Privacy Law and Policy Reporter
It is well accepted that privacy, however fundamental a human right, is always ‘contextual’ — breaches of privacy may be justified in certain circumstances. That justification derives from the upholding of competing interests such as the free flow of information and efficient government; that is, organisational interests. Privacy laws are characterised by an attempted balancing of individual and organisational interests.
For example, the object of the Privacy Act 1988 (Cth) is ‘to make provision to protect the privacy of individuals, and related purposes’ (my emphasis). Those related purposes are alluded to in s 29, which specifies what interests the Federal Privacy Commissioner must consider in exercising his or her powers. They include ‘the general desirability of a free flow of information’ and ‘the right of government and business to achieve their objectives in an efficient way’. The OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (1981) (OECD Guidelines) and the European Union Data Protection Directive of 1995 (EU Directive) require a similar balancing of individual and organisational interests.
This ‘balancing act’, despite its appropriateness, inherently challenges the adequacy of protection a privacy law can provide for individuals. When a law acknowledges the ‘trumping’ power of organisational interests over individuals’ interests, organisations are armed with justification for pursuing their own interests to the detriment of others. After all, it is the organisation — the possible privacy infringer — that first determines how competing interests are to be resolved, and it is unlikely an organisation will decide in favour of an individual ,if its own interests are justified and legitimate. If an individual complains against an organisation’s decision to collect or process personal information about him ,or herself, the complaint may be referred to a data protection authority (DPA) such as a Privacy Commissioner. Yet, as will be discussed further below, the independence of these agencies is questionable. Accordingly, both organisations and DPAs can make decisions biased in favour of organisations that are legitimised by paying lip service to a ‘balancing of’ (and resolution of) conflicting ‘justified’ interests.
It is unlikely an organisation will go against its own interests unless the law condemns the data processing practice contemplated by the organisation. If the ,law does not address privacy intrusive data processing practices, or otherwise adequately safeguard individuals’ privacy, the risk is that the balance sought to be struck by the privacy law will collapse in favour of organisations and the law will become a vehicle for ,the legitimisation of organisational ,data processing practices. Those data processing practices not adequately addressed by the law will be given the ‘legally compliant’ seal of approval. The protection offered by privacy laws could thus become illusory and in fact work against privacy protection, lulling the community into a false sense of security. This capability of privacy laws is already evident: in a 1999 survey, for example, 78 per cent of UK consumers were ‘concerned about “possible misuse” of their personal information’, yet most of those people (64 per cent of surveyed consumers) agreed that ‘existing laws and organisational practices provide a reasonable level of consumer privacy protection in [this] country today’.
The issues raised by the question ,in the title of this article are thus as follows.
This article will first canvass the ‘evidence’ relevant to these issues as drawn from privacy law generally. ,It will then move to more specific examination of the situation in Australia before reaching conclusions ,as to how the title question should ,be answered.
A comprehensive analysis of international privacy laws, particularly sectoral or state laws, is beyond the scope of this discussion. Accordingly, in examining the general characteristics of privacy law, reference will be made to a selection of international and national privacy instruments which arguably represent the legislative measures generally being taken to (purportedly) safeguard individuals’ privacy: namely, the OECD Guidelines, the EU Directive, the German Bundesdatenschutzgesetz (BDSG) and Teledienstedatenschutzgesetz (TDDSG), as well ,as Australia’s Privacy Act.
Privacy laws were first enacted in the Land of Hesse, Germany, in 1970, followed by national laws in Sweden (1973), the United States (1974), Germany (1977) and France (1978). Their promulgation followed the first expressions of concern (in the late 1960s) at the unprecedented power of computer systems to collect and process personal data. If not introduced in response to technological advancements, generally, privacy laws have been enacted to remedy a past injustice or address a pressing privacy issue. ,For example, Australia’s Privacy Act followed the proposed introduction by the Hawke/Keating Commonwealth Government of a national identity card (the ‘Australia Card’), an event from which ‘Australians began to reinterpret their culture through a framework of privacy’.
