Enforcement and Administration of Privacy Laws
Privacy and Surveillance
Graham Greenleaf
Last revised September 2008
Enforcement & Administration
• ‘Responsive Regulation’
• Enforcement pyramid
• Objectives of enforcement
• Complaints & remedies for individual breaches
  • Investigation powers
  • Enforcement notices & criminal offences
  • Compensation and other remedies
  • Appeals and judicial review
• Systemic aspects of obtaining compliance
  • Publication of decisions & outcomes of complaints
  • Co-regulatory codes & exemptions - alternative compliance
  • Preventative powers: audits, PIAs etc
• Privacy Commissioners
  • Independence
  • Roles
‘Responsive regulation’?
• ALRC wants ‘principles-based regulation’ (Ch 4): focus on defining outcomes, not prescribing processes
  • aims to minimise the need for enforcement by ‘encouraging organisations to understand the values behind the law and change their behaviour accordingly’
  • ‘nurturing a culture of voluntary compliance with the law’
• ALRC also wants ‘compliance-oriented regulation’ (4.62), which places (equal??) emphasis on all 3 of:
  • ‘Fostering compliance’ (heavy emphasis on Commissioner providing guidance)
  • Monitoring compliance (recommends power to require privacy compliance assessment)
  • Enforcing compliance - supports ‘enforcement pyramid’ approach
Responsive regulation? (2)
• CyberLPC IP sub 6-16 argues that Comm in 2007 ‘is a failure at implementing responsive regulation’
• Would current Comm practices + ALRC reforms achieve this aim?
Another categorisation
• A means of individual redress: low-cost and non-public
• Appropriate range of remedies, such as:
  • access to and correction of records;
  • compensatory damages;
  • injunctions or orders to enforce compliance;
  • criminal penalties for serious/repeated breaches
• Judicial review of administrative errors
• Appeals by either party to the Courts
• Preventative/educative powers of PCO, such as:
  • publication of complaint examples and outcomes
  • audits of data users
  • Privacy Impact Assessments (PIAs) on new proposals
  • power to require reports on existing practices
Complaints and compliance - Cth Privacy Act
For a summary see Greenleaf & Bygrave, ‘Enforcement aspects of Australia’s Privacy Act 1988 compared with European standards’ (confidential draft)
Complaints - Overview
• Investigation - public and private sectors
• Complaints only re ‘interferences with privacy’: breaches of NPPs, IPPs etc (s36)
• Representative complaints possible (s36(2), ss38-39)
• ‘Own motion’ investigations possible (s40(2))
• Comm must not investigate unless complaint first made to respondent, unless inappropriate (s40(1A))
• If Comm is considering a s52 determination, must give both parties the opportunity of a hearing (s43(5))
• Comm’s extensive powers to investigate (ss44-47)
• Comm can refuse / close / defer investigation (s41)
• No right of appeal to a Court or Tribunal against Comm’s s52 determination (except on quantum of damages)
s41 dismissal of complaints
• Most complaints are dealt with under s41
• Comm can refuse / close / defer investigation (s41) because:
  • ‘not an interference’ (s41(1)(a)); ‘lacking in substance’ (s41(1)(d))
  • another law ‘provides a more appropriate remedy’ (s41(1)(f))
  • respondent has dealt adequately with complaint (s41(2)(a))
• See examples of possibly excessive use of s41:
  • X v Cth Agency PrivCmr 4 - s41(2)(a) applies even if complainant dissatisfied - 11(1) PLPR note
  • O v Credit Provider PrivCmrA 5 and N v Internet Service Provider PrivCmrA 10 - refusal to investigate because O had not raised every possible issue with respondent - 11(2) PLPR notes
  • S v Various Cth Agencies - despite refusals to correct records, investigation refused on s41(1)(f) grounds - 11(2) PLPR note
  • Other issues of PLPR Vol 11 contain more examples
s41 dismissal of complaints (2)
• ALRC recommendations (2008):
  • R 49-1: more powers to Comm to dismiss complaints under s41 where … ‘(c) an investigation, or further investigation… is not warranted having regard to all the circumstances’
  • Rejects CyberLPC submissions IP 6-16 and DP 72-142 that complainants should be given a right to require a s52 determination if there is a s41 dismissal (and that any extension of s41 is otherwise unsafe)
