Privacy Law and Policy Reporter
This article is based on a paper prepared for a workshop at the International Conference of Privacy and Data Protection Commissioners, Cardiff, UK, September 2002.
Privacy Commissioners in Asia-Pacific jurisdictions that have information privacy laws have widely differing practices in how (or whether) they report the results of the complaints they investigate. This article compares these practices in the jurisdictions of Hong Kong, New Zealand, the Australian jurisdictions (Federal, New South Wales and Victoria) and the Canadian jurisdictions (Federal, British Columbia, Ontario and Quebec). Other Australian and Canadian jurisdictions receive brief mention.
The first part of this article puts forward proposals for the systematic reporting of complaints investigated which could provide a basis for a more uniform approach, and would result in improvements to various practices. The second part of the article is a critical description of the existing practices in each jurisdiction ,on which the proposals are based.
In those Asia-Pacific jurisdictions that have information privacy laws, provision is usually made for complaints about breaches of the law to be made to a statutory official, most commonly known as a Privacy Commissioner.
Few cases under information privacy laws ever reach the courts, whether in Asia-Pacific or European jurisdictions. The reasons vary between jurisdictions, and in some cases include the lack of sufficient rights to appeal or to seek judicial review. Whatever the reasons, the result is that the overwhelming majority of complaints ,of breach of privacy laws are resolved by Privacy Commissioners, whether by mediation or by exercise of binding dispute resolution powers where they have them. Since only a tiny number of issues requiring legislative interpretation will ever reach the courts, on most points the law is in effect what the Privacy Commissioner says it is.
If details of these complaint resolutions by Privacy Commissioners are not effectively available to the interested public, the consequences are generally adverse. Some adverse consequences are as follows.
Of course, there are countervailing factors. Publication of complaint resolutions is only one aspect of the transparency and educational role of a Privacy Commissioner, and different views can be taken of where Privacy Commissioners, who often have inadequate resources, should place their priorities. Some Commissioners with a very effective record in other forms of public communication are very poor at reporting complaints, but we should not over-emphasise this since it is much easier and less contentious to publish ‘feel good’ information exhorting compliance with an Act than it is to identify those who fail to comply.
The need for complaint reporting is also sometimes difficult to reconcile ,with the desire to mediate a settlement between the parties, but this can usually be dealt with by anonymisation. Where ,it cannot, it should be a matter of case ,by case assessment, not a general reason for non-publication. This is discussed later.
This article suggests improvements to the reporting practices of some Privacy Commissioners who already implement many good practices. In other instances ,it is more critical. However, it should ,be borne in mind that current Commissioners may have inherited practices from their predecessors, and ,not yet had adequate opportunity, or resources, to remedy them.
There have been occasional calls for more effective reporting of complaints ,by Commissioners, but this issue has not yet commanded the attention it deserves. I have occasionally raised the matter. The problems caused by lack of sufficient reporting have been noted ,in relation to other jurisdictions by Bygrave, who gives details of the inadequacies of Norwegian reporting practices. He calls for more extensive reporting as a solution, but does not provide details of what this requires. ,The need for greater disclosure and transparency in the handling of ,decisions was also raised at the launch ,of the Australian Federal Privacy Commissioner’s public opinion research, and illustrated by demands from Canadian lawyers to the Canadian Privacy Commissioner.
This article focuses on current practices in the publication of decisions. There are three related issues touched ,on in passing at various points, the comprehensive coverage of which ,would require separate papers.
The first factor is the extent to which privacy legislation in the various jurisdictions either requires or prohibits the publication of decisions, or prohibits certain aspects of publication such as the identification of one or both parties. These matters are discussed at various points, but comprehensive discussion would require another article. However, it may be stated that in general there are relatively few legislative requirements one way or the other, except in some cases relating to identification of complainants. The scope and nature ,of publication is left to a large extent ,to the discretion of Commissioners.
Another related issue is the extent to which Privacy Commissioners publish ,or make accessible the legislation under which they operate. This includes not only the primary legislation (which is almost always available), but more importantly the delegated legislation that affects them, whether it is made by governments (for example, regulations) or is made by the Privacy Commissioner in the form of guidelines, determinations, codes, exemptions and the like. A separate study would be required to compare these publication practices and their adequacy.
