enforcement and administration of privacy laws n.
Skip this Video
Loading SlideShow in 5 Seconds..
Enforcement and Administration of Privacy Laws PowerPoint Presentation
Download Presentation
Enforcement and Administration of Privacy Laws

Loading in 2 Seconds...

play fullscreen
1 / 89

Enforcement and Administration of Privacy Laws - PowerPoint PPT Presentation

  • Uploaded on

Enforcement and Administration of Privacy Laws. Privacy and Surveillance Graham Greenleaf L ast revised September 2008. ‘ Responsive Regulation’ Enforcement pyramid Objectives of enforcement Complaints & remedies for individual breaches Investigation powers

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

Enforcement and Administration of Privacy Laws

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
  1. Enforcement and Administration of Privacy Laws Privacy and Surveillance Graham Greenleaf Last revised September 2008

  2. ‘Responsive Regulation’ Enforcement pyramid Objectives of enforcement Complaints & remedies for individual breaches Investigation powers Enforcement notices & criminal offences Compensation and other remedies Appeals and judicial review Systemic aspects of obtaining compliance Publication of decisions & Outcomes of complaints Co-regulatory codes & exemptions - alternative compliance Preventative powers: audits, PIAs etc Privacy Commissioners Independence Roles Enforcement & Administration

  3. ‘Responsive regulation’? • ALRC wants ‘principles-based regulation’(Ch 4): focus on defining outcomes, not prescribing processes • aims to minimise the need for enforcement by ‘encouraging organisations to understand the values behind the law and change their behaviour accordingly • ‘nurturing a culture of voluntary compliance with the law’ • ALRC also wants ‘compliance-oriented regulation’ (4.62) which places (equal??) emphasis on all 3 of: • ‘Fostering compliance’ (heavy emphasis on Commissioner providing guidance); • Monitoring compliance (recommends power to require privacy compliance assessment) • Enforcing compliance - supports ‘enforcement pyramid’ approach.

  4. Responsive regulation? (2) • CyberLPC IP sub 6-16 argues that Comm in 2007 ‘is a failure at implementing responsive regulation’. • Would current Comm practices + ALRC reforms achieve this aim?

  5. Another categorisation • A means of individual redress; • low-cost and non-public • Appropriate range of remedies, such as: • Access to and correction of records; • compensatory damages; • injunctions or orders to enforce compliance; • Criminal penalties for serious/repeated breaches • Judicial review of administrative errors; • Appeals by either party to the Courts • Preventative/educative powers of PCO, such as: • Publication of complaint examples and outcomes • Audits of data users; • Privacy Impact Assessments (PIAs) on new proposals • Power to require reports on existing practices

  6. Complaints and compliance - Cth Privacy Act For a summary see Greenleaf & Bygrave ‘Enforcement aspects of Australia’s Privacy Act 1988 compared with European standards’ (confidential draft)

  7. Complaints - Overview • Investigation - public and private sectors • Complaints only re ‘interferences with privacy’: breaches of NPPs, IPPs etc (s36) • Representative complaints possible (s36(2), s38 - s39) • ‘Own motion’ investigations possible (s40(2) • Comm must not investigate unless complaint first made to respondent, unless inappropriate (s40(1A)) • If Comm is considering a s52 determination, must give both parties the opportunity of a hearing (s43(5)) • Comm’s extensive powers to investigate (ss44-47) • Comm can refuse / close / defer investigation (s41) • No right of appeal to a Court or Tribunal against Comm’s s52 determination (except on quantum of damages)

  8. s41 dismissal of complaints • Most complaints are dealt with under s41 • Comm can refuse / close / defer investigation (s41) because • ‘not an interference’ (1)(a); ‘lacking in substance’ (1)(d) • Another law ‘provides a more appropriate remedy’ ((1)(f)) • Respondent has dealt adequately with complaint ((2)(a)) • See examples of possibly excessive use of s41: • X v Cth Agency [2004] PrivCmr 4 - s41(2)(a) applies even if complainant dissatisfied - 11(1) PLPR note • O v Credit Provider [2004] PrivCmrA 5 and N v Internet Service Provider [2004] PrivCmrA 10 - refusal to investigate because O had not raised every possible issue with respondent - 11(2) PLPR notes • S v Various Cth Agencies [2004] - despite refusals to correct records, investigation refused on (1)(f) grounds - 11(2) PLPR note • Other issues of PLPR Vol 11 contain more examples

