Privacy Law and Policy Reporter

Ford, Peter --- "Implementing the EC Directive on Data Protection - an outside perspective" [2003] PrivLawPRpr 1; (2003) 9(8) Privacy Law and Policy Reporter 141


Implementing the EC Directive on Data Protection — an outside perspective

Peter Ford

This paper, written in August 2002, was presented to the European Commission conference reviewing the implementation of the EU Data Protection Directive 95/46/EC, held in Brussels on 30 September and 1 October 2002 — Associate Editor.

I have called this an outside perspective because my experience in this area is that of someone who has been coming to Brussels for about five years now for discussions on the Directive on Data Protection (Directive 95/46/EC) (the Directive) with European Commission officers. As any trip from Australia to Europe, or the other way, is a major undertaking, our discussions were arranged to follow meetings in Paris of the Organisation for Economic Co-operation and Development’s (OECD) Working Party on Information Security and Privacy. In December 2000, Australia amended its Privacy Act 1988 (Cth) to cover the private sector. The nature of the discussions changed accordingly to focus on the meaning and application of particular provisions of the amended Act.

Before addressing the issues from an Australian perspective however, which I will do in the second half of this paper, I would like to address them in my capacity as chair of the OECD’s Working Party on Information Security and Privacy. In so doing I must emphasise that I am not speaking on behalf of the Working Party, which has not yet completed its report on the privacy issues that have been referred to it, but in a personal capacity. In relation to Australian Government policy, I am, of course, speaking as a professional public servant.

The Directive greatly advanced the protection of privacy in Europe. Having regard to the size of the European Union (EU), its global significance in providing protection for personal information which flows across national borders is difficult to overstate. The Directive has also been of fundamental importance in promoting a greater level of confidence within Europe in electronic communication and commerce.

Beyond Europe however, the Directive has also raised some difficult issues in its application to data transfers across national borders. The accommodation reached between the US and Europe in the US Safe Harbor Principles seemed, at first, to indicate a measure of flexibility on the part of the European Commission (the Commission); however, our experience has been that what is acceptable from the US will not necessarily be accepted from other countries. I should note that the charge that there has been an inconsistency of application of the adequacy test has been vigorously rejected by the Commission and I will return to it later. The other objectionable feature, I will argue, is an excessively regulatory approach flowing from a tendency to use the Directive as a template for the laws of non-EU countries.

OECD privacy principles

First, it is opportune to recall the language of Part Three of the OECD’s Information Privacy Principles, contained in the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data of 1980 (the Privacy Guidelines):

Basic Principles of International Application: Free Flow and Legitimate Restrictions

15. Member countries should take into consideration the implications for other member countries of domestic processing and re-export of personal data.

16. Member countries should take all reasonable and appropriate steps to ensure that transborder flows of personal data, including transit through a Member country, are uninterrupted and secure.

17. A Member country should refrain from restricting transborder flows of personal data between itself and another Member country except where the latter does not yet substantially observe these Guidelines or where the re-export of such data would circumvent its domestic privacy legislation. A Member country may also impose restrictions in respect of certain categories of personal data for which its domestic privacy legislation includes specific regulations in view of the nature of those data and for which the other Member country provides no equivalent protection.

18. Member countries should avoid developing laws, policies and practices in the name of the protection of privacy and individual liberties, which would create obstacles to transborder flows of personal data that would exceed requirements for such protection.

This language is, I suggest, hardly consistent with a restrictive, Eurocentric assessment of the privacy laws of countries outside the EU. On the contrary, it suggests that the test for ‘adequacy’ should be based on an assessment of substantive outcomes rather than legalistic analysis of the minutiae of privacy regulation.

Since the development of the Privacy Guidelines, the OECD has continued to work in the area of privacy, particularly in relation to the digital economy. In 1997 and 1998 the OECD held conferences that gave broad political attention to online privacy issues. These culminated in a Ministerial level conference in Ottawa in October 1998 entitled ‘A Borderless World: Realising the Potential of Global Electronic Commerce’.