Increasingly however, privacy laws and other instruments appear to have been introduced or amended in order to promote electronic commerce and the free flow of information. Among such privacy instruments are the OECD Guidelines, the EU Directive, the Safe Harbor agreement between the US ,and European Union, and the recent Australian Privacy (Private Sector) Amendment Act 2000. Indeed, in the case of Safe Harbor and the Australian private sector privacy legislation, both were enacted with minimal alterations despite considerable criticism that the privacy protection offered was grossly inadequate.
Such events suggest that ‘privacy’ ,laws are increasingly more concerned with organisational interests than with providing adequate privacy protection for individuals.
It has been noted that privacy laws using the term ‘privacy’ generally fail to even define what is meant by the term. At the very most, it is an interference with privacy that is defined, as is the case in Australia. The German BDSG exemplifies this curiosity. Despite being an Act ‘to protect the individual against his right to privacy being impaired through the handling of his personal data’, it defines neither personal privacy nor its relation to data processing.
Other ambiguities plague privacy laws, and particularly Australia’s Privacy Act. For example, the Australian Act applies to the ‘collection’ of personal information but it fails to define ‘collect’, which has raised the question of whether unsolicited receipt of personal information could constitute ‘collection’. The Act also fails to clarify what amounts to ‘consent’, despite providing consent as a touchstone for justified collection or ,use of personal information or sensitive information. This ambiguity is sharply illustrated by comparison with the comprehensive provisions regarding ‘consent’ under the EU Directive ,or the German TDDSG.
The failure to define ‘privacy’ has been justified on the basis of allowing flexibility in interpreting a ‘difficult’ concept. In this author’s view, however, the detrimental consequences of failing to define privacy outweigh ,any such benefits.
First, at a superficial level, a failure ,to define the right that the law purportedly protects reflects badly on the importance ascribed to it by that law. Moreover, failure to detail the extent of the right protected undermines the ability of the relevant law to provide ‘prescriptive guidance’, particularly where a conflict arises between privacy and a competing interest. Given the inherent risks in formally recognising the legitimacy of organisational interests, ,it is important that the privacy right ,is defined carefully and vigilantly.
Second, failure to define ‘privacy’, and ambiguities in privacy laws generally, also create uncertainty, weakening the effectiveness of the laws and subjecting them to the interpretative fancies of ,code adjudicators or DPAs.
Finally, failure to define privacy perpetuates criticisms that privacy ,is too nebulous a concept.
For these reasons, it is not surprising academics have frequently expressed concern at the ambiguity of privacy laws, on the basis that the more ambiguous their provisions, the more privacy protection becomes illusory. The ideal, suggests Flaherty, is a privacy law with ‘as much explicitness as possible in the identification of privacy interests in order to facilitate, guide and inform the process of limiting surveillance’.
Privacy laws generally fail to address pertinent and current privacy issues, especially those involving new technologies. A common and significant problem is the general application of privacy laws to ‘personal information’ or ‘personal data’, which are defined variously as information from which a person’s identity is ‘apparent, or can reasonably ascertained’, or ‘any information concerning the personal ,or material circumstances of an identified or identifiable individual’ ,(my emphasis). As argued in much detail elsewhere, such definitions seem inapplicable to the type of data that is most susceptible to privacy abuse in cyberspace: email addresses, machine addresses and clickstream data. Even an Act such as the German TDDSG, which is characterised by unprecedented addressing of cyberspace privacy issues, fails to define ‘personal data’ altogether, presumably thus requiring one to refer to the older, inadequate BDSG definition.
The EU Directive goes further than ,the above definitions by providing that an ‘identifiable person’ is one who can be identified ‘directly or indirectly’, ,and ‘in particular by reference to any identification number or to one or ,more factors specific to his physical, physiological, mental, economic, cultural or social identity’. This could draw into its application static machine addresses, for example. Yet even this interpretation is strained given that IP addresses are predominantly dynamic ,or assigned dynamically within a network. Moreover, the applicability of privacy laws to ‘personal information’ as so defined misses the point altogether, failing to recognise that in cyberspace, ‘people can create new persons, change their identity, build up virtual realities and virtual entities’.
