Neave, Marcia --- "International regulation of the publication of publicly accessible personal information" [2003] PrivLawPRpr 55; (2003) 10(7) Privacy Law and Policy Reporter 120

International regulation of the publication of publicly accessible personal information


This paper was presented at the 25th International Conference of Data Protection & Privacy Commissioners in Sydney in September 2003. It is reproduced here by kind permission of the author and the conference host, the Office of the Privacy Commissioner, Australia.

This paper deals with the international law implications of regulating the collection of, and access to, publicly available information. I should begin with the caveat that I am not an expert in international law and that there are many people here with greater knowledge of privacy law than mine. Instead of proposing solutions to this issue, it may be more useful to identify the problems that will need to be addressed in regulating the international flow of publicly available personal information. Much of this information flow is likely to occur over the web. For that reason I focus on the publication of publicly available information on the internet.

My comments deal with three main issues. First, what are the objectives of a privacy regime which covers publicly available information? This is important because law reform is likely to be unsuccessful unless there is some agreement about the objectives it is intended to achieve. Second, I refer to current regimes for regulating the flow of personal information around the world. Finally, I will discuss some of the problems and issues that would need to be addressed in establishing a regime for regulating the dissemination of publicly available information.

Why protect publicly available information?

A wide range of personal information that is available from public sources may be of interest or value to others. Examples include electoral roll data, information about criminal convictions and civil actions published in newspapers, photographs from newspapers and other publications, information held in court records (for example probate information), material from State registers of births, deaths and marriages, data on company share registers, information about government contracts with particular businesses, and records of property ownership, land use, pet ownership[1] and businesses held by local councils.

Much of this information will be commercially valuable for marketing or fund raising purposes. Information from public sources can assist traders to compile consumer profiles so that they can direct their products to people with particular demographic characteristics. Politicians may want access to voter profiles so they can spin their political messages to appeal to particular electorates.

Current concerns about terrorism and broader law and order debates in Australia are likely to strengthen demand for access to criminal conviction and sentencing information. The Australasian Police Ministers Council wants ‘a national register of convicted sex offenders’. I assume that access to this index will be restricted, but there is already an unofficial paedophile and sex offender index that is publicly accessible.[2]

Finally, people may seek access to information about neighbours and acquaintances simply for reasons of curiosity and gossip. The anonymity which people living in large cities now enjoy because they are one among millions is likely to become increasingly precarious. Websites accessible to curious neighbours and acquaintances may now pull together information about individuals from a wide range of public sources.

Yahoo’s partner USSearch[3] provides access to a vast store of information. For less than US$100, one can obtain a person’s full name, phone numbers, the names of their relatives and neighbours, bankruptcies, tax liens, small claims judgments, marriages and divorces, real property ownership and value, details of arrests, criminal charges and convictions, as well as a search which will include information from 675 media sources. The Web Detective site allows people to ‘check up on the new person who wants to date you’, ‘investigate a suspicious person or neighbour’ or ‘check out a prospective employee (or your boss)’.[4]

Given that this information is already in the public domain in a variety of forms and documents, is there a case for limiting its dissemination over the internet? Should people have the right to correct inaccurate information that is published in this way? What balance should be struck between public interest in the free flow of information and the protection of individual privacy? Should different policies apply to the collection and dissemination of publicly available information for direct commercial purposes and its publication for other purposes, or will it prove impractical to draw such distinctions?

There are a number of reasons why individuals may be particularly concerned about dissemination of information over the internet. First, the compilation of all of a person’s publicly available information in one document through web-based search mechanisms such as Web Detective is likely to provide a much more detailed description of a person than each piece of information on its own. This makes it possible to draw inferences about matters that individuals may prefer to keep private. These inferences may not be confined to facts about the person themselves, but may extend to their relatives. For example, sources like Web Detective would make it possible to pull together media reports about whether a person’s partner or child has been charged with a criminal offence in another jurisdiction. The inferences drawn from such information may be both inaccurate and damaging.

