Asia-Pacific privacy Commissioners - Black holes & Collective inaction. Graham Greenleaf Professor of Law, University of New South Wales 11 September 2003 See for updates / details


Parallel Session 6: " A Safe and Open Society: the role of privacy regulators"


1. Two black holes: Reporting and remedies

What evidence is there that Commissioners do their job?

Arguably most important function: resolving complaints

Is there accountability for public monies spent?

‘Black holes’: complaints go in, but what comes out?

Outcomes of complaints - who gets a remedy?

Reporting complaints - do we know what law they apply?

2. Regional standards and collective action

What Asia-Pacific regional standards are developing?

Are regional Commissioners providing sufficient input?

Collective input from regional experts: the APPCC


Black hole #1: Outcomes - Does anyone get a remedy?

Sources of evidence available?

√ Annual Reports - only public source

examined 01/02; some 00/01

? websites? - could extract from reported cases (have not) - should provide continuous data

? FOI requests? - ‘document’ available? (have not done)

Only some jurisdictions considered

Privacy Comms - Australia; HK; NZ; Canada

Information Commissioners not considered - mainly access, some correction, some broader


Outcomes - Australian PC

2001-02 Annual Report - no statistics!

Complaints tripled with private sector coverage (611)

AR contains summaries of 11 complaints, of which one resulted in $5000 compensation

No statistics given of complaint outcomes at all

2000-01 AR included some outcome stats

133 closed complaints; uncertain % breaches found

9 cases in AR involved $52,000 compensation

No information about other remedies

No genuine s52 determinations in 15 years

No appeal right; No substantive case on the Act ever before a Court for judicial review


Outcomes - NSW PC

latest Annual Report 1999-2000 before new Act commenced (1/7/00)

No statistics or complaint resolutions yet available under new Act

Since 2000, about 20 cases to NSW ADT

7 decided as yet - 7 more than the Cth!

AR 1999-2000 relevant to ‘non-IPP’ complaints, as they still apply

4 complaint resolutions summarised


Outcomes - Hong Kong PC

PC Annual Report 2000/01 (01/02 is similar)

789 complaints (up 39%);

68% vs private sector; 14% vs government; 18% vs 3rd Ps

Over 50% allege breaches of DPP 3 (use)

52 formally investigated (14% of 531 finalised)

26 (50%) found to involve contravention of PD(P)O

10 warning notices; 12 enforcement notices - but no idea what actions required, or what results

4 referrals to Police for prosecution, but in 3 Police found insufficient evidence; one unresolved

Not one HK $1 compensation paid under s66;

any by mediation? AnRep does not say


Comparison - 4 PCs Annual Reports

‘Will I get a remedy - and if so, what?’ is largely unanswered - evidence is not there

Some evidence of the % of successful complainants

Little evidence of what remedies result

Compensation? - a few examples from Aus and NZ

All of the PCs are below ‘best practice’

A systematic and comparable standard of reporting is needed

Asia-Pacific PCs could develop standards



Will I get a remedy? Evidence from Privacy Commissioners Annual Reports 2001/02 (see web page for explanatory notes) √ = yes; ? = can’t tell

Black hole #2: Publication of Commissioners’ decisions

For detailed criticisms of reporting practices:

Greenleaf ‘Reforming reporting of privacy cases’ <>

Bygrave ‘Where have all the judges gone?’ (2000)

European Commissioners were little better - improved?

