Privacy Law and Policy Reporter
This paper was prepared for a conference on the International Dimensions of E-commerce and Cyberspace Regulation, organised by the Baker & McKenzie Cyberspace Law and Policy Centre, University of New South Wales, in October 2002.
The European Union (EU) has been enormously influential in the development of privacy law and practice worldwide.
This is primarily due to the provisions in the Directive on Data Protection (95/46/EC) on transborder data flow, but is also due to the sheer weight of considered policy positions emerging from the joint efforts of more than 15 individual privacy regulators and the experts that are regularly convened by various EU-related institutions to advise and develop policy positions.
Of growing significance is the international influence of the EU’s position on privacy of electronic communications. The 1997 Telecommunications Privacy Directive (97/66/EC) set the initial parameters and has now been replaced by a new Directive (2002/58/EC) concerning the processing of personal data and the protection of privacy in the electronic communications sector. The new name deliberately and significantly encompasses all electronic communications. The Directive requires revised legislation in all EU member states by 31 October 2003 and also sets a new benchmark for communications privacy around the world.
Often confused with the EU is the older 44-member Council of Europe (the Council), which has also had a privacy program for more than 20 years. The Council’s European Convention on Human Rights and Fundamental Freedoms (1950), which gives individuals rights that can be enforced through the European Court of Human Rights, contains a privacy principle in art 8:
Everyone has the right to respect for his private and family life, his home and his correspondence.
This right can be restricted by a public authority only in accordance with domestic law and in so far as it is necessary, in a democratic society, for the defence of a number of legitimate aims.
Based on art 8, the Council adopted a data protection Convention in 1981 which has been ratified by 21 member countries. Other members have signed the Convention with a view to ratification and even non-member countries can accede to the Convention. Since the Convention came into force in 1985, Council working parties of experts have drawn up numerous recommendations which have been influential in guiding policy development in member countries and more widely (Australia has attended some meetings as an observer). The Council’s most recent work was Guidelines for the protection of privacy on the internet.
A body of privacy case law has emerged from the European Court of Human Rights, including judgments on the use of telephone interception and listening devices, police powers to investigate sensitive medical records, disclosure of sensitive health information, dismissal of homosexual service personnel and records concerning transsexuals. While the UK seems to have been the country most often defending art 8 actions, there have been cases involving a range of countries including Romania, Ireland, France, Sweden and Finland.
Another Council of Europe initiative relevant to privacy is the Convention on Cybercrime, developed by the Council and other countries including the US and adopted in 2001, which encourages international co-operation in law enforcement, but contains some limitations and safeguards designed to preserve as far as possible fundamental rights and freedoms, including privacy.
The Council and the EU increasingly work together on issues such as privacy to ensure consistent recommendations and make best use of intellectual resources.
It is important to recognise that there are limits to the jurisdiction of EU law, imposed by the treaty establishing the EU. Expressly excluded are activities concerning public security, defence, state security and criminal law, which fall outside the scope of that treaty.
The Directive required all member states to enact compliant legislation by October 1998. Several states failed to meet this deadline, and in January 2000 the Commission took five countries to the European Court of Justice.
As at September 2002, only Ireland, Luxembourg and France still had their legislation under consideration. In these states, where the implementing legislation is not yet in place, individuals are entitled to invoke some of the Directive’s provisions before national courts.
The European Commission (the Commission) is currently reviewing the general data protection Directive. During a consultation period earlier in 2002, more than 9000 submissions were received from the public and over 1000 from data controllers, with the findings presented at a conference in late September. As at 2 February, 67 position papers from a range of business and public interest organisations were available on the EU website.
A report was due by the end of 2002, but has been delayed, and EU officials have been at pains to hose down expectations that the review will lead to changes to the Directive itself — instead their emphasis is on improving implementation and compliance.
The program for the September/October conference included reports on the consultation and submissions, and workshops on implementation issues; the internet and privacy enhancing technologies (PETs); processing of sound and image data; international issues (including applicable law and jurisdiction); rights and interests of data subjects; and on improving compliance. Many of the papers prepared for the conference are available online at the EU data protection site.
A key feature of the EU Directive and the domestic legislation it has spawned is the provision to ensure that European individuals do not lose privacy protection rights when information about them is transferred to other jurisdictions (transborder data flow).
Articles 25 and 26 of the Directive require member states to restrict transfers of personal data to third countries unless one of a set of conditions is met. The exceptions in art 26.1 include the express consent of the individuals concerned, the performance of contracts, legal proceedings and emergencies; art 26.2 allows transfers where adequate safeguards are imposed on a case by case basis. But all of these exceptions require time and effort on the part of an intending data exporter. Far easier is the provision in art 25 for the restriction to be lifted for all data transfers where the destination country has a law or other binding scheme which provides adequate protection, in terms of both standards and remedies (art 25).