Second, although much of this information was previously accessible through a physical documentary search, once it is published on the internet it becomes available to a much wider audience. People may be subject to unsolicited correspondence (such as email spam or harassment) if their publicly available information (such as their email address or telephone number) is accessible from anywhere in the world simply by undertaking an internet search. Research by the Office of the Federal Privacy Commissioner shows that many people are concerned about the use of publicly available information, for example information on the electoral roll, for marketing purposes.[5]

Third, such information may expose people to the risk of criminal activity; for example, information about the location and internal arrangement of a residential property could increase the risk of burglary. The widespread publication of personal details, combined with use of credit cards for web purchases, could increase the chance of identity theft.[6]

Finally, different information is likely to be publicly available in different jurisdictions. However, once this information is published on the internet, it is available worldwide. For example, information about old criminal convictions or about membership many years ago of an organisation later suspected of having terrorist links may prevent a person from obtaining a visa to enter some countries, even though they are law abiding citizens.

These concerns suggest that, if possible, international law should impose some limits on the free flow of publicly available information. There is also a strong case for allowing correction of inaccurate information which is available from public sources.

Current regimes for the protection of publicly available information

Despite concerns about the use or misuse of publicly available personal information, the Office of the Federal Privacy Commissioner has observed that ‘there is little or no law anywhere in the world governing this sort of activity; there’s not much you can do about it, but at least you can be aware of it’.[7] The quote refers to the fact that privacy regimes are generally concerned with the regulation of private, rather than publicly available, personal information. What national and international privacy protections apply to publicly available information at present?

National level: Australian Commonwealth and State privacy regimes

The Privacy Act 1988 (Cth) gives individuals some protection against the compilation of information from public sources for inclusion in a record or a generally available publication.[8] Under National Privacy Principle (NPP) 1 the information must be collected from the individual, and not from some other source, where it is reasonable and practicable to do so, and the individual must be made aware of the matters listed in NPP 1.3.[9] For example, a marketing organisation (other than a small business)[10] that collects information from Who’s Who and other biographical directories and combines this with phone numbers and addresses would be bound by NPP 1.

If the information collected is sensitive information, for example information about an individual’s sexual preferences or health, the individual must normally give express or implied consent to the collection of the information (NPP 10). Because the Act has some extraterritorial effect, the NPPs give Australian citizens and others resident in Australia some protection against collection of publicly available information by organisations which were created in Australia, or carry on business in Australia and collect or hold the information in Australia (s 5B).

However, once the information has been collected and it is proposed to disseminate it in a generally available publication, NPPs relating to use and disclosure do not apply.

There is also some restriction on the situations in which an organisation in Australia can transfer personal information about someone to an organisation in another country (NPP 9). Information can be transferred in a number of situations, including where the transferee is subject to principles for fair handling of information which are substantially similar to the NPPs, where the individual to whom the information relates consents, or where the transfer is for the benefit of the individual, it is impracticable to obtain their consent to the transfer and if it were practicable the individual would be likely to give it. However, these ‘international’ applications of the Act do not apply to overseas organisations that collect information from internet sources and hold it offshore. The protection conferred by the Privacy Act is also inapplicable to information held by the majority of small businesses.

International: cross-jurisdictional privacy regimes

International privacy regimes also provide some protection for publicly available information. The Organisation for Economic Co-operation and Development’s 1980 Guidelines on the Protection of Privacy and Transborder Data Flows of Personal Data were intended to protect privacy while at the same time facilitating transborder transactions. However, these Guidelines are not legally binding.[11]

More recently, and more controversially, the European Union has developed an extensive inter-state regulatory regime in its 1995 Directive on the Protection of Individuals with regard to the Processing of Personal Data and the Free Movement of such Data.[12] As a result of the Directive, all EU Member States have enacted privacy laws to protect personal information in both the public and private sectors.

The Directive is controversial because it arguably subjugates business and commercial interests to individual privacy rights. Some critics have argued that European approaches to privacy are in danger of becoming ‘institutionalised’ and ‘bureaucratic’.[13] Other commentators have applauded the Directive as a ‘modern international consensus’ that may encourage other countries to implement greater data protection regimes.[14] The provisions are mandatory and do not rely on self-regulation.