Unlike some courts, administrative officials like Privacy Commissioners ,are not bound to follow their own previous decisions (nor, of course, ,those of Commissioners in any other jurisdiction). On the other hand, it is unlikely that Privacy Commissioners would be prohibited from considering how they had dealt with previous complaints similar to the one before them, or how other Commissioners had dealt with similar complaints, if only to inform themselves of the range of issues that had been taken into account on previous occasions and that it might ,be relevant for them to consider.
However, to go beyond such simple propositions is difficult because of differences in the administrative law of the 10 or so Asia-Pacific jurisdictions that have Privacy Commissioners. Laws may differ concerning such matters as what constitutes:
These matters are beyond the scope ,of this article.
Irrespective of these administrative law differences, we can generalise to say that the publication of Commissioners’ decisions increases the likelihood that apparently inconsistent decisions by Commissioners will be subjected to judicial review, and that Commissioners would feel more constrained (irrespective of the legal position) to act consistently if inconsistencies will be pointed out to them by dissatisfied parties, critics and others. These effects are generally desirable.
The complaint reporting practices in each of the major jurisdictions in the Asia-Pacific that have information privacy laws will be outlined in Pt 2 ,of this article. They are assessed ,against two main criteria.
1. Do they help all interested parties understand how the Privacy Commissioner is interpreting the privacy law(s) of the jurisdiction?
2. Do they help all relevant parties understand the range of outcomes reached in individual complaints and whether those outcomes provide reasonable redress for the complainants, and only impose reasonable burdens ,on the respondents?
Terminology has been simplified in order to make comparisons easier. Although the officials responsible for privacy have different names in different jurisdictions, ‘Privacy Commissioner’ is used most frequently and I have used that as the generic. Similarly, the expression ‘IPP’ is used generically to refer not only to ‘Information Privacy Principles’, but also ‘National Privacy Principles’, ‘Data Protection Principles’, ‘Privacy Protection Principles’ and the like.
In order to make sense of the different types of reporting practices between jurisdictions, we must distinguish between four broad categories:
Comprehensive reporting practices require all four types to be addressed.
Although this article focuses on the reporting of dispute resolutions by Privacy Commissioners (the first two categories above), the responsibilities ,of Privacy Commissioners should ,also extend to making accessible the decisions of courts and tribunals about Privacy Commissioners and the legislation they administer (the third ,and fourth category above).
The availability of decisions of tribunals or courts in appeals against, ,or judicial review of, Privacy Commissioners’ decisions varies a ,great deal between jurisdictions.
In Australia, once decisions on privacy complaints go beyond Commissioners by way of judicial review or appeal, all Australian jurisdictions provide accessible reports of the decisions of the succeeding levels of dispute resolution. The decisions of the relevant Australian appellate tribunals and courts are ,all included on AustLII. There is therefore no theoretical issue concerning the availability of these decisions in Australia, and no practical issue ,for those who know where to look. However, most businesses, some complainants, and even inexperienced advisors, would not know how to find these decisions. It is highly desirable, and takes little effort, for the websites of Australian Privacy Commissioners to provide links to these decisions. The Federal Commissioner’s site does not provide this as yet. (As to NSW, see below).
In contrast, decisions of the Administrative Appeals Board in Hong Kong, which hears appeals against the Privacy Commissioner’s decisions, are not yet available on the internet, and their existence and content is only known to a small group of people in government and at the Bar. Similarly, the pathetic state of internet access to case law of New Zealand courts and tribunals means that there is little effective public access to the decisions of some of the bodies that review decisions of the Privacy Commissioner. Under these circumstances, the best ,that can be expected of Privacy Commissioners is that their websites identify those decisions that have reviewed the Privacy Commissioner’s decisions and (if possible) provide a brief summary of the decision. The ,NZ Commissioner does this, but the HK Commissioner does not.
Similarly, some privacy legislation provides rights that can only be pursued before a court or tribunal, and the Privacy Commissioner is not necessarily involved in these decisions. Examples are s 66 of the Hong Kong Personal Data (Privacy) Ordinance, which requires court proceedings if a complainant wishes to obtain compensation, and s 98 of the Privacy Act 1988 (Cth), which allows any person to seek an injunction against breaches of the Act. If there are cases interpreting these provisions (there is one in Hong Kong, but none in Australia), then it would be very desirable for the Commissioners’ websites to provide links to them. Neither does so. The NSW Commissioner’s site does provide such links to Administrative Decision Tribunal (ADT) decisions on appeals against agency decisions, and furthermore publishes summaries ,of ADT decisions in print and on its website as part of a ‘Newsletter for Privacy Contact Officers’.