Why reporting of Commissioners is needed

Few court decisions means Commissioners’ views in complaint resolutions are the de facto law

Identifying non-compliance is more valuable (and difficult) than ‘feel good’ exhortations to comply


Publication - Importance

Publication is possible

Requires anonymisation in most cases

Exceptions should not be the rule

Adverse consequences of lack of availability

Interpretation unknown to parties / legal advisers

No privacy jurisprudence is possible

Past remedies (‘tariff’) unknown

Privacy remains ‘Cinderella’ of legal practice

Deficiencies in laws do not become apparent

Commissioners can ‘bury their mistakes’

Justice is not seen to be done

Deterrent effect is lost

No accountability for high public expenditure


Publication - Australian P Comm (Federal)

AnRep has a few small ‘media grab’ summaries

No other mediation details published 1988-2002

Comm avoids making binding Determinations (2 1993, 1 2003) despite powers to do so

Dismisses matters under s40 - publication not required

Since Dec 2002, 14 useful summaries of mediations and determinations published on web

2x1993, 2x2002, 10x2003

Rate now is still only 1.25 per month

Any Federal Court decisions would be on AustLII (but there are none of relevance) - no appeal right


Publication - HK P Comm

Complaint summaries on website only to 1998

Only 6 (01/02) or 8 (00/01) overly brief complaint summaries in AnRep - about 0.5 per month

No systematic reporting of significant complaints

Cases before other tribunals

AAB complaint summaries are in AnRep, but not on website; AAB cases not available on Internet

No reporting of s66 cases in AnRep or website - There is only one such case


Publication - NZ P Comm

Av 2 per month (03) reasonably detailed mediation summaries on website

Selection criteria uncertain

Website gives few details of cases on appeal or their outcome; not available elsewhere on web; P Comm publishes occasional compendiums

Overall, difficult for most people to get an overall view of the law


Publication - Canadian PC

Av 5 detailed PIPEDA case mediation summaries per month on website

best practice of PCs, but not Info Comms

Few Privacy Act cases on website, but usually 12 or so in AnnRep

Summaries of cases before Courts are in AnnRep (but not linked to mediation summaries) - difficult to obtain overview


Publication - 7 recommendations

More reporting than 2/month (% goal)

statistics on reported / resolved ratio

Publicly stated criteria of seriousness

confirmation of adherence in each AnRep

Complainants can elect to be named

In default, name public sector respondents; private sector respondents only exceptionally

Report sufficient detail for a full understanding of legal issues, and the adequacy of the remedy

Report regularly rather than in periodic batches

'One stop' reporting including reviews of Commissioner’s decisions

Encourage 3rd-P re-publication + citation standards


Publication - A central location


Privacy & FOI Law Project = All specialist privacy and/or FOI databases located on any Legal Information Institute (LII)

Current coverage (all searchable in one search)

Canadian Privacy Commissioner Cases (WorldLII)

Privacy Commissioner of Australia Cases (AustLII)

New Zealand Privacy Commissioner Cases (AustLII)

Nova Scotia FOI & Privacy Review Office (CanLII)

Queensland Information Comm. Decisions (AustLII)

Western Australian Information Commissioner (AustLII)

Privacy Law & Policy Reporter (AustLII)

Being added

New South Wales Privacy Commissioner (AustLII)




A search for ‘disclos* near medical’

Part 2 - Regional privacy standards & collective action

There is no global standard

One region (Europe) has successfully developed regional standards

Council of Europe Convention 1981

European privacy Directive 1995

The Asia-Pacific is the next most advanced region in privacy protection

Far less political and economic unity or uniformity

Starting the most important international privacy developments since the EU Directive ….


Toward an Asia-Pacific standard

APEC’s privacy initiative

Chaired by Australia - US / Aust. initiative

Asia-Pacific Telecommunity (APT)

Chaired by Korea

Asia-Pacific Privacy Charter Council

A ‘civil society’ expert group

FTAA will also affect some countries

(Free Trade Area of the Americas)


APEC’s privacy Principles - Progress or stagnation?

Australia chairs a working group of 10 countries

Starting point: OECD Guidelines (1981)

5 draft versions in 6 months

Do not yet even reach OECD standards

Only considering very minor improvements to OECD

V2 strengthened V1, but V3 and V4 far weaker for little apparent reason (Serious US input coincides with V3)

At best it offers ‘OECD Lite’ ….