Other pertinent issues generally not addressed by privacy laws include user profiling, cookies  and biometrics. Accordingly, these practices (and most data processing activities in cyberspace) are effectively legitimised by privacy laws in general.
The strained application of privacy laws to cyberspace activities may partly stem from the fact that privacy laws primarily address the processing of data. Reflecting the more limited privacy concerns of the late 1960s and 1970s, the substance of most privacy laws is a set of data protection principles such as those of the OECD Guidelines or the Information Privacy Principles (IPPs) and National Privacy Principles (NPPs) of Australian privacy law. Today however, technology has presented ,new privacy risks. In cyberspace, for example, much privacy concern centres upon the capacity for organisations to conduct surveillance of communications by surreptitious methods such as cookies, web bugs and the monitoring ,of machine addresses. As Roger Clarke notes, these technologies do abuse information privacy, but they also converge with other forms of privacy invasion, such as the privacy of personal behaviour and the privacy of the person.
Current privacy laws, insofar as ,they focus on data protection, do not adequately safeguard the individual against these privacy intrusive practices.
To oversee, implement and enforce privacy principles, most privacy laws provide for the establishment of a theoretically independent DPA. In Australia and Germany, for example, privacy laws establish a federal Data Protection or Privacy Commissioner. DPAs are considered essential instruments by which the protection theoretically offered by privacy principles can be achieved in practice, the logic being that governments, government agencies or organisations cannot be expected to vigilantly enforce privacy principles in individuals’ favour or to have the expertise, time or inclination required to adequately safeguard those interests. On this basis, self-regulatory schemes have ,been criticised as being akin to wolves supervising the sheep for the benefit ,of the wolves.
Nevertheless, privacy laws that establish DPAs do not necessarily achieve the privacy protection they promise. A particular concern that has been raised is the independence of DPAs. Despite legislative attempts to ensure their independence, the reality ,is that DPAs are subject to under-resourcing and over-extension of resources. The people heading such authorities mostly have a limited term of office, and thus perform their roles under pressure of re-election. They are also subject to direction by government.
Perhaps as a result, DPAs have been generally reluctant ‘to punitively strike out at illegal activity with a “big stick”’ or ‘to rigorously enforce the core principles’. European and Australian experiences show that:
... the most that can be expected in the face of major surveillance proposals is a report highlighting the privacy dangers but confirming the government’s right ,to propose privacy intrusive measures where they consider other public interests to outweigh privacy protection.
Highlighting these problems, when Judge Kevin O’Connor, Australia’s ,first federal Privacy Commissioner, advocated the need for procedural protection in relation to Common-wealth data matching programs, the Attorney General’s Department obtained an advice as to whether ,he was exceeding his powers ,as Privacy Commissioner.
Such events suggest that DPAs are becoming no more than ‘toothless and blind watchdogs’, and if this is the case, given their apparent independence and their public role as ‘official protectors’, DPAs have become ,‘agents for legitimating information collecting activities and new information technology’. If privacy laws are more concerned with legitimising organisations’ data processing practices, DPAs are certainly central to achievement of that goal.
Finally, it is to be noted that data protection principles of privacy laws ,are generally accompanied by extensive exemptions or restrictions in favour of organisations. Data relating to national sovereignty, national security, defence, public security, criminal matters and journalism/media  are characteristically exempted from the reach of privacy laws. Alternatively specific agencies ,are exempted — as under Australia’s Privacy Act, which includes intelligence agencies, parliamentary departments and some government business enterprises ,in its list of exempt agencies.
This tendency to provide outright exemptions is problematic. As has been noted, national security and law enforcement agencies are ‘among the most feared agencies’ and their prior records show them to be most in need of control. Yet ‘privacy’ laws appear to legitimise their privacy intrusive practices by exempting them altogether from scrutiny. Rather, privacy laws should emphasise to those agencies ,that they are subject to democratic processes and that they must justify any interferences of privacy before taking such action.