Conciliation / mediation
• Act currently does not specify anything about conciliation role
• ALRC 2008 recommends:
  • R 49-5(a) - if Comm considers successful conciliation ‘reasonably possible’, must attempt it
  • R 50-4: Comm should be able to accept an undertaking that an agency or organisation will take specified action to ensure compliance; if they breach the undertaking, Comm can seek a compliance order in the Federal Ct
Right to s52 determination
• Currently no such right, and Comm does not accept that complainants have any right to a s52 determination
• ALRC 2008 recommendations:
  • R 49-5(b) - if conciliation fails, ‘the complainant or respondent may require that the complaint be resolved by determination’
• Criticism: any right under (b) to a s52 determination is therefore dependent on Comm’s subjective decision under (b) that mediation is possible (CyberLPC submission was that any complainant should be able to so require)
s52 Determinations
• Determinations under s52 are the only ‘enforceable’ orders Comm can make
• Dismissing complaint
  • never used - s41 (ab)used instead
• That conduct should not be repeated
  • never used
• Performance of reasonable acts
  • TICA determinations 2004/1-4: PC only identifies conduct in breach, refuses to specify acts to be performed
  • ALRC 2008 R 49-6: Comm should be able to prescribe the steps that an agency or respondent must take to ensure compliance with the Act
s52 Determinations (2)
• Compensation - only one contested example
  • C v ACT Govt Solicitor PrivCmrACD 1 - $1,000 compensation
  • Can compensate ‘feelings or humiliation’
• ‘Correction, deletion or addition to a record’
  • never used
• Reimbursement for ‘expenses reasonably incurred’
  • PrivCmrACD 1 - $1,300 costs
Determinations in practice
• Determinations practice to date
  • Determinations are published by the PCO and republished by WorldLII
  • 1989-2002: zero substantive determinations (2 fakes in 1993). Why none after that?
  • 2003/1 - ACT govt (disclosure)
  • 2004/1 - ACT govt (disclosure)
  • 2004/2-5 - 4 x TICA (first re private sector)
  • 2004-08 - none by the current Commissioner
• Is this responsive regulation?
Determinations - enforcement
• Enforcement of s52 determinations (ss54-55B)
  • s55 - respondent must comply with determination
  • s55A - if respondent does not comply, must proceed de novo in Fed Ct / Mag Ct for enforcement
    • has not occurred as yet
  • Evidence before Commissioner is admissible
  • s55B - certified copy of Comm’s determination is prima facie evidence of facts found by him
    • onus is on respondent to rebut facts
    • onus is still on complainant to show breach of IPP/NPP
• Is this biased in favour of respondents?
• Consider different position of TICA parties
Review of Determinations / Appeals against Commissioner
• Complainant currently has no right of appeal against determination
• Respondent has de facto right of appeal
• ALRC 2008 R 49-7: either party should be able to apply to AAT for merits review of a determination
• Complainant can seek judicial review
  • of s41 dismissals or s52 determinations
  • for errors of law or procedural errors
  • but not against the substance of the determination
• How many complainants could understand (or afford) judicial review? Appeals are simpler.
Injunctions
• Privacy Act 1988, s98 - unique provision
• Covers Cth public sector and private sector
• Allows ‘any person’, including P Comm, to seek an injunction to enforce IPPs and NPPs
• Based on s80 Trade Practices Act
• Against anyone ‘engaging or is proposing to engage’ in breach of Act
• Orders restraining breach or ‘requiring the person to do any act or thing’
• Risk of costs against party seeking injunction, and damages (particularly in the case of interim injunctions) - not so in complaints to P Comm
• Also risk to respondent of costs against, but no provision for Fed Ct to award damages for breach
Injunctions (2)
• Channel 7 v MEAA FCA 637
  • See summary by Gunning
  • Rejected submission that only P Comm could enforce Act under s52; distinguished Day v Lynn FCA 87 and other cases
  • Injunction granted against MEAA and Connect for multiple breaches of NPPs
  • What orders will Channel 7 draft?
