Part I - Why reporting is needed
Few cases under information privacy laws ever reach the Courts, whether in Asia-Pacific jurisdictions or in European jurisdictions[2]. The reasons vary between jurisdictions, and in some cases include the lack of sufficient rights to appeal or to seek judicial review[3]. Whatever the reasons, the result is that the overwhelming majority of complaints of breach of privacy laws are resolved by Privacy Commissioners, whether by mediation, or by exercise of binding dispute resolution powers where they have them. Since only a tiny number of issues requiring legislative interpretation will ever reach the Courts, on most points the law is in effect what the Privacy Commissioner says it is.
Of course, there are countervailing factors. Publication of complaint resolutions is only one aspect of the transparency and educational role of a Privacy Commissioner. Different views can be taken of where Privacy Commissioners, who often have inadequate resources, should place their priorities. Some Commissioners with a very effective record in other forms of public communication are very poor at reporting complaints, but we should not over-emphasise this since it is much easier and less contentious to publish 'feel good' information exhorting compliance with an Act than it is to identify those who fail to comply.
The need for complaint reporting is also sometimes difficult to reconcile with the desire to mediate a settlement between the parties, but this can usually be dealt with by anonymisation. Where it cannot, it should be a matter of case-by-case assessment, not a general reason for non-publication. This is discussed later.
This study suggests improvements to the reporting practices of some Privacy Commissioners who already implement many good practices. In other instances it is more critical. However, it should be borne in mind that current Commissioners may have inherited practices from their predecessors, and not yet had adequate opportunity, or resources, to remedy them.
Inadequacies of Commissioners' reporting practices is a neglected issue. There have been occasional calls in Canada[6], Australia[7] and Europe[8] for more effective reporting of complaints by Commissioners, but this issue has not yet commanded the attention it deserves.
However, to go beyond such simple propositions is difficult, because of differences in the administrative law of the ten or so Asia-Pacific jurisdictions that have Privacy Commissioners. Laws may differ concerning such matters as what constitute relevant/irrelevant considerations that administrators may/may not take into account, requirements of consistency in administrative actions, requirements of administrators to adhere to announced policies, and the conditions under which judicial review of administrative action is available. These matters are beyond the scope of this article.
Irrespective of these administrative law differences, we can generalise to say that the publication of Commissioners' decisions will increase the likelihood that apparently inconsistent decisions of Commissioners will be subjected to judicial review, and that Commissioners would feel more constrained (irrespective of the legal position) to act consistently if inconsistencies are likely to be pointed out to them by dissatisfied parties, critics and others[9]. These effects are generally desirable.
Terminology has been simplified in order to make comparisons easier. Although the officials responsible for privacy have different names in different jurisdictions, 'Privacy Commissioner' is used most frequently and I have used that as the generic. Similarly, the expression 'IPP' is used generically to refer not only to 'Information Privacy Principles', but also 'National Privacy Principles', 'Data Protection Principles', 'Privacy Protection Principles' and the like.
In order to make sense of the different types of reporting practices between jurisdictions, we must distinguish between four broad categories of reports:
The availability of decisions of Tribunals or Courts in appeals against, or judicial review of, Privacy Commissioners' decisions varies a great deal between jurisdictions.
In Australia, once decisions on privacy complaints go beyond Commissioners by way of judicial review or appeal[11], all Australian jurisdictions provide accessible reports of the decisions of the succeeding levels of dispute resolution. The decisions of the relevant Australian appellate tribunals and Courts[12] are all included on the Internet[13]. There is therefore no theoretical issue concerning the availability of these decisions[14] in Australia, and no practical issue for those who know where to look. However, most businesses, some complainants, and even inexperienced advisors, would not know how to find these decisions. It is highly desirable, and takes little effort, for the websites of Australian Privacy Commissioners to provide links to these decisions. The Federal Commissioner's site does not provide this as yet[15]. As to NSW, see below.
In contrast, decisions of the Administrative Appeals Board in Hong Kong, which hears appeals against the Privacy Commissioner's decisions, are not yet available on the Internet, and their existence and content is only known to a small group of people in government and at the Bar. Similarly, the almost non-existent level of free Internet access to caselaw of New Zealand Courts and Tribunals[16] means that there is little effective public access to the decisions of some of the bodies that review decisions of the Privacy Commissioner. Under these circumstances the best that can be expected of Privacy Commissioners is that their websites identify those decisions that have reviewed the Privacy Commissioner's decisions and (if possible) provide a brief summary of the decision. The NZ Commissioner does not do this. The HK Commissioner does, but the decision summaries are scattered across the Annual Reports on his site, and difficult to locate.
Similarly, some privacy legislation provides rights that can only be pursued before a Court or Tribunal, and the Privacy Commissioner is not necessarily involved in these decisions. Examples are s66 of the Hong Kong Personal Data (Privacy) Ordinance[17]http://www.hklii.org/hk/legis/ord/pdo275/s66.html], which requires court proceedings if a complainant wishes to obtain compensation, and s98 of the Australian Federal Privacy Act 1988[18], which allows any person to seek an injunction against breaches of the Act. If there are cases interpreting these provisions (there is one in Hong Kong but none in Australia), then it would be very desirable if the Commissioners' websites could provide links to them. Neither does so. The NSW Commissioner's site does provide such links to ADT decisions on appeals against agency decisions[19], and furthermore publishes summaries of ADT decisions in print and on its website as part of a 'Newsletter for Privacy Contact Officers '[20].
The Commissioner provides complaint statistics in his Annual Report. For example, in 1999-2000, of 303 complaints formally completed, 137 (45%) were resolved through mediation, 13% found to be unsubstantiated on investigation, and 24% were withdrawn. Of the 56 (18%) formally resolved, 29 were found to involve contraventions of the Ordinance. These resulted in 21 warning notices, requiring written undertakings to implement remedies, with only 4 resulting in enforcement notices directing remedial actions.
The HK Commissioner reports anonymised summaries of both complaints and enquiries on its web site, and complaint case notes in his Annual Report . The web site of the HKPCO provides both Complaint Case Notes[22]http://www.pco.org.hk/english/casenotes/case_complaint.php] and Enquiry Case Notes[23]http://www.pco.org.hk/english/casenotes/case_enquiry.php]. They are both indexed by the DPP or section of the Ordinance to which they relate, and by their subject matter ('Sector/Business'). There is a special search engine for complaints and enquiries which is quite effective, at least with recent browsers[24] .The general search engine for the site does not search complaints and enquiries[25], and it suggests that users use the special search engine instead.
A lot of Enquiry Case Notes are provided, they are helpful, and they have not been updated since 2001. There are few Complaint Case Notes (which are more important) available online, and they are rather brief and only duplicate case notes found in the Annual Report. Unfortunately, they only date from the Annual Reports of 1997-98 (20 case notes) and 2001-02 (6 case notes). The five years since 1998, most of the life of the Commissioner's office, are therefore absent (with a handful of exceptions). This is the crucial aspect of the Commissioner's site (from the perspective of this study), and it is at present defunct. The Commissioner's office says it is reviewing its publication practices[26].
Section 48 of the Personal Data (Privacy) Ordinance[27]http://www.hklii.org/hk/legis/ord/pdo275/s48.html] provides 'the Commissioner may, after completing an investigation and if he is of the opinion that it is in the public interest to do so, publish a report' detailing the results of the investigation, his recommendations and comments. However, it must 'prevent the identity of any individual being ascertained from it' (s48(3)), but this right of anonymity does not apply to data users (s48(4)(b)), only to complainants and other third party individuals[28]. There has apparently been only one report which has named a data user, and it is not available on the Commissioner's website.
A deficiency of the Commissioner's reporting practices is that there is no comprehensive reporting of those complaints that have gone to the stage of formal resolution and a decision under s50 whether to issued an enforcement notice (56 in 1999-2000). Such reporting would need to include significant decisions not to issue notices, as well as those where notices are issued. Given that the Commissioner does have some types of enforcement powers (eg power to award compensation), comprehensive reporting of at least significant complaints resolved under s50 would be valuable.