  9. s41 dismissal of complaints • ALRC recommendations (2008) • R 49-1: More powers to Comm to dismiss complaints under s41 where … ‘(c) an investigation, or further investigation… is not warranted having regard to all the circumstances’. • Rejects CyberLPC submissions IP 6-16 and DP 72-142 that complainants should be given a right to require a s52 determination if there is a s41 dismissal (and that any extension of s41 is otherwise unsafe).

  10. Conciliation / mediation • Act currently does not specify anything about conciliation role • ALRC 2008 recommends • R 49-5(a) - if Comm considers successful conciliation ‘reasonably possible’, must attempt it • R 50–4: Comm should be able to accept an undertaking that an agency or organisation will take specified action to ensure compliance; if they breach undertaking, Comm can seek compliance order in Federal Ct

  11. Right to s52 determination • Currently no such right and Comm does not accept that complainants have any right to a s52 determination • ALRC 2008 recommendations: • R 49-5(b) - if conciliation fails ‘the complainant or respondent may require that the complaint be resolved by determination’ • Criticism: Any right under (b) to a s52 determination is therefore dependant on Comm’s subjective decision under (b) that mediation is possible (CyberLPC submission was that any complainant should be able to so require)

  12. S52 Determinations • Determinations under s52 are the only ‘enforceable’ orders Comm can make • Dismissing complaint • never used - s41 (ab)used instead • That conduct should not be repeated • Never used • Performance of reasonable acts • TICA determinations 2004/1-4: PC only identifies conduct in breach, refuses to specify acts to be performed • ALRC 2008 R 49–6 : Comm should be able to prescribe the steps that an agency or respondent must take to ensure compliance with the Act.

  13. S52 determinations (2) • Compensation - only one contested example • C v ACT Govt Solicitor [2003] PrivCmrACD 1- $1,000 compensation • Can compensate ‘feelings or humiliation’ • ‘correction, deletion or addition to a record’ • Never used • Reimbursement for ‘expenses reasonable incurred’ • [2003] PrivCmrACD 1- $1,300 costs

  14. Determinations in practice • Determinations practice to date • Determinations are published by the PCO and republished by WorldLII • 1989-2002: zero substantive determinations (2 fakes in 1993) Why none after that? • 2003/1 - ACT govt (disclosure) • 2004/1 - ACT govt (disclosure) • 2004/2-5 - 4 x TICA (first re private sector) • 2004-08 - None by the current Commissioner • Is this responsive regulation?

  15. Determinations - enforcement • Enforcement of s52 determinations (ss 54-55B) • s55 - respondent must comply with determination • s55A - if respondent does not comply, must proceed de novo in Fed Ct / Mag Ct for enforcement • Has not occurred as yet • Evidence before Commissioner is admissable • s55B - Certified copy of Comm’s determination is prima facie evidence of facts found by him • Onus is on respondent to rebut facts • Onus is still on complainant to show breach of IPP/NPP • Is this biased in favour of respondents? • Consider different position of TICA parties

  16. Review of Determinations / Appeals against Commissioner • Complainant currently has no right of appeal against determination • Respondent has de facto right of appeal • ALRC 2008 R 49–7: either party should be able to apply to AAT for merits review of a determination • Complainant can seek judicial review • (of s41 dismissals or s52 determinations) • For errors of law or procedural errors • But not against the substance of the determination • How may complainants could understand (or afford) judicial review? Appeals are simpler.

