Privacy Law and Policy Reporter
A fuller version of this paper was delivered to the APEC Symposium On Data Privacy Implementation Mechanisms in Santiago, Chile on 23-24 February 2004. In the paper, Blair Stewart, Assistant Privacy Commissioner from New Zealand, discusses aspects of the why, who, when and how of cross-border cooperation on privacy law enforcement matters. A major part of the paper is devoted to canvassing what the principal international privacy instruments have to say about enforcement and cross-border cooperation. The paper includes illustrations of cross-border cooperation in data privacy matters within the APEC region.
THE “WHY” OF CROSS-BORDER COOPERATION
“Cooperation” seems instinctively to be a “good thing”. It has positive connotations. But why does cooperation matter in data privacy enforcement? I explore this question from two points of view:
• the information controller
• the individual.
Most international data privacy standards have, in a general sense, emphasised two themes:
• the protection of individuals – establishing rights and entitlements viewed variously as fundamental human rights, consumer or citizen entitlements, fair information practices
• a desire to avoid unnecessary barriers to transborder data flows – providing compatible and meaningful privacy protections diminishes the need at national level to stop or squeeze information flows at borders.
These themes have informed data privacy discourse for the last 25 years. Both parts of the equation are important. In different forums one or the other may be emphasised, but most analysis generally returns to the notion that transborder data flows may be harmed if there is no assurance of effective and credible protection of personal information. Sometimes the interruption of data flows will be abrupt, through the application of data export controls; in other cases it will be more subtle, through countless individual decisions of businesses and individuals. In recent times, the idea is sometimes characterised by saying that effective privacy protection is a prerequisite to establishing trust in e-commerce across borders. Essentially, no country can by itself ensure compatible and effective data privacy protections in other jurisdictions: to do that requires cooperation on the part of neighbours and trading partners.
I now turn to the principal international instruments on privacy as they relate to enforcement.
An appropriate starting point is the Universal Declaration of Human Rights (1948), accepted by all nations. Article 12 states:
“No-one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to protection of the law against such interference or attacks.”
The significance for present purposes is that “everyone has the right to the protection of the law against such interference or attacks”. In other words, privacy as a human right is not merely an aspirational matter but states must provide legal protection.
The International Covenant on Civil and Political Rights takes matters only a modest step forward. Ratification of the ICCPR does bring obligations such as the requirement to report on compliance to the Human Rights Committee (HRC). However, by itself the ICCPR does not provide a means for enforcement. An Optional Protocol adds a means of enforcement: communications can be made to the Committee by or on behalf of an individual who has exhausted available domestic remedies. If the HRC upholds a complaint its opinion will have considerable force. However, since the means of enforcement rely upon communications from directly affected people to a single worldwide complaints body, without any enforcement apparatus, there is little scope for cooperative enforcement activity. Indeed, a complaint to the HRC is typically the result of there being no available domestic remedy (rather than being an area where domestic enforcement bodies might cooperate to bring cases before the HRC).
Mention should be made of the UN Guidelines for the Regulation of Computerised Personal Data Files (1990). These are not especially well known and added little that was original to data privacy discourse. However, their significance is that they were adopted by the UN, the global international body. Article 8 dealt with “supervision and sanctions” and stated that:
“The law of every country shall designate the authority which, in accordance with its domestic legal system, is to be responsible for supervising observance of the principles set forth above. This authority shall offer guarantees of impartiality, independence vis-a-vis persons or agencies responsible for processing and establishing data, and technical competence.”
The clause goes on to state that in the event of violation of provisions of the national law implementing the principles, criminal or other penalties should be envisaged together with the appropriate individual remedies.
Although the UN Guidelines are a General Assembly resolution, rather than a binding treaty, it is clear that the UN system through the UDHR, ICCPR and Guidelines anticipates protection of privacy being established as a legal right with consequences for breach, allowing for, and indeed requiring, enforcement. Regrettably, having established such instruments, the UN has done little to encourage their implementation. Indeed, although Part B of the Guidelines anticipates governmental international organisations designating an authority statutorily competent to supervise observance of the Guidelines, few have actually done so.
