Privacy Law and Policy Reporter
This well established working group has been influential in assisting debate and formulation of policy responses in the area of data protection and telecommunications, broadly defined, over the last decade.
The meeting in Auckland’s National Maritime Museum, held 26-27 March 2002, was the first in the Southern Hemisphere, although within the broader Asia Pacific region the working group has met before in Hong Kong, Moscow and Washington DC. This meeting, the furthest from its Berlin Secretariat, also drew the largest attendance ever: more than 45 delegates. Australia and New Zealand were well represented and the meeting was enriched through the broad range of other Asia Pacific expertise assembled for the ASPAC Forum (see report in the last issue).
The working group has clarified its relationship with the International ,and European Data Protection Commissioners. It is no longer formally linked to them but is independent; however, it can receive references from the Commissioners and gives the Commissioners an opportunity to comment on any positions or resolutions before they are finalised. Its membership is primarily representatives from Commissioners’ offices, but also includes other experts by invitation.
See the IWGDPT website at <www. datenschutz —berlin.de/doc/int/iwgdpt/ index.htm>.
Some of the items included in the following reports from the March meeting have already been covered ,in PLPR.
The Cybercrime Convention opened for signature in November 2001. It has been signed to date by non-members Canada, Japan, US and South Africa. The Convention requires five signatories, including three members states, to take effect — a situation which is imminent. It requires signatories to enact legal requirements to retain traffic data, but guidelines to the Convention recommend that the period of retention be no longer than three months. It has been a significant achievement by privacy advocates to limit the retention periods to this. Compliance with this Convention is driving a lot of the developments in jurisdictions reported below. See <conventions.coe.int/> and <www.coe.fr/DataProtection/edocs.htm>.
The review of the Telecom Data Protection Directive has been a lengthy process. There were two rival drafts developed, with significant differences on retention of traffic data — the Council wanted to allow for a more specific legal basis for longer retention periods, while the Parliament objected to this approach. On the issue of ‘spam’, the Council wanted ‘opt in’ procedures, while the Parliament was prepared to allow ‘opt out’ for spam and also wanted an opt out basis for cookies and web bugs. However, the Parliament voted on 30 May to accept ,a compromise draft which leaves member states free to set retention periods, subject to safeguards. Spam ,is to be allowed only on an opt in ,basis, while consumers will be able to choose whether their phone numbers and email addresses appear in public directories, whether use of their mobile phone can indicate their location to third parties, and whether to allow internet cookies and similar tracking devices.
The Article 29 Committee has taken positions on traffic data retention (recommending a three month maximum) and interception controls. ,It will soon be issuing papers on data protection in the workplace and data protection in the context of world trade.
The Telecommunications Act 2001 makes various changes to regulatory environment — generally adding more controls. This legislation replaces the 1987 Act but some provisions remain ,as the Telecommunications (Residual Provisions) Act 1987, including call data warrant provisions. A new provision limits the secondary use or disclosure of information necessarily intercepted by carrier staff in the course of network maintenance.
The Privacy Commissioner has released a proposed Code of Practice and had been receiving public submissions until shortly before the meeting (see <www.privacy.org.nz>). Those received to date indicate opposition to the mandatory deletion ,of traffic data and also to the proposed role for anonymity. The right to indicate ‘no marketing calls’ in the directory is another issue.
Computer related crime provisions appear in the Crimes Amendment (No 6) Bill 1999, with some good privacy related aspects but some adverse. The Commissioner made two reports on these provisions.
The Electronic Transactions Bill 2000 follows the UNCITRAL model and the 1999 Australian Act.
The Government Communications Security Bureau Bill 2001 places the GCSB on a statutory basis. Privacy suggestions from Commissioner and Parliamentary Committee were adopted.
A new Interception Capability Bill, ,to be introduced soon (announced ,21 March 2002), will require network operators to develop interception capability — within five years for internet and email, and within 18 months for new fixed/mobile telephone services. Interception will still require ,a High Court warrant, and the knowledge and co-operation of the company concerned. There will be ,no requirement to try to decrypt intercepted material, unless the operator provides the encryption facility itself. The Government claims the Bill will bring NZ into line with other countries.
A draft regulation was issued on ,14 March 2002 requiring a ‘no marketing’ flag in directories. Fax and mobile numbers are now included in directories. The French Data Protection Commission (CNIL) is proposing a ,‘opt in’ for system inclusion of mobile numbers. France is the last country in Europe to still have a charge for unlisted numbers, and CNIL is seeking to change this (20 per cent of subscribers are unlisted). CNIL is seeking to keep carrier’ lists of all numbers out of the hands of law enforcement agencies to avoid widespread dissemination of unlisted numbers (access would presumably still be available by ,specific authorised request).
A regulation was issued on 23 August 2001 requiring consent for marketing by fax.
Discussions are taking place with media organisations about editing archives of press reports to comply with the spirit of the spent convictions laws.