  17. Injunctions • Privacy Act 1988, s98 - unique provision • Covers Cth public sector, private sector • allows ‘any person’, including P Comm, to seek injunction to enforce IPPs and NPPs • Based on s80 Trade Practices Act • Against anyone ‘engaging or is proposing to engage’ in breach of Act • Orders restraining breach or ‘requiring the person to do any act or thing’ • Risk of costs against party seeking injunction, and damages (particularly in the case of interim injunctions) - not so in complaints to P Comm • Also risk to respondent of costs against, but no provision for Fed Ct to award damages for breach

  18. Injunctions (2) • Channel 7 v MEAA [2004] FCA 637 • See summary by Gunning • Rejected submission that only P Comm could enforce Act under s52; distinguished Day v Lynn [2003] FCA 87 and other cases • Injunction granted against MEAA and Connect for multiple breaches of NPPs • What orders will Channel 7 draft? • Costs against MEAA $10,000 • Despite only one injunction in 20 years, ALRC did not make any recommendations

  19. Representative complaints • Cth Act provides - s36(2) • ss38-39 - special conditions for rep. complaints • See Connolly and Isaji ‘Representative Privacy Complaints’ (2004) 10(8) PLPR 16 - survey • TICA Determinations #1 - #4: first example • Most successful enforcement action yet under Act • Would have been impossible for an individual complainant (particularly tenants)

  20. Own motion investigations • Comm can carry out ‘own motion’ investigations (s40(2)) • Currently can make any enforceable orders as a result • Does not disclose what investigations launched • ALRC 2008 recommends: • R 50-1 Comm should be able to ‘issue a notice’ requiring ‘specified action’ to ensure compliance with Act, enforceable in Fed Ct or FMC. • This would differ from a s52 determination, no capacity to award compensation to individuals.

  21. Criminal offences - Australia • Federal Act • Public sector and private sector enforcement does not involve significant criminal enforcement • Part IIIA credit reporting does involve offences • NSW PPIPA ss62-s63 • breaches of DPPs do not constitute crimes • offences of corrupt disclosure and use of personal information by public officials • offence of offer to supply personal information disclosed unlawfully • Cth and NSW cybercrime legislation relevant

  22. Penalties for repeated breaches • No current general penalty provisions • there are criminal offences in credit provisions • Other jurisdictions (eg HK) rely on prosecutions for enforcement, Australia relies on compensation etc • ALRC 2008 recommends • R 50–2: Comm to be abel to seek a civil penalty in the Fed Ct or FMCA where there is a ‘serious or repeated interference with privacy’ • An attempt to improve the ‘pointy end’ of the ‘enforcement pyramid’ / responsive regulation • R 50-1: Comm should develop and publish enforcement guidelines setting out the criteria for seeking civil penalties

  23. Complaints and compliance - NSW Act For a recent summary see Greenleaf & Bygrave ‘Data protection in New South Wales – An assessment of strengths and weaknesses’ (Confidential draft)

  24. Complaints - NSW Act - Overview • see Jenner (2004) 10(9) PLPR 169 overview • Commissioner can investigate any complaint (IPP or ‘non-IPP’) • IPP complainants re NSW agencies have a choice of Pt 4 investigation or Pt 5 internal review / ADT • Only‘Part 5’ complaints to agencies can lead to the ADT and enforceable remedies (after internal review) • Only Privacy NSW can investigate (under Part 4): • Non-IPP complaints against NSW agencies • Non-IPP private sector complaints • Complaints against bodies / conduct exempt from Cth legislation (will not investigate if NPPs cover)

  25. Complaints - NSW Act - Pt 4 Investigations by P.Comm • Investigation of complaints by P.Comm (Pt 4 Div 3) • See P. Comm’s Complaints Protocol • can only conciliate and make recommendations (s49) (like old Privacy Committee) • has extensive powers, including compulsory conferences (s49) • May investigate ‘own motion’ complaints (s45 ‘or by’) • For IPP complainant to get to ADT, must first seek internal review by agency under Pt 5 (s53) • Standards applied in Pt 4 investigations • Physical privacy - ‘US privacy tort’ standard (Morison Report, 1973) • IPP complaints outside PPIPA - own ‘Data Protection Principles’