APEC’s ‘OECD Lite’

Examples of weak and outdated standards

Based on Chair’s V4 (Aug 03) - now behind closed doors

No objective limits on information collection (P1)

No explicit requirement of notice to the data subject at time of collection (P3)

Secondary uses allowed if ‘not incompatible’ (P3)

OECD Parts 1, 3, 4 and 5 all missing as yet

Farcical national self-assessment proposed (V1)

Even OECD allows strong export controls

Why start from a 20 year old standard?

This would be laughable in other areas of law

Most regional countries are not members

Recognised as inadequate (eg Kirby J 1999)


The alternative: A real Asia-Pacific standard

Look to actual standards of regional privacy laws

Eg Korea, Canada, Hong Kong, New Zealand, Taiwan, Australia, Japan, Argentina

Principles stronger than OECD are common (examples over)

We need to adopt and learn from 25 years regional experience, not ignore it

More input into APEC is needed from Commissioners and other experts to identify this standard

Some individual PCs’ input is filtered through governments

Regional PCs need a better collective role in APEC

No equivalent yet to A29 Committee - provides protection

Santiago (Feb 04) only offers input on implementation

Asia-Pacific NGO experts are developing the APPCC


Examples of high regional standards in Asia-Pacific

Collection objectively limited to where necessary for functions or activities (HK, Aus, NZ - Can stricter)

Notice upon collection (Aus, NZ, HK, Kor)

Secondary use only for a directly related purpose (HK, NZ, Aus - Kor stricter)

Right to have recipients of corrected information informed (NSW, NZ)

Deletion after use (HK, NZ, NSW, Kor)


APT privacy Guidelines (draft)

Asia-Pacific Telecommunity (APT)

Agreement of 32 states via Telecomms ministries (etc)

Guidelines on the Protection of Personal Information and Privacy (draft), July 2003

Drafting by KISA (Korea), with Asian Privacy Forum input

Attempts to take a distinctive regional approach

Explicitly not based solely on OECD or EU (cl8)

Says OECD Guidelines ‘reflect … the 70s and 80s’

‘Concrete implementation measures’ unlike OECD

Allows more variation between States than EU

Emphasises role of government, not litigation

Adds new Principles in at least five areas …


APT Guidelines - implementation

Legislation required + self-regulation encouraged

A privacy supervisory authority required

Supervision and complaint investigation

Data export limits may be ‘reasonably required’ to protect ‘privacy, rights and freedoms’;

free flow of information otherwise required

Limits on these guidelines only by legislation; only to the extent necessary for other public policies

Common character string needed to deal with spam


APT Guidelines - new Principles

No disadvantage for exercising privacy rights (A5(2))

Notification of corrected information to 3rd party recipients (A6(4))

‘Openness’ of logic of automated processes (A7)

No secondary use without consent (A 14(2))

Deletion if consent to hold is withdrawn (A16)

Duties on change of information controller (A19)

Special provision on children’s information (A34)

Personal location information Principle (A30)

Unsolicited communications Principle (A31)



Why are APEC and APT so different?

Membership similar except for the USA

US/Australia APEC initiative has a defensive and outdated starting point (OECD)

Inadequate process: no collective expert input, and now behind closed doors

OECD Guidelines were by an ‘expert group’

A more consultative, confident, and region-based APEC initiative is needed


Coda: The APPCC - a regional expert initiative

Asia-Pacific Privacy Charter Council


35 non-government privacy experts from 10 regional countries, and growing

On 12/11/03, meeting to consider 1st working draft

Headings of Principles under consideration for Charter are over - only a first draft

Covers surveillance and intrusions as well as IPPs

An attempt to develop a positive regional standard


APPCC draft - Part I - General Principles

APPCC draft - Part II - Information Privacy Principles

APPCC draft - Part III - Surveillance limitation principles

APPCC draft - Part IV - Intrusion limitation principles

APPCC principles - Part V - Implementation and compliance principles
