveness in limiting surveillance.
How well known are the existence and functions of the Commissioners among their citizenry? A secondary indicator is the level of use of their services — how many enquiries and complaints do they handle? Neither of these indicators should necessarily be taken as the only, or even the most significant performance measure, and the regrettable tendency of government auditors and finance ministries to focus exclusively on these measures should be resisted. Commissioners are right to point out that many breaches of privacy principles never come to the notice of the individuals affected, and that their activities are more valuable in preventing privacy intrusive practices than in remedying them after the event.
Nevertheless, Commissioners should not be satisfied with the generally low level of public awareness and understanding of their existence and role.
It is difficult to know how to raise public awareness, as privacy is not a salient issue for most people most of the time — and when it does hit the headlines, it is all too often portrayed in an unduly exaggerated and alarmist light which can be readily dismissed by government or corporate spokespersons. The media also tend to favour the easily reported but comparatively trivial issues like direct marketing and security breaches over the more complex but more significant privacy intrusions such as telecom-munications interception and biometric identification.
While innovative ways of increasing public awareness can and should be tried, it is doubtful if Privacy Commissioners can ever become household names. It would be better to see them as working largely behind the scenes to orchestrate the ‘mainstreaming’ of privacy issues into people’s everyday life experiences.
Another performance indicator for Privacy Commissioners is their ability to act as a brake on privacy intrusion. There is the perennial question of whether supervisory authorities, with inevitably limited capacity to stop privacy intrusive developments from being authorised, may serve more to legitimate surveillance than to constrain it. This was essentially the thesis of David Flaherty’s seminal book Protecting Privacy in Surveillance Societies,and I doubt if seven years as British Columbia’s Information and Privacy Commissioner has done anything other than reinforce his fears.
Has the existence of data protection supervisory authorities in Europe, in some cases for more than 20 years, significantly restricted the growth of governmental and private sector surveillance? Do the citizens of European countries enjoy greater freedom from surveillance that their counterparts elsewhere?
The absence of supervisory authorities does not seem to inhibit the popular response in the US to major privacy intrusive initiatives. The recent reaction to the surveillance potential of both the Pentium III Chip identifier and of the proposed ‘Know your Customer’ law are only the most recent examples of effective and ultimately successful ‘grassroots’ campaigns. Particularly in relation to the bank monitoring, it is doubtful if government appointed Privacy Commissioners would have felt able to articulate and lead the campaign, or to have assisted more than marginally. Many countries with data protection laws, and Commissioners, have meekly accepted levels of financial surveillance far in excess of what was proposed in the US.
Judging from European and Australian experience the most that can be expected in the face of major surveillance proposals is a report highlighting the privacy dangers but confirming the government’s right to propose privacy intrusive measures where they consider other public interests to outweigh privacy protection. It is only rarely that Privacy Commissioners have felt able to take a public position firmly opposing a major government initiative.
Admittedly, the surveillance limiting role of privacy laws, and of Commissioners, is not universally accepted. There is strong support, particularly in government, for the view that data protection is primarily about safeguards and rights, locking onto whatever level of surveillance or intrusion is decided in other forums. Critics of interventionist Commissioners argue that they overreach their legitimate functions by challenging initiatives by representative governments or major commercial decisions.
It can be argued that having an independent watchdog at least able to research and report on privacy dangers, as the UK Registrar did in relation to the British government’s ID card proposals in 1996, can only help by providing ammunition for less constrained campaigners.
But against this ‘resource’ role must be weighed the critical benefit to the government of being able to ‘reassure’ the public that the existence of the supervisory authority, its demonstrated ability to make critical comment and its continuing role in ensuring compliance with the law are sufficient safeguards.
Europeans are not necessarily more trusting of government, but tend to see legislation and oversight bureaucracies as a useful potential check and balance, even against government itself. In contrast, many Americans have a much more deep-seated mistrust of any governmental action or instrumentality, preferring to rely on direct lobbying and on vigorous use by private individuals of both the common law and, where absolutely necessary, targeted statute law to limit the power of the state or big business.