  26. Complaints - NSW Act - representative complaints? • No express provision for representative complaints to P.Comm • Cf Victorian Act s25(3) allows representative complaints but only with the consent of all the individuals concerned • No express requirements for ‘representative’ internal review or ADT findings • Recent cases on who is an ‘aggrieved person’ create some flexibility: • An aggrieved person is not necessarily the person who is the subject of the personal information • GA v Dept Ed & NSW Police (No 2) [2005] NSWADT 10 - GA not one where only acting previously on behalf of his sons - see 11(7) PLPR note

  27. Complaints - NSW Act - Internal review and ADT • Pt 5 complaints - agency internal review and ADT • Applicant must seek internal review of conduct by agency (s53) • Agency must conduct internal but independent review (s53(4)); consider provision of the full range of remedies (7); and deal with the matter within 60 days of receipt (6); notify applicant in writing, including appeal rights (8) • Agency must inform P.Comm of review and its progress, and accept submissions from him (s54) • Dissatisfied applicant may apply to ADT for review (s55) • ADT may award damages to $40,000 and other remedies (s55(2)) • No s55(2) awards unless applicant has ‘suffered financial loss, or psychological or physical harm’ (s55(4)) • Either party may apply to ADT Appeal Panel for further review • Appeals from ADT go to Supreme Court

  28. Complaints - NSW Act - litigation under NSW Act • 26 reported cases (to 1/6/04) - 17 of them in the previous 112 months • Extensive legal interpretation (contra Cth) • Note: Privacy NSW does case summaries • No case has yet resulted in damages paid • Practice - see Jenner (2004) 10(9) PLPR 169 • Note differing and limited roles of Privacy NSW in internal reviews and before the ADT • Note obligations on agencies in internal reviews • Note checklists for complainants and advocates

  29. Complaints and compliance - Hong Kong Ordinance UNSW students may omit these materials

  30. Complaints and compliance: Hong Kong See ‘The Commissioner and enforcement of the Ordinance’ in McLeish & Greenleaf Chapter • Investigation • Compliance orders • Appeals and reviews • Compensation • Criminal offences

  31. Hong Kong: Investigation Pt V: Inspections, Complaints and Investigations • Complaints (s37) must be by data subject against a specific data user • Jurisdictional conditions: s39(1)(d) makes any of the following sufficient: • (i)(A) complainant resident in HK; or (ii) in HK at the relevant time • (i)(B) data user able to control ‘in or from Hong Kong’ the collection etc of the data at the relevant time [complainant may be overseas] • (iii) in PC’s opinion, the enforcement of a right or privilege ‘acquired or accrued in HK by the complainant’ will by prejudiced - meaning? • Will s39(1)(d) satisfy the EU re data transfers to HK? • (I)(B) will usually suffice to protect EU residents against acts in HK

  32. Investigations: Hong Kong • Representative complaints are allowed • S37(2) envisages one complainant making a complaint on behalf of all data subjects affected by a practice • But there is no equivalent in s66 (compensation) • s37(1)) also covers the narrow sense of representatives authorised in writing (see defn. ‘relevant person’) • Could a lawyer or civil society group represent all affected data subjects with the written permission of only one of them? • Compare the Aust. Cth ‘class actions’ provisions and the TICA determinations to see the significance of representative complaints and the role of civil society groups • Have there been any such complaints in HK?- apparently not - PCO Press Release re Flight Attendants Union does not admit possibility of representative complaints

  33. Investigations: Hong Kong • PC may refuse to investigate (s39(2)) if: • (a) Previous similar complaint dismissed (dangerous?) • (b) trivial practice; (c) trivial/vexatious complaint • (d) ‘any investigation or further investigation is for any other reason unnecessary’ - • Will often be because data user has (in the view of the Commissioner) remedied problem • Could be because parties have settled dispute - does PC facilitate settlements? - anecdotal evidence is ‘no’ • Could this cover ‘another remedy is available’??? • See also s39(1)(a)-(c) for other standard reasons • Refusals to investigate can be the subject of appeals to the AAB, or judicial review (see later)