CNIL issued a consultation paper on monitoring of workers, Cyber Surveillance in the Workplace, in February 2002.
The Commissioner has insisted on police control of closed circuit television (CCTV) in public places. He is also seeking agreement on an opt in for spam.
Draft codes on fixed and mobile telephone customer data are under discussion.
The law has been changed to distinguish basic telco subscriber data (covered by general data protection laws) from traffic data, which is subject to a specific communications secrecy law. Access to the latter requires a warrant from the Prosecutor’s Office.
The Data Protection Act is being revised to deal with spam — notice and opt out procedures will be required.
The final provisions of Communications and MultiMedia Act 1998 take effect from March 2002.
Data protection in telecommun-ications is the responsibility of the Ministry of Posts and Telecommun-ications. One recent piece of legislation is the Interception Act 1999. A working party on spam has led to draft Bills from the Ministry and from a private member.
The Commissioner is negotiating ,on traffic retention data rules in a proposed Anti-Terrorism Act.
The Interception of Telecommunications Ordinance took effect from January 2002. It requires telcos to develop, and pay for, interception capability. Actual interception is still governed by other laws — Criminal Procedures Act, Intelligence Services Interception ,Act and Foreign Trade Act.
The Teleservices Data Protection ,Act took effect in December 2001. ,It requires the early deletion of transactional data.
The new Prevention of Terrorism ,Act allows storage of the speech templates of foreigners (this measure was opposed unsuccessfully by the ,Data Protection Commissioners). The legislation also extended the powers ,of intelligence services to request, not demand, traffic data from carriers ,and ISPs.
A Commission on Electronic Communications was due to report on 1 April 2002 — it proposed opt in for spam and retention of traffic data for three to six months.
The Data Protection Commission has given views on banks’ recording of customers’ telephone calls, and will be issuing general recommendations. It has also taken a position on music swap sites, holding that IP addresses are personal data.
The Regulation of Investigatory Powers Act 2000 (RIPA) is now in force, and operates at two levels. Access to the content of telecommunications (including email content) requires an interception warrant. Traffic data, which includes an email subject header, can be accessed with just police authority.
The discussion led to the adoption of a working paper/position, re-affirming the earlier common positions of Commissioners on cryptography (September 1997) and interception (April 1998). The position includes support for the European Parliament recommendations on ECHELON.
Among the views put were the importance of three objectives — accountability of intelligence services, availability of encryption and education of the public — as well as the need for opportunities for redress in the event of agencies exceeding powers, and the need for new means of accountability for cross-border surveillance which maintained respect for the rights of citizens of other countries.
Main discussion of this agenda ,item was deferred pending Dutch participation at a future meeting, when it is expected the Dutch delegation ,will present a paper.
There was general agreement on ,the need to gain input to the ICANN specifications.
One view put was the importance ,of ensuring there is no requirement to have a public directory of names and addresses linked to IP addresses — ,if a contact is needed for technical problems, this need not be actual domain name holder. (See common position taken by the Working Party ,in May 2000.)
A draft working paper on the use of unique identifiers in terminal equipment (for example Ipv6, an initiative of the IETF) was finalised and adopted. This was the result of a reference from the Commissioners to discuss and revise the working paper.
A background paper was tabled on ENUM (an IETF/ITU proposal to map phone numbers to internet addresses) analysing the privacy implications of this proposal.
A working paper drafted by NZ and the UK was revised and adopted during the meeting.
There was discussion of the position in various jurisdictions — a paper from Germany was tabled, referencing OECD and EU guidelines.
There was discussion of a German suggestion (contained in a paper tabled) that the internet could perhaps be geographically (or otherwise) ‘regionalised’ so that the purpose of public registers could be served by allowing free access to a particular constituency (for example, citizens of ,a town) without exposing the details ,to wider abuse by people with no legitimate reason for access. The discussion widened to registration of alternative identities, which would attract different privileges. The implications for freedom of information and censorship need to be considered.
The meeting noted a privacy session at the forthcoming WIPO conference on digital rights management — see WIPO website at <www.wipo.org>.
The Australian Commissioner’s representative explained the recent OFPC/NOIE Guidelines.
The meeting noted a NZ Ministry of Justice paper dated July 2000, which ,has only just become available publicly, outlining the use of e-voting facilities in three test constituencies during the next general election. (Note also a UK trial in district council elections in May 2002.)
There was discussion of a working paper on this issue drafted by NZ, which was revised and adopted during the meeting.
A reprint of all common positions and working papers adopted by the IWGDPT 1996-2001 was tabled by ,the NZ Commissioner. See also the IWGDPT website at <www.datenschutz-berlin.de/doc/int/iwgdpt/index.htm>.
The next meetings of the Working Group will be held in Berlin, ,11-12 November 2002, and provisionally in Zurich, in March ,2003. l
Nigel Waters, ,Associate Editor.