The full text of AAB decisions are not yet available via the Internet, nor published in any convenient form, and so are generally only available to government agencies and barristers involved in this area.
The Commissioner releases periodic sets of complaint summaries both in print and on his website[32] (up to date to 2003). There were 20 summaries in 1994, 24 summaries in 2001, but only 14 in 2002. None are yet published for 2003. The level of detail is considerably greater in more recent summaries. While very helpful, some of the earlier complaints did not usually provide enough detail of the legal considerations involved in the complaint. They are one of the better examples of the reporting of mediated complaints as distinct from formal determinations/decisions. However, as Evans notes[33] it is surprising that there are so few, with only 150 casenotes in a decade.
They have useful catchwords indicating the IPP involved, but no index by IPPs or subject matter. The search engine will search the tables of contents of decisions. The Commissioner's office does publish printed compilations of all casenotes periodically, including an indexed compilation of 120 casenotes from 1993 to December 2001[34]. The index, not yet on the website, identifies casenotes by sector/agency, words and phrases interpreted, IPP and statutory provision interpreted.
Since November 2002 the NZ Commissioner has agreed to publish all of the complaint summaries since 1994 in a database on AustLII and WorldLII. It now contains summaries back to 1998[35], and earlier years are being added progressively. The Commissioner has also agreed to use a citation method compatible with that recommended in this paper (see later).
The Commissioner's Guide to Preparing Privacy Commissioner's Case Notes[36] states that
'The purpose of a case note is to enable someone who has not read the Commissioner's formal opinions to understand the essential conclusions that he reached. ... The case note writer must express clearly the Commissioner's opinion and the reasons for it. ... The case note needs to briefly set out the facts relevant to the legal points at issue and the Commissioner's findings.'
'the respondent will not be named unless it is essential to the understanding of the case, or if the Commissioner has decided to publicly identify the respondent'. It is usually (but not always) necessary to name government departments to enable the case note to make sense. For example, a case note involving the Police will always identify the respondent as the Police and not simply as "a respondent", "a government department" or a "law enforcement authority", as any such label may lead to misunderstandings. On the other hand, a case concerning a government department's disciplinary records in respect of which the identity of the respondent was irrelevant could be reported in more generic terms.'Public sector respondents will often be named, but private sector ones will normally not be named although there are some exceptions. The basis on which the Commissioner will decide to name a private sector respondent is not discussed in the Guide. Perusal of year 2002 complaints reported by the Commissioner shows that some private sector respondents are identified ('Fourth Estate Holdings Limited', a media body), but some are not ('a life assurance company', 'a club'), and most but not all government agencies are identified.
In addition, the Commissioner's Annual Report does name the year's 'Top 10 Respondents', most of whom were public sector agencies but Telecom and Baycorp Advantage (a credit bureau and debt collector) are private sector bodies[38]. Where respondents are dominant private sector bodies such as this, there seems to be little reason to treat them any differently from large public agencies, and the Commissioner sensibly treats them the same way by identifying them.
Decisions of the Human Rights Review Tribunal are not available online. AustLII has unsuccessfully requested the Tribunal for permission to publish its decisions online[42]. At the least, the NZ Commissioner could list the title of all enforcement actions to the Tribunal, their outcomes, and the titles of any further appeals. He could also list any other Court actions in which his Office is involved, or actions of which he is aware that involve the Act.
Brief details of a handful of complaints are provided in his annual reports. For example, his Annual Report 1998-99 gives brief details of nine settled complaints (out of 91 closed that year), but not even the details of all of those resulting in compensation. Even these minimal details were dropped from the 1999-2000 Annual Report, but the 2000-01[48] and 2001-2 reports reinstate the practice of reports on about a dozen complaints, each of a couple of paragraphs in length. The details are usually not enough for anyone to understand the legal significance (if any) of the issues addressed by the Commissioner in resolving the complaint, though this has improved in the 2001-2 report. This reporting is more in the nature of a public relations exercise, and does not provide any useful guidance on how the Commissioner interprets the Act, or guidance on the types of remedies that the Commissioner typically negotiates. The Commissioner's website[49] did not until the end of 2002 include any details of the resolution of particular complaints[50]. It has therefore not been possible to find any consolidated set of examples of how the Commissioner deals with complaints.
Since the initial publication of this study the Commissioner has reviewed his reporting policy, and since the end of 2002 has commenced online publication of selected complaints, resulting in the publication of twelve complaint summaries from December 2002 to July 2003[51]. The Commissioner states that 'Most cases chosen for inclusion in case notes involve new interpretation of the Act or associated legislation, illustrate systemic issues, or illustrate the application of the law to a particular industry'. The complaint summaries published as yet are reasonably detailed, averaging 1.5 pages, giving more detail than has been found previously in Annual Report summaries, referring specifically to those privacy principles and sections of the legislation on which resolution of the complaint turned, indicating whether the Commissioner's Office considered that the complaint appeared to involve breaches[52], and indicating the remedies provided to the complainant. Any prospective complainant or respondent, or their advisers, would find them very helpful.
The Commissioner's Office has also adopted the form of complaint report citation recommended later in this article. It has also agreed that the complaint report summaries may be republished on the AustLII website in addition to its own website, and this has occurred[53]. The Commissioner's Office has also adopted the good practice of sending an email to its PRINET mailing list each time a complaint summary is published.
The value of the complaint summaries publishes so far illustrates how damaging it has been to the public understanding of privacy law in practice that no equivalent summaries have been published from 1989 to late 2000. Even at the current rate of two complaint summaries per month, there would be a body of over 300 complaints to draw on by now. The Canadian Federal Commissioner, the closest point of comparison, publishes on average 5 complaint summaries per month. It would still be valuable if the Australian Commissioner could institute a programme of retrospective publication of the most significant complaints investigated by his office in the last decade, even if this only amounted to a few per year.
As noted above, very few complaints are dealt with under s52. Most complaints are dealt with under s41(2)(a), as the Commissioner explains[54]:
"This process [conciliation] has been very successful in the existing jurisdiction and usually results in our Office closing the complaint under s.41(2)(a) on the grounds that the respondent has adequately dealt with the matter. Moreover, in the vast majority of complaints over the last five years, resolution has not involved monetary compensation. Less than 6% of complaints have involved financial compensation. In all but a few serious matters, the amounts have been very modest. ($500 - $2,000)."Section 52 does require that a written determination be provided to the parties but does not require broader publication although that has been the practice of past and current Commissioners. In contrast, s41 does not require any written report on a complaint, it merely allows the Commissioner to decide not to investigate further. Under s41(2)(a), it is the Commissioner's opinion that the respondent has dealt with the matter adequately, not necessarily the complainants view[55]. The Commissioner's office states that it always explains the reasons supporting his decision to close a complaint under s41[56], but it is not clear whether the parties receive a written explanation, or one setting out the interpretation of the Act on which the Commissioner thinks it would be sensible for them to settle their complaint.
Are all complainants and respondents dealt with under s41 genuinely satisfied with the resolution? Do complainants settle because they consider that the terms offered, even if inadequate, are the best they will get from a Commissioner's determination in any event, and because they have no right of appeal[57]? Respondents may be equally dissatisfied, believing that the Commissioner has induced them to make a settlement offer that they consider unjustified, because he otherwise proposes to make a formal determination. The Commissioner's Office states that one of the factors leading parties to accept what the Commissioner considers are reasonable settlement terms is the alternative that the Commissioner will go ahead and make a formal determination based on these terms[58].
Investigations may also be terminated because the Commissioner thinks there is no breach of the Act (s41(1)(a)), or because 'the complaint is frivolous, vexatious, misconceived or lacking in substance' (s41(1)(d)). In these latter two cases, the Commissioner could proceed to make a determination under s52(1)(b) 'dismissing the complaint', and this would require a written determination to be made setting out reasons. A complainant has no right to insist upon a s52 dismissal determination. Would one be given on request? This would at least give the complainant a clear basis on which to seek judicial review. Of course, if complainants knows enough administrative law, he or she can get a statement of reasons for a s41 decision under the Administrative Decisions (Judicial Review) Act 1977, and they can even subject the Commissioner to judicial review of his s41 decision. Complainants do receive an information sheet from the Commissioner which refers to the availability of judicial review, but it is questionable how many complainants would understand that they have rights of review even where there is no formal decision against them. There is at least one Federal Court decision where the Commissioner's refusal under s41 to investigate further was remitted back to the Commissioner for reconsideration[59], but the only published decisions of judicial review of decisions by the Commissioner suggest that the requests for review were misconceived[60].