The Ottawa conference adopted a Ministerial declaration that recognised the 1980 Privacy Guidelines as representing an international consensus on privacy standards and providing guidance on the collection of personal information in any medium. The Guidelines were also seen as a foundation for privacy protection on global networks.

The Ministers re-affirmed their commitment to the protection of privacy on online networks and agreed to take steps necessary to ensure the effective implementation of the Privacy Guidelines on global networks.

Since the Ottawa conference, the Working Party on Information Security and Privacy has focused much of its work on the implementation of six elements for online privacy protection.

1. Encouraging the adoption of privacy policies

The OECD Privacy Policy Statement Generator was developed as an educational internet technology tool which provides organisations with a step by step guide to implementing privacy protection consistent with the Privacy Guidelines. The generator assists organisations to review their current privacy practices and makes use of a questionnaire to learn about the organisation’s practices. A draft policy statement is then created by the generator, which provides an indication of the extent to which the organisation’s practices adhere to the Privacy Guidelines.

2. Encouraging the online notification of privacy policies to users

By making the Privacy Policy Statement Generator freely available, the OECD has contributed to both business and individual awareness of online privacy issues. The generator has made it easier for business to provide consumers with online notice of their privacy policies.

3. Ensuring that enforcement and redress mechanisms are available to users in cases of non-compliance with privacy standards

The OECD has done a considerable amount of work on online alternative dispute resolution (ADR) mechanisms for business in consumer privacy and consumer disputes. It has given member countries guidance as to how best to use ADR by providing comprehensive information about:

In addition to its work on ADR, the OECD undertook to survey and analyse enforcement mechanisms that are available to address non-compliance with privacy principles. The completion of this analysis, hopefully by early next year, will provide a better understanding of how privacy safeguards and enforcement mechanisms can enhance the implementation of the Privacy Guidelines and generate better privacy outcomes.

4. Promoting user education and awareness about online privacy and the means of protecting privacy

Promoting user education and awareness was seen early on as an important tool to assist the implementation of the Privacy Guidelines. The OECD took the view that education had to be more than simply the dissemination of information. It is a process of communication that must take into account the diversity of interests of the various users of global networks. Efforts have been made to understand the cultural and other differences between users. More dedicated work may be undertaken on this in the future.

5. Encouraging the use of privacy enhancing technologies

Privacy enhancing technologies (PETs) have been of great interest to the OECD. They can empower individuals to choose their own level of privacy and control their own personal data. However, these technologies vary in their ability to respond to different privacy concerns. The OECD produced an inventory of PETs to analyse their availability and variety; consider the factors affecting their adoption; and form a basis for policy makers to consider their deployment. OECD member countries have agreed that PETs are helpful tools and to encourage both individual and corporate users to deploy them.

6. Encouraging the use and development of contractual solutions for online transborder data flows

The OECD prepared a report on transborder data flow contracts as part of the wider framework for online privacy protection. The report examines the issues raised by applying contractual analysis to business to consumer online communications.

Member countries recognised the potential benefits of business to business model contracts. They therefore welcomed the work being carried out in this area by other international organisations, including the Commission. It is hoped that through co-operative efforts, effective contractual privacy solutions can be achieved.

I should add here, though, that the Australian experience with model contractual provisions is not entirely positive. While excellent work has been done to create model clauses, the clauses themselves are still based on the regulatory environment of the Commission. As a result, they do not necessarily fit well within the Australian commercial environment. We are involved in continuing discussions with the Commission on this issue and are hopeful of resolving our differences.

Australian Privacy Act

Turning now to the Australian Privacy Act 1988 (the Act), I will speak for the remainder of this paper in my capacity as Australian negotiator in relation to the Directive. I will preface my remarks with a comment I have often heard from a colleague in the OECD working party; that is that my criticisms are intended to be constructive and I hope they will be received in that light. Also, my criticisms are directed not towards the staff of the Commission, for whom I have great respect, but at the process of assessing adequacy.