Beyond the UN, three international or supranational organisations have taken the lead in developing detailed privacy standards and considering the issues of implementation.
The OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (1980) establish a set of privacy principles. Part 4 deals with “national implementation” and anticipates provision for “reasonable means for individuals to exercise their rights” and “adequate sanctions and remedies in case of failures to comply”. Perhaps less well known is Part 5 headed “International Cooperation” (paragraphs 20-22). The first paragraph provides:
“20. Member countries should, where requested, make known to other member countries details of the observance of the principles set forth in these Guidelines. Member countries should also ensure that procedures for transborder flows of personal data and for the protection of privacy and individual liberties are simple and compatible with those of other member countries which comply with these Guidelines.”
The explanatory memorandum comments upon paragraph 20 (information exchange and compatible procedures):
“The provision on national procedures assumes that the Guidelines will form a basis of continued cooperation. Data protection authorities and specialised bodies dealing with policy issues in information and data communications are obvious partners in such a cooperation. In particular, the second purpose of such measures, contained in paragraph 21(ii), i.e. mutual aid in procedural matters and requests for information, is future oriented: its practical significance is likely to grow as international data networks and the complications associated with them become more numerous.” (paragraph 73)
Finally, paragraph 22 of the Guidelines provides:
“22. Member countries should work towards the development of principles, domestic and international, to govern the applicable law in case of transborder flows of personal data.”
The explanatory memorandum notes that the expert group devoted considerable attention to issues of conflicts of laws: in the first place to the questions of which courts should have jurisdiction over specific issues (choice of jurisdiction) and which system of law should govern specific issues (choice of law). The experts decided not to put forward specific, detailed solutions, but did recommend that member countries should work towards the solution of some of the problems.
Accordingly, it is part of the scheme of the OECD Guidelines to promote international cooperation in enforcement and related matters covering at least the following:
• letting other countries know what is being done to observe the Guidelines
• ensuring procedures for transborder flows of personal data are compatible with those of other countries
• establishing procedures to facilitate information exchange
• establishing procedures to facilitate mutual assistance in the procedural and investigative matters involved.
Council of Europe
The Council of Europe Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data (1981), commonly known as Convention No 108, is a binding treaty and therefore the obligations assumed are enforceable between states. The Convention also establishes procedures for individuals to obtain enforceable remedies for breach. Chapter IV deals with mutual assistance. Article 13 requires state parties to, amongst other things, designate an authority to receive cross-border cooperation requests from individuals or data protection authorities in other countries.
The Council of Europe recently supplemented Convention No 108 with a protocol which dealt with aspects of the national supervisory authority. This provided in part that:
“... the supervisory authorities shall cooperate with one another to the extent necessary for the performance of their duties, in particular by exchanging all useful information.”
The European Union became active in data privacy from the 1990s and issued a data protection directive in 1995. A key driver was to remove impediments to transborder data flows within the European Union as member countries sought to develop a Europe without internal borders.
Personal information controller perspective
Information controllers may conceivably view cooperative action by enforcement authorities with indifference or hostility. Since the controllers in question will be the subject of investigation, and possibly adverse finding, they may not instinctively welcome enforcement action whether domestic, foreign or coordinated.
Not all information controllers will cooperate with enforcement authorities. They may challenge any actions that appear to go beyond an authority’s normal domestic remit. While much may be achieved with goodwill, in some cases only clear legal compulsion will prevail. Statutory enforcement authorities will need to be sure of their status before getting too far into cross-border enforcement.
