Privacy Law and Policy Reporter
The Forum brought together Privacy Commissioners, government officials and invited observers from Pacific Rim countries. Guests from France, Germany, Ireland and the European Commission, present in Auckland for a meeting of the International Working Group on Data Protection in Telecommunications (a separate report on this meeting will appear in the next issue), also attended.
Constant reference was made to art 21 of the Council of Europe Convention No 185 on Cybercrime — Interception of content data (see <http://conventions.coe.int/>).
Canadian federal Privacy Commissioner George Radwanski outlined his Government’s Anti-Terrorism Act 2001. It includes authority for preventive arrests; easier access to financial records; easier wiretap warrants; and wider grounds for withholding personal data when access is requested by the subject. The Commissioner’s response has been to articulate four principles/tests for new powers:
Privacy is a fundamental human right. It cannot be infringed without compelling justification. Any proposal to curtail or limit privacy must, in my view, meet four tests: it must be demonstrably necessary to meet a specific need; it must be likely to be effective in meeting that need; it must be proportional to the magnitude and importance of the problem; and there must be no less privacy-invasive way of achieving the same end.
Most of the amendments passed these tests. One that didn’t was a proposal to prevent federal court judges from overriding a decision to withhold data from subject access under the Privacy Act, as the drafting would have allowed the Attorney General to issue a single blanket waiver from all Privacy Act provisions. The Commissioner has been successful in having it limited to case by case certificates. The Anti-Terrorism Act also has a sunset clause of five years.
Under separate legislation, Canadian airlines are required to release passenger information on request to overseas authorities — the US has effectively mandated this by threatening to refuse landing rights. The Commissioner is seeking to prevent Canadian Government agencies from gaining access to the same data by re-importing it from overseas authorities (except in cases concerning national security).
The Commissioner noted that separate proposals for video surveillance in public places fail all four tests of acceptability!
Irish Commissioner Joe Meade explained that ‘safeguarding the security of the state’ is an exemption from the Data Protection Act, but the police are otherwise covered. A 1983 telecommunications law gives police access to telecoms traffic records in specific cases, and carriers are required to neither confirm nor deny that they have given such access. Controls on content are much stricter: interception rules were tightened in 1981 and include six-monthly audits by a High Court judge.
In January 2001 the Commissioner required internet service providers (ISPs) to register under the Data Protection Act and in the process asked them about their retention periods. Most were keeping traffic records for six years, even though the records were hardly ever needed for billing queries. The Commissioner suggested six months would be sufficient, and challenged a draft Ministerial Order for a longer period on constitutional grounds. The Government now wants three years but accepts that legislation will be required. In the meantime two carriers have voluntarily reduced their retention period to six months, and the Commissioner is issuing notices to the others.
The collaborative European police initiative Europol has a joint supervisory board comprising representatives of data protection authorities, who have to give an opinion on the adequacy of privacy protection in third countries before information is released to them.
In Germany, consideration is being given to including biometrics on passports, but the federal Data Protection Commissioner has argued successfully against a central database. The telecommunications law expressly applies interception safeguards to email messages up to the point at which they have been downloaded by the recipient.
The UK law requires a code of conduct on the retention of traffic data, but the UK Commissioner has been very critical of the draft. (See also a December 2001 opinion of the EU Article 29 Committee.)
In France, the Government proposed in early 2001 a legislative requirement for retention for a maximum of one year to be set by decree (Executive Resolution) after consultation with the Commission Nationale de l’Informatique et des Libertés (CNIL). Following 11 September, this provision was lifted and included in emergency legislation that passed. The decree is awaited but CNIL has recommended three months (as in art 16 of the Cybercrime Convention and the Article 29 Committee 1999 opinion).
Some of the items included in the following reports have already been covered in PLPR. Information was correct as at March 2002.
The Hong Kong Commissioner (www.pco.org.hk) has issued proposed amendments to the Credit Reporting Code of Practice for comment. The changes relax the time limits for which credit data can be kept and allow credit scoring. The Commissioner has deferred a decision on whether to allow ‘positive reporting’ (of payment history rather than defaults).
The Commissioner has also issued a draft Code of Practice on monitoring of employees/workplace privacy.
The Thai Government is considering a possible private sector privacy law by the end of 2002.
In Malaysia, draft legislation was issued in October 2000 for public consultation, and there has been an extensive program of public meetings, engendering considerable opposition from the states (and a potential constitutional challenge), as well as from business and government agencies. The Ministry of Energy, Communications and Multimedia is considering submissions.