On both these tests, public recognition and surveillance limitation, the value of external supervisory authorities acting alone has to be questioned. Flaherty’s worst fears have not been realised — it would be unfair to condemn them as ‘toothless and blind watchdogs’ — and they have at least succeeded in keeping the flame of privacy alive, if flickering fitfully, in the face of massive pressures. But as many Commissioners recognise, their efforts can only scratch the surface of compliance, exercise of individual rights, and defence against further privacy intrusion. A greater role for self-regulatory (or co-regulatory) initiatives and for individual self-help must accompany regulatory action if the ‘mainstreaming’ of privacy is to be accomplished.
Acceptance of data protection principles, whether the OECD version or one of the many variants, still leaves a lot of room for different interpretations and outcomes in their application. It has long been clear that understanding of what privacy means varies considerably both between and within jurisdictions.
At a personal level, most people (even Commissioners) are somewhat schizo-phrenic about the issue. Most of us have strong feelings about some other issues — public health, pornography, child abuse, tax fraud, vandalism — which tend to override our ‘default’ position on privacy.
There are also different cultural starting points in communities which have made different trade-off between competing public interests. Very different public attitudes in different countries to ID cards, compulsory voting or immunisation, scrutiny of financial transactions and openness of tax records are just some examples. While it is dangerously simplistic to associate these differences with ethnicity (there is, for instance, no evidence for the existence of a distinct set of ‘Asian’ values), there do appear to be factors of historic and socio-political experience which influence these cultural baselines.
In most jurisdictions, support for privacy can be found across the political spectrum — it is not a ‘cause’ that is traditionally associated with either the left or the right. Like some other ‘civil liberties’ issues it has attracted support from socialists, liberals and conservatives on grounds of fundamental human rights and freedoms. Unlike many such issues, it also has an appeal to hard-nosed business interests which can see the economic advantages of satisfying consumer concerns in order to facilitate trade. This, after all, was the main reason for the development of the 1980 Guidelines by the OECD — an organisation focused on economic growth and trade.
The breadth of this support can be a strength but also a weakness; the fact that political opponents are espousing the same cause makes many politicians instinctively suspicious, and as a result their support for privacy is often lukewarm and opportunistic rather than principled. Political support for privacy rights rarely survives in the inevitable cases where those rights are exercised by someone who is perceived by the community as a ‘wrongdoer’.
Politicians’ support for a consistent and principled application of privacy is also weakened by direct self-interest. Self-serving interpretations of the principles to avoid accountability are all too common, sitting uncomfortably alongside a wilful disregard for the privacy of others when their rights get in the way of political point scoring. In Australia, the federal Parliament has so far resisted the suggestion that Members, who are currently exempt from the Privacy Act, should subject themselves to a code of conduct incorporating the information privacy principles, despite repeated urging by the Privacy Commissioner, following a number of unfortunate privacy breaches.
Aside from the fickleness of political support for privacy, there are also good reasons why more general public support for privacy rights is only shallow. It is difficult to be passionate about a right which has to be so heavily qualified, and so often must defer to other important public interests. Compared to other human rights or consumer issues, privacy is never absolute. Few seek to deny that racial discrimination, or deceptive trade practices, are always wrong. But as Fred Cate has pointed out, privacy is always contextual — a breach of a privacy principle may be unacceptable in many circumstances, but is usually accepted as justified in at least some circumstance.
One such circumstance, where privacy intrusion can often be justified, is in news and current affairs reporting. The potential for privacy rules to interfere with freedom of speech, and with the important ‘fourth estate’ role of the media, gives rise to some of the most virulent criticism of existing and proposed privacy laws. It doesn’t seem to matter how far privacy advocates bend to recognise the need for a balance in this area, or how carefully media exemptions are crafted. The EU Directive makes a considered attempt at a balance, but the implementation of the ‘journalistic’ derogation in art 9 in domestic laws is and will remain controversial.