Informed by the above review, this discussion now sets out under eight headings the elements that need to be included in a comprehensive complaint reporting system.
It appears that there is nothing to prevent Privacy Commissioners at least publishing anonymised reports of complaints determined or mediated, but the position concerning identification differs between jurisdictions. As set out in the introduction to this article, there are very strong public interest reasons for systematic publication of such reports.
It is unrealistic and unnecessary to expect Commissioners’ offices to prepare for reporting details of the outcomes of every complaint they resolve: many will be trivial or repetitive of settled matters and only of statistical interest (which is a separate question).
It is sufficient if ‘significant’ complaints are reported, but it is not ,a simple matter to define what is ‘significant’, and there are no clear standards in the existing practices. ,Some suggested factors are as follows.
Commissioners should state publicly the criteria on which they report complaint resolutions.
In the absence of agreement on a standard of significance, Commissioners should report matters that they consider significant, and explain their criteria. ,If and when a standard emerges it ,can be applied prospectively.
Naming of either respondents ,or complainants in the reports of complaints is not essential for a valuable reporting system, but naming of both may be valuable in some situations (as proposed below). The Privacy Acts in each jurisdiction may also impose limitations on identified reporting, but not on de-identified reporting. This must be considered separately in each jurisdiction.
In default, the complainant should not be named because the nature of privacy complaints is such that to do ,so would exacerbate the harm to or interference with privacy. However, some complainants may prefer to be named, as this helps to provide public vindication of the complainant. A reporting system should allow a complainant to elect to be named, except where this is inconsistent with ,a mediated settlement.
In relation to public sector respondents, the default position is that they should be named as is the practice in most jurisdictions considered. Where disclosure of the respondent would prejudice the position of a successful complainant (for example an employee of a small public agency who could be identified if the agency was named), the agency should not be named. It is undesirable for public bodies to attempt to hide their breaches of the law behind settlements requiring that they not be named (or Commissioners’ practices to this effect). Within their powers, Commissioners should insist that public body respondents be named, unless the agency provides a compelling public interest reason not be to named (which should be disclosed, as far as possible, in the report). All complaints where agencies raise non-naming demands should automatically be reported, as that is itself an issue of significance.
In relation to private sector respondents, the practice of Commissioners seems to be to recognise that there are often good reasons not to name them, but different standards are applied as to when they should be named. Good reasons for non-naming include the following.
Subject to what is allowed by law, any of the following should be sufficient reason for identifying a private sector respondent.
In relation to private sector respondents, these proposals could be interpreted as a default position of non-identification, coupled with a readiness to identify where the interests of the complainant, others who may have been harmed by the conduct, or the public interest, justify identification, and subject to any strong objections which would make identification unfair in ,the particular case.
In a nutshell, the level of detail needed is that which is sufficient for interested parties to obtain a full understanding of the legal issues involved and the essential steps in the Commissioner’s reasoning leading to their resolution. Sufficient factual circumstances should be included ,for the adequacy of the remedy ,to be understood in relation to ,the seriousness of effect on the complainant, and to allow comparison with potentially comparable complaints (subject to the privacy interests of the complainant).
One touchstone (at least in the Australian context) is the administrative law requirement in most Australian jurisdictions that a person can request an official to give a statement of reasons for a decision, along the lines of a statement which sets out the findings on material questions of fact, referring to the evidence or other material on which those findings were based and give the reasons for the decision. Although ,the mediation of a complaint may sometimes not technically involve ,the making of a ‘decision’, this nevertheless should be the standard ,that Commissioners aim to meet.
Existing reporting practices of Commissioners are very variable in this respect, even where Commissioners make a conscientious effort to publish complaint resolutions.
Good examples of the standard of reporting that can be achieved are those of the Canadian Federal Commissioner (for PIPEDA complaints), the Ontario Commissioner (for IPP complaints) and (to a slightly lesser extent) the NZ Commissioner.
