Privacy Law and Policy Reporter
EU criticises Safe Harbor implementation
The European Commission has released a ‘Staff Working Document’ that reports on the implementation of the EU data privacy Directive’s Safe Harbor Agreement with the United States. This report was based on a soon-to-be released comprehensive study conducted for the Commission by an international team of researchers (Yves Poullet, Jan Dhont, Maria Veronica Perez Asinary from the Centre de Recherches Informatique et Droit at the University of Namur, Belgium, Lee Bygrave at the University of Oslo, Norway and Joel Reidenberg of Fordham Law School).
Joel Reidenberg has commented that ‘While both this study and the Commission’s staff paper found significant levels of non-compliance with the Safe Harbor by self-certified companies, the Commission has taken a conciliatory approach and not called for the termination of the Safe Harbor Agreement. In going forward, many Safe Harbor companies will need to make significant improvements in the substance of their privacy policies to meet safe harbor standards and will need to make their privacy policies publicly available’.
The Commission’s conclusions, in summary, were:
• It was ‘encouraging’ that over 400 US organisations had embraced the Safe Harbor scheme, but uncertain what this represented in market share in various sectors.
• The Department of Commerce (DoC) website was not very transparent. ‘In particular, the DoC web site should provide a box for organisations to state their commitment to comply with the advice given by the EU panel in the event of a dispute without which the FTC would be unable to enforce compliance with the advice of the EU panel’.
• Concerning enforcement mechanisms, ‘some alternative recourse mechanisms still fail to comply with applicable Safe Harbour requirements, including the obligation to provide for sanctions such as the publication of findings of non compliance’.
• ‘[G]iven that up to 30 percent of the companies that subscribe to the Safe Harbour Principles do so to import human resources data clear guidance as to whether the FTC is competent to enforce the Principles in this area is needed’.
Another US academic, Peter Swire (formerly a White House privacy adviser) has commented on the inter-relationship between enforcement of the Directive and more general international trade issues: ‘It is entirely believable that there is under-compliance with Safe Harbor. To get a sense of the “success” of Safe Harbor, however, it is relevant to compare compliance with the level achieved by companies that are based in countries covered by the Directive. In assessing how “conciliatory” the Commission is being, there are ongoing international trade issues if the Commission ... takes discriminatory actions against non-domestic companies and does not take similar actions against domestic companies that violate the same rules.’
(The Staff Report is at: http://europa.eu.int/comm/internal_market/privacy/docs/adequacy/sec-2004-1323_en.pdf The Safe Harbor Agreement Implementation Study is to be released at http://europa.eu.int/comm/internal_market/privacy/index_en.htm .)
Regulatory implications of VoIP
The Australian Communications Authority (ACA) has issued a discussion paper reviewing telecommunications regulation relevant to voice over Internet protocol (VoIP) services. The aim is to look at how well the current regulatory arrangements deal with VoIP services and what adjustments, if any, are required to accommodate this technique. The ACA will issue a final report on the matters raised in this paper in early 2005. Comments on the draft are sought by Friday 31st December 2004.
Privacy Act complaints statistics
The latest complaints and enquiries statistics published by the Office of the Federal Privacy Commissioner show that in the first quarter of 2004-05 complaints (317), telephone enquiries (5782) and written enquiries (551) are all at levels which, if maintained for the other three quarters, would give totals similar to those of the last full year.
NZ Commissioner joins biometrics debate
New Zealand Privacy Commissioner Marie Shroff, speaking at a Biometrics Institute Conference in Wellington on 1 October, canvassed the benefits and privacy risks associated with the use of biometric technologies. She also floated the possibility of her Office developing a Code of Practice, although without any direct reference to the Institute’s draft Privacy Code already submitted to the Australian Privacy Commissioner.
Parties respond to Election Challenge
The Australian Privacy Foundation issued a challenge to the political parties contesting the recent Australian Federal election, asking them to put their position on a range of topical and long-term privacy issues. Four parties – Liberal, Labor, Greens and Democrats – responded, in varying degrees of detail. The responses, and the initial challenge, can be seen on the APF website at
Three newcomers to global Commissioners Club
The world’s privacy and data protection Commissioners at the 26th International Conference on Privacy and Personal Data Protection (Wroclaw, Poland, September 2004) accredited the following authorities in accordance with the Criteria and Rules for Credentials Committee:
(a) National authorities – Korea - Korea Information Security Agency
(b) Authorities with a limited sub-national territory - Spain - Catalonia: Catalan Data Protection Agency (Agència Catalana de Protecció de Dades)
(c) Authorities within an international supra-national body - European Union: European Data Protection Supervisor (Contrôleur européen de la protection des données). The Credentials Committee recommended the grant of voting rights to the European Data Protection Supervisor (Clause 2 of the Addendum to the Rules for the Credentials Committee provides that accredited authorities within international or supranational bodies are not entitled to vote unless the conference has specially decided to grant them voting rights at the time of accreditation.)
Tasmanian Privacy Bill progresses
The Personal Information Protection Bill 2004, introduced into Parliament in September by Justice Minister Judith Jackson, received its Second Reading on 20 October.
Guidance on PIAs
The Victorian Privacy Commissioner has issued a Guide to Privacy Impact Assessments (PIAs). While it is directed to Victorian public sector agencies which are subject to the Information Privacy Act 2000, it is a useful general resource, and is the first such guide issued in Australia since the PIA checklist included by the federal Privacy Commissioner in his Privacy and Public Key Infrastructure Guidelines in 2001. The Victorian Guide draws on the PIA Handbook published by the New Zealand Commissioner in 2002.