From this discussion, it can be persuasively argued that privacy laws are generally more concerned with organisational interests than with individual interests. It is also arguable that in many respects, privacy laws have failed to adequately safeguard the right of individuals to privacy, particularly in their ambiguity and their failure to address pressing and relevant privacy intrusive practices. On these bases, and given the questionable independence of DPAs, it can be argued that privacy laws have generally become vehicles for the legitimisation of organisational data processing practices.
Any reservations one might hold in making the above conclusions disappear in relation to Australian privacy law, particularly as it applies to the private sector. After all, Australia’s Privacy (Private Sector) Amendment Act 2000, which extended privacy regulation to the private sector, has been awarded the title of ‘business protection legislation’ and ‘an actively “anti-privacy” statute’.
Clear examples of Australian privacy law’s concern with legitimising organisational data processing practices over safeguarding individuals’ privacy include the following.
The core privacy principles as they apply to businesses are known as the NPPs. These principles are largely based on the OECD Guidelines. However, ,the principles are rather extensively qualified. Particularly:
References to ‘practicability’ and ‘reasonableness’ also imbue the principles with ambiguity, which ultimately undermines the law’s ,efficacy.
NPP 1.1 limits collection of personal information to where the information ,is ‘necessary’ for the organisation’s functions or activities. The organisation must ‘take reasonable steps’ to make the individual aware of the purposes for collection (NPP 1.3) and pursuant to NPP 2.1, it may not use the information for a secondary purpose (as the general rule).
There is no further requirement, however, that the purpose of collection be legitimate or justified on public interest grounds. Given the wording ,of NPP 1.1, it appears a ‘legitimate’ purpose for collecting personal information under Australian privacy law is simply the pursuit of an organisation’s interests. In contrast, the EU Directive requires personal data to be ‘collected for specified, explicit and legitimate purposes’. Under art 7, ‘legitimacy’ is founded upon the individual’s consent, a legal obligation upon the organisation, public interest, or, if processing is only in pursuit of ,the organisation’s interests, where the processing is ‘necessary’ to pursue ,those interests and the interests are ,not ‘overridden by the interests or fundamental rights and freedoms of ,the data subject’. While this does call into question the inherent problems ,in allowing organisations to balance competing interests, the EU Directive ,at least makes explicit that individuals’ privacy interests must be considered, unlike Australia’s Privacy Act.
An example showing even more vigilant protection of individuals’ privacy in light of competing interests is found in s 3(1) of the German TDDSG, which provides:
Personal data may be collected, processed and used by providers for performing teleservices only if permitted by this Act or some other regulation or ,if the user has given his consent.
Moreover, as highlighted above, the requirements for valid consent under the TDDSG are comprehensive, unlike the Australian Act, which nevertheless uses consent as a standard of legitimacy.
Of all defects in the Australian Act, this perhaps suggests most strongly ,that Australian privacy law is more concerned with legitimising organisations’ data processing practices.
The lack of a purpose justification principle also has ramifications for the direct marketing industry. If a direct marketing company is collecting personal information for the primary purpose of direct marketing, the NPPs will not condemn its actions. The company need not even offer an individual the opportunity to opt out.
Additionally, NPP 2.1(c) explicitly allows personal information, if not sensitive, to be used for the secondary purpose of direct marketing subject to conditions including that the individual be offered an opportunity to opt out. The NPPs have legitimised what was otherwise a questionable organisational data processing practice.
Other aspects of the Act that fail ,to adequately safeguard individuals’ privacy are the enforcement provisions. An individual has a right of appeal ,from a code adjudicator to the Privacy Commissioner but thereafter, they cannot appeal on the merits of the case but only on an error of law and only where the Privacy Commissioner makes a decision capable of review under ,s 52 or s 41. However, as detailed extensively elsewhere, an organisation effectively has a right of appeal on ,the merits. This is because if the organisation refuses to comply with ,a determination in favour of an individual, the individual can attempt ,to enforce the determination in the Federal Court, in which case the organisation will have their case heard in full again. Clearly, this unfairly favours organisations over individuals.