  34. Investigations: Hong Kong • Assistance to complainants, and mediation • PC obliged to assist to ‘formulate the complaint’ (s37(4)) • No specific requirement to assist in mediation of a complaint, or s8 power • Refusal to investigate, and appeals • S39(3) - Where PC does not commence formal investigation, or suspends investigation under s39(2), must give complainant notice within 45 days • B&W 14.14 interpret this as a 45 day period for ‘informal resolution’ • S39(4) gives complainant right of appeal to Administrative Appeals Board (AAB) when s39(3) notice is given • No further appeal to Courts, only judicial review

  35. Hong Kong: Enforcement notices • PC can issue enforcement notices (s50) • If data user ‘is contravening’ or has done so and it is likely that it will continue or be repeated • No notice possible if no further contravention likely • requiring data user to ‘remedy the contravention’ • Does not require any damage to complainant to be remedied • 4 notices in 2000, 12 in 2001 • PC can instead give warning notices (21 in 2000, 10 in 2001) • Failure to comply is a criminal offence • Are there no adverse consequences for breaches, if you promise not to do it again?

  36. Hong Kong: Compliance orders • No systematic publication of these serious complaints resulting in orders • S48 allows PCO to issue formal reports naming data users (but not others), but has only done so once • ‘Video Peeping Tom’ case (1997) - hidden video camera filmed female student in shared accommodation; undertaking given, but data user not named; victim apparently gained no other remedy • Hongkong Post pinhole camera case (2005) - see Materials - named but press had already shamed • PCO has therefore never used ‘name and shame’ power

  37. Compliance orders compared • Closest equivalents are: • Aust Cth - s52 determinations by Comm; injunctions by Fed Ct (no standing required) • NSW - only the ADT can make orders • Vic - Comm can serve compliance notice on an organisation • but only if ‘flagrant’ or repeated breaches • Hong KongEnforcement notices (s50)

  38. Hong Kong: Appeal structure • Appeals to AAB • S39(4) gives complainant right of appeal to Administrative Appeals Board (AAB) when s39(3) notice is given (would also apply if investigation suspended because no enforcement notice) • s50(7) gives data user 14 days to appeal against enforcement notice after it is served • No further right of appeal to a Court against AAB decision, only judicial review • Judicial review of PC decisions (2 in 2003)

  39. Hong Kong: Compensation • PCO or AAB cannot award damages (contra Australia, NZ, Korea) • Compensation (s66) only by separate Court proceedings • Applies to ‘an individual who suffers damage by reason of a contravention’ (s66(1)); including damage to feelings (s66(3)) • General defence in s66(4) where data user can show: • Reasonable care to avoid the contravention; or • Is this fair? • If the contravention occurred because of inaccurate data, the data was received from a third party. • Is this fair? • Complainant must risk costs against; must also risk disclosure of identity; must also prove complaint ab initio even if already investigated by PCO • PC not able to assist complainants; HKLRC (2004) criticises this • Only 1 reported case, and it was dismissed - not surprising?

  40. Criminal offences • Hong Kong • S64creates criminal offences by data users • Supplying false information • Contravening enforcement notices, subject to defence of due diligence to comply (s46(8) • Contravening matching requirements • Contravening any other provision of the Ordinance without reasonable excuse (s64(10)) • S64 creates offences by any person • Supplying false information • Hindering Commissioner’s investigations

  41. Part 2 - Systemic aspects of Enforcement & Administration

  42. Enforcement & Administration Part 2 - Systemic aspects • Assessing existing compliance • External audits • Privacy Compliance Assessments (PCAs) • Privacy management planning • Privacy Impact Assessments (PIAs) • Privacy management plans • Accountability / Transparency • Complaint outcomes • Publication of decisions • Modifying / elaborating legislation • Codes, exemptions and guidelines