In Australia and in Canada, the best examples of quality reporting are in reports of access and correction complaints by the Ontario and British Columbia Information and Privacy Commissioners, and the Queensland and Western Australian Information Commissioners. As mentioned earlier, ,it is hard to see why questions of collection, disclosure, security and ,use are so much harder to document than access and correction decisions. Perhaps the discipline of having to write determinations on FOI matters makes such offices more effective than others in documenting privacy complaints.
Various forms of indexing of reported complaints make them much more accessible, but indexing is always labour intensive and difficult to do well. Indexing by addition of catchwords or lists of sections/IPPs considered, and/or by creation of consolidated indexes of complaints based on either method, has been undertaken by the Ontario and NZ Commissioners.
To some extent, the need for such intellectual indexing is reduced if a good search engine is available to search the text of decisions, but it is always the case in information retrieval that accessibility is maximised by providing a combination of both.
Whether either or both methods ,are used, or even more primitive preliminaries such as locating all ,reports in the one location ordered by date to start with, the point is that Commissioners must consider the accessibility of the whole set of complaint data they produce, and the likely research uses of the collection.
The best practice, both from the perspective of the Commissioners’ offices and the needs of the recipients, ,is for complaints to be reported and disseminated as they are completed, rather than in periodic batches such ,as in annual reports.
The benefits of public reporting ,of complaint resolutions are to a significant extent diminished in proportion to the delay in public availability. Potential complainants and their advisers, and potential critics, need to be aware of practices as soon as possible so in order to respond to ,them. Those preparing secondary reports of complaints for publication (newsletters, journals, newspapers ,and so on) are usually not able to deal with large batches of them, but would prefer to receive them regularly, and ,as soon as possible after they are ,dealt with (while they are still ,‘news’).
A Commissioner should have a publicly stated standard that complaint reports will be prepared within a fixed time of a complaint being finalised. A month would seem ,a desirable standard, but this matter ,is of course subject to the resources available in a Commissioner’s office. An alternative view put forward by ,the NZ Commissioner’s Office is ,that about three months between completion and reporting is a safeguard against the likelihood of inadvertent identification, and against complaints that revive after being thought to be completed.
Good practices in regular reporting are found in the practices of the Ontario, Canada (federal), and New Zealand Commissioners.
Privacy Commissioners should report on their own websites at least minimal details of appeals and judicial review of their own decisions to enable interested parties to obtain further details. A Commissioner’s Office is in the best position of anyone in a jurisdiction ,to know of all case law affecting the Commissioner and the legislation, as they must know this to carry out their own duties.
Publication of this information puts the publication of the Commissioner’s own decisions in context and prevents them being misleading because of lack of reference to decisions overturning or affirming positions the Commissioner has taken. Providing references to all decisions in a jurisdiction affecting the privacy legislation is also an important part of a Commissioner’s educational responsibilities and an efficient use ,of scarce resources. Many people interested in privacy law in a jurisdiction will only know to look ,at the website of their Privacy Commissioner, and so a ‘one stop ,shop’ for information about decisions ,is very valuable to them.
Examples from various jurisdictions of where such reporting is important, particularly given the poor availability of case law on the internet in some jurisdictions, have been given above.
Good practices in this regard have already been instituted by the Commissioners in New South Wales, Canada (federal), Ontario and (at least in print) New Zealand. However, none are as thorough or as informative as they could be with only a little more effort.
Provision of all of the following elements should be considered in relation to cases of appeal, judicial review or interpretation of privacy legislation:
Two aspects need to be considered: self-publication by Commissioners, and secondary publication by others.
Self-publication of complaint resolutions via the web has significant advantages over print publication. It allows economical publication in greater detail, and of larger numbers of complaints. It can occur more rapidly and frequently. It allows complaint reports to be accumulated over time in one location (as opposed to scattered through annual reports), opening up the possibility of comprehensive searching using a search engine, or indexing (cataloguing). The Ontario Commissioner’s website is one that illustrates many of these virtues.
Print publication is, however, a valuable complement, in that it helps ,to avoid exclusion of those without internet access or familiarity, it can be used to reach different audiences, and it can be used as a means of archiving.
Self-publication can take various forms.
Commissioners should encourage ,republication of their complaint resolutions, or commentaries on them, as one of the most effective ways to improve knowledge of privacy law in ,a jurisdiction. The most valuable steps that they can take are to:
Various forms of secondary publication are desirable and should ,be facilitated.