It is also uncertain from the Act whether code adjudicators will be required to publish their determinations, as required of the Privacy Commissioner. This lack of transparency has been raised by one academic as a critical deficiency in the Act that will undermine the integrity of the code process.
Even accepting these weaknesses in Australia’s Privacy Act, the fact is that ,a large proportion of organisations will not be subject to the Act’s provisions ,at all due to the number of exemptions in the Act. Indeed, the Act has been criticised as ‘more holes than cheese’.
Two exemptions in particular suggest the legislation to be more concerned with organisational interests. One of these applies to small businesses, defined as those with an annual turnover of less than $3 million. By the Government’s own admissions, this excludes approximately 94 per cent of all businesses from the Act’s provisions. The exemption may be lost if the business trades in personal information or holds health information other than as part of employee records. However, the application ,of the exemption to ‘small business operators’ rather than just ‘small businesses’ furthers the potential for organisations to evade the scope of ,the Act.
Another conditional exemption applies to acts or practices by an organisation in relation to ‘employee records’, broadly defined, if those acts or practices relate to a current or former employment relationship between the organisation and the individual. The House of Representatives Committee expressed concern at this exemption; however, ,the Government resisted the push to change or remove the exemption.
There are also exemptions for state owned government business enterprises (unconditional), political acts and practices, and, as outlined above, ,a number of government agencies.
These exemptions legitimate the ,data processing practices, however suspect, of a significant proportion of organisations, particularly in association with the Act’s inadequate definition of ‘personal information’ (which effectively legitimates organisations’ privacy intrusive practices in cyberspace). Moreover, the exemptions mislead the Australian community as to the efficacy of privacy protection provided, insofar as Australia’s Privacy Act provides a body of privacy principles that seem ,(at a superficial level) to protect individuals’ privacy but are in fact cut away by extensive exemptions and exceptions which appear outside ,that body of principles.
Given the extent to which Australia’s Privacy Act fails to adequately safeguard individuals’ privacy, Australian privacy law does appear more concerned with legitimising ,the data processing practices of organisations than with safeguarding individuals’ privacy. Nonetheless, despite the arguments and conclusions regarding the Australian legislation, this author is reluctant to make similar conclusions with regard to privacy law in general. Since the passing of the EU Directive, privacy law has generally been moving to a more adequate safeguarding of individuals’ privacy, even though a primary rationale for passing the Directive was to ensure ,the free flow of information between Member States. The Directive is not primarily concerned with principles ,for more efficiently conducting organisational data processing. Certainly, it needs to be strengthened in order to address current technologically related privacy issues. Hopefully though, the German TDDSG indicates how future privacy laws will develop, and with time, solutions will be found as to how to address issues such as the depersonalisation of data ,in cyberspace more adequately.
Halani Lloyd prepared this essay for the elective class ‘Data Surveillance and Information Privacy Law’ in the LLM program at the UNSW Law School. email@example.com.
 It is recognised in the Universal Declaration of Human Rights of 1948, the International Covenant on Civil and Political Rights of 1966 (ICCPR), and the European Convention on Human Rights.
 Waters N ‘Rethinking information privacy: a third way in data protection?’ (2000) 6(8) PLPR 121 at 125, citing Fred Cate.
 Section 29(a) Privacy Act 1988.
 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data; available ,at <europa.eu.int/eur-lex/en/lif/dat/1995/ en_395L0046.html>.
 The OECD Guidelines recognise foremost its Member countries’ common interest in ‘protecting privacy and individual liberties and in reconciling fundamental but competing values ,such as privacy and the free flow of information’. Article 1 of the EC Directive provides that ‘Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data’, and ‘Member States shall neither restrict nor prohibit the free flow of personal data between Member States for reasons connected with the protection afforded under paragraph 1’.