The Attorney-General has characterised the Act as embodying ‘light touch regulation’ based on the OECD Privacy Guidelines. A public response from Brussels, if not from the Commission itself, is set out in two documents which make it possible to discuss the issues in a public forum without breaching confidences. The first is a submission to the Senate Standing Committee on Legal and Constitutional Affairs when the legislation that became the Act was before the Australian Parliament, and the second is an advisory opinion of the Data Protection Commissioners under Article 29 of the Directive dated 26 January 2001 (the Article 29 opinion). For convenience, I will limit my references to this document, noting that it does not necessarily represent the view of the Commission itself.

Australian law also borrows some concepts from the Directive but not its regulatory underpinnings. In essence, the Australian approach is to set minimum standards and allow industry, if it so wishes, to develop its own codes which must be approved by the Privacy Commissioner if they are to operate in place of the statutory standards. A code can be approved only if it ‘incorporates all the National Privacy Principles or sets out obligations that, overall, are at least the equivalent of all the obligations set out in those Principles’: s 18BB(2)(b) of the Act.

While true to the OECD Privacy Guidelines, the National Privacy Principles (NPPs) have been written collaboratively with user representatives and contain practical exemptions and exceptions. The Privacy Commissioner, who is vested with the power to hear complaints and with a range of educative and regulatory functions, has announced a strategy of building, over time, a ‘culture of privacy’. It is a matter of some pride that, in the 14 years of the Act’s operation in the public sector, and the first year of its operation in the private sector, it has not been necessary to use the formal powers conferred on the Privacy Commissioner in order to resolve complaints.

The strategy of building a culture of privacy is one which we believe we share with the EU. We are very serious about it and pay great attention to what is happening in practice in transactions between business and consumers. Wherever possible, we endeavour to utilise market forces in encouraging privacy protection.

In summary, this legislation, which encourages the development of voluntary codes but with enforceable minimum standards, builds on the strengths of both the OECD and the Commission models. At the Attorney-General’s request, the legislation applying to the private sector, which, of course, is still in its infancy, will be reviewed by the Privacy Commissioner in 2003.

The two Commission documents to which I have referred are consistent in that they enumerate a number of objections to the legislation as follows.

Non-Australian data

To date, this is the only objection that has been accepted by the Attorney-General as legitimate and requiring an amendment of the Act. At present, the Act applies only to Australian data and no remedy is provided for a person outside Australia who feels his or her privacy has been infringed in Australia. The Attorney-General has announced his intention to introduce an amendment to provide such a remedy as soon as it can be done within the constraints of the Government’s legislative program.

In this connection, it is also important to note that non-Australian data is, in fact, covered by the Act. It is only the Privacy Commissioner’s power to enforce the protection of such material that is at issue.

Generally available publications

The Article 29 opinion says:

The collection of data for the purpose of including it in a generally available publication falls within the scope of NPPs 1 (collection), 2 (use and disclosure) and 3 (data quality) but once the information is compiled in a format such that it comes within the definition of a generally available publication, the remaining Privacy Principles are not applied. This excludes all individual rights such as access and correction.

The working party notes that excluding publicly available personal data and in particular the secondary uses thereof from any protection is contrary to the line taken by the directive. Moreover the 1980 OECD Guidelines contain no such general exemption.

With respect, it is difficult to imagine what useful purpose might be served by a requirement for a right of access to a document which is already publicly available. Further, the discussion of a right of correction is highly theoretical and unrealistic when it is considered that NPP 6 provides an access and correction right that is in accordance with the OECD Individual Participation Principle.

The application of the NPPs to publicly available information will, however, be monitored. In this connection, the Privacy Commissioner has issued a consultation paper on Privacy and Collection of Publicly Available Personal Information. He has announced that following this consultation, he will finalise an information sheet on this issue which, although non-binding, will aim to help organisations apply the Act and the NPPs.