Taken together, the lack of any rights of appeal for complainants, the Commissioners' practice to avoid making s52 determinations, the lack of court decisions concerning judicial review of s41 refusals to investigate further, and the Commissioner's practice (until now) not to publish any meaningful details of mediated or dismissed complaints, had prevented any accountability by the Commissioner for his handling of complaints. The Australian Privacy Commissioner's office had become a 'black hole': many complaints enter, but no privacy law or practices ever escaped to receive public scrutiny. This may now be changing.
I have no way of determining whether the dangers inherent in non-reporting have been realised in incorrect decisions and inadequate remedies: the lack of public information prevents accountability. Even if the Australian federal Commissioner's staff were scrupulous in avoiding the dangers described, justice was not being seen to be done. Systematic reporting practices will ameliorate some of these deficiencies in the legislation. The recent changes to the Commissioner's practices (described above) will reduce these problems if they are continued, but only if they are expanded to include most significant complaints (as discussed in the next Part).
"The Office includes in its annual report some cases studies on complaints it has handled and investigations it has carried out. These are reported in summary form and do not generally identify the complainant or respondent. With the new private sector provisions, the Office plans to add to this approach by publishing more frequent, de-identified case notes on complaints it has handled. The aim of these will be to help organisations and the community understand the way the Office applies the provisions of the Act and, where relevant, the provisions of approved codes."The circumstances where respondents (companies etc) will be named are as follows:
"On occasion there may be some merit in making public the circumstances of a particular complaint or investigation. This may be, for example, where there is already publicity around a particular matter before it reaches the Office or where, despite all the other approaches the Office has taken, an organisation continues to engage in behaviour that constitutes an interference with privacy. This would clearly be a serious step which could have commercial consequences for the organisation concerned. It would only be appropriate in rare circumstances. In the ordinary course of events, the Commissioner would not consider such a step unless:This conjunction of requirements ('and') means that, no matter how repeatedly or seriously a company has breached the Act, if it demonstrates an intention to mend its ways it will not be named at the Privacy Commissioner's initiative. It would be more appropriate if a more flexible approach was taken, based around these factors. 'Name and shame' has been unnecessarily blunted as a weapon in this Commissioner's armoury.* an organisation either repeatedly or very seriously breaches the Privacy Act;
* the organisation demonstrates by its actions that it does not intend to comply with its legal obligations; and
* all other measures have failed to change the organisation's behaviour."
As it stands, the only likely way that the identities of privacy-invading companies will be known is where complainants have the courage to go public and the media to report them, or the complainant pushes for a formal determination under s52. The three s52 determinations made to date have identified the respondent public sector agencies, but Information Sheet 13 is silent on whether that practice will be followed in future in relation to private sector respondents.
The Commissioner has named public sector respondents in his three s52 determinations to date, including one in 2003. In his 2001-2 Annual Report he does not name public sector respondents in the few (conciliated) cases reported, in contrast to the NZ Commissioner and in contrast to his approach to determinations.
This provision produces an anomalous result: code complaint bodies have explicit and strong reporting requirements, whereas the Commissioner does not[63].
The Privacy (Private Sector) Regulations 2001 set out in Schedule 1 'Prescribed standards for procedures relating to complaints', which gives the Commissioner his instructions from the government as to what industry codes he can and cannot approve. Part 5 'Accountability' states under the sub-heading 'Principle' that 'Reports of determinations and information about complaints must be published...', but in fact only mentions determinations. It requires in cl 5.2 that '(1) Written reports of determinations by an independent adjudicator must ... (b) be made available to any other interested person or body', However, Part 5 says nothing about publication of details of other complaints which are resolved by mediation not by a determination. It seems therefore, that the Regulations are narrower than what the Act requires.
However, the reporting of identified complaints is completely eliminated in relation to codes because the Regulations in cl 5.2 (4) state 'A report must not: (a) name any complainant or respondent organisation'. The 'determinations' made by Code adjudicators are supposed to be the same as those made under s52 (s18BB(3)(d)), so there appears to be an inconsistency between the Commissioner's practice (Information Sheet 13) and the Regulations in relation to publishing the identity of private sector respondents.
None of this has yet been tested, because the only approved code which includes its own complaint body (for the insurance industry) has not yet finally determined any complaints.
The two year lag in Annual Reports means that no reporting in print of complaint resolutions under the new Privacy And Personal Information Protection Act 1998[66] has yet occurred. At present, no details of complaint resolutions by the Commissioner are available on the Commissioner's website[67] either, with one exception mentioned below. Not even (old) Annual Reports are included. However, the website does provide two other important forms of information about complaint enforcement under the Act.
The website includes a link to all appeals[68] to the NSW Administrative Decisions Tribunal under the Act (as discussed above), and will presumably also include links to Court decisions once any arise. The Commissioner's office also publishes its own detailed summaries of most ADT privacy decisions[69] on the website. It has agreed to publish these summaries on AustLII as the first part of a more general database of complaint resolutions summaries (once it starts to publish these)[70].
However, the ADT decisions listed on the site do not quite give a comprehensive picture of judicial consideration of the Act, as a search over AustLII reveals five additional decisions mentioning the Act, at least one of which is of some significance. This is merely raised to illustrate the point that Court or Tribunals other than those which may have an explicit role in appeals or judicial review under an Act may contribute to its interpretation, and it is valuable for Commissioner's sites to list all judicial sources of interpretation.
The Act makes specific provision for written reports on complaints under s50 and s65. The Commissioner's website includes links to special reports to Parliament by the Commissioner under s65. Since 1998, the Commissioner has made two such reports[71], identifying the respondents and criticising their conduct. The permissible content of s65 reports was contested during the Aquilina investigation[72] and this has not yet been resolved by the Courts.
The Commissioner does not publish all s50 investigation reports because s50 restricts publication to the parties concerned. Legal advice received by the Commissioner is that s65 (special reports to parliament) are the only means of publishing more widely the details of complaints unless one of the following apply: (i) the matter has been the subject of a Special Report to Parliament, or (ii) Privacy NSW has obtained the consent of the complainant, and the consent of the respondent if the respondent's personal information is also at issue, or (iii) the complaint has been de-identified.[73].
The Privacy Commissioner has therefore stated[74] that he will only speak or write about a complaint publicly in the following circumstances:
The Queensland Information Commissioner[78] publishes the full text of all his decisions[79], and maintains details of all judicial reviews of his decisions[80]. However, these are only binding determinations on access and correction complaints, the Act does not deal with other IPP complaints. Similarly, the Western Australian Information Commissioner[81] publishes the full text of all decisions since 1994[82], and indexes them by sections of the Act, by catchwords etc. Once again these are limited to access and correction complaints, as the legislation deals only with FOI.
The fully reasoned decision of both Information Commissioners are good examples of reasoned determinations by Commissioners (not complaint resolutions by conciliation, however), and the majority of their decisions deal with access to and correction of personal records. These are important aspects of IPPs, and it is hard to see why questions of collection, disclosure, security and use are so much harder to document than access and correction decisions.
Since 2001, under a new Commissioner and covering an additional Act affecting the private sector (the Personal Information Protection and Electronic Documents Act (PIPEDA)), substantial improvements have been made to both the print and website information about complaint resolution. Many good aspects of the Canadian Federal approach pre-date the 2000-01 Report, but the comments below are based on what is contained in that Report and the current website.
From June 2001 the website has now added the Privacy Commissioner's findings on complaints[87] made under both federal privacy laws, published in advance of their inclusion in any Annual Report. Postings appear to be made every few weeks, on average, so it is quite up-to-date. This method of complaint reporting will make the complaint summaries in the Annual Report increasingly less relevant, except that the most important complaints will presumably be spot-lit in that way, and the Annual Reports reach a different audience than the website.