However, on a more positive note, responsible information controllers will appreciate that complaints handling, investigation and ultimately enforcement are all parts of any credible information privacy scheme. For an information-based business, such as an e-commerce trader, some level of customer complaint may be inevitable and will need to be dealt with internally or through external agencies, be they self-regulatory or statutory. An information controller carrying on B2C business across jurisdictions must expect that if its actions lead to customer complaints it may be faced with the laws and enforcement authorities of more than one jurisdiction. This will also be a fact of life for multi-national companies.
Therefore in some circumstances information controllers will likely recognise some benefit in cooperation between enforcement agencies. For example, a single set of events might lead to investigation by numerous different enforcement authorities. Coordination between the investigative authorities may avoid duplication and lead to a saving of resource on the part of both the information controller and the authorities.
However, I suspect that the most benefit for information controllers in terms of enforcement will be found in the standard setting that precedes enforcement. Information controllers trading in more than one economy will want data privacy standards that are broadly compatible so that steps can be taken to ensure compliance across boundaries. These comments are, of course, directed towards compliance strategies rather than cooperation in enforcement. To a certain extent, the issues cannot be completely unbundled. However, if things go wrong and enforcement is needed, the information controller, like the individual consumer, will hope to have a fairly clear route through to identifying the applicable law, how the legal requirements are interpreted and applied and how the complaint can be satisfactorily resolved.
Individual perspective
The individual has a key interest in having in place regimes that protect his or her personal information while transacting on-line. Many individuals are quite reluctant to do so through a lack of trust in the protection of their privacy. Having mustered the courage to transact on-line, the individual will hope that the trader with whom they are dealing, and the infrastructure surrounding their transaction, adhere to the various consumer and privacy frameworks that are supposed to protect their interests.
However, individuals know that sometimes things go wrong. This is not always deliberate. More frequently it is the result of carelessness or systems problems. When things go wrong individuals want them put right quickly and with least harm to themselves. With a more serious problem, the individual will want to be restored to the position that they had before they were harmed. They will generally express the desire to see systems fixed so that no-one else suffers as they did.
Cross-border cooperation between enforcement authorities may benefit the consumer in a situation where it may be difficult for an individual to achieve a remedy alone. In the domestic context, consumers frequently advance their case by visiting a retailer personally, or repeatedly telephoning until the problem is sorted out. The dynamics change in the cross-border environment where face-to-face confrontation is not possible. The consumer may feel helpless about the business based overseas. They may have difficulty knowing their rights or who to complain to.
Cross-border cooperation could assist for example, by:
• delivering in a simple way, possibly through a “one stop shop” web site, relevant information about the applicable foreign laws and redress mechanisms
• enabling access through coordinated portals to complaints or enforcement processes
• empowering a local complaints body to transfer the complaint overseas or to maintain an on-going “post box” role convenient to the individual.
THE “WHO” AND “WHEN” OF CROSS-BORDER COOPERATION
There are a variety of data privacy enforcement mechanisms existing in APEC economies and no doubt more will emerge. It may be helpful to canvass a few examples of those involved in data privacy enforcement to better understand where cooperation might be of benefit.
The first group are the specialist data privacy authorities. Examples include the privacy commissioners from Australia, Canada, Hong Kong and New Zealand. They follow a model found in Europe and elsewhere (e.g. Argentina) involving establishment by statute, formal independence in the performance of functions, specialism in data privacy and an appropriate range of functions with the necessary powers to carry these out including enforcement or complaints functions.
The second group are general enforcement authorities which include some aspect of data privacy enforcement within their wider role. An example would be the Federal Trade Commission in the United States that performs certain enforcement functions under sectoral data privacy laws, such as those regulating credit reporting, and more generally targets some data privacy issues in relation to misleading representations by businesses.
Both the specialist and generalist data privacy enforcement authorities perform reasonably similar tasks in some core enforcement areas. Both might be viewed, for example, as the “designated authority” anticipated by the UN Guidelines for the Regulation of Computerised Personal Data Files.