Use and disclosure

Next, objection is taken to an exception to the ‘use and disclosure’ principle which applies where the use or disclosure is ‘required or authorised by or under law’. The Article 29 data protection working party commented:

In the working party’s view it is acceptable to provide for an exception when organisations are faced with conflicting legal obligations, but to widen the exception to cover all options offered by sector specific laws, past present and future, risks undermining legal certainty and devoid the content of the basic protection. The wording ‘authorized’ as opposed to ‘specifically authorized’ which existed in the January 1999 edition of the National Principles can also be read to mean that all secondary purposes that are not forbidden are allowed. In the working party’s view such a wide exemption would virtually devoid the purpose limitation principle of any value.

This is a fundamental misreading of Australian law. This exception is primarily for the purpose of ensuring that personal information can be disclosed in circumstances when the Parliament has deemed disclosure to be appropriate. Such authorisations will almost invariably be specific but there may be some instances where a more general kind of authority would suffice such as, for example, the inherent authority of a parliamentary committee. In our system of government, it would be inappropriate to include the word ‘specific’ in the text of legislation. It would also give rise to new problems with the Australian States.

The following are examples of legislation authorising disclosures.

Consideration is also being given to the granting of authority to particular government agencies in circumstances involving the use of biometric data.

These examples show that ‘authorised by law’ is a fairly tightly delineated concept. Moreover, the rules of statutory interpretation require courts to interpret the Act in a way that furthers its objectives.

The application of the exception where the use is authorised by the common law is an issue of some complexity which will be monitored. In some cases, the application of the common law may be very important. For example, the right of a parliamentary committee to require the production of documents to assist it in discharging its responsibilities depends, to some extent, on principles which have not been expressed in statute law.

With regard to the working party’s concern about future laws, as a matter of constitutional law, future laws will apply in any event. Even if the Act were to be declared to be a fundamental law, Parliament would not be limited in its power to make new laws overriding privacy protections. The primary protection against such action is the role of the Attorney-General in scrutinising new Bills that are under preparation for the Parliament.

Sensitive data

The opinion then objects to the treatment of ‘sensitive data’ on the grounds that, while the collection of such data is subject to additional safeguards, its subsequent use is not. The Australian position is that it is sufficient to impose such regulation at the stage of collection; further regulation is unnecessary.

Transborder data flow

The Australian law on transborder data flow follows that of the Directive but also adds another provision allowing transfers where ‘the organisation has taken reasonable steps to ensure that the information which it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the National Privacy Principles’: NPP 9(f).

While this attracted adverse comment from the Article 29 working party, the substantive point of the criticism was linked to the objection about non-coverage of non-Australian data. As mentioned above, this objection has been accepted and is being addressed.

Employee data

In relation to employee data, the working party observed the following:

Employee records are defined in subsection 6(1) in the broadest sense including information about the engagement, terms and conditions of contract, evaluative material over the performance of the contract, employee’s emergency contacts, trade union membership, recreation long leave, taxation, banking affairs, etc.

The working party notes that employee related data often contains sensitive data and sees no reason to exclude it at least from the protection given by NPP 10 for sensitive information. Moreover the exemptions allow information about previous employees to be collected and disclosed to a third party (eg, a future employer) without the employee being informed.

It is the working party’s opinion that the risk of privacy violations makes it all the more important to impose additional safeguards when exporting this type of data to Australia and recommends that the operators put into place appropriate means to do so (for example, through contractual clauses).

Again, this mis-states the position. The exclusion of employee data is limited as explained in the following extract from the Explanatory Memorandum to the Privacy Amendment (Private Sector) Bill 2000:

The Government has agreed that the handling of employee records is a matter better dealt with under workplace relations legislation. An act or practice engaged in by a current or former employer of a person in relation to an employee record will be exempt from the operation of the legislation if the act or practice is directly related to the current or former employment relationship. The requirement of a direct link to the employment relationship has been included to ensure that employers cannot use employee records for commercial purposes unrelated to the employment context.

An employee record is defined broadly as a record relating to the employment of an employee and includes the types of records typically held by employers on personnel files.