The Commissioner has formalised definitions explaining the meaning of complaint outcomes under PIPEDA[88] (Not well-founded / Well-founded / Resolved / Discontinued), and under the Privacy Act[89] (Not well-founded / Well-founded / Well-founded + Resolved / Resolved / Settled / Discontinued). This is very useful and provides a degree of consistency in reporting outcomes that is often lacking in other jurisdictions, in relation to both complaint reporting and complaint statistics.
The website complaint reporting has the following features:
Beardwood[90] has suggested other publication improvements: publication only of final findings (interim findings cause confusion if reversed); more details of facts in each finding; and ending the practice of combining 'almost identical' complaints into one finding. He also criticises inconsistency in the application of the law.
The Commissioner has agreed the republication of his decisions on WorldLII, as part of a central facility for location of Asia-Pacific privacy cases[91].
One problem is that the cases are referred to only by name (eg 'Privacy Commissioner v. Canada Labour Relations Board') with no indication of where they are reported in print or on the web. It should be possible to provide citations and/or URLs for all cases. and this would increase the utility of these summaries a great deal.
The Commissioner's website does not make it clear from its table of contents that it contains information about such Court decisions, though they are in fact available as part of the Annual Report. This defect would be easy to remedy (at least annually) simply by providing hypertext links to the relevant parts of the HTML version of the Annual Reports. It would be even better if an ongoing index of Court decisions could be maintained online, in advance of each Annual Report.
The reporting practices of Ontario's Commissioner are therefore primarily relevant as examples of reporting mediated complaints (or more, accurately, where mediation fails - see below), not determined complaints (except in relation to access and correction). The Commissioner's website provides online Orders, Privacy Complaint Reports and Judicial Reviews[95]. It can be seen from the Privacy Complaint Reports listed under ss37-53 of the Provincial Section Index[96] that the Commissioner has published reports since 1988 on over 200 IPP complaints excluding the hundreds of 'refusal of access' complaints under s49. This is therefore one of the largest sources of reports of mediated complaints in the region.
An Investigation Report by the Commissioner's office, although it can only result in a recommendation by the Commissioner to the agency concerned to comply with one of the IPPs, nevertheless gives full details of the relevant facts, and all legal reasoning involved, with references to the relevant sections of the Act and any other legislation. It is a fully-reasoned decision, little different from what it would be if the Commissioner had statutory power to enforce the recommendation.
In a number of high profile investigations, special reports have been published[97]. Extensive statistics on privacy complaints, and details of judicial reviews, are also included in the Annual Report[98]. The provincial government office responsible for FOI and privacy also provides access to the Commissioner's published privacy reports[99].
The 'What's New' page[100] of the website lists 'Orders and Privacy Complaint Reports issued this week' (and the previous week), so the site is clearly updated frequently. A minor drawback is that is not possible to see a list of matters decided in chronological order beyond these two weeks.
The Commissioner does not publish on the web details of all IPP complaints investigated, but only those which result in a recommendation being made to an agency (a 'Privacy Complaint Report')[101]. Complaints that are dismissed or are settled during investigation are not reported in this way. There is a danger in this practice, that significant interpretations of the Act may not come to public notice if they are hidden in settled or dismissed complaints.
The Ontario Commissioner therefore has a high quality system for reporting complaints where mediation has not resulted in settlement, but not for reporting the outcomes of other significant complaints.
There are also tables indicating progress and outcomes of judicial review of the Commissioner's Orders in FOI matters (including access to and correction of personal information)[104], which give citations to the resulting court decisions where available. The outcome of the review is stated (eg 'Institution's appeal allowed by Court of Appeal August 8, 2001; IPC application for leave to appeal to the Supreme Court of Canada dismissed June 13, 2002 '), but no summaries of the Court proceedings are available, since no court actions have yet transpired[105]. Links to web reports of cases are not provided yet but will be soon[106].
The Commissioner has authority to conduct investigations (following complaints or on own motion) into any alleged privacy breach by public bodies regarding collection, use or disclosure of personal information (ie 'IPP complaints'). The Commissioner states that Investigation Reports include 'outcomes of investigations that are of significant public interest, or which could provide guidance to public bodies in order to prevent similar violations'. There have only been 17 such reports since 1994[107]. Another form of IPP report is under s42, where the Commissioner has 'power to authorize a public body to indirectly collect personal information about an individual', but there has only been one such report[108].
The website of the Information and Privacy Commissioner provides detailed reporting of Orders and Other Decisions[109] (ie FOI matters including access to and correction of personal records). An index of decisions by sections of the Act is provided[110], and it lists about 40 decisions under Part 3 of the Act..
The BC Commissioner also has a very useful email subscription service for Commissioner's reports, where the full text of reports are mailed to subscribers.
The Commissioner's website provides the full text of all Orders since 1996 (with summaries included in each order), Investigation Reports (IRs) since the Commissioner started making them in 1998, and External Investigator Reports (there are only two as yet). All are searchable by keywords or Order/IR number.
Judicial reviews of the Commissioner's decisions are listed on the Commissioner's website, but without a direct hypertext link to the text of each decision. However, a link is given to the front of the separate 'Freedom of Information and Protection of Privacy' website of the Alberta Government[113], where the full text of the decisions by the Court of Queen's Bench can be found[114]. There seems little reason why direct links could not be provided to these decisions from the Commissioner's own site.
The Alberta government site also contains both summaries and the full texts of all of the Commissioner's Orders, IRs etc, and provides a more sophisticated search engine by which they may be searched than is provided by the Commissioner's own site. The Alberta government site is therefore an example of (free access) secondary publication of the Commissioner's decisions. Residents of Alberta seem to be well served by a choice of free access mechanisms to assist them to understand the operation of Alberta FOI and privacy laws.
CAI publishes a yearly digest entitled: "Décisions de la Commission d'accès à l'information" [118] which contains summaries and full text of about one hundred recent decisions by the CAI and by judicial tribunals. Prior to their appearance in the annual digest, they appear quarterly in the journal, l'Accès à l'information Express (A.I.E.). The annual digest also contains 'a table of the names of the parties, a table of cited legislation, a table of cited cases, a table of cited doctrine, a classification plan, a table of interpretation (interpreted terms and laws), a table of correlation with l'Accès à l'information Express and a table of follow-ups'[119]. Appeals against CAI decisions (and their result if known) are also noted. CAI recommends that decisions in its digest be cited in the form 'title [2001] C.A.I. 134' (where '134' is the page number in the Digest).
For paid access, the case summaries are also available weekly, and with all summaries searchable back to 1986, in the database AZIMUT Judicial documentation online, in the RÉSUMÉS SOQUIJ database[120]. The full text of all CAI decisions (published or not) since 1993 are also available in the "Banque de textes intégraux" (the full text service) of SOQUIJ. the SOQUIJ databases also contain the texts of the judicial decisions of appeals against CAI decisions. A CD-ROM Accès à l'information et protection des renseignements personnels contains, among other things, the CAI summaries to 1997 and full text decisions 1992-97.
For free access, the CAI publishes the full text of some of its decisions on its website[121], but not all decisions (access is only available from SOQUIJ), and not the decisions of appellate judicial bodies. Only decisions made in the past 12 months are included on the CAI's website - the rest back to 1986 are only available from SOQUIJ. A search engine is provided. The decisions that are published are detailed statements of the facts and legal reasoning involved. No formal method of citation is given for the decisions on the CAI website. The CanLII[122] free access service does not include either decisions of the CAI, or appeals against its decisions[123]. It appears therefore that electronic free access to privacy decisions in Québec is somewhat inferior to paid access.
Other Canadian jurisdictions have not been reviewed for this study.