The Council and the European Parliament have given the Commission the power to determine, on the basis of art 25.6 of the Directive, whether a third country ensures an adequate level of protection by reason of its domestic law or of the international commitments it has entered into.
The adoption of a Commission decision based on art 25.6 involves:
The effect of such a decision is that personal data can flow from the 15 EU member states and three EEA member countries (Norway, Liechtenstein and Iceland) to the third country without any further safeguard being necessary.
As at September 2002, the Commission had recognised Switzerland, Hungary, Canada and the US Department of Commerce’s Safe Harbor Privacy Principles as providing adequate protection. The Commission is conducting discussions with several other countries but has publicly indicated that it finds the current Australian law ‘inadequate’ in several significant respects (detailed more fully below). Even the NZ law, which is far more comprehensive in its coverage, is missing some key features like an ‘onward transfer’ provision and complete coverage of non-residents.
The decision on Safe Harbor was widely seen as a pragmatic concession to the economic and political power of the US, since the scheme meets only a few of the criteria for adequacy set out by the Commission.
The EU’s specific criticisms of the Australian federal law in relation to ‘adequacy’ assessment are most clearly set out in a paper from the Working Party of Data Protection supervisory authorities set up under the Directive.
The criticisms include:
Most of these criticisms had already been made by domestic interests, with a warning that they could prevent the amended law being assessed as adequate. But despite its declaration of EU compliance as one of its objectives, the Federal Government stubbornly refused to make what in some cases would have been fairly minor amendments (although the exemptions were a major point of principle). The Article 29 working party’s opinion is that all of these weaknesses would need to be rectified before a finding of adequacy could be made.
However, it is important to recognise that the Article 29 working party does not get the final say — as explained above, decisions on adequacy are ultimately made by the Commissioners on advice from their public servants and representatives of member states. This explains why the US Safe Harbor scheme was approved despite significant reservations by the Article 29 working party. It is quite likely that, provided the Australian Government can satisfy some of the major objections, Australia could be declared under art 25.6 to have adequate laws despite some outstanding criticisms. The Federal Attorney-General’s Department has been negotiating with the Commission since the criticisms were made, and its response to the criticisms is set out in the lead article in this issue. The article indicates that the Government has already agreed in principle to an amendment to address the sixth criticism — concerning ‘non-Australian’ data — in advance of the planned 2003-4 review of the Act.
Pending any action by EU member states to restrict information flows, the greater impact of the Directive has been its influence on the content of privacy laws in other jurisdictions, including Australia. In the hope of ensuring that the EU would assess their domestic laws as providing adequate protection, most privacy laws passed since the mid-1990s have included most of the elements of the Directive, including specifically a transborder data flow principle based on arts 25 and 26.
In Australia, the Privacy Act 1988 (Cth) now includes, as one of the National Privacy Principles applying to the private sector, a transborder data flow principle (NPP 9). The same language is used in IPP 9 in the Information Privacy Act 2000 (Vic) applying to Victorian public sector agencies. The Privacy and Personal Information Protection Act 1998 (NSW) contains a similar provision as part of IPP 12 (s 19). It will apply to NSW government agencies only once activated by a code of practice, which the Privacy Commissioner was to issue by July 2002 but which was still under development in September 2002.
Privacy Commissioners worldwide have shared a reluctance to initiate action to disrupt transborder data flows — the stakes are high in terms of trade and inter-governmental operations. The potential impact of transborder data flow principles in State laws is even greater than in national laws given the volume of interstate information exchanges.
The Hong Kong law includes a similar provision but this has yet to be commenced and the HK Privacy Commissioner has recently suggested that it not be, on the basis that the provision cannot be enforced if Hong Kong’s business interests in Asia are to be safeguarded. Privacy commissioners in EU member states have also been very guarded in their enforcement of the transborder data flow principles which have been included in their domestic laws, in most cases at least since 1998 and often before.
While the EU’s approval to date of four laws or schemes represents the beginnings of a ‘white list’, no one has dared to openly place any jurisdiction on a ‘black list’. Most privacy commissioners, and the international business community, have tried hard to avoid passing negative judgment on any particular jurisdiction and have concentrated their efforts on devising appropriate forms of contract to satisfy art 26.2. Both the EU and the Council have issued ‘model’ contracts, as have the International Chamber of Commerce and the HK Privacy Commissioner.
To date, the Australian Privacy Commissioners have not issued any advice on the implementation of their respective transborder data flow principles beyond effectively suggesting that data exporters take expert legal advice.