The exemption does not allow a past employer to forward information to a prospective employer without the employee being informed. The prospective employer would have to comply with the collection principle and notify the individual of the collection.

Moreover, the practical implications for the EU of this exclusion are not very substantial given that Australian companies are not major employers of European labour.

Small business

Understandably perhaps, the working party expresses concern over an exception relating to small business. Again however, the law is not well understood.

The Article 29 opinion states that the complexity of the small business exemption renders it necessary to assume that all data transfers to Australian businesses are potentially to a small business operator which is not subject to the law, unless the name of the small business is in the Privacy Commissioner’s Register.

However, the working party does not appear to understand the way the exemption will operate, and in particular, the limits on the exemption. There is no acknowledgment of the practical reality that most Australian businesses that deal with businesses in Europe or elsewhere will be covered by the Act. The assumption should be that businesses are covered rather than the reverse.

The following outlines the limits of the small business exemption in s 6(D)(A) — an individual, body corporate, partnership, unincorporated association or trust is not a small business operator and is therefore subject to the Act if it:

(1) has an annual turnover exceeding $A3 million;

(2) provides a health service and holds health information (except on an employee record);

(3) discloses personal information for benefit, service or advantage (other than with the consent of the individual or as required or authorised by legislation); or

(4) provides a benefit, service or advantage to collect personal information (other than with the consent of the individual or as required or authorised by legislation).

A body corporate is not a small business operator and is therefore subject to the Act if it is related to a body corporate that carries on a business that is not a small business: s 6D(9).

The Australian Government has excluded from the ambit of the legislation only those small businesses that pose no threat or a low threat to privacy. This was based on a considered view that the risk of privacy breaches from a sector that rarely trades in personal information is small and does not justify the costs of regulation in this area. For example, the local butcher may hold personal information about some of his or her customers solely for the purpose of satisfying customer needs or for billing purposes. Such a business does not trade in personal information. There are sound policy reasons why that small business should not be subject to privacy regulation.

However, the Australian Government recognises that there are some small businesses that do pose a risk to privacy. For example, businesses that trade in personal information pose such a risk. Businesses that provide health services and hold health information also pose a privacy risk because of the sensitivity of the personal information they hold. In addition, small businesses that are related to large businesses are considered to pose a privacy risk by virtue of their relationship to a large, more sophisticated organisation. It is for these reasons that such businesses are specifically excluded from the exemption. In other words, these high privacy risk businesses are covered by the legislation and must comply with it.

One easily identifiable way to know whether a business is covered or not is to check its privacy statement on its website (or other documentation). NPP 5 requires an organisation to be open about how it deals with personal information and to provide its policies to anyone who asks for them. If an organisation holds itself out as subject to, and complying with, the legislation when in practice it does not, then action can be taken under Pt V of the Trade Practices Act 1974 (Cth) for misleading conduct.

The effect of (3) and (4) above is to ensure that businesses that trade in personal information are denied the benefit of the small business exemption and are covered by the Act. This requirement provides certainty for organisations outside Australia that deal with Australian businesses. That is, if an Australian business offers to trade in personal information with an overseas organisation, the organisation can assume that the Australian business is subject to privacy regulation regardless of whether it is a small or large business as illustrated by the following examples.

— An Australian business X offers to provide a European business Y with personal information about all of its customers for $A1000 or in exchange for some other service from Y. In these circumstances, X can be assumed to be ‘trading in personal information for a benefit, service or advantage’ and be outside the scope of the small business exemption and therefore subject to privacy regulation.
— Australian business X offers to pay European business Y $A1000, or provide a service to it, for personal information about the customers of Y. In these circumstances X can be assumed to be ‘trading in personal information for a benefit, service or advantage’ and be outside the scope of the small business exemption and therefore subject to privacy regulation.

It should be noted that the exclusion of health information from the exception is of fundamental practical importance.