For example, the Commissioner in the largest English-speaking country in Europe[127], the UK Information Commissioner (formerly Data Protection Registrar), is starting to provide via her web site[128] decisions by the Data Protection Tribunal (under 'Guidance and Other Publications' - only one available as yet), but not any details of complaint determinations (`assessments' as they are now called). The Commissioner's latest Annual Report[129] indicates that her office receives about 10,000 complaints annually, and about 5% of these (ie 500) result in `verified assessments suggesting compliance unlikely' (the closes the Commissioner gets to finding a breach of the Act)[130]. However, of these 500 annual `substantiated' breaches, neither the Annual Report nor the website provide one useful summary. The Annual Report is populated with `soundbite' size `Case Studies' of less than 100 words, but these are too short to give anyone who is serious about understanding privacy law any useful information, particularly as they contain no references to relevant provisions of the Act. Many of the `Case Studies' are headed `Convicted', and the report indicates that there were 66 prosecutions resulting in 33 convictions during the year. However, there is no list or summary to be found of these obviously serious breaches of the Act. In contrast, 12 pages of the report is given over to extracts from recent developments caselaw on the common law of privacy. This is very useful because such cases do affect the interpretation and administration of the Act, particularly in the context of European human rights law, and are the third category of caselaw I suggest that Commissioners should publicise. However, it indicates an unusual sense of priorities in relation to the near total absence of complaints and cases resolved under the Act and illustrating its day-by-day practical interpretation.
There does not seem to be any comprehensive reviews of the reporting practices of European Commissioners[131], so it is difficult to make any general comparisons between European and Asia-Pacific practices. The review in this article is intended to provide a start for comparative studies of complaint reporting practices in one part of the world, but a global comparison, and development of global standards of good practice, is needed.
It appears that there is nothing to prevent Privacy Commissioners at least publishing anonymised reports of complaints determined or mediated, but the position concerning identification differs between jurisdictions. As set out in the introduction to this paper, there are very strong public interest reasons for systematic publication of such reports.
It would seem to be sufficient if 'significant' complaints are reported (which would be a minority of all complaints investigated), but it is not a simple matter to define what is 'significant', and there are no clear standards in the existing practices.
In the Asia-Pacific jurisdictions under consideration, the publication of decisions by Courts or Tribunals usually presents fewer problems, for a number of reasons. There is a general principle of open justice which provides a default rule in favour of the Courts making the full texts of their decisions available for publication (even if the Court itself does not publish decisions). In some cases a minority of decisions are not made available on grounds of triviality. Third party publishers are therefore able to exercise independent judgment concerning which judgments are significant enough to deserve publication, whether in summary form or in full text plus summary (headnote). It is also now common for the full text of all judgments (without summaries) available from a Court or Tribunal to be published via Internet[133]. Questions concerning the need for anonymisation or suppression of some decisions remain, but these affect the minority of publications and are usually on specific and well-defined grounds. The default position is that decisions are publishable, with independent decisions as to significance.
The contrast with Privacy Commissioners is stark. The default position is non-publication of full text because of the necessity for privacy protection. There is therefore no opportunity for independent decision as to which complaints are significant enough to deserve summary reporting. If Privacy Commissioners choose which decisions to report, there is a risk that their decisions will be self-serving (as discussed in Part I), or that they will not allocate sufficient resources to the task (as is evidenced in the past practices in Australia, or current practices in HK).
There is therefore a need for two elements: (i) publicly stated criteria of seriousness, on the basis on which Commissioners report summaries of complaint resolutions; and (ii) some method of confirming or verifying that the criteria are being adhered to.
I suggest that the following criteria are relevant:
A variety of verification mechanisms are possible. A crude but useful measure is the percentage of reported complaints as against resolved complaints, excluding those dismissed because of 'no jurisdiction' (and possibly some other grounds which indicate large numbers of trivial or misconceived complaints). A reporting rate of 10% (say) would indicate similar performance by a Commissioner's office receiving a small number of complaints compared with a larger office.
However, while this may give some positive indication of reporting performance, it does not deal with the more difficult question of ensuring that there are not important (but for one reason or other embarrassing) cases which are not reported. Probably the most realistic verification mechanism in this regard is simply for a Commissioner to publish in each year's Annual Report the criteria on which his or her publication practices are based, and to confirm that all completed complaints that fell within those criteria in the past year have been published. If this was done, then unless there was some evidence it was being abused, further steps involving independent audit would seem to be overkill.
In default, the complainant should not be named because the nature of privacy complaints is such that to do so would exacerbate the harm of interference with privacy. However, some complainants will prefer to be named, as this helps to provide public vindication of the complainant. A reporting system should allow a complainant to elect to be named, except where this is inconsistent with a mediated settlement.
In relation to public sector respondents, I suggest that the default position is that they should be named, as is the practice in most jurisdictions considered. Where disclosure of the respondent would prejudice the position of a complainant (eg an employee of a small public agency who could be identified if the agency was named), the agency should not be named, provided the complainant requests this. It is undesirable for public bodies to attempt to hide their breaches of the law behind settlements which require that they not be named (or Commissioner's practices to this effect). Within their powers, Commissioners should insist that public body respondents be named, unless the agency provides a compelling public interest reason not be to named (which should be disclosed, as far as possible, in the report). All complaints where agencies raise non-naming demands should automatically be reported, as that is itself an issue of significance.
In relation to private sector respondents, the practice of Commissioners seems to be to recognise that there are often good reasons not to name them, but different standards are applied as to when they should be named. Reasons relevant to non-naming include:
Most Commissioners do not have a policy which clearly covers the whole field, and to the extent they do have policies they often fall short of those recommended above.
One touchstone (at least in the Australian context) is the administrative law requirement in most Australian jurisdictions that a person can request an official to give a statement of reasons for a decision, along the lines of a statement which sets out the findings on material questions of fact, referring to the evidence or other material on which those findings were based and give the reasons for the decision[135]. Although the mediation of a complaint may sometimes not technically involve the making of a 'decision'[136], this nevertheless gives the type of standard that Commissioners should aim to meet.
Existing reporting practices of Commissioners are very variable
in this respect, even where Commissioners make a conscientious effort to
publish complaint resolutions.
Good examples of the standard of reporting that can be achieved are
those of the Canadian Federal Commissioner (for PIPEDA complaints), the
Ontario Commissioner (for IPP complaints), the recent reports by the Australian
Federal Commissioner and (to a lesser extent) the NZ Commissioner.
In Australia and in Canada, the best examples of quality reporting are in reports of access and correction complaints by the Ontario and British Columbia Information and Privacy Commissioners and the Queensland and Western Australian Information Commissioners. As mentioned earlier, it is hard to see why questions of collection, disclosure, security and use are so much harder to document than access and correction decisions. Perhaps the discipline of having to write determinations on FOI matters makes such offices more effective than others in documenting privacy complaints. This deserves further investigation than is possible in this study.
To some extent, the need for such intellectual indexing is reduced if a good search engine is available to search the text of decisions, but it is always the case in information retrieval that accessibility is maximised by providing a combination of both methods of retrieval.
Whether either or both methods are used, or even more primitive preliminaries such as locating all reports in the one location ordered by date to start with, the point is that Commissioners must consider the accessibility of the whole set of complaint data they produce, and the likely research uses of the collection. Commissioners should accept that they have an obligation to maximise its research effectiveness, within their resource constraints.
The benefits of public reporting of complaint resolutions are to a significant extent diminished in proportion to the delay in public availability. Potential complainants and their advisers, and potential critics, need to be aware of practices as soon as possible so as to act in response to them. Those preparing secondary reports of complaints for publication (newsletters, journals, newspapers etc) are usually not able to deal with large batches of them, but would prefer to receive them regularly, and as soon as possible after they are dealt with (while they are still 'news').
A Commissioner should have a publicly stated standard that complaint reports will be prepared within a fixed time of a complaint being finalised. A month would seem a desirable standard, but this is a matter which is of course subject to the resources available in a Commissioner's office. An alternative view, put forward by the NZ Commissioner's Office[137] is that about three months between completion and reporting is a safeguard against the likelihood of inadvertent identification, and against complaints that revive after being thought to be completed.
Good practices in regularity of reporting are found in the practices of the Commissioners of Ontario, federal Canada and federal Australia ( but only recently).