 As Flaherty notes, ‘surveillance can be good or bad, depending on who does it, why it is being done, and how it is carried out’: Protecting Privacy in Surveillance Societies University of North Carolina Press Chapel Hill ,1989, p 12.
 This is a particular concern of Flaherty: above note 6 p 385.
 Westin ‘Consumers, E-Commerce and Privacy: US, UK and Germany’ presented for IBM at the Privacy and American Business, Sixth National Conference 10 November 1999; available at <www.tivoli.com/news/ press/pressreleases/en/2000/>.
 ‘Federal Data Protection Act’, ,first introduced in 1977 and amended ,in 2001.
 ‘Teleservices Data Protection ,Act’, introduced in 1997. The TDDSG is part of a federal legislative package entitled Informations — und Kommunikationsdienste-Gesetz, which comprises three Acts plus various amendments of existing Acts in light of information technology developments.
 Global Internet Liberty Campaign Privacy and Human Rights: An international survey of privacy laws ,and practice October 1998; available ,at <www.gilc.org/privacy/survey/>.
 Above note 11.
 Davies, in Agre and Rotenberg Technology and Privacy: The New Landscape MIT Press London 1997 ,p 147.
 As to Safe Harbor, see Greenleaf G ‘Safe Harbor’s low benchmark for “adequacy”: EU sells out privacy for US$’ (2000) 7(3) PLPR 45, which highlights the criticisms made by both the EU national data protection commissioners (Article 29 Committee) and the European Parliament, as well as the EU’s decision to go ahead regardless of criticisms. As to the Australian private sector legislation, for one academic’s opinion, see Greenleaf G ‘Private sector privacy Act passed (at last)’ (2001) 7(7) PLPR 125: ‘the political process has failed to deliver Australian citizens, consumers and businesses privacy legislation of world standard.’
 Bygrave L ‘The place of privacy ,in data protection law’ (2001) 24(1) UNSWLJ 277 at 278.
 Above note 15.
 Section 1(1) BDSG.
 Flaherty above note 6 at p 33.
 Greenleaf G ‘Private sector privacy: problems of interpretation’ UNSW CLE seminar, 13 March 2001 ,p 3.
 NPP 2.1(b), NPP 10.1(a).
 Article 7(a) requires ‘unambiguous’ consent, while art 2(h) provides that ‘the data subject’s consent’ shall mean ‘any freely given, specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed’.
 Conditions for ‘consent’ are provided in ss 3(5) and (6), which ,are to the effect that consent must be informed. Section s 3(7) provides that consent can be given electronically ,if: (1) it is given by an unambiguous and deliberate act, (2) it cannot be modified without detection, (3) the giver of consent can be identified, (4) consent is recorded, and (5) the text ,of the consent can be obtained by the giver of consent on request at any time.
 Flaherty above note 6 at p 378; Bygrave above note 15.
 Flaherty, above note 6; see also Bygrave above note 15.
 Bygrave above note 15.
 For example: Riccardi ‘The German Federal Data Protection Act of 1977’ (1983) 6(1) Boston College Int & Comp LR 243 at 267, citing Simitis. Flaherty notes ‘the best systems of data protection ... are those in which privacy interests are being most strongly articulated’: above note 6 at p 391.
 Flaherty, above note 6 at p 378.
 Section 6 Privacy Act 1988 (Cth).
 Section 3(1) German BDSG.
 See Greenleaf G ‘Privacy principles — irrelevant to cyberspace?’ (1996) 3(6) PLPR 114.
 See Bygrave L ‘Germany’s Teleservices Data Protection Act’ (1998) 5(3) PLPR 53.
 Article 2(a).
 Greenleaf above note 30 at 115.
 Hoeren ‘Electronic commerce and law — some fragmentary thoughts on the future of internet regulation from a German perspective’ (2000) 16 CL&SR 113 at 115.