  • Costs against MEAA $10,000
• Despite only one injunction in 20 years, ALRC did not make any recommendations
Representative complaints
• Cth Act provides - s36(2)
• ss38-39 - special conditions for rep. complaints
• See Connolly and Isaji, ‘Representative Privacy Complaints’ (2004) 10(8) PLPR 16 - survey
• TICA Determinations #1-#4: first example
  • Most successful enforcement action yet under Act
  • Would have been impossible for an individual complainant (particularly tenants)
Own motion investigations
• Comm can carry out ‘own motion’ investigations (s40(2))
• Currently cannot make any enforceable orders as a result
• Does not disclose what investigations are launched
• ALRC 2008 recommends:
  • R 50-1: Comm should be able to ‘issue a notice’ requiring ‘specified action’ to ensure compliance with Act, enforceable in Fed Ct or FMC
  • This would differ from a s52 determination: no capacity to award compensation to individuals
Criminal offences - Australia
• Federal Act
  • Public sector and private sector enforcement does not involve significant criminal enforcement
  • Part IIIA credit reporting does involve offences
• NSW PPIPA ss62-63
  • Breaches of DPPs do not constitute crimes
  • Offences of corrupt disclosure and use of personal information by public officials
  • Offence of offer to supply personal information disclosed unlawfully
• Cth and NSW cybercrime legislation relevant
Penalties for repeated breaches
• No current general penalty provisions
  • there are criminal offences in credit provisions
• Other jurisdictions (eg HK) rely on prosecutions for enforcement; Australia relies on compensation etc
• ALRC 2008 recommends:
  • R 50-2: Comm to be able to seek a civil penalty in the Fed Ct or FMCA where there is a ‘serious or repeated interference with privacy’
    • an attempt to improve the ‘pointy end’ of the ‘enforcement pyramid’ / responsive regulation
  • R 50-1: Comm should develop and publish enforcement guidelines setting out the criteria for seeking civil penalties
Complaints and compliance - NSW Act
For a recent summary see Greenleaf & Bygrave, ‘Data protection in New South Wales – An assessment of strengths and weaknesses’ (confidential draft)
Complaints - NSW Act - Overview
• See Jenner (2004) 10(9) PLPR 169 overview
• Commissioner can investigate any complaint (IPP or ‘non-IPP’)
• IPP complainants re NSW agencies have a choice of Pt 4 investigation or Pt 5 internal review / ADT
• Only ‘Part 5’ complaints to agencies can lead to the ADT and enforceable remedies (after internal review)
• Only Privacy NSW can investigate (under Part 4):
  • non-IPP complaints against NSW agencies
  • non-IPP private sector complaints
  • complaints against bodies / conduct exempt from Cth legislation (will not investigate if NPPs cover)
Complaints - NSW Act - Pt 4 investigations by P.Comm
• Investigation of complaints by P.Comm (Pt 4 Div 3)
  • See P.Comm’s Complaints Protocol
  • Can only conciliate and make recommendations (s49) (like old Privacy Committee)
  • Has extensive powers, including compulsory conferences (s49)
  • May investigate ‘own motion’ complaints (s45 ‘or by’)
  • For IPP complainant to get to ADT, must first seek internal review by agency under Pt 5 (s53)
• Standards applied in Pt 4 investigations
  • Physical privacy - ‘US privacy tort’ standard (Morison Report, 1973)
  • IPP complaints outside PPIPA - own ‘Data Protection Principles’
Complaints - NSW Act - representative complaints?