Publication of this information puts the publication of the Commissioner's own decisions in context, and prevents them being misleading, because of lack of reference to decisions overturning or affirming positions the Commissioner has taken. Providing references to all decisions in a jurisdiction affecting the privacy legislation is also an important part of a Commissioner's educational responsibilities, and an efficient use of scarce resources. Many people interested in privacy law in a jurisdiction will only know to look at the website of the Privacy Commissioner, and so to have a 'one stop shop' for information about decisions is very valuable to them. Commissioner's offices must be aware of all decisions concerning 'their' legislation, so it is little extra burden for them inform others.
Examples from various jurisdictions of where such reporting is important, particularly given the poor availability of case law on the Internet in some jurisdictions, has been given earlier.
Good practices in this regard have already been instituted by the Commissioners in New South Wales, Canada (federal), Ontario, and (but only in print) New Zealand. Hong Kong practice could easily be made worthwhile by increasing accessibility to work already done. However, none are as thorough or as informative as they could be with only a little more effort.
Provision of all of the following elements should be considered in relation to cases of appeal, judicial review or interpretation of privacy legislation:
Print publication is however a valuable complement, in that it helps to avoid exclusion of those without Internet access or familiarity, it can be used to reach different audiences, and it can be used as a means of archiving.
Self-publication can take various forms:
If a relatively consistent form of publication could be developed, this would facilitate Commissioners, scholars and others developing an Asia-Pacific privacy jurisprudence, based on the similarity and inter-relatedness of much of our regional privacy legislation.
The search facility, called 'All Privacy & FOI Databases', is located in the World Legal Information Institute's (WorldLII's) Full Search Form[141], as illustrate below. At this stage, the databases included in the facility are as follows (some still being added, marked 'agreed'):
WorldLII - Choice of 'All Privacy & FOI Databases' with insurance search
The search results below in this example are for a search for references to insurance (insurance, insured, insurable etc) near (within 50 words) of references to disclosure (disclose, disclosure, disclosed etc). The results show that, of the seven highest relevance-ranked documents of the 65 documents found, some came from all six of the different sources that have already been added. It would be very difficult to do a search like this using any other combination of facilities.
Extract from search results - derived from six different sources
More databases will be added from other Asia-Pacific jurisdictions, and more privacy-related journals, as this facility develops[142].
Some Privacy Commissioners such as those in Ontario and New Zealand have adopted numbering systems for complaint reports, but these are not full citation systems in that they do not have a consistent way of referring to the Commissioner as the decision-making body. For example, NZ casenotes have names like ' CASE NOTE: 19740'; Ontario reports have names like 'Privacy Complaint PC-010015-1 Ministry Of Finance' and 'Investigation I94-084P The Ministry Of Housing'; and Hong Kong reports have names like 'Case No.: ar9798-13 Access request to employment-related personal data '. These are essentially internal identifiers which, taken out of context, give the reader little idea of which Privacy Commissioner made the decision (or issued the report), or when, or (in some cases) in relation to which types of parties.
A consistent system of 'Court designated citation' has now been adopted by most Australian Courts and Tribunals, and implemented most extensively by the databases on AustLII. CanLII and HKLII are also working toward the adoption of consistent 'court-designated' citation systems in their jurisdictions. For example, citations for decisions of the Federal Court of Australia, Federal Court of Canada, Court of Appeal, NSW ADT, and VCAT (all relevant to decisions of Privacy Commissioners) are:
Since the publication of the first version of this study in 2002, the New Zealand, Australian federal Canadian federal, NSW and Victorian Privacy Commissioners have agreed to adopt the citation method recommended by this study, of adopting the naming convention used for other Courts and Tribunals, and using 'PrivCmr' as the designator for 'Privacy Commissioner'[143].
The problem of providing meaningful citations for Privacy Commissioners' decisions is exacerbated by the need to anonymise the complainant (in most cases) and the respondent (in many cases).
The NZ Privacy Commissioner's Office has now adopted a succinct but descriptive approach to case titles, instead of initials for complainants. The NZ PCO internal case reference number is retained as part of the title. Government respondents are often named (at least by abbreviation such as 'ACC'). Examples of cases from 2002 are as follows:
The Australian Privacy Commissioner, after discussions with AustLII, has also now adopted the same citation method as NZ, but has adhered closer the case title method suggested above. The first four examples published are:
The NSW Privacy Commissioner will be including summaries of ADT cases among its own reported conciliation resolutions. For its ADT summaries, it proposes to use a citation method which adheres to the suggestions of this study[144] but also incorporates the ADT citation. An example will be:
Further, all reporting on Code compliance body websites should be at least linked, and preferably searchable, from the Privacy Commissioner's site, to ensure that users may obtain comprehensive information about how IPPs or other provisions are being interpreted.
Consistent practices by the most established Privacy Commissioners in the region would provide a compelling model for complaint reporting in the many jurisdictions in the Asia-Pacific which have newly introduced or are considering privacy laws and Privacy Commissioners.
Extensive and consistent complaint reporting would be a big step toward encouraging the development of a regional jurisprudence of privacy, and is a precondition for its development. Over the past decade there has been discussion of the emergence of an 'Asia-Pacific model' of privacy legislation,[147] and calls for an Asia-Pacific privacy Convention[148].
In 2003 moves toward regional minimum standard privacy laws have accelerated
suddenly, both through the development of the Asia-Pacific Telecommunity
(APT) Guidelines on the Protection of Personal Information and Privacy[149]
and the APEC privacy Initiative[150].
Whatever eventual form a regional standard takes, it is likely to involve
some controls on data exports which will involve assessments of the effectiveness
of privacy laws in other jurisdictions. Demonstrated effectiveness of a
Commissioner's complaint handling procedures through publication of the
outcomes in significant cases will be a significant (and possibly a necessary)
way by which jurisdictions will in future show that they provide effective
protection for the personal data of citizens of other countries.
This first version of this study was prepared for a Workshop at the International Conference of Privacy and Data Protection Commissioners, Cardiff UK, September 2002. It was published in Privacy Law and Policy Reporter, Vol 9, 2002. This version has been updated to take into account developments to mid-2003. This study i s part of the larger project 'Making Privacy laws Work' being carried out at the Baker & McKenzie Cyberspace Law and Policy Centre - see <http://www.BakerCyberlawCentre.org/Research_Project_Privacy.htm>. This research is supported by the UNSW University Research Support Program in 2001 and 2002.
For valuable suggestions on drafts of this paper, thanks to Anna
Johnston, Greg Keeling, Lee Bygrave, Jill Matthews, Blair Stewart, Roger
Clarke, Dan Svantesson, John Corker, Carolyn Bond, Tim Dixon, George Radwanski,
Karim Benyekhlef, Nicolas Vermeys, Philip Chung, Brant Pridmore and Paul
Chadwick. The responsibility for final content remains with me. Declaration
of interest: I have various interests in the publication of decisions on
privacy. I am a Co-Editor of Privacy Law & Policy Reporter (Butterworths),
and Co-Director of AustLII, and WorldLII, free-access Internet law services
which are University-based.
[2] L Bygrave Where have all the judges gone? Reflections on judicial involvement in developing data protection law Part 1 (2000) 7 PLPR 11 and Part II (2000) 7 PLPR 33
[3] G Greenleaf 'Tabula Rasa': Ten Reasons Why Australian Privacy Law Does Not Exist - [2001] UNSWLJ 4 - <http://www.austlii.edu.au/au/journals/UNSWLJ/2001/4.html>
[4] cf Bygrave n2
[5] See for example John Beardwood 'Tea leaves and goat entrails: A review of the Privacy Commissioner's significant findings under new Canadian privacy legislation' Computer und Recht International (CRI), December 2002; Katrine Evans 'The NZ Privacy Commissioner's case notes - an analysis' (2003) 9(10) Privacy Law and Policy Reporter 191; see also regular reports of Australian Federal Privacy Commissioner's cases notes in Privacy Law and Policy Reporter since (2003) vol 9 (9) when the Commissioner commenced publicattion.
[6] Beardwood, op cit, concludes with a number of criticisms, discussed later.