Direct marketing

Direct marketing also attracted attention because, although the Act requires that recipients of direct marketing be given an opportunity to ‘opt out’, it does not strictly prohibit the collection of information for the purpose of direct marketing (although it does circumscribe the opportunity for such activities). The practical result is that direct marketers get one opportunity to send marketing material without the recipient’s consent. Objecting to such an arrangement as ‘inadequate’ in terms of privacy protection is, I suggest, with respect, a mere quibble. Moreover, to descend to this level of detail seems to me to confuse means with ends. Accepting that it is legitimate for the EU to say what it requires by way of protection of European data, it is surely a matter for third party countries to say how they will provide such protection. Australian consumers are given an unqualified right to ‘opt out’ of receiving direct marketing.

This is an area where the test imposed on Australia also seems to be more restrictive than that imposed on the US. As I read the ‘Notice’ principle and FAQ 12 — Choice — Timing of Opt Out, information may be collected for the primary purpose of direct marketing without first obtaining consent.

Notice

Finally, the Article 29 opinion notes that the Australian collection principle allows organisations to inform individuals before, or at the time of, collection but also adds that if this is not practicable, it may inform individuals as soon as practicable thereafter. It criticises this result as a departure from the Privacy Guidelines and says that it is of importance in regard to sensitive data. This misinterprets the legal position. NPP 10, which applies to the collection of sensitive information, requires prior consent except in very limited circumstances. In this connection, it is also interesting to compare FAQ 15 of the US Safe Harbor Principles which states the following:

It is generally not necessary to apply the Notice, Choice and Onward Transfer Principles to publicly available information unless the European transferor indicates that such information is subject to restrictions that require the application of those Principles.

The Act also sets out two new principles relating to anonymity and the use of identifiers. The ‘anonymity’ principle is that, whenever lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation. The ‘identifiers’ principle limits the right of an organisation to adopt as its own an identifier of an individual that has been assigned by a government agency such as a tax file number.

These expansions of privacy protection in Australian law are indicators of our commitment to privacy principles.

Stocktaking — current situation

I suggest there is no credible international privacy standard other than the Privacy Guidelines. The EC Data Protection Directive may serve well as a document for the EU but it is not an adequate basis for international agreement. It is no different in principle from the idea of Australia joining with NZ and Pacific island states (assuming we could reach agreement) to settle a statement of principles and seeking to impose the result on the rest of the world. Of course, the idea of imposing such a settlement would be ludicrous but the only difference from the EU approach is one of size and economic power. Instead, to look to the OECD for such a role is consistent with the OECD’s traditional bridging activities in global economic policy. The importance of the Privacy Guidelines has been acknowledged by Ambassador David Aaron, the US negotiator for the Safe Harbor Principles in the following terms:

Fortunately, we had the precedent of privacy principles that we and the Europeans had agreed upon in the OECD many years ago. This became a touchstone of the discussions.[1]

While I recognise that the EU has a legitimate interest in protecting the privacy of EU data that is transmitted beyond its borders, the nature of modern communications is such that any EU standard of this kind becomes, in effect, a global standard and, having regard to the nature of its comments on Australian law, I doubt whether the Commission itself would take a different view. As such, those of us who live outside the EU have a stake in the outcome. In the absence of an international convention, the Privacy Guidelines are the nearest we have to an international standard.

Of course, this is not to say that the Privacy Guidelines are necessarily the last word. A number of commentators have pointed out that they were drafted against the background of a concern, prevalent in the 1970s, about risks for democratic societies presented by increasingly centralised government databases. That concern, the argument runs, has been replaced by a concern with the misuse of data scattered throughout the private sector but available to many organisations through information networks. Calls for revision of the Privacy Guidelines have not, however, yet been accepted by the OECD. Most recently, the Ottawa Ministerial Conference in October 1998 recognised that the Privacy Guidelines were still applicable in that they ‘represent international consensus and guidance concerning the collection and handling of personal data in any medium, and provide a foundation for privacy protection on global networks’.