• No express provision for representative complaints to P.Comm
• Cf Victorian Act s25(3), which allows representative complaints but only with the consent of all the individuals concerned
• No express requirements for ‘representative’ internal review or ADT findings
• Recent cases on who is an ‘aggrieved person’ create some flexibility:
  • An aggrieved person is not necessarily the person who is the subject of the personal information
  • GA v Dept Ed & NSW Police (No 2) NSWADT 10 - GA not one where only acting previously on behalf of his sons - see 11(7) PLPR note
Complaints - NSW Act - internal review and ADT
• Pt 5 complaints - agency internal review and ADT
• Applicant must seek internal review of conduct by agency (s53)
• Agency must conduct internal but independent review (s53(4)); consider provision of the full range of remedies (s53(7)); deal with the matter within 60 days of receipt (s53(6)); and notify applicant in writing, including appeal rights (s53(8))
• Agency must inform P.Comm of review and its progress, and accept submissions from him (s54)
• Dissatisfied applicant may apply to ADT for review (s55)
• ADT may award damages to $40,000 and other remedies (s55(2))
• No s55(2) awards unless applicant has ‘suffered financial loss, or psychological or physical harm’ (s55(4))
• Either party may apply to ADT Appeal Panel for further review
• Appeals from ADT go to Supreme Court
Complaints - NSW Act - litigation under NSW Act
• 26 reported cases (to 1/6/04) - 17 of them in the previous 112 months
• Extensive legal interpretation (contra Cth)
• Note: Privacy NSW does case summaries
• No case has yet resulted in damages paid
• Practice - see Jenner (2004) 10(9) PLPR 169
  • Note differing and limited roles of Privacy NSW in internal reviews and before the ADT
  • Note obligations on agencies in internal reviews
  • Note checklists for complainants and advocates
Complaints and compliance - Hong Kong Ordinance
UNSW students may omit these materials
Complaints and compliance: Hong Kong
See ‘The Commissioner and enforcement of the Ordinance’ in McLeish & Greenleaf chapter
• Investigation
• Compliance orders
• Appeals and reviews
• Compensation
• Criminal offences
Hong Kong: Investigation
Pt V: Inspections, Complaints and Investigations
• Complaints (s37) must be by data subject against a specific data user
• Jurisdictional conditions: s39(1)(d) makes any of the following sufficient:
  • (i)(A) complainant resident in HK; or (ii) in HK at the relevant time
  • (i)(B) data user able to control ‘in or from Hong Kong’ the collection etc of the data at the relevant time [complainant may be overseas]
  • (iii) in PC’s opinion, the enforcement of a right or privilege ‘acquired or accrued in HK by the complainant’ will be prejudiced - meaning?
• Will s39(1)(d) satisfy the EU re data transfers to HK?
  • (i)(B) will usually suffice to protect EU residents against acts in HK
Investigations: Hong Kong
• Representative complaints are allowed
  • s37(2) envisages one complainant making a complaint on behalf of all data subjects affected by a practice
  • But there is no equivalent in s66 (compensation)
  • s37(1) also covers the narrow sense of representatives authorised in writing (see defn. ‘relevant person’)
  • Could a lawyer or civil society group represent all affected data subjects with the written permission of only one of them?
• Compare the Aust. Cth ‘class actions’ provisions and the TICA determinations to see the significance of representative complaints and the role of civil society groups
• Have there been any such complaints in HK? Apparently not - PCO Press Release re Flight Attendants Union does not admit possibility of representative complaints
Investigations: Hong Kong (2)
• PC may refuse to investigate (s39(2)) if:
  • (a) previous similar complaint dismissed (dangerous?)
  • (b) trivial practice; (c) trivial/vexatious complaint
  • (d) ‘any investigation or further investigation is for any other reason unnecessary’
    • will often be because data user has (in the view of the Commissioner) remedied problem
    • could be because parties have settled dispute - does PC facilitate settlements? Anecdotal evidence is ‘no’
    • could this cover ‘another remedy is available’???