 Note however that the TDDSG directly addresses the issue: s 4(4) TDDSG.
 This arises out of the definition of ‘personal information’ or ‘personal data’ adopted generally by privacy laws, which simply makes those laws inapplicable to the type of information collected by cookies. This appears to have been disregarded by the Australian Privacy Commissioner, who opined in a set of Guidelines in 2001 that collection by way of cookies was ‘unfair’ under NPP 1.2: Draft National Privacy Principle Guidelines May 2001 ch 4, reproduced at <www.privacy.gov.au/publications/ dnppg.html>.
 Clarke R ‘Beyond the OECD Guidelines: privacy protection for the 21st century’ (4 January 2000), section 6.10; available at <www.anu.edu.au/ people/Roger.Clarke/DV/PP21C.html>.
 Bygrave L ‘An international data protection stocktake @2000. Part 1: regulatory trends’ (2000) 6(8) PLPR 129.
 Flaherty above note 6 at p 381.
 Flaherty above note 6 at p 381.
 Clarke ‘Privacy as a means of engendering trust in cyberspace commerce’ (2001) 24(1) UNSWLJ ,290 at 295.
 Clarke, above note 37 at ,section 4.6.
 Note, however, the provision ,under the BDSG that the Data Protection Commissioner’s term may be renewed only once.
 Clarke above note 37.
 Bygrave above note 38.
 Davies ‘Unprincipled privacy: why the foundations of data protection are failing us’ (2001) 24(1) UNSWLJ 284 ,at 288.
 Waters above note 2 at 125.
 O’Connor J ‘Protection of personal information by law in Australia: 11 years after the passage of the Federal Privacy Act’ (1999) 6(4) PLPR 61 at 62.
 Flaherty above note 6 at p 385.
 Flaherty above note 6 at p 384.
 OECD Guideline 4.
 Article 13(a) EC Directive.
 Section 1(2) BDSG.
 Waters ‘The New Australian Privacy Landscape’ UNSW CLE Seminar 14 March 2001, p 5, referring to s 6 and Schedules to Freedom of Information Act which are ‘imported’ by reference in s 7.
 Clarke above note 37 at section 4.1.
 Clarke above note 37 at section 4.2.
 Greenleaf G ‘Editorial: a Bill not worth supporting’ (2000) 7(3) PLPR 44.
 Clarke above note 41.
 Article 6(1)(b).
 Translation as appears in an English version of the Act available at <www.datenschutz-berlin.de/gesetze/ medien/iukdge.htm>.
 In the history of the Act, the Federal Privacy Commissioner has made only two formal s 52 determinations of complaints: Greenleaf G ‘“Tabula Rasa”: Ten Reasons Why Australian Privacy Law Does Not Exist’ (2001) 24(1) UNSWLJ 262 at 266.
 See for example Greenleaf above note 19 at p 16.
 While a determination will be prima facie evidence of the facts upon which the determination was based ,(s 55B(3)), in one critic’s view, ‘this does not address the fundamental problem of unsuccessful complainants having no right of appeal’: Greenleaf above note 19 at p 17.
 Greenleaf above note 19 at p 17.
 Greenleaf above note 57.
 Greenleaf G ‘Reps Committee protects the “privacy-free zone”’ (2000) 7(1) PLPR 1 at 4.
 Section 6D(4).
 The potential to rort the small business operator exemption is outlined in Greenleaf above note 66 at 5.
 Section 7B(3).
 Section 6(1).
 Section 6C(1), (3) and (4).
 Section 7C.
 Recent years have seen the implementation by EU Member States of the Directive into national law, while many non-EU countries have also recently enacted privacy legislation in (at least) partial response to the Directive and particularly, arts 25 and 26, which generally provide that EU Member States are to transfer personal data concerning its citizens only to third countries whose data protection laws are deemed ‘adequate’ by the EU.
 Greenleaf G ‘Stopping surveillance: beyond “efficiency” ,and the OECD’ (1996) 3(8) PLPR ,148 at 148-149.