A parallel development worth noting is an increasing interest within Asia-Pacific Economic Cooperation (APEC) in discussing privacy issues relating to the transborder flow of personal information. There is clearly some potential for the development of an alternative approach to this issue in that forum.

A curious feature of the debate over international privacy protection is that much of it ignores what is happening ‘on the ground’. We need to factor into policy development, for example, the results of surveys on the extent of notification by online service providers of their privacy policies. The Consumers International survey of 25 January 2001, which found that on a number of indicators online privacy was better observed by US based websites than by EU websites, raises serious questions for advocates of European style legislation.

Relevantly, there is substantial anecdotal evidence that non-compliance with the Directive is widespread throughout the EU. For example, testimony by Mr Jonathan Winer, a US lawyer, before the US Congressional Sub-Committee on Commerce, Trade and Consumer Protection on 8 March 2001 included the following:

A few months ago, I was asked by an American company to look at the privacy policies and practices of an EU company that it was purchasing, as part of due diligence, in order to assess the potential risks of liability for the US firm in connection with the purchase. The EU company was in a consumer business that caused it to acquire, process, and manipulate sensitive consumer personal data hundreds or thousands of times every day of the kind theoretically protected by the Privacy Directive. The EU company had no online privacy policy. It also turned out to have no off-line privacy policy. In fact, it had no privacy policy at all, and after due diligence, we found no evidence that the EU company had ever undertaken steps to comply with the Directive. Ultimately, we advised the US company, which has comprehensive privacy policies in place, to seek indemnifications from the EU company in case the EU privacy regulator decided to sanction it. The EU company was happy to do so: it advised the US company that in this EU country at least, the actual issuance of penalties for non-compliance with the Privacy Directive and with national privacy laws, was almost unknown.

There are some grounds for believing that this kind of experience is not limited to US commercial lawyers.

The impact on Australian companies would differ because they are not likely to be involved in this sort of activity. They can, however, be disadvantaged in tendering for international contracts despite being prepared to sign up to EU standard form contracts simply because of the ‘red tape’ involved.

I should note in passing that, in any assessment of the ‘adequacy’ of Australia’s privacy laws, it needs to be recognised that the Australian legal tradition is one that takes international obligations very seriously and gives full effect to any statutory restrictions. Respect for the law is also deeply entrenched in popular culture.

Domestically, there are arguments that privacy law should go further and countervailing arguments that it already goes too far. Sometimes the arguments are not well informed. For example, since the beginning of this year there has been a widespread and persistent, though erroneous, concern that the law may prohibit members of a religious congregation from praying for a person without that person’s express consent. Such misconceived interpretations make it difficult to pursue genuine law reform. On other issues, the policy debate in Australia reflects global concerns. For example, the current work of the Australian Law Reform Commission and the Australian Health Ethics Committee on genetic privacy is of assistance in ongoing privacy policy work within the OECD.

The potential for ADR in international privacy protection should also be recognised. I was one of the chairs of a joint OECD-Hague Conference on Private International Law and International Chamber of Commerce conference on the role of ADR in privacy protection and consumer affairs held in The Hague in December 2000. I well remember the impassioned debate between US and European speakers on the relative merits of ADR and judicial hearings. What remains even more clearly in my mind, however, is the intervention from the floor of a Singapore delegate who said you ‘would have to be crazy’ to opt for judicial resolution for privacy disputes in preference to ADR in an international context.

The work carried out by the OECD’s Working Party on Information Security and Privacy suggests, to my mind, that the value of ADR in resolving privacy disputes across national borders is substantial. National differences in legal frameworks for ADR may diminish its effectiveness in an international context, but there is no inherent inconsistency between ADR and the implementation of the Directive.

Another matter requiring further consideration is the lasting effect of the events of 11 September 2001. In this connection, the recent debate within the EU Parliament on data retention is instructive. As an outside observer, it seems to me that the cause of privacy was not served by an almost reflexive opposition on the part of some privacy advocates to the demands of law enforcement. Instead of fighting against a requirement for internet service providers to retain data, I suggest that it would have been more productive to have focused on what restrictions and accountability requirements should be imposed on the retention of data once it became clear that governments considered the retention of data necessary for their national security and law enforcement purposes.

