Privacy Law and Policy Reporter
The APEC privacy process has helped renew interest in the Asia-Pacific in models of privacy protection. This paper has been updated for publication from an earlier version prepared for the Second Asia Pacific Forum on Privacy and Data Protection, Hong Kong, 1999. The second part of this article will compare the independence of data protection authorities and their functions. (General Editor).
We are in the midst of a third wave of interest in designing laws to better protect privacy and personal data.
The first tentative steps were taken in the 1970s. Sweden and the United States are usually credited with having the first modern information privacy laws. However, in the Asia Pacific we also saw the creation of a statutory privacy committee in New South Wales1 and the appointment of a Privacy Commissioner to supervise a law enforcement databank in New Zealand.
The second sustained wave of legislative activity occurred in the 1980s following international standard setting by the OECD and Council of Europe. Most Western European countries enacted data protection legislation in the 1980s with many OECD countries taking measures of various sorts. For instance, in our region, Australia enacted a privacy law in 1988.
The third wave of interest started in the early 1990s and has not yet slackened. A principal reason has been the prospect of a European Union law to prohibit data exports to countries which fail to provide “adequate protection” to personal data transferred from Europe. In our region, Hong Kong, which did not previously have a data protection law, legislated in part because of the implications for trade with Europe. The current interest in privacy laws cannot solely be explained by the EU Directive. Countries have adopted data protection laws based upon their intrinsic merits - the EU may have merely hastened action. Nations that wish to ensure proper respect for human rights, to empower individuals, and to hold governmental and other institutions accountable, see the value in data protection principles. Other important influences have included:
• technological developments - with arguments in favour of data protection couched in terms of the need to address new challenges to privacy and, more recently, the need to establish consumer confidence in order to establish electronic commerce;
• further international standard setting - drawing attention to the desirability of compatible data protection regimes in the context of globalisation.
A significant feature of nearly all successful data protection laws is an independent data protection supervisory authority (referred to in this paper as a “DP agency”). The existence of such an authority is seen by most informed commentators as being a highly desirable, if not essential, feature of an effective information privacy or data protection regime. For instance article 28 of the EU Directive requires member countries to have an independent supervisory authority as does a protocol to the Council of Europe Convention. European Union scrutiny as to the “adequacy” of data protection in third countries is likely to have regard to the existence or absence of a national data protection authority.
This paper brings together some basic information as to the organisation and role of DP agencies by reference to those already in existence and to EU and UN instruments. It should not be assumed that existing DP agencies are identical. Authorities in Hong Kong, Canada, Australia and New Zealand differ from European counterparts in various ways. Even within Europe there is a variety between populous states like the UK and France and small jurisdictions such as some of the Swiss cantons, the Isle of Man, and the Channel Islands (each of which has a DP agency). Although the Data Protection Commissioners in Germany work in one of the world’s wealthiest countries, the same cannot be said of the Data Protection Ombudsman in neighbouring Hungary.
Accordingly, there is already a broad range of experience to draw upon in designing new DP agencies. Clearly “one size fits all” cannot apply in the diverse Asia Pacific region which encompasses tiny Pacific island states and populous nations like India and China. Nonetheless, study of the form and function of existing authorities is likely to be a useful starting point in the task of considering what might be adopted locally.
Form of data protection agencies
This part of the paper presents some simple comparative information concerning the form of data protection agencies. The information is intended to be a starting point for jurisdictions that do not yet have a DP agency which may wish to find answers to:
• how are data protection agencies typically structured?
• what features do existing agencies have in common and how do they differ?
how have agencies been structured to guarantee their independence as human rights institutions and to perform the various tasks placed upon them?
Laws adopted under various constitutional structures
The Asia Pacific encompasses a range of states which have large populations, tiny populations and many in between. There are examples of island nations, “city states” and large continental countries. Jurisdictions represented will include unitary and federal states and, amongst the federal states, delegates from state and federal institutions.
A few examples of data protection laws by constitutional structure
Main structural models
In setting up a new DP agency, there will be a range of choices available to any government. The most common options involve vesting authority in :
• a single individual - typically called a “Commissioner”;
• a group of appointed individuals - typically called a “Commission”;
• an agency with additional functions compatible with data protection.