If a relatively consistent form of publication could be developed, this would facilitate Commissioners, scholars and others developing a unified Asia-Pacific privacy jurisprudence, based on the similarity and inter-connectedness of our privacy legislation.
It should be possible for all those ,who wish to refer to a complaint report to do so by an official citation that unambiguously refers to the same report and has an accepted designator for the Privacy Commissioner or other body publishing the report. It diminishes the benefit of publication of complaint outcomes if those who wish to refer to them cannot do so in an unambiguous and convenient way.
Some Privacy Commissioners, such as those in Ontario and New Zealand, ,have adopted numbering systems for complaint reports, but these are not full citation systems in that they do not have a consistent way of referring to the Commissioner as the decision making body. For example, NZ casenotes have names like ‘CASE NOTE: 19740’; Ontario reports have names like ‘Privacy Complaint PC-010015-1 Ministry Of Finance’ and ‘Investigation I94-084P The Ministry Of Housing’; and Hong Kong reports have names like ‘Case No: ar9798-13 Access request to employment-related personal data’. These are essentially internal identifiers which, taken out of context, give the reader little idea of which Privacy Commissioner made the decision (or issued the report), or when, or (in some cases) in relation ,to which types of parties.
A consistent system of ‘court designated citation’ has now been adopted by most Australian courts and tribunals, and implemented most extensively by the databases on AustLII. CanLII and HKLII are also working toward the adoption of consistent ‘court designated’ citation systems in their jurisdictions. Examples of citations for decisions of the Federal Court of Australia, Federal Court of Canada, Hong Kong Court of Appeal, Queensland and WA Information Commissioners, NSWADT, and VCAT (all relevant to decisions of Privacy Commissioners) are:
Adopting the naming convention used for other courts and tribunals, the citation for the first decision for 2001 of each of the Australian, NSW and Hong Kong Privacy Commissioners, and the Ontario IPC would be in the form:
The problem of providing meaningful citations for Privacy Commissioner’s decisions is exacerbated by the need to anonymise the complainant (in most cases) and the respondent (in many cases). The above citations would then become something like:
It would be workable to use numbers instead of any names of parties (for example, along the lines of PC14235), but it is informative to at least include the name of a government respondent. Numbers are better kept for the citation, not the party names.
Developing an acceptable method ,of citation is not simple, but it would provide many benefits.
Co-regulatory codes which include dispute resolution mechanisms, such ,as those under the Australian federal legislation, should impose the same reporting requirements as are complied with by a Privacy Commissioner.
Further, all reporting on code compliance body websites should be at least linked, and preferably searchable, from the Privacy Commissioner’s website, to ensure that users may obtain comprehensive information about how IPPs or other provisions are being interpreted.
If Privacy Commissioners took these proposals seriously, what would be ,the desirable outcomes?
The most obvious benefit would be for Privacy Commissioners in individual jurisdictions separately to improve their reporting practices, along the lines outlined (or even differently, but having thought all the issues through for their jurisdiction).
More substantial benefits would ,flow from all the Asia-Pacific Privacy Commissioners implementing a consistent set of reforms (preferably along the lines suggested). This would be a big step toward encouraging the development of a regional jurisprudence of privacy in the jurisdictions that have adopted an ‘Asia-Pacific model’ of privacy legislation, as Nigel Waters ,has described it. It would provide ,a compelling model for complaint reporting in jurisdictions with new Privacy Commissioners. It would be ,a small practical step toward the emergence of an Asia-Pacific privacy Convention and the development ,of minimum standard privacy laws across the region.
Part II of this paper, ‘Complaint reporting practices of Asia-Pacific Privacy Commissioners’, will appear ,in a subsequent issue of PLPR.
Graham Greenleaf, General Editor.
For valuable suggestions on drafts of this paper, thanks to Anna Johnston, Greg Keeling, Lee Bygrave, Jill Matthews, Blair Stewart, Roger Clarke, Dan Svantesson, John Corker, ,Carolyn Bond and Tim Dixon. The responsibility for final content remains with me. This research is supported ,by the UNSW University Research Support Program in 2001 and 2002.,Declaration of interest: I have various interests in the publication of decisions on privacy. I am a Co-Editor of the Privacy Law & Policy Reporter, and Co-Director of AustLII, HKLII and WorldLII, free access internet law services which are University based.