The question then is how deficiencies in the implementation of the Directive might be addressed.

First, and most importantly, I suggest that the process be amended to allow for discussions at political level. The process by which the Article 29 working party issues an advisory opinion should also be more transparent.

In our view, we have also been treated differently from the US. For example, in addition to the points already noted, it is possible under the Safe Harbor Principles for US companies to disregard the Directive in relation to generally available publications that contain only US data. No such principle has been recognised for Australia. We understand the concern to ensure that the Directive’s standard of protection in relation to particular issues is not progressively downgraded through negotiations with other countries, but it should not result in different treatment for different countries on issues of detail of this kind.

If, on the other hand, the Article 29 opinion is based on a view that, rather than focus on a comparative assessment of particular issues, there should be an overall assessment of a country’s privacy protection, it follows that there should be some flexibility where the level of privacy protection in the other country varies across the application of the OECD privacy principles. It may be that the level of privacy protection departs from the Directive’s standards on some issues, but on other issues the level of protection may be higher than in Europe or than in another country with an ‘adequacy’ rating (for example, Australia’s additional NPPs).

Even if we are eventually successful in attracting an ‘adequacy’ rating for Australian law however, I suggest more needs to be done to improve international co-operation.

New approach

A more fundamental change would be to promote the Privacy Guidelines as the international standard. This need not require any action from the OECD itself but simply a willingness on the part of member countries to accept a declaration by another country framed in the terms of para 17 (extracted on p 142 above) of the Privacy Guidelines — that it substantially observes the Privacy Guidelines — as evidence of what it says. There will, of course, be objections that there would be nothing to stop declarations being made where there is insufficient privacy protection, but if this should happen one would expect that any deficiencies would soon become apparent. In that event, some kind of remedial action would need to be considered. Such a system would not be perfect but it would at least have the following advantages. It would:

An assurance of a member country’s compliance with the Privacy Guidelines could be provided by the Minister responsible for privacy protection.

Companies incorporated within those countries could then self-certify that they will adhere to the Privacy Guidelines. If this sounds fanciful, consider that it has, in effect, already been accepted by the EU in its arrangement with the US — the US Safe Harbor Principles — and that the US is not the only country that can give legal effect to such arrangements. Failure to enforce privacy protection in a particular case would then be a matter to be raised with privacy regulators. If it were not possible to resolve any such problems through discussions between regulators, it would always be possible to revert to the use of contractual clauses. Over time, it should also be possible to shift the international focus from one of compliance to one of ‘privacy best practice’.

In this connection, it should be recognised that the Directive is not the final word on privacy protection any more than are the Privacy Guidelines or any national legislation. There is a risk that if the Directive’s transborder data flow rules are applied too rigidly the effect will be to stifle innovation and development in the law of privacy protection. The achievement of a basic standard of privacy protection applicable to international data transfers is one thing; the imposition of a rigid uniformity blocking any further development of the law to confront emerging problems associated with technological change is quite another.

In a robust exchange of views in the media with the Attorney-General on the accuracy of the Commission’s interpretation of Australian law, the former EU Ambassador to Australia said, ‘We think the concerns are a little more than niggling and certainly refute the idea we’re ignorant.’ Leaving aside the emotive language, the point of substance is that while we in Australia undoubtedly know less than you do about EU law, we consider, with respect, that we know more about Australian law. There is, in our view, a fundamental flaw in the implementation process in that it runs directly counter to this fact.

Peter Ford, First Assistant Secretary, Information and Security Law Division, Federal Attorney-General’s Department, Australia.


[1] Ambassador David Aaron, testimony to US Sub-Committee on Commerce, Trade and Consumer Protection, 8 March 2001.


URL: http://www.austlii.edu.au/au/journals/PrivLawPRpr/2003/1.html