The objectives of the Directive include respecting fundamental rights, including the right to privacy, by ensuring a uniform standard of privacy protection across the EU and facilitating the free flow of personal information across member states. The Directive regulates the use of ‘personal data’ and flow of ‘personal data’ among EU states by requiring members to implement privacy legislation reflecting the Directive’s principles. Standards are imposed in relation to the collection, recording, use and communication of personal data.

Data must be adequate, relevant and not excessive in relation to the purpose for which it is processed. Member States are normally required to prohibit the processing of data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or sex life without the explicit consent of the subject, although there are a number of exceptions to this principle (see art 8).

Where information is collected from a person other than the individual, the individual has a right to be informed of the fact. The individual also has rights to obtain a copy of the data, to request corrections, to have data erased which is processed in contravention of the Directive, and to have corrections and erasures communicated to the persons to whom the data has been disclosed (art 11). These rights appear to apply to both publicly available and private ‘personal data’.[15]

The Directive also prohibits member states from transferring ‘personal data’ to countries that do not have an ‘adequate’ regulatory regime (art 25). The Directive’s test of ‘adequacy’ has been strictly applied. In January 2001, the EU Data Protection Working Party found that Australia’s Privacy Act would have to be revised in order to be considered an ‘adequate’ privacy regime. One of the working party’s concerns was that the NPPs in the Act cease to apply when information is published in a generally available publication. The working party was concerned that this provision prevented individuals from having a right of access or right of correction with respect to such personal information.[16] The working party was also critical of the failure of the legislation to require an individual’s consent be obtained when information is compiled for the primary purpose of direct marketing.[17] In Australia, the working party’s report was criticised as being insensitive to the Australian emphasis on self-regulation and the development of a healthy business environment.[18]

In order to avoid cross-jurisdictional skirmishes, in May 2000 the United States of America entered into the Safe Harbor Agreement with the EU. The agreement affects data collected by US companies in the course of their European business. American organisations can voluntarily join the Safe Harbor Agreement by adhering to its requirements and declaring their compliance with the Agreement. A company can comply with the Agreement by developing a privacy policy based on self-regulation (or by joining a self-regulatory privacy program). By entering the Safe Harbor agreement, the company is guaranteed to be treated by all European Union members as providing ‘adequate’ privacy protection (and thus meeting the test required by art 25 of the Directive).[19] However, the European Parliament has been critical of the failure of the Agreement to provide monetary compensation for breaches.[20]

To summarise, current regulatory regimes provide some protection in relation to the collection of publicly available information at national level and the collection and dissemination of information at international level. However, this protection is inadequate to meet concerns about internet dissemination of information available from public sources.

Although Australian law places some limits on collection of personal information from publicly available sources, this does not necessarily prevent its publication on the internet, or give individuals any right to correct inaccurate information. Nor does it prevent dissemination of information collected for the primary purpose of direct marketing.

Australian and US laws give individuals less protection in relation to publicly available information than the EU Directive.

United States companies are actively marketing internet sites that contain huge quantities of personal information compiled from publicly available sources. However, the American Safe Harbor website indicates that only 350 US companies have voluntarily joined the US Safe Harbor Agreement.

Some problems and issues raised by the protection of publicly available information

Three core problems arise in regulating the flow of publicly available personal information on the internet. First, it is self-evident that information published on the internet has an international nature. This makes it difficult, if not impossible, to regulate internet content on a national basis. Jurisdictional differences currently hinder, for example, the enforcement of national decisions. The problem is illustrated by the Yahoo! case[21] where a French Court made various orders against Yahoo!, an American internet portal, prohibiting it from auctioning Nazi memorabilia to French citizens on its website. A US Court held that the French orders did not apply to the American company, because the Court was required to take account of American constitutional guarantees of freedom of speech. Thus the US Court would not enforce the decision of the French Court.