[7] G Greenleaf 'Enforcement of the Privacy Act: Problems and potential' Privacy Law 2001 Conference, IIR Conferences, Sydney (May 2001) - at <http://www2.austlii.edu.au/~graham/publications/2001/enforcement.html>.
[8] Bygrave n 2 above gives details of the inadequacies of Norwegian reporting practices, and notes general inadequacies elsewhere. He calls for more extensive reporting as a solution, but does not provide details of what this requires.
[9] See for example the criticisms of inconsistency in Beardwood op cit.
[10] This includes, as a slight gloss, situations such as that under the Australian Federal law where a Commissioner or complainant has to seek the aid of a Court in order to enforce his decision, but the Commissioner's findings are treated as a rebuttable presumption.
[11] There may be questions of the adequacy of the rights of appeal and judicial review (and are, in the case of the Australian and NSW Commissioners), but that is a separate issue.
[12] For example, Federal Court, Federal Magistrates Court, Victorian Civil and Administrative Tribunal (VCAT) and NSW Administrative Decisions Tribunal (ADT)
[13] They are all available on the website of the Australasian Legal Information Institute (AustLII) <http://www.austlii.org/>, and in most cases the Court concerned also publishes them on its own website, or one run by the relevant State government.
[14] There are issues of privacy (as distinct from access) that can arise from the publication of any court or tribunal decisions. See the discussion below under 'Naming of respondents and complainants'.
[15] This is not a big omission as yet. The few Federal Court decisions referring to the Act are not all that important.
[16] The decisions of the Court of Appeal are on AustLII, but little else is available. The decisions o f the Human Rights Review Tribunal, which makes binding decisions on privacy complaints to the Commissioner, are not available.
[17] <>
[18] <http://www.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s98.html>
[19] In NSW, the appealable privacy decisions are those made by agencies. The Privacy Commissioner only mediates, and there are no examples yet of judicial review of his actions.
[20]<http://www.lawlink.nsw.gov.au/pc.nsf/2cd7fe7a3db5eff44a2565f500263a91/3c11e9b948941a08ca256be4000ced42?OpenDocument>
[21] <http://www.hklii.org/hk/legis/ord/pdo275/s50.html>
[22] <>
[23] <>
[24] It does not work with older versions of Netscape, for example.
[25] For example, searches for 'Data Protection Principle 1' or 'DPP1' or 'DPP 1' do not produce any complaints or enquires, though they are found by the special search engine..
[26] Personal communication.
[27] <>
[28] See M Berthold and R Wacks Data Privacy Law in Hong Kong, Sweet and Maxwell Asia, 1997, p205 for more discussion.
[29] For example, in recent years: 1999-00 (8); 2000-01 (10); 2001-02 (4)
[30] For example, the AAB appeal summaries in the 2001-2 Annual Report are at <http://www.pco.org.hk/english/publications/overview2002_19.html>
[31] Personal communication.
[32] <http://www.privacy.org.nz/people/casenote.html>
[33] Evans op cit
[34] Published by the Commissioner, March 2002
[35] See the database New Zealand Privacy Commissioner Cases at <http://www.austlii.edu.au/nz/cases/NZPrivCmr/>
[36] 1995, revised 2002; Available on request from the NZ Commissioner.
[37] Guide, n20
[38] Annual Report 2001-2 Table 6
[39] Previously the Complaints Review Tribunal
[40] NZ Privacy Commissioner Complaints Review Tribunal Privacy Cases 1998-2002 (Vol III), NZ$45
[41] Those with even deeper pockets can find some of the decisions in Paul Roth's Privacy Law and Practice loose-leaf service (LexisNexis Butterworths NZ).
[42] No reply has yet been received to various communications over some months (personal communications).
[43] A de novo hearing before a Court is necessary in order to enforce a determination (s55A), but the determination is prima facie evidence of the facts on which it is based (s55B).
[44] See s52(2) which
[45] Federal Privacy Handbook, CCH Australia Ltd; This was overlooked the previous version of this article.
[46] Determination: Secretary, Department of Defence 1 PLPR 152 <http://www.austlii.edu.au/au/journals/PLPR/1994/116.html>; Determination: Minister for Administrative Services 1 PLPR 170 <http://www.austlii.edu.au/au/journals/PLPR/1994/127.html>
[47] Mentioned by Bygrave, n1
[48] <http://www.privacy.gov.au/publications/01annrep.pdf>
[49] <http://www.privacy.gov.au/>
[50] A minor exception is that PDF versions of the (pre-1999) Annual Reports are located obscurely - hidden in fact - on the site. They are 'hidden' in the sense that they are not listed in the table of contents or even the site map <http://www.privacy.gov.au/site-map/index.html> but can be found if you search for them (17/7/02). The contents are not searchable, only the title 'Annual Report'. This is not effective as publication
[51] <http://www.privacy.gov.au/act/casenotes/index.html>
[52] As these are settled complaints, no final decision on this point is made by the Commissioner.
[53] Available at <http://www.austlii.edu.au/au/cases/cth/PrivCmrA/>
[54] Letter by Federal Privacy Commissioner to the Australian Chamber of Commerce and Industry (ACCI), August 2001.
[55] Consumer advocates are adamant that some of their clients have very reluctantly accepted proposed settlements on the basis that the Commissioner was proposing to deal with their complaint under this section, and they feared that if they insisted on a s52 determination they would receive even less: Personal communications.
[56] Personal communication.
[57] See Greenleaf 2001, n5 above, concerning the how the lack of appeal rights is biased against complainants.
[58] Personal communication. The Office is also attempting to collect data on the satisfaction levels of the parties.
[59] Matter D17 of 2000, Federal Court, Darwin. No judgment was delivered, and the transcript is only available to the parties.
[60] Gao v Federal Privacy Commissioner [2002] FCAFC 128; Mario Riediger v Privacy Commissioner [1998] FCA 1742
[61] Federal Privacy Commissioner, n 35 above
[62] <>
[63] The previous version of this study had overlooked the effect of sub-section (ka).
[64] The most recent Annual Report, for 1999-2000, contains four brief case studies.
[65] Personal communication, Office of the NSW Privacy Commissioner
[66] <http://www.austlii.edu.au/au/legis/nsw/consol_act/papipa1998464/>
[67] <http://www.lawlink.nsw.gov.au/pc.nsf/pages/index>
[68] <http://www.lawlink.nsw.gov.au/pc.nsf/pages/cases>
[69] <http://www.agd.nsw.gov.au/pc.nsf/pages/casenotes>
[70] Personal correspondence.
[71] Investigation Report into a complaint by Carol Atkins against Mr Hugh Percy and Queanbeyan City Council Special Report No 1, September 2001 at <http://www.agd.nsw.gov.au/pc.nsf/pages/queanbeyan2>; Special Report to NSW Parliament under section 65 of the Privacy & Personal Information Protection Act 1998, Complaint by Student A and his father against Hon John Aquilina MP, Mr Walt Secord, Mr Patrick Low Special Report No 2, 7 May 2002 at <http://www.agd.nsw.gov.au/pc.nsf/pages/reported>
[72] Student A v Aquilina, Secord, and Low, Special Report No 2, 7 May 2002 at <http://www.agd.nsw.gov.au/pc.nsf/pages/reported>
[73] Personal communication, Office of the NSW Privacy Commissioner
[74] NSW Privacy Commissioner Protocol For The Handling Of Complaints, 22 July 2002, Part 2.9 Speaking publicly about complaints <http://www.lawlink.nsw.gov.au/pc.nsf/pages/complaints>
[75] <http://www.privacy.vic.gov.au/>
[76] Personal communication
[77] Personal communication
[78] See <http://www.slq.qld.gov.au/infocomm/>; also decisions 1993- on AustLII at <http://www.austlii.edu.au/au/cases/qld/QICmr/>
[79] <http://www.slq.qld.gov.au/infocomm/listdec.html>
[80] <http://www.slq.qld.gov.au/infocomm/reviews.html>
[81] <http://www.foi.wa.gov.au/ >
[82] <http://www.foi.wa.gov.au/Decisions.htm> and on AustLII at <http://www.austlii.edu.au/au/cases/wa/WAICmr/>
[83] 12 in 1998-99 - see <http://www.privcom.gc.ca/information/ar/02_04_06_e.asp#005>
[84] For 1998-99, see <http://www.privcom.gc.ca/information/ar/02_04_06_e.asp#007>
[85] For 1999-2000, see <http://www.privcom.gc.ca/information/ar/02_04_06_e.asp#007>
[86] I assume the Annual Reports were then on the website. They were erratically presented in that the 1999-2000 report had no internal navigation whereas earlier ones at least had some.