The following material discusses these and mentions two variations: a commissioner with a committee and contracting the services of another jurisdiction’s DP agency.
The Commissioner model is probably the most widely used.
The most common titles (in English or English translation) are “Data Protection Commissioner” or “Privacy Commissioner”. Occasionally “Data Protection Ombudsman” or “Data Protection Registrar” have been adopted highlighting the complaint/investigation and registration functions respectively. In jurisdictions where the functions are combined with freedom of information responsibilities the titles sometimes given is “Information and Privacy Commissioner”.
Data protection laws using the Commissioner model provide for the appointment of a Commissioner who establishes an office and employs staff to undertake the work. Some laws provide for the appointment of a deputy to undertake particular functions or to share the load generally. The Commissioner may delegate functions to staff.
Particular advantages of the Commissioner model include:
• flexibility and responsiveness - having a single individual in charge allows for rapid appropriate reaction to data protection challenges and may avoid formalism;
• personification of data protection in a public figure - a Commissioner may develop a strong public profile to champion data protection;
• the model can meet the needs both of large offices/jurisdictions and very small ones;
• simplified decision making - no need to obtain consensus of a committee or to await formal resolutions or periodic meetings.
Disadvantages of the Commissioner model may include:
• the effectiveness of the office will depend upon a good choice of Commissioner - one who does not adequately perform may seriously impair the effectiveness of the law and tarnish the reputation of staff and successors;
• a single Commissioner can act as a bottleneck preventing the timely completion of the office’s work - although this can be ameliorated by the use of delegation powers and deputy Commissioners;
• the personification of data protection in a single individual can encourage stakeholders to bypass institutional procedures to deal directly with the Commissioner.
Examples of Commissioners can be found throughout Europe, Canada, Australasia and in Hong Kong.
A data protection law using this model will provide an appointment process for members of a Commission. All powers and functions conferred by the law are then to be exercised by the Commission although there will usually be power for the Commission to delegate particular functions to a presiding or other member, a subcommittee of the Commission or to staff. Commissions may include a mixture of full time and part time members and terms of office may start and finish on different dates. The law may specify that certain constituencies are to be represented or that the appointment process ensure a mix of expertise relevant to a range of data protection functions.
Occasionally other titles are used as an alternative to “Commission”. In English, “Board” is the most common.
Principal advantages of the Commission model include:
• the ability to obtain a range of specialist expertise which would not necessarily be contained in a single Commissioner;
• representation of stakeholders relevant to data processing such as individuals or consumers, data holders, government, academics, business;
• consensus decision making;
• the development and retention of institutional knowledge notwithstanding the change in individual membership from time to time;
• the ability for a constant renewal through the addition of replacement membership.
Principal disadvantages of the Commission model include:
• the expense of maintaining a large committee of decision makers compared with a single Commissioner;
• elaborate bureaucracies and inefficient decision making;
• disagreement and stalemate on contentious issues;
• the difficulty of presenting a “public face” of data protection instead leaving an impression of a faceless committee (sometimes ameliorated by emphasising a leading member of the Commission, such as a President or Chief Commissioner).
Examples of commissions include:
• in France, the Commission Nationale de l’informatique et des Libertés - informally known as “CNIL”;
• in Canada, the Commission d’accès à l’information du Québec
• in Korea, the Personal Information Dispute Mediation Committee of the Korea Information Security Agency.
Some jurisdictions have found it convenient to combine the functions of a DP agency with other related or compatible functions. The motivation for combining the functions into a multipurpose agency usually relate to the cost of establishing separate agencies and perceived savings and synergies of a combined operation. Governments sometimes believe that the data protection oversight can be enhanced through bringing relevant information-related functions together.
The commonest combining of functions relates to the bringing together of data protection and freedom of information (FOI) oversight functions. In most of the Canadian provinces a “Privacy and Information Commissioner” exercises both data protection and FOI functions. These functions are also combined in the data protection laws of Hungary, several lander in Germany and in the UK.
In some jurisdictions data protection functions have been conferred upon existing Ombudsmen. For instance, in Manitoba and New Brunswick the Ombudsmen receive privacy complaints under the provinces’ privacy laws and carry out the other functions of a data protection agency.