Media organisations seem unwilling to accept that privacy rules should apply in any way to their activities, even when they are only incidentally connected with reporting of news or public affairs. They have also proved remarkably resistant to admission that even in the reporting area they are capable of excesses. Fiercely protective of self-regulation in most countries, the media have sadly failed to show themselves able to police the boundaries of privacy intrusion.
The experience of the New Zealand Privacy Commissioner, who has endured a constant barrage of misinformed criticism from the media, is salutary. In Australia, simmering opposition recently boiled over into a provocative article by a member of the Press Council entitled ‘Excessive Privacy Laws Undermine Democracy’.
Regrettably, the media are so powerful that it is almost certainly expedient not to take them on in the drafting of new privacy regimes — particularly in the US, where First Amendment rights are defended so passionately. The issue of balancing privacy and freedom of the press has always justified separate consideration. While there is no such principled reason for exempting the other activities of media organisations from privacy rules, the risk of concerted media opposition to the whole concept probably justifies a broad exemption, leaving this important issue to be settled in other forums.
There have always been some influential voices questioning the underlying premise that privacy rights matter. Often, the motives of these critics have been suspect. Some are unashamedly apologists for an unfettered ‘right’ of business to use customer information as a commodity without regard to the wishes of the individual. Similarly, there are those who genuinely believe the mantra ‘only the guilty have anything to hide’ and see privacy only as a shield for wrongdoing. One only hopes that these critics never find themselves erroneously exposed to the power of the state in law enforcement mode — or perhaps we should hope that they do, to enlighten them to the dangers!
Self-serving resistance to privacy has always been relatively easy to confront. More difficult to deal with are the seemingly increasing number of academic critiques of the traditional formulation of information privacy rights. The most recent of these comes from sociologist Amitai Etzioni, who argues that obsessive concern about the visibility of personal information is damaging individuals’ interests in maintaining control over private choices.In effect he says that advocates of accepted information privacy principles risk losing far more personal autonomy by clinging to outdated notions of ‘private space’. This is because societal interests in such areas as public health and law enforcement can be satisfied either by greater transparency (monitoring or surveillance) or by direct compulsion. If denied the former, governments will demand the latter.
Esther Dyson also calls for consumers to accept greater visibility of their ‘online’ activities, placing her faith in initiatives such as TRUSTe and P3P which can empower individuals to negotiate the terms of privacy intrusions.In similar vein, a respected Australian academic lawyer, former Commonwealth Ombudsman and current Chairman of the Australian Press Council, last year wrote provocatively about an unrealistic public expectation of privacy. He asserted that the electronic media have irreversibly raised the acceptable level of privacy intrusion and that the print media must follow suit, saying ‘the danger for Press Councils is that to stay with the language of privacy is to adopt a criterion that is fast losing any definition’.
These influential voices are lending respectability to the old familiar refrain that has been heard ever since information privacy laws were first debated in the 1960s: ‘It’s all too late — we can’t expect privacy any more.’ For most privacy advocates and regulators this is a counsel of despair, heard mainly as an uninformed ‘kneejerk’ reaction, which we constantly fight against in print and on the airwaves. But it is going to require a new level of argument to rebut the new, more sophisticated chorus leaders.
The proposition that individuals be empowered to manage their own privacy is seductive, and no one would wish to stand in the way of any such developments. But to rely on this as the only means of privacy protection in the future flies in the face of all experience. As Dyson acknowledges ‘[customers] are too busy consuming, or working, or just living regular lives’ to be good at protecting their own interests. It is quite unrealistic to expect individuals to negotiate each and every transaction, to overcome the inevitable power imbalances and to resist the economic incentives that would be offered. Personal information practices are a good example of where we need to make collective social choices to take account of broad long term implications.
Identifying the sources of criticism, and the false premises on which it is often based, is an essential precursor to a successful defence of privacy values. There is no point in privacy advocates complaining about the current assault on those values, or about being misunderstood. It is up to us to win the arguments and convince the doubters that we have an answer to their criticisms, however difficult that may be.
