privacy legislation which covers the six `core' principles and contains serious
enforcement mechanisms something like those in Australia's Privacy Act
1988 seems to be the only certain way to obtain ready inclusion in the
proposed `white list' of countries providing `adequate protection' for A25. The
scheme proposed in the Attorney-General's 1996 Discussion Paper may well have
covered all required elements. Ratification of Convention 108, even in advance
of legislation, may be another route (and one that is in principle open to

Alternative approaches are all likely to result in considerable difficulties
for companies and agencies wishing to obtain personal data from Europe:

At least insofar as companies wishing to obtain personal information from Europe
are concerned, the Australian government's argument that national privacy
protection should be abandoned because of compliance costs appears specious:
- Voluntary codes of conduct, and technical standards, are unlikely to be
regarded in themselves as `adequate protection', although they could well
contribute to such a finding when they are supported by legislation.
`Adequacy' requires not only the inclusion of `best practice' privacy
principles but also independent supervision, serious sanctions and a high level
of proven compliance. The existence of adequate protection can only be
established after investigation of a number of test cases.
- The mandatory exceptions to `adequate protection' in A26(1) are likely to
prove far less useful than they appear at first. They depend entirely on
implementation in fifteen national statutes, where they are likely to be
interpreted narrowly, with conditions, and in different terms.
- The use of contractual solutions to provide `adequate safeguards' is not
even available unless each of the fifteen national legislatures so decides (as
Greece has not). Where it is available, contracts between the individual
concerned and the exporter or the importer may be able to meet all the
conditions for `adequacy'. It is unlikely that contracts between exporter and
importer can do so, although it is possible that this may contribute to a
broader scheme of industry self-regulation. However, such adequacy will have to
be established on a case-by-case basis in each jurisdiction.
- Anything other than national legislation will result in great complexity,
and consequent costs, at the European end.
- A national scheme of voluntary self-regulation such as proposed by the
Privacy Commissioner, while unlikely to avoid compliance costs at the European
end, passes the full burden of paying for the compliance structure to those
industry bodies participating in the scheme. These `compliance costs' are
normally largely borne by the State (ultimately the taxpayer) as they are
functions carried out by the Privacy Commissioner.