The third group of enforcement agencies would be those established at industry level, perhaps pursuant to a self-regulatory scheme. These may take several forms. Some may be established under a code of conduct for a membership organisation, for example a complaints committee of a national direct marketing association. A specialist data privacy example would be the web seal programmes associated with some membership organisations. Another example would be the complaints bodies recognised by co-regulatory codes issued under the Australian Privacy Act.
A fourth group would be associated with opt-in enforcement arrangements whereby an information controller chooses to sign up to a set of standards which are then held to be enforceable against that organisation. An example would be web seal programmes not associated with membership of an organisation. Another would be the “Safe Harbor” arrangements administered by the US Department of Commerce. The Australian Privacy Act also provides for businesses to opt-in to the obligations of the Privacy Act where they might otherwise take the benefit of certain broad exemptions.
The fifth group are enforcers at individual organisation level. Sometimes this might be a Chief Privacy Officer. Not all CPOs could properly be considered enforcers in any meaningful sense, but some might be if given a degree of corporate independence akin to, say, an internal auditor, with suitable powers, within certain limits, to act with autonomy and to bind the organisation in settlement of complaints. The US Congress established a statutory CPO position for the Department of Homeland Security which has been statutorily or administratively imbued with some independence and compliance powers.
There are other models to mention but I will finish with enforcement through regular courts at the initiative of the aggrieved individual. An example would be the US Privacy Act 1974 which has no enforcement authority but instead allows individuals to take their own court cases. This is not a model which leaves much room for discussion of cooperation in cross-border enforcement.
Some jurisdictions have favoured a stand alone specialist authority, such as a privacy commissioner, whereas others have, for perfectly good domestic reasons, favoured bundling data privacy enforcement functions within one or more existing enforcement authorities. Added to this mix are some private sector players at agency and industry level. While it is clear that there is merit in a degree of cooperation between these various enforcers, it would not necessarily follow that the same cooperative arrangements could sensibly apply between every single one of them. For example, while general information sharing (or education) about privacy issues and methodology for improving compliance might be beneficial for all, confidential information on actual investigations must obviously be tightly controlled. More detailed cooperation may be most valued where the agencies are alike in constitution and functions.
When do cross-border issues arise?
It would seem logical to predict that matters requiring enforcement having a cross-border dimension are likely to grow in importance. The principal driver is, of course, e-commerce. ICT advances, and globalisation generally, mean that individuals are likely to transact an ever greater portion of personal and other business on-line with the attendant transborder data flows. With a greater number of jurisdictions having data privacy laws, it will be harder to ignore the cross-border dimensions of enforcement in the future.
The following scenarios would seem to anticipate some cross-border element:
• an individual in economy A deals with a business in economy B
• an individual in economy A deals with a business in economy A which transfers personal information into economy B
• an individual in economy A deals with a business that has a presence in both economies A and B (it may not initially be clear to the individual or the enforcer where the business is based).
Obviously, these are simplified since B might further disclose information to C, D, E etc.
In these various scenarios the laws of jurisdiction A or B (or both) may apply. The location of the individual and the business may make significant differences. So may the transfer of the information. Added to the mix is the fact that the laws of jurisdiction A may sometimes have extra-territorial application in some cases with information transferred to the second jurisdiction.
In the scenarios consider also the variations in applicable enforcement agencies. Perhaps at the simplest level, both jurisdictions may have an enforcer of a recognisably similar kind. However, the individual may not know whether to complain to the enforcer in A or B. Matters may be further confused where economy B, with which the individual is not terribly familiar, has a federal system and there are enforcers at both state and national level. Instinctively, the individual may complain to the local institution with which he or she is most familiar. That enforcement authority may consider the complaint to be outside its jurisdiction. In such a case, does it consult an overseas authority on the complaint and transfer it? Or does it simply notify the complainant that it is beyond its jurisdiction and suggest that the individual take the matter up elsewhere?