Finding a new international consensus on the best way of protecting information privacy may also be the best way of meeting the challenges of technological and organisational changes, and of changing perceptions.
There are now some useful models which combine the best of the European experience without its bureaucratic overtones. A healthy scepticism about the limits and pitfalls of state regulation can be combined with an acknowledgement that the private sector is incapable of delivering self-regulation without the stimulus of legal requirements. The EU left open the possibility of adequacy being delivered without legislation (and, judging from the reported ‘safe harbour’ settlement, has now expressly accepted a non-statutory solution). However, it remains clear that a legislative framework would avoid the complexities of assessing adequacy on a case by case or sectoral basis. (Even under ‘safe harbour’ it will still be necessary for businesses involved in particular data transfers to show that they are part of an ‘approved self-regulatory scheme’. This will remain a much less satisfactory solution than simply being able to rely on the existence of a law.)
The prototypes of a ‘third way’ model are the New Zealand and Hong Kong laws, with the draft Australian legislation having in some respects moved it into a second generation (although in other respects going backwards).
The distinctive features of this emerging alternative model are:
This model provides a central role, if desired, for industry ‘self-regulation’, even if it strictly ceases to be truly ‘self-regulatory’ in character — co-regulation is often used as a better label. In Australia there are already established Industry Ombudsman schemes in the banking, telecommunications and insurance sectors, which have the capacity to make binding determinations, including awards of monetary compensation. It is expected that these schemes, and others to be developed, will handle the bulk of privacy complaints under the proposed legislation.
It is unlikely that any of the legislation will be 100 per cent true to this abstract ‘model’. The proposed Australian federal private sector privacy law in particular falls well short in some critical respects. Nevertheless, the emerging Asia-Pacific model offers at least the potential for what even the most zealous privacy advocates would demand. Once the model has been implemented, as in New Zealand and Hong Kong, and is operating on a routine basis, any flaws or limitations should soon become apparent, and any unjustifiable exceptions will come under pressure. And in the meantime, consumers will be able to seek remedies for the vast majority of privacy intrusions, and most access and correction requests will be accepted.
Another argument for the Asia-Pacific model is that because it engages the private sector in the development and enforcement of standards, it has a better chance of planting roots in the culture of business than the ‘externally imposed’ European model. Representatives of businesses within each sector will be closely involved not only in drafting codes of practice (as they have been in crafting the principles) but will also serve on the code compliance committees — feeding back experience of adjudicating privacy disputes into their own organisations and the wider sector. Routine monitoring by the code compliance body and annual reporting requirements, customised for each sector, will ensure that businesses cannot just sit back and do nothing, taking the remote risk of an audit or inspection by an over-stretched supervisory authority.
Industry codes of practice are encouraged under many European data protection laws, but only as ways of elaborating on the application of the statutory scheme — codes are not given the same status as alternative formulations of the principles, or allowed to provide alternative first tier compliance mechanisms, as is the case in the emerging Asia-Pacific model.
The EU-US deadlock over the ‘safe harbour’ proposals appears to have been broken by a significant capitulation by the EU Commission, but this may prove to be only a short term victory for the self-regulatory approach. Domestic pressure is growing for a more comprehensive statutory solution. While the US Government has so far ruled out omnibus data protection legislation, the private sector has failed to take the opportunity to deliver an acceptable package of enforceable principles — a task that was always realistically only achievable in a few well organised sectors. A privacy law that positively embraced self-regulatory initiatives in those sectors, while providing a default ‘light handed’ statutory scheme for everyone else, might be the answer, particularly if the differences between this approach and the traditional European legislative model are emphasised.
Close examination of the emerging Asia-Pacific data protection model (rather than any particular current manifestation of it in law) may reveal to the US and other non-European countries a viable alternative to the two extremes currently being discussed. If combined with the healthy American caution about the role of centralised bureaucratic regulators, and their tradition of vigorous consumer litigation, an even better model might be crafted to serve the needs of citizens and consumers in early years of the 21st century.
Nigel Waters, Associate Editor.