One solution to this problem would be the development of a global treaty concerning the dissemination of publicly available information on the internet. A formal body could be established to co-ordinate enforcement across member states. This has been proposed as a way of dealing with identity theft over the internet, for example. The Council of Europe Draft Convention on Cybercrime also provides a model for an international regime to deal with aspects of internet use.[22]

There are obvious barriers to the negotiation of such a treaty. Any international agreement would inevitably have to address different national attitudes to the protection of privacy. These could be particularly acute if the issue involved information which was already available to the public within a jurisdiction. Philosophical differences about the balance to be struck between protecting individual privacy and promoting commercial interests, which are currently reflected in differences between US, Australian and European privacy regimes, may obstruct the development of a minimum standard for the use and dissemination of publicly available information.

An alternative way of dealing with jurisdictional divergence could be to develop cross-jurisdictional agreements (such as the Safe Harbor Agreement). Under international copyright conventions, for example, a publication that is protected in its place of original publication is also protected in any state that is a signatory to the Berne Convention. Could a similar approach be adopted in relation to privacy, so individuals entitled to privacy protection in one member country are entitled to privacy protection in relation to information published elsewhere?

A second problem is the inherently difficult nature of regulating internet publications in general. As Gellman has commented, ‘Information technology is eroding traditional jurisdictional theories used to apply laws to individuals, corporations and data. ... Technology has overwhelmed some traditional approaches to privacy protection and some legal assumptions on which the approaches apply.’[23] The internet is borderless and is therefore a major challenge to territorially based jurisdictional rules.

Recently, for example, in Dow Jones & Co Inc v Gutnick,[24] the High Court of Australia was asked to determine whether it had jurisdiction to hear a case about defamatory material that was published on the internet. The facts of the case were that Dow Jones had published an allegedly defamatory article about businessman Joseph Gutnick on one of their websites. While Dow Jones is located in the United States, Joseph Gutnick conducts most of his business in Victoria, Australia. The Court considered whether jurisdiction attached to the territory where:

• the information was loaded onto the internet;

• the publisher’s server is located; or

• the information was downloaded.

Gutnick argued that in bringing the case, his main concern was the defamatory effect of the article in Victoria. However, because Australia’s defamation laws are much stricter than those applicable in the US, Dow Jones argued that Australian courts did not have jurisdiction over the claim. The High Court held that it did have jurisdiction as the defamatory article was read and downloaded in Australia. It was noted that the article had caused no harm until its comprehension (at [26]). Similarly, it could be argued that the publication of personal information on the internet only breaches a person’s privacy once someone else has downloaded it.

The Gutnick case, therefore, illustrates the need to develop regulatory approaches that reflect the fundamentally unique and revolutionary nature of the internet. Reforms may include the development of an international ‘internet’ (rather than territorial) jurisdiction or the development of online dispute resolution processes to deal with some of the jurisdictional issues relating to internet use.[25] Alternatively, a more technologically based approach could be adopted. Internet service providers (ISPs) could use security measures to restrict access to certain sites or to require users to meet privacy conditions.

Finally, a third problem raised by the regulation of publicly available personal information is the difficult nature of controlling the use of information that is public. If it is deemed to be desirable to regulate the use of publicly available information (so it is not inappropriately compiled or used for marketing purposes as discussed earlier), it seems that national reform may be a first, albeit short term, step. Some nationally based initiatives may include:

• giving individuals the right to correct inaccuracies in information contained in generally available publications;

• developing restrictions on when and what personal information is made publicly available;

• imposing legislative standards on the dissemination of publicly available information for direct marketing purposes; and

• the continued encouragement of self-regulatory strategies such as the development of industry standards for internet privacy and the publication of these standards on business’ websites.

Marcia Neave is Chairperson, Victorian Law Reform Commission, and Professor of Law, Monash University.

Much of the research for this paper was undertaken by Ms Susan Coleman, a Research and Policy Officer at the VLRC. Nesam McMillan made a substantial contribution to the preparation of the paper. Ruthbella Varson also undertook some of the research. The author is most grateful for their assistance.