The scenario might also be complicated if either jurisdiction has no enforcement authority or if the authority in the other jurisdiction is of a different kind (such as a web seal programme or self regulatory body). These problems are by no means insurmountable but there is a considerable likelihood that the complications and difficulties will discourage either the local authority from taking any steps at all or leave the individual unable to obtain meaningful redress.
It would be wrong to suggest that there are simple and correct answers to these dilemmas from the enforcement authority’s perspective. A lot has to do with legal powers, priorities, resources and other practical issues. However, it might tentatively be suggested that cross-border cooperation would be assisted by, for example:
• considering the issues in detail when the data privacy arrangements are being settled in each jurisdiction, particularly where there is a close economic relationship between two or more economies
• devising consumer-friendly arrangements to help the individual to get their complaint to the correct body that can handle it
• information sharing arrangements so that enforcement agencies obtain some general information about their counterparts in other jurisdictions so that when relevant complaints arise they can give the complainant a helping hand.
THE “HOW” OF COOPERATION
Some experiences to date
In the absence of a comprehensive survey of cross-border initiatives, the practical illustrations I offer are simply a few examples from my own knowledge or experience, mainly from the Asia Pacific region.
“Information sharing” can cover several different types of cooperation. For example, there is information sharing:
• on emerging problems and trends
• on enforcement techniques generally
• on training and general cooperation
• on approaches to interpretation
• on particular complaints.
Arguably, only the final one, sharing information on an actual complaint, is properly considered part of enforcement.
A few examples of cross-border cooperative initiatives follow.
Information sharing on emerging problems or trends:
• PANZA+: twice yearly a meeting is held of the Privacy Agencies from Australia (both state and federal), New Zealand and Hong Kong (and more recently Korea) in which discussion ranges over privacy issues and operational matters of particular note in an effort to make each commissioner more effective in the performance of functions and occasionally to coordinate efforts to achieve efficiencies and greater effect
• Asia Privacy Forum and ASPAC Forum – occasional meetings are held amongst authorities and officials in the Asian region, and the Asia Pacific more generally, respectively.
• At the international level there are twice yearly meetings of the International Working Group on Data Protection in Telecommunications and an annual International Conference of Privacy and Data Protection Commissioners.
Information sharing on enforcement techniques:
• occasional specialist meetings such as the International Workshop on Privacy Impact Assessment, Auckland, 2003.
Information sharing on research, training and similar activities:
• the Hong Kong Privacy Commissioner for Personal Data and the Korea Information Security Agency have established an MOU on cooperation in the area of research and education.
Information sharing on common interpretation of data privacy principles:
• a number of privacy commissioners in the Asia Pacific have cooperated with an initiative by the World Legal Information Institute (WorldLII), to make case reports of commissioners’ opinions or decisions on selected cases of interest available through a joint search engine and a common citation system – see Privacy & FOI Law Project.
Transfer of complaints
I do not have specific data privacy examples concerning the transfer of complaints to enforcement agencies in other countries. In New Zealand at least, such cases are so rare as to be manageable on an individualised basis with the involvement of the complainant. If the proportion of complaints raising cross-border issues were to substantially increase, statutory provision for consultation between enforcement authorities in different jurisdictions and the transfer of appropriate complaints would be desirable. Normally, statutory secrecy provisions will make sharing of information or documentation relating to actual cases problematic.
Access to correct privacy complaints body
It would be desirable to simplify or coordinate complainant access across jurisdictions. There are models in the consumer affairs area. One is the International Marketing Supervision Network (IMSN) which includes an on-line portal for consumers to make a complaint about cross-border e-commerce transactions.
Another example, involving non-statutory enforcement arrangements, is the joint venture between BBBOnline and the Japan privacy seal programme (JIPDEC) for their coordinated web seal showing the logos of both schemes, each of which has a different geographic predominance. In addition to the cooperation reflected in coordinated data privacy standards, the initiative can presumably simplify and enhance consumer access to the respective enforcement mechanisms across borders.