• See also s39(1)(a)-(c) for other standard reasons
• Refusals to investigate can be the subject of appeals to the AAB, or judicial review (see later)
Investigations: Hong Kong (3)
• Assistance to complainants, and mediation
  • PC obliged to assist to ‘formulate the complaint’ (s37(4))
  • No specific requirement to assist in mediation of a complaint, or s8 power
• Refusal to investigate, and appeals
  • s39(3) - where PC does not commence formal investigation, or suspends investigation under s39(2), must give complainant notice within 45 days
    • B&W 14.14 interpret this as a 45 day period for ‘informal resolution’
  • s39(4) gives complainant right of appeal to Administrative Appeals Board (AAB) when s39(3) notice is given
  • No further appeal to Courts, only judicial review
Hong Kong: Enforcement notices
• PC can issue enforcement notices (s50)
  • if data user ‘is contravening’ or has done so and it is likely that it will continue or be repeated
    • no notice possible if no further contravention likely
  • requiring data user to ‘remedy the contravention’
    • does not require any damage to complainant to be remedied
  • 4 notices in 2000, 12 in 2001
• PC can instead give warning notices (21 in 2000, 10 in 2001)
• Failure to comply is a criminal offence
• Are there no adverse consequences for breaches, if you promise not to do it again?
Hong Kong: Compliance orders
• No systematic publication of these serious complaints resulting in orders
• s48 allows PCO to issue formal reports naming data users (but not others), but has only done so once
  • ‘Video Peeping Tom’ case (1997) - hidden video camera filmed female student in shared accommodation; undertaking given, but data user not named; victim apparently gained no other remedy
  • Hongkong Post pinhole camera case (2005) - see Materials - named, but press had already shamed
• PCO has therefore never used ‘name and shame’ power
Compliance orders compared
• Closest equivalents are:
  • Aust Cth - s52 determinations by Comm; injunctions by Fed Ct (no standing required)
  • NSW - only the ADT can make orders
  • Vic - Comm can serve compliance notice on an organisation, but only if ‘flagrant’ or repeated breaches
  • Hong Kong - enforcement notices (s50)
Hong Kong: Appeal structure
• Appeals to AAB
  • s39(4) gives complainant right of appeal to Administrative Appeals Board (AAB) when s39(3) notice is given (would also apply if investigation suspended because no enforcement notice)
  • s50(7) gives data user 14 days to appeal against enforcement notice after it is served
  • No further right of appeal to a Court against AAB decision, only judicial review
• Judicial review of PC decisions (2 in 2003)
Hong Kong: Compensation
• PCO or AAB cannot award damages (contra Australia, NZ, Korea)
• Compensation (s66) only by separate Court proceedings
• Applies to ‘an individual who suffers damage by reason of a contravention’ (s66(1)), including damage to feelings (s66(3))
• General defence in s66(4) where data user can show:
  • reasonable care to avoid the contravention - is this fair?; or
  • if the contravention occurred because of inaccurate data, that the data was received from a third party - is this fair?
• Complainant must risk costs against; must also risk disclosure of identity; must also prove complaint ab initio even if already investigated by PCO
• PC not able to assist complainants; HKLRC (2004) criticises this
• Only 1 reported case, and it was dismissed - not surprising?