[87] <http://www.privcom.gc.ca/cf-dc/index_e.asp>
[88] <http://www.privcom.gc.ca/cf-dc/def_e.asp>
[89] <http://www.privcom.gc.ca/cf-dc/def2_e.asp>
[90] Beardswood op cit
[91] See <http://www.worldlii.org> under Canada, once this facility is completed; personal correspondence with then Commissioner Radwanski.
[92] For 2000-01 see <http://www.privcom.gc.ca/information/ar/02_04_09_01_e.asp#031>
[93] <http://www.ipc.on.ca/english/acts/acts.htm>
[94] <http://www.ipc.on.ca/english/acts/prov-act.htm#partiii>
[95] <http://www.ipc.on.ca/english/orders/orders.htm>
[96] See <http://www.ipc.on.ca/english/orders/p-index.htm> - go to <http://www.ipc.on.ca/english/orders/p-23-49.htm#s37> and scroll from s37 to s53
[97] See <http://www.ipc.on.ca/english/pubpres/reports/reports.htm> for examples.
[98] For example, see <http://www.ipc.on.ca/english/pubpres/ann_reps/ar-01/ar-01e.htm#privacy>
[99] See search provided by Management Board Secretariat at <http://www.gov.on.ca/MBS/english/fip/privacy.html>
[100] <http://www.ipc.on.ca/english/whatsnew/whatsnew.htm>
[101] <http://www.ipc.on.ca/english/our_role/how/cmpcht-e.htm>
[102] <http://www.ipc.on.ca/english/our_role/how/complain.htm>
[103] <http://www.ipc.on.ca/english/orders/jud-rev/jr-cr.htm>
[104] <http://www.ipc.on.ca/english/orders/orders.htm>
[105] Personal communication from the Commissioner's office.
[106] ibid; The texts of FOI judicial reviews have scanned and will be published on the Commissioner's site, so presumably the same would be done for privacy reviews by Courts.
[107] <http://www.oipcbc.org/orders/investigation_reports/reports.php>
[108] <http://www.oipcbc.org/orders/section42/>
[109] <http://www.oipcbc.org/orders/>
[110] <http://www.oipcbc.org/legislation/concordance.php> - referred to as a 'Concordance'
[111] See <http://www.oipc.ab.ca/orders/> for the Commissioner's website
[112] See <http://www.oipc.ab.ca/orders/>
[113] <http://www3.gov.ab.ca/foip/commissioners_orders/index.cfm>
[114] See <http://www3.gov.ab.ca/foip/commissioners_orders/judicial_reviews/index.cfm>
[115] Professor Karim Benyekhlef of the University of Montreal and his research assistant Nicolas Vermeys have assisted very significantly in obtaining the information on which this section is based, but responsibility for comments remains with the author.
[116] See <http://www.cai.gouv.qc.ca/eng/droits_en/dro_rec_en.htm> for a brief explanation.
[117] ibid
[118] Nicolas Vermeys has translated the preface to the 2001 edition in order to assist in the preparation o f this section.
[119] From the Preface, translation Nicolas Vermeys
[120] <www.azimut.soquij.qc.ca>
[121] <http://www.cai.gouv.qc.ca/eng/cai_en/cai_en.htm>
[122] Canadian Legal Information Institute - <http://www.canlii.org>
[123] See <http://www.canlii.org/qc/index_fr.html> and search for 'Commission d'Accès à l'information' (boolean)
[124] <http://www.ombudsman.mb.ca/access.htm>
[125] ibid
[126] <http://www.ombudsman.mb.ca/reports.htm>
[127] Not the only one of course, but this article does not cover Ireland or Jersey, The Isle of Man etc
[128] <http://www.dataprotection.gov.uk/>
[129] Information Commissioner Annual Report and Accounts for the year ending 31 March 2002 (June 2002)
[130] ibid, pgs 75-76
[131] Bygrave's review (see FN 2) does not indicate that European practices are any more systematic than those in the Asia-Pacific.
[132] However, this is what is required of code complaint bodies under the Australian Privacy Act 1998 (see earlier).
[133] See WorldLII <http://www.worldlii.org> for examples from many Asia-Pacific Courts and Tribunals.
[134] cf Beardwood op cit
[135] This suggestion was made by John Corker
[136] This is apparently so under the NSW Act. Under the Australian federal Privacy Act 1988, any findings under s41 disposing of a complaint would be a 'decision' susceptible to judicial review.
[137] Private communication
[138] The decisions would then be part of a 'commons' in the terminology popularised by Lawrence Lessig in relation to the Internet. For arguments since 19995 that essential legal information should be part of the commons ('public space in cyberspace') of Internet content, see our various articles about AustLII.
[139] In the Asia-Pacific there are as yet few secondary publishers of privacy case law and complaints. They include Privacy Law & Policy Reporter (PLPR) and Paul Roth's New Zealand Privacy Law and Practice loose-leaf service.
[140] AustLII <http://www.austlii.org>, CanLII <http://www.canlii.org> and HKLII <http://www.hklii.org> - see also WorldLII <http://www.worldlii.org> which they cooperatively provide.
[141] <http://www.worldlii.org/form/search/search1.html>
[142] The author is the general editor and supervisor of the facility, which is implemented by Philip Chung and the staff members of AustLII and WorldLII.
[143] In previous versions of this paper, 'PCmr' was used, but this is ambiguous as to whether it might mean 'Prices Commissioner' in some jurisdictions, so AustLII has now adopted 'PrivCmr' for the decisions of the New Zealand and Australian Privacy Commissioners, after consultation with their officers.
[144] The practice has been adopted in Australia that citations of Federal bodies end with 'A' for 'Australia' (eg 'FCA', 'HCA') whereas those for State and Territory bodies start with the abbreviation for the State. 'Cmr' is used for 'Commissioner', whereas 'Comm' is used for 'Commission'. This may be slightly inconsistent, but it is now the settled practice in Australia. It is not necessary that it be followed elsewhere.
[145] As discussed earlier, the reporting requirements on code complaint bodies are higher than those imposed on the Australian federal Commissioner by legislation.
[146] In temporal order, the New Zealand, Australian federal, Canadian federal, New South Wales and Victorian Commissioners.
[147] Nigel Waters 'Re-thinking Information Privacy - A Third Way in Data Protection?' Proc. International Data Protection and Privacy Commissioners Conference, Hong Kong, 1999; <http://www.pco.org.hk/english/infocentre/files/waters-paper.doc>
[148] See G Greenleaf 'Global Protection of Privacy in Cyberspace - Implications for the Asia-Pacific' 1998 Internet Law Symposium Science & Technology Law Center, Taiwan, June 1998, available at <http://www2.austlii.edu.au/itlaw/articles/TaiwanSTLC.html>; this paper was also the basis of a presentation to the Asia-Pacific Privacy Commissioners at the International Privacy and Data Protection Commissioners Conference, Hong Kong, 1999
[149] See G Greenleaf "APEC privacy principles Version 2: not quite so Lite, and NZ wants OECD full strength' (2003) 10 PLPR 45 at 47; for further details see <http://www.BakerCyberlawCentre.org/appcc/>
[150] See G Greenleaf 'Australia's APEC privacy initiative: The pros and cons of 'OECD Lite'' [2003] 10 Privacy Law & Policy Reporter 1, available at <http://www.BakerCyberlawCentre.org/appcc/apec_ini.htm>, and Greenleaf ibid; for further details see <http://www.BakerCyberlawCentre.org/appcc/>