Again in the consumer affairs context, one may look to the “Internet sweep days” which involve many agencies checking whether the practices of websites are compliant. Coordination can enable greater collective media profile thereby enhancing effectiveness and hopefully achieving greater voluntary compliance.
CLOSING OBSERVATIONS AND CONCLUSIONS
Although the international instruments have signalled the need to develop further international cooperation in such matters, it seems that we have not advanced very far in international cooperation in enforcement, although some very advanced work has been done in at least one region.
However, with the growth in e-commerce to date, and the expected advances in e-commerce and ICT, it is timely to now consider strategies in that regard.
Having reviewed the international instruments, and reflecting upon some of the practical experiences in our region to date, may I offer the following personal observations and suggestions. Not all the points are of equal significance.
1. The APEC Data Privacy Framework should seek to encourage cross-border cooperation to promote compliance. Earlier similar statements at international level have not always been carried into practical effect but perhaps APEC may do better.
2. While promoting compliance generally, don’t lose sight of enforcement in particular. Encouraging a good level of compliance is not of itself enough. Individuals must be able to obtain redress when their privacy has been seriously infringed. Don’t allow borders to be a barrier to obtaining effective remedies.
3. Cross-border cooperation should not start and finish at compliance. Much may be gained from cooperative activity in such areas as research and public education.
4. Keep the issues in proportion. The cross-border problems need to be kept in perspective. Delivering domestic data privacy enforcement effectively is a priority.
5. Take small steps first. Issues of distance, language and other priorities mean that plans for enhancing cross-border cooperation in our region will probably need to be relatively modest and achievable.
6. The Internet is a good medium for some information sharing. Initiatives such as the Privacy & FOI Law Project, using web databases and search engines, can be effective low cost means to disseminate comparative information such as domestic interpretations of data privacy laws. Consumer protection initiatives provide promising examples for aiding both individuals and enforcement agencies. Regional institutions may have a role to support similar initiatives which can’t easily be funded by any single enforcement agency.
7. Data privacy laws should be revised to accommodate cross-border cooperation. Enforcement authorities subject to statutory secrecy provisions may be unable to share confidential complaint documentation with foreign counterparts. Provisions allowing for consultation and transfer of complaints would be a straightforward first step. The merits of more sophisticated mutual assistance schemes should be explored.
8. Don’t forget international institutions themselves. As the UN Guidelines note, international governmental organisations should themselves designate a statutory enforcement body to ensure their own observance of data privacy guidelines.
Office of the Privacy Commissioner, New Zealand
The original of this paper was accompanied by two resource documents. One of these sets out extracts from international instruments. The other provides documentation illustrating examples of cross-border cooperation. They can be obtained from the author at Blair.Stewart@privacy.org.nz
Notes
For example, the privacy case of Toonen v Australia was instrumental in changes to Tasmanian law where it was found that a prohibition on adult consensual sexual activity in private was covered by the concept of “privacy” and interfered with Toonen’s privacy in an arbitrary way. See http://www.austlii.edu.au/au/journals/PLPR/1994/33.html and http://www.austlii.edu.au/au/journals/PLPR/1994/97.html.
The author is aware that the following international or supranational bodies have taken steps to establish and designate such authorities: Interpol, Council of Europe, European Commission.
For more information about the International Working Group on Data Protection in Telecommunications see http://www.datenschutz-berlin.de/doc/int/iwgdpt/index.htm.
See also Blair Stewart “National Data Protection Agencies: A Comparative Survey on Form and Function”, PLPR (2004) 11.2 and 11.3.
See http://www.worldlii.org/int/special/privacy/.
Europe is advanced in cross-border cooperation in enforcement within Europe, although it is difficult to see those particular approaches translating well to our region. Europe has done little work on cross-border cooperation between European agencies and those outside Europe.