Singapore has set up a National Internet Advisory Committee which has formulated a Private Sector Model Data Protection Code; the National Trust Council is currently consulting on it with a view to issuing it for voluntary adoption in late 2002. The model Code takes the OECD Guidelines, EU Directive and Canadian CSA Model Code (now incorporated in the Canadian federal law) as starting points. (See review of the Singapore initiative by Graham Greenleaf in (2002) 8(9) PLPR 169.)
The South Korean delegation tabled a very comprehensive paper in English by the Korea Information Security Agency on the history and current state of privacy regulation in South Korea.
In Japan, following a March 2001 Cabinet decision, a Personal Information Privacy Bill (for the private sector) was introduced, but it is still in the Diet awaiting passage. On 15 March 2002 Cabinet approved a replacement public sector Bill, which has also been introduced.
A written report was tabled on the JIPDEC privacy mark scheme, which had 330 signatories to March 2002. Since 1 April 2001, there has been a reciprocal arrangement with BBB Online (a US privacy mark), but only four businesses have taken it up.
Oral reports were made by the NSW and Victorian Commissioners, and the WA Information Commissioner reported that public sector privacy legislation is likely in WA in 2002. OFPC was not represented at this meeting due to the Commissioner’s unavoidable last-minute absence, but a comprehensive written report was tabled. The federal Attorney-General’s Department representative mentioned the Children’s Privacy Working Group and the recently announced NOIE-led inquiry into unsolicited email (spam) (see <www.noie.gov.au>).
A comprehensive written report was tabled. The Commissioner anticipates a major increase in applications for data-matching activity (strict rules apply under the Privacy Act 1993 (NZ)). An opinion survey has produced similar findings to the Australian survey in 2001, and rebuts some of the media claims that the Act is unwanted and unnecessary. The Law Commission has a reference reviewing the rationale for the Privacy Act and the Commissioner. (The Commission’s discussion paper recently issued — see <www.lawcom.govt.nz/> — is widely seen as poorly researched.)
The European Commission representative explained the process for assessment of third country adequacy. Both the Article 29 Committee (Data Protection Commissioner representatives) and the Article 31 Committee (government representatives) are asked to give an opinion, but the decision is for the Commission to make (subject to being overturned by the Council of Ministers within three months). Decisions have been made to date in relation to Hungary, Switzerland, the US (the safe harbour scheme) and Canada. Third countries can invite the Commission to assess their adequacy, but Australia has not done so — negotiations between the Commission and the federal Attorney-General’s Department are continuing. Similar discussions are currently under way with New Zealand and Argentina.
The representative also summarised the main potential barriers to an adequacy finding as: scope (for example, the US financial sector not being covered by the safe harbour scheme); horizontal exemptions (such as the Australian exemption for employment data); general problems (for example, delayed implementation); enforcement (although some problems can be overcome with binding codes); discrimination against non-nationals (as in Australia and NZ); and poor or missing onward transfer provisions.
The Commission has also issued a decision on acceptable model contract clauses, and another on consent (which must be informed and, in general, given in advance). The Commission is undecided on the role of codes of practice. In defence of the US safe harbour decision, the Commission argues that it needs to be seen in the wider context of the US legal environment. A Commission report on the progress of safe harbour at the end of 2001 highlighted some problems of perception and of inadequate promotion of rights to the public. The US Dept of Commerce is addressing the latter problem.
Questioned on the situation of applicant countries for EU membership, the representative explained that transitional arrangements could apply to data protection requirements as they do in many other areas.
The EU is in the process of appointing an internal Data Protection Supervisor to oversee EU institutions’ compliance with the EU DP Directive (required by Amsterdam Treaty Article 286). The former head of the Commission’s data protection unit has been detached to administer this process. A December 2000 Regulation adopted a privacy standard based on Directive 95/46. Article 41 establishes a ‘supervisor’ to be appointed by the Council and Parliament on a recommendation from the Commission. The post is expected to be graded as equivalent to the EU Ombudsman, which in turn equals an EU judge. There will be an open competition before the end of 2002.
Regrettably, the EU Ombudsman has objected to the data protection rules as a potential barrier to openness/transparency and accountability — art 255 establishes transparency rules but has no supervisory mechanism equivalent to those in art 286 for the data protection rules. The EU Ombudsman is moving to fill this gap — see <europa.eu.int/comm/internal_market/en/dataprot/index.htm>.
Other sessions of the Forum discussed the theory and practice of privacy impact assessments (a new handbook is available from the NZ Commissioner), privacy auditing and initiatives in education and awareness (various papers tabled), as well as an explanation of the work of the International Working Group on Data Protection in Telecommunications (there will be a separate report on this in the next issue).
Nigel Waters, Associate Editor.