Criminal offences
• Hong Kong
  • s64 creates criminal offences by data users:
    • supplying false information
    • contravening enforcement notices, subject to defence of due diligence to comply (s46(8))
    • contravening matching requirements
    • contravening any other provision of the Ordinance without reasonable excuse (s64(10))
  • s64 creates offences by any person:
    • supplying false information
    • hindering Commissioner’s investigations
Enforcement & Administration Part 2 - Systemic aspects
• Assessing existing compliance
  • External audits
  • Privacy Compliance Assessments (PCAs)
• Privacy management planning
  • Privacy Impact Assessments (PIAs)
  • Privacy management plans
• Accountability / Transparency
  • Complaint outcomes
  • Publication of decisions
• Modifying / elaborating legislation
  • Codes, exemptions and guidelines
Assessing existing compliance
• Current Australian practice
  • Federal Act empowers audits by PC re public sector but not private sector; however, PCO has abandoned all auditing (costs)
  • NSW - no audit power in Privacy NSW, but there are other controls (eg involvement in internal reviews; privacy management plans)
• ALRC 2008 recommends:
  • 47-6: Comm to be empowered to conduct ‘Privacy Performance Assessments’ of the records of PI maintained by organisations
    • effectively, a new audit power re private sector
Assessing existing compliance (2)
• Hong Kong
  • See McLeish & Greenleaf chapter ‘Assessing compliance’
  • Pt IV powers of ‘formal inspections’ by PCO (s36)
    • never used
  • PCO can report recommendations from inspections applying to classes of data users (s48(1)); see table of improved practices
  • Also powers to require classes of users to submit ‘data user returns’ (s14) - never used
  • Instead, informal ‘compliance checks’ of alleged practices not complying with PD(P)O
  • Now proposing to promote voluntary internal audits or ‘Privacy Compliance Audits’ (PCAs)
Privacy Impact Assessments (PIAs)
• See RG 9.9 for articles by Waters, Flaherty and Stewart for comparable practices
• Aimed at assessing future impact of proposed information systems, not existing compliance
• Requirements
  • No current provisions in any Australian Acts
  • No provision in HK Ordinance
    • PCO proposing to promote voluntary PIAs
    • Were some PIAs done on smart ID card?
  • Canada (2002) made PIAs mandatory for all Federal government institutions
Privacy Impact Assessments (2)
• ALRC 2008 recommends:
  • 47-4: Comm able to (a) direct an agency to provide to it a PIA ‘in relation to a new project or development that [Comm] considers may have a significant impact on the handling of personal information’; and (b) report to Minister if it does not
    • Criticism: no requirement that PIA be made public
  • Comm should publish PIA guidelines
  • Review in 5 years whether to include private sector in PIA requirements
Privacy Management Plans
• See RG 9.10
• Where a whole organisation is required to publish how it will deal with privacy issues
  • sometimes has similar effect to a PIA
• NSW PPIPA 1998 s33 - preparation and implementation of privacy management plans
  • Example: Anne Pickles, 'Protecting exposures' (2000) 7 PLPR 61
• No similar requirement in Cth or Vic Acts, but some agencies have done so voluntarily
Publication - Importance
• Types of publication
  • summaries of complaints
  • statistics of outcomes
• Importance of both summaries and statistics
  • past remedies (‘tariff’) unknown
  • deterrent effect is lost
  • no accountability for high public expenditure
• For critiques of current practices, see:
  • CyberLPC submission on DP 72, ‘5.2. Transparency of the Commissioner’s complaints function’ (in materials)
  • CyberLPC submission on Issues Paper, ‘Transparency and feedback – Inadequacy of the Commissioner’s reporting practices’
• Following slides are less up-to-date than these submissions
Complaint outcomes - does anyone get a remedy?
• Do complainants actually get the remedies that privacy laws make available in theory?
• Sources of evidence available?
  • Annual Reports - only significant public source
  • Websites? Stats provided often only show what is in Annual Reports
  • Reported cases can be searched for types of remedies
  • FOI requests would only work if a ‘document’ was available
• Only some jurisdictions considered
  • Privacy Comms - Australian Fed; NSW; HK; NZ; Canada
  • Information Commissioners not considered - mainly access, some correction, some broader
Outcomes - Hong Kong PC
• See 03-04 & 04-05 Annual Reports (Materials #4)
• Analysis in McLeish & Greenleaf chapter (‘Complaints and enquiries’ and ‘Reporting outcomes’)
• PC Annual Report 2000/01 (01/02 is similar):
  • 789 complaints (up 39%)
  • 68% vs private sector; 14% vs government; 18% vs third parties
  • Over 50% allege breaches of DPP 3 (use)
  • 52 formally investigated (14% of 531 finalised)
  • 26 (50%) found to involve contravention of PD(P)O
  • 10 warning notices; 12 enforcement notices - but no idea what actions required, or what results
  • 4 referrals to Police for prosecution, but in 3 Police found insufficient evidence; one unresolved