Another potential solution to the lack of an EU adequacy assessment lies in the use of codes of practice under the Federal Privacy Act. The Directive is clear that other binding schemes can be a substitute for law, and the Australian private sector amendments were expressly designed to allow for binding codes of practice, developed by specific organisations or sectors. The Internet Industry Association (IIA) took an initiative in 2001 to develop a code of practice which had an ‘EU compliant’ version which addressed most of the EU criticisms. The IIA discussed their draft with the Commission, which appeared to show some interest, but the initiative was suspended during 2002 pending legislative amendments to ensure that the Privacy Commissioner could approve a code which expressly extends the effective jurisdiction of the Act, and that he could handle complaints under such a code.
The other significant influence of the general Directive on Australian privacy law and practice is through the published work of the Article 29 committee. Apart from its opinions in relation to art 25 adequacy assessments, its regular meetings have generated more than 30 papers on specific topics, mostly concerning the application of the Directive’s articles to areas of new technology or particular sectors such as airline reservation systems, credit reporting and the media. These have proved valuable resource documents for those in Australia and elsewhere who are trying to apply similar principles to the same issues and sectors.
Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector was passed by the Council in July 2002. This replaces the old telecommunications privacy Directive 97/66/EC. That Directive was influential in setting an international standard for such issues as authorisation for interception (art 5); access to traffic data (art 6); itemised billing (art 7); calling line identification (art 8); personal information in directories (art 11); and unsolicited calls (art 12). EU member states were required to enact consistent domestic legislation to implement the Directive by October 2000.
While not as directly relevant to overseas law as the general Directive (because of its transborder data flow provisions), the telecommunications privacy Directive has proved useful in debate on telecommunications privacy issues elsewhere. In Australia, privacy and consumer groups have used the Directives as a benchmark in discussions over Pts 13-15 of the Telecommunications Act 1997, amendments to the Telecommunications (Interception) Act 1979, and various Australian Communications Industry Forum codes of practice, including those on calling number display and the integrated public number database.
The new name of the replacement Directive deliberately and significantly encompasses all electronic communications. The Directive requires revised legislation in all EU member states by 31 October 2003.
The new Directive represents some gains and some losses for privacy. On the positive side, it is more privacy protective in relation to unsolicited emails, SMS and faxes, which will have to be on an opt in basis with prior consent; and on cookies, which will have to be explained to customers, with a right to decline them. Consent will also be required for use of location data on mobile phone users, with a right to ‘block’ processing of location data (similar to the blocking of calling number display). Consumers will also have to give prior consent to inclusion in public directories, but member states can authorise reverse search (number to name) capability.
On the negative side, the most controversial provision is about retention of traffic data. The European Parliament abandoned attempts to restrict the ability of member state governments to require telecommunications companies to retain traffic data for access by law enforcement and other government agencies. The earlier Directive required traffic data to be destroyed once it was no longer required for billing purposes, but law enforcement and intelligence agencies have been pressing for longer retention as a resource for investigations. This issue will now be left to the discretion of national legislatures.
In relation to telecommunications privacy, the International Working Group on Data Protection in Telecommunications (IWGDPT), initiated by EU privacy commissioners’ offices, has played a similar role to that of the Article 29 committee in relation to the general Directive. The IWGDPT has met regularly for more than a decade and has produced many authoritative and influential papers on telecommunications privacy issues.
Other EU legislation (Directives) will from time to time raise privacy issues. Often these may not be recognised as such, and measures are passed which necessarily lead to privacy intrusions without full and open debate. The EU, like most national governments, lacks any systematic process for identifying and considering the privacy implications of other initiatives.
One proposed Directive which has been recognised as privacy sensitive is that on the re-use and commercial exploitation of public sector information. Motivated by a desire to increase the use of public sector information for value added services, the discussion paper nevertheless recognises privacy protection as one potential constraint. The European debate on this proposal will prove useful in the context of similar debates elsewhere. In Australia the Federal Privacy Commissioner is currently considering submissions on a draft information sheet on the collection of publicly available personal information, and the Victorian Commissioner has recently reported publicly on access to building permit data. Both the NSW and Victorian privacy laws contain specific provisions dealing with public registers. However, both of these laws and also the federal Act are confused and inconsistent in the way they deal with public information.
One of the most widely publicised EU interventions in the international privacy debate has been the enquiry by the European Parliament into the ECHELON communications monitoring system operated by the UKUSA partners (US, Canada, UK, Australia and New Zealand). Widely thought to involve systematic monitoring of satellite telecommunications worldwide, this secretive project falls outside the coverage of most telecommunications interception laws, and if safeguards are in place they are not publicly acknowledged. Given understandable concerns about the potential not just for privacy intrusion but also for commercial spying, the Parliament set up a special committee to enquire into ECHELON and a final report was tabled in July 2001. It is understood that subsequent negotiations between the EU and the UKUSA countries about accountability and limitations on communications monitoring have been caught up in the general post-11 September anti-terrorism developments.