Consideration has been given in Australia to the desirability of combining some functions under public archives law with those of privacy and freedom of information. Although not seriously considered for any major jurisdiction, the model is being pioneered in Northern Territory Information Act 2003 which created an Information Commissioner with combined functions.
Some jurisdictions have adopted sectoral data protection laws. These are not generally addressed in this paper. Such jurisdictions have found it appropriate to confer data protection functions under such laws upon existing sectoral regulatory or complaints bodies (for instance, conferring data protection oversight functions upon existing bodies set up to receive consumer complaints about health services). For instance, in the USA the Federal Trade Commission has an education and enforcement role in respect of several major sectoral privacy laws as well as general trade and consumer protection functions.
In several jurisdictions the national DP agency may receive complaints but a role is assigned to a judicial body to hear appeals or give binding determinations in cases which cannot be settled. Sometimes such bodies hear other cases as well especially where there is insufficient workload to justify a specialist tribunal. For example, in New Zealand complaints under the Privacy Act can ultimately be taken to a Human Rights Review Tribunal which, in addition to its privacy workload, determines proceedings alleging other breaches of human rights or health consumer rights.
The advantages of multi-purpose agencies are perceived to include:
• the potential savings through the avoidance of establishing new oversight agencies;
• enabling the existence of larger agencies possessing broader expertise;better co-ordination between related jurisdictions;
• suitability for very small jurisdictions for which data protection workload does not readily justify establishing a separate body.
Disadvantages of combining various functions in the one agency include:
• the loss of a clear data protection focus;
• inefficiencies through the need for staff to become familiar with a range of functions, not all of which closely inter-relate.
Variations on the models
Data protection agencies are sometimes established which have elements of both the commissioner and commission models. The most common example is where the law establishing a commissioner also sets up an advisory committee to assist. This approach seeks to graft some of the advantages of a Commission, particularly the breadth of specialist expertise, onto a Commissioner set up.
Some jurisdictions with privacy laws sometimes do not establish their own DP agency but instead arrange for an agency established in another jurisdiction to undertake some or all of the functions associated with a DP agency. This occasionally happens in federal jurisdictions where a State may contract a Federal DP agency to receive and investigate complaints concerning a breach of data protection rules. An example is the Australian Capital Territory where the Australian Federal Privacy Commissioner provides services under contract to the State. It has been reported that Gibraltar, a UK colony, had considered a similar arrangement with the UK Information Commissioner.
Blair Stewart is Assistant Privacy Commissioner, New Zealand.
 Privacy Committee Act 1975 (New South Wales).
 See Wanganui Computer Centre Act 1976 (New Zealand).
 Organisation of Economic Cooperation and Development, Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, 23 September 1980 (the “OECD Guidelines”).4 Council of Europe, Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, 28 January 1981 (“Convention No 108”).
 Privacy Act 1988 (Australia).
 European Union, Directive on the Protection of Individuals with Regard to Automatic Processing of Personal Data and on the Free Movement of Such Data, 24 October 1995 (the “EU Directive”).
 Personal Data (Privacy) Ordinance 1995(Hong Kong).
 This has been the principal driver of current standard setting work by APEC which is being undertaken from its E-Commerce Steering Group.
 See, for example, United Nations General Assembly, Guidelines for the Regulation of Computerised Personal Data Files, 14 December 1990, and International Labour Office, Code of Practice on the Protection of Workers’ Personal Data, November 1996.
 See Additional Protocol for the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, regarding Supervisory Authorities and Transborder Data Flows (CETS No. 181), 2001.
 See Freedom of Information and Protection of Privacy Act 1998 and Personal Health Information Act 1998 (Manitoba) and Protection
of Personal Information Act 1998 (New Brunswick).
 The Human Rights Review Tribunal hears proceedings under the Privacy Act 1993, Human Rights Act 1993 and the Health and Disability Commissioner Act 1994 (New Zealand).
 See for example Privacy Act 1988 (Australia), Part VII, and Personal Data (Privacy) Ordinance 1995 (Hong Kong), s.11.
 Data Protection Act 1998 (UK), s.54(5).