 The most notable exception is the US Federal Privacy Act (which allows direct recourse to the Courts instead), but Taiwan’s privacy law shares this characteristic.
 Bygrave L ‘Where have all the judges gone? Reflections on judicial involvement in developing data protection law’ Part 1 (2000) 7(1) PLPR 11 and Part II (2000) 7(2) PLPR 33.
 Greenleaf G, ‘“Tabula rasa”: Ten reasons why Australian privacy law does not exist’ (2001) UNSWLJ 4. See <www.austlii.edu.au/au/journals/UNSWLJ/2001/4.html>.
 See Bygrave above note 2.
 Problems caused by the lack of reporting are discussed in Greenleaf G, ‘Enforcement of the Privacy Act: Problems and potential’ Privacy Law 2001 Conference, IIR Conferences, Sydney (May 2001). See <www2.austlii.edu.au/~graham/publications/2001/enforcement.html>. However this paper does not include sufficient discussion ,of s 40 of the Privacy Act 1988 (Cth).
 Above note 2.
 Introductory remarks by Susanna Lobez (ABC Law Report/Law Matters), 31 July 2001.
 This could include situations such as those under the Australian Federal law where a Commissioner or complainant has to seek the aid of a court in order to enforce his or her decision, but the Commissioner’s findings are treated as a rebuttable presumption.
 There may be questions of the adequacy of the rights of appeal and judicial review (as there are in the case of the Australian and NSW Commissioners), but that is a separate issue.
 For example, Federal Court, Federal Magistrates Court, Victorian Civil and Administrative Tribunal (VCAT) and NSW Administrative Decisions Tribunal (NSWADT).
 Australasian Legal Information Institute <www.austlii.org/>.
 There are issues of privacy (as distinct from access) that can arise from the publication of any court or tribunal decisions. See the discussion under ‘Naming of respondents and complainants’.
 This is not a big omission as ,yet. The few Federal Court decisions referring to the Act are not all that important.
 See <www.hklii.org/hk/legis/ord/pdo275/s66.html>.
 See <www.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s98.html>.
 In NSW the appealable privacy decisions are those made by agencies. The Privacy Commissioner only mediates, and there are no examples ,yet of judicial review of his actions.
 See <www.lawlink.nsw.gov.au/pc.nsf/2cd7fe7a3db5eff44a2565f500263a91/3c11e9b948941a08ca256be4000ced42>.
 This suggestion was made by John Corker.
 This is apparently so under the NSW Act.
 Private communication.
 The decisions would then be part of a ‘commons’ in the terminology popularised by Lawrence Lessig in relation to the internet. For arguments since 1995 that essential legal information should be part of the commons (that is, the ‘public space in cyberspace’) of internet content, see ,our various articles about AustLII.
 In the Asia-Pacific there are as yet few secondary publishers of privacy case law and complaints. They include the Privacy Law & Policy Reporter (PLPR).
 See AustLII <www.austlii.org>, CanLII <www.canlii.org> and HKLII <www.hklii.org>. See also WorldLII <www.worldlii.org> which they ,co-operatively provide.
 The practice has been adopted ,in Australia that citations of Federal bodies end with ‘A’ for ‘Australia’ (for example ‘FCA’, ‘HCA’) whereas those for State and Territory bodies start with the abbreviation for the State. ‘Cmr’ is used for ‘Commissioner’, whereas ‘Comm’ is used for ‘Commission’. This may be slightly inconsistent, but it is now the settled practice.
 Waters N ‘Re-thinking information privacy — a third way in data protection?’ Proceedings of International Data Protection and Privacy Commissioners Conference Hong Kong, 1999. See <www.pco.org.hk/english/infocentre/files/waters-paper.doc>.
 See Greenleaf G ‘Global protection of privacy in cyberspace ,— implications for the Asia-Pacific’ Internet Law Symposium Science & Technology Law Center, Taiwan, June 1998, available at <www2.austlii.edu.au/itlaw/articles/TaiwanSTLC.,html>. This paper was also the basis ,of a presentation to the Asia-Pacific Privacy Commissioners at the International Privacy and Data Protection Commissioners Conference, Hong Kong, 1999.