The other main forum in which privacy law and regulation is being discussed and developed is the Organisation for Economic Co-operation and Development (OECD), comprising 30 developed nations including the US, Canada, Mexico, Australia, New Zealand, Korea and Japan as well as most European states. Recent developments are covered in the article by Peter Ford of the Australian Federal Attorney-General’s Department already mentioned (see p 141).
The OECD’s continuing involvement in the privacy issue reflects the fact that it was, simultaneously with the Council, an early pioneer. Its 1980 Privacy Guidelines included a set of principles which have formed the basis of most subsequent privacy laws, including the Directive on Data Protection, and were re-affirmed in 1998. The OECD has also been active, often under Australian leadership, in the related areas of IT security (1992 and 2002 Guidelines) and cryptography policy (1997 Guidelines), and in the development of a privacy statement generator.
Discussion of privacy developments in other international forums can be found in various articles in Privacy Law and Policy Reporter, for the last decade the main privacy journal in our region.
No direct mention has been made in this paper of all the unilateral initiatives and developments in jurisdictions around the world which are of course relevant to Australian privacy law and practice. Recent developments such as renewed interest in identity cards and biometrics, data matching and profiling, video surveillance and face recognition, and mobile phone location tracking, to name only a few of the most visible, are and will remain major influences. Many of these are occurring in the areas of law enforcement and national security which are expressly outside the jurisdiction of the EU. Some non-European countries have resented the perception that the Europeans have been trying to force a particular, and narrow, approach to privacy protection on the rest of the world through the application of the transborder data flow provisions in the Directive. There have been efforts to ensure that international privacy developments are in future focused on broader based institutions — notably the OECD. Nevertheless, within the areas of activity that the EU and the Council cover, these institutions have been enormously influential and will remain so.
Nigel Waters, PLPR Associate Editor and principal of Pacific Privacy Consulting.
Directive on privacy and electronic communications July 2002. Available online through the EU Information Society Directorate website at <europa.eu.int/information_society/topics/telecoms/index_en.htm>.
See <www.coe.fr/DataProtection/edocs.htm>.
Convention No 108, for the protection of individuals with regard to automatic processing of personal data 1981.
Recommendation R(99)5 1999.
See ECHR case law database at <hudoc.echr.coe.int/hudoc/>.
Convention on Cybercrime European Treaty Series No 185 November 2001. As at October 2002, there were 33 signatories but only one ratification (Albania). Five ratifications including three by Council of Europe members are required before the Convention comes into force.
The 1992 Maastricht Treaty on European Union, as amended by the Amsterdam Treaty of 1997.
Articles 3 and 4 of the Treaty on the European Community list areas of competence and art 5 restricts the jurisdiction of the Community on all other matters. These other matters may however be within the scope of the separate Treaty on European Union which pledges co-operation on matters such as foreign affairs, defence and law enforcement.
See <europa.eu.int/comm/internal_market/en/dataprot/lawreport/index.htm>.
European Union Submission to the Senate Committee inquiry into the then Privacy Amendment (Private Sector) Bill 2000 and subsequent speeches and papers.
Privacy Act 1993 (NZ).
Article 29 Working Party Opinion 3/2001 on the level of protection of the Australian Privacy Amendment (Private Sector) Act 2000.
Personal Data (Privacy) Ordinance 1995, s 33.
South China Morning Post September 2002.
European Union Decision 2002/16/EC; Model Contract prepared jointly by the Council of Europe, EU and International Chamber of Commerce 1992; HK Office of the Privacy Commissioner, Fact Sheet No 1, ‘Transfer of personal data outside Hong Kong: some common questions’ April 1997.
Office of the Federal Privacy Commissioner, Guidelines to the National Privacy Principles, September 2001; Office of the Victorian Privacy Commissioner, Guidelines to the Information Privacy Principles, Part Two, August 2002.
See <europa.eu.int/comm/internal_market/en/dataprot/wpdocs/index.htm>.
Directive on privacy and electronic communications, above note 1.
See <www.acif.org.au>.
See <www.datenschutz-berlin.de/doc/int/iwgdpt/index.htm>.
See <www.cordis.lu/econtent/psi/pubsec.htm>.
Privacy and Personal Information Protection Act 1998 (NSW) Pt 6; Information Privacy Act 2000 (Vic) s 16(4).
See <www.europarl.eu.int/committees/echelon_home.htm>.
Organisation for Economic Co-operation and Development Guidelines on the Protection of Privacy and Transborder Flows of Personal Data OECD Paris 1980.
1998 Ministerial Declaration on the Protection of Privacy on Global Networks.
See <www.oecd.org/EN/documents/0,EN-documents-43,-1-no-24-no-43,00.html>.
See <www.austlii.edu.au/au/journals/PLPR/>.