  43. Assessing existing compliance • Current Australian practice • Federal Act empowers audits by PC re public sector but not private sector; however, PCO has abandoned all auditing (costs) • NSW - No audit power in Privacy NSW, but there are other controls (eg involvement in internal reviews; privacy management plans) • ALRC 2008 recommends • 47–6 Comm to be empowered to conduct ‘Privacy Performance Assessments’ of the records of PI maintained by organisations • Effectively, a new audit power re private sector

  44. Assessing existing compliance • Hong Kong • See McLeish & Greenleaf chapter ‘Assessing compliance’ • Pt IV powers of ‘formal inspections’ by PCO (s36) • Never used • PCo can report recommendations from inspections applying to classes of data users (s48(1)); See table of improved practices • Also powers to require classes of users to submit ‘data user returns’ (s14) - never used • Instead, informal ‘compliance checks’ of alleged practices not complying with PD(P)O • Now proposing to promote voluntary internal audits or ‘Privacy Compliance Audits’ (PCAs)

  45. Privacy Impact Assessments (PIAs) • See RG 9.9 for articles by Waters, Flaherty and Stewart for comparable practices • Aimed at assessing future impact of proposed information systems, not existing compliance • Requirements • No current provisions in any Australian Acts • No provision in HK Ordinance • PCO proposing to promote voluntary PIAs • Were some PIAs done on smart ID card • Canada (2002) made PIAs mandatory for all Federal government institutions

  46. Privacy Impact Assessments (2) • ALRC 2008 recommends: • 47–4 Comm able to (a) direct an agency to provide to it a PIA ‘in relation to a new project or development that [Comm] considers may have a significant impact on the handling of personal information; and (b) report to Minister if it does not. • Criticism: no requirement that PIA be made public • Comm should publish PIA guidelines. • Review in 5 years whether to include private sector in PIA requirements.

  47. Privacy Management Plans • See RG 9.10 • Where a whole organisation is required to publish how it will deal with privacy issues • Sometimes has similar effect to a PIA • NSW PPIPA 1998 s33 Preparation and implementation of privacy management plans • Example: Anne Pickles 'Protecting exposures' (2000) 7 PLPR 61 • No similar requirement in Cth or Vic Acts, but some agents have done so voluntarily

  48. Publication - Importance • Types of publication • Summaries of complaints • Statistics of outcomes • Importance of both summaries and statistics • Past remedies (‘tariff’) unknown • Deterrent effect is lost • No accountability for high public expenditure • For critiques of current practices, see • CyberLPC submission on DP 72 ‘5.2. Transparency of the Commissioner’s complaints function’ (in materials) • CyberLPC submission on Issues Paper ‘Transparency and feedback – Inadequacy of the Commissioner’s reporting practices’ • Following slides are less up-to-date than these submissions

  49. Complaint outcomes - Does anyone get a remedy? • Do complainants actually get the remedies that privacy laws make available in theory? • Sources of evidence available? • Annual Reports - only significant public source • Websites? • Stats provided often only show what is in Annual Reports • Reported cases can be searched for types of remedies • FOI requests would only work if a ‘document’ was available • Only some jurisdictions considered • Privacy Comms - Australian Fed; NSW ; HK; NZ; Canada • Information Commissioners not considered - mainly access, some correction, some broader

  50. Outcomes - Hong Kong PC • See 03-04 & 04 -05 Annual Report (Materials #4) • Analysis in McLeish & Greenleaf chapter (‘Complaints and enquiries’ and ‘Reporting outcomes’) • PC Annual Report 2000/01 (01/02 is similar) • 789 complaints (up 39%); • 68% vs private sector;14% vs government;18% vs 3rd Ps • Over 50% allege breaches of DPP 3 (use) • 52 formally investigated (14% of 531 finalised) • 26 (50%) found to involve contravention of PD(P)O • 10 warning notices; 12 enforcement notices - but no idea what actions required, or what results • 4 referrals to Police for prosecution but in 3 Police found insufficient evidence; one unresolved