
2. Options for privacy protection in cyberspace


This part of the paper provides an overview of the principal options available for protection of privacy, and notes some of their strengths and limitations in relation to cyberspace.

2.1. International agreements to protect privacy

Other than the European Union privacy Directive, there are three principal international agreements which are of general relevance to information privacy: the OECD privacy Guidelines, the Council of Europe privacy Convention, and Article 17 of the International Covenant on Civil and Political Rights (ICCPR) (and its European equivalent). Each of these international instruments, summarised below, is of continuing relevance to the protection of privacy.

The OECD privacy Guidelines

The Organisation for Economic Cooperation and Development's Guidelines on the Protection of Privacy and Transborder Flows of Personal Data[1] (http://europa.eu.int/comm/dg15/en/media/dataprot/priv.htm) (OECD, Paris, 1981) are a Recommendation by the Council of the OECD[2], adopted in 1980. Recommendations of the Council are not legally binding on member States, whereas Decisions are. The Guidelines attempt to balance the protection of privacy and individual liberties against the advancement of free flows of personal data through eight privacy principles which, if observed, are supposed to guarantee a free flow of personal information from other OECD countries.

The core of the Guidelines is the eight `Basic Principles of National Application' in Part Two (Guidelines 7 to 14). These are principles concerning Collection Limitation, Data Quality, Purpose Specification, Use Limitation, Security Safeguards, Openness, Individual Participation and Accountability. All 25 member countries of the OECD have adopted the Guidelines[3] but, outside Europe, only New Zealand and Québec (Canada) have implemented them in full by legislation covering both the public and private sectors. Other countries, like Australia[4], have implemented them in part only.

Guideline 19 concerning the means of enforcement of the Guidelines to be adopted in national legislation is vague in its requirements, in supporting both legislation and self-regulation, but does require both `reasonable means for individuals to exercise their rights' and `adequate sanctions and remedies in case of failures to comply'.

The Guidelines are still seen by the OECD as a basis for international self-regulation and legislative implementation, and are under active development by the OECD's Group of Experts on Security and Privacy (who have in recent years developed complementary Guidelines on Security and on Cryptography Policy), particularly in relation to international networks[5].

The Council of Europe Convention on data protection

The Council of Europe is an inter-governmental organisation, the European member countries of which are a considerably wider grouping of countries than the European Union, or the OECD's European membership. However, the OECD includes non-European countries[6].

The Council of Europe's Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data (Convention No 108)[7] (http://europa.eu.int/comm/dg15/en/media/dataprot/con10881.htm) became open for signature in 1981. It has been in force since 1985, and has now been signed and ratified by 18 European countries[8]. Unlike the OECD Guidelines, the Convention is a binding instrument in international law, although it does not have specific enforcement machinery[9]. Breaches of the Convention are dealt with at the diplomatic level by the Council of Ministers.

The scope of the Convention includes both the public and private sectors, but is limited to the automatic processing of personal data files, and does not apply to data processed `manually'. A party to the Convention undertakes to apply its principles to such files, but may give notice by declarations that it will not apply to certain categories of files, or that it will apply to `manual' files. Such declarations affect the extent to which parties may claim reciprocal treatment from other parties. Chapter II of the Convention contains eight Articles which constitute `Basic Principles for Data Protection', and are in many respects similar to those of the OECD Guidelines.

Despite being overshadowed by the EU privacy Directive, the Convention is still playing a significant role in European privacy developments, with ratification of the Convention being treated as a way by which non-EU countries can satisfy the Directive's data export requirements in some contexts (as is explained later).

Article 23 of the Convention allows the Committee of Ministers of the Council of Europe to invite States which are not members of the Council of Europe to accede to the Convention, provided that all of the Contracting States entitled to sit on the Committee agree. No non-member has as yet become a party to the Convention. Non-member countries may also be invited to attend meetings of the Consultative Committee of the Convention as observers (A18), and countries such as Australia have attended.

The ICCPR, A17 - `unlawful interference' with privacy

Various Asia-Pacific countries[10] are parties to the International Covenant on Civil and Political Rights (ICCPR)[11] (http://www.umn.edu/humanrts/instree/b3ccpr.htm), Article 17 of which provides:

`1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour or reputation.
2. Everyone has the right to protection of the law against such interference or attacks.'

Some ratifications are qualified in respect of A17, such as by Australia's declaration that A17 was accepted without prejudice to `the right to enact and administer laws which, insofar as they authorise action which infringes on a person's privacy, family, home or correspondence, are necessary in a democratic society in the interests of national security, public safety, the economic well-being of the country, the protection of public health or morals, or the protection of the rights and freedoms of others'.

Article 8 of the European Convention on Human Rights (1950) is in very similar terms, and considerable case law of the European Court of Human Rights has elaborated its meaning. The ICCPR (and A8 of the European Convention on Human Rights) is therefore very different in kind from the OECD Guidelines or the Council of Europe data protection Convention, as it contains only a very general statement of privacy as a right rather than a set of information privacy principles.

A few Asia-Pacific countries[12] have also acceded to the First Optional Protocol[13] (http://www.umn.edu/humanrts/instree/b4ccprp1.htm) to the ICCPR, thereby agreeing to individuals taking complaints (`communications') that they have breached a provision of the ICCPR to the United Nations Human Rights Committee. The Human Rights Committee is made up of 18 experts from different countries, elected for four year terms by countries that are ICCPR parties.

Article 17 has been used to protect privacy. In Toonen v Australia[14] (http://www.austlii.edu.au/au/other/ahric/Primary/hrcomm/toonen.html) the Committee held that Australia was in breach of the privacy protection of A17 because of legislation in an Australian State (Tasmania) which criminalised homosexual conduct in private. The Australian Commonwealth government then legislated to nullify the effect of the Tasmanian legislation (Human Rights (Sexual Conduct) Act 1994)[15], and the Tasmanian legislation was eventually repealed[16].

The European Union privacy Directive

The European Union's privacy Directive of 1995 is the most significant international statement of information privacy principles since the early 1980s.

The Directive is a directive to Member States of the EU to amend their respective laws (where necessary) to comply with the standards set out in the Directive. The information privacy principles set out in Chapter II are framed in terms of 'processing' personal data, but are in general terms similar to the information privacy principles found in the OECD Guidelines and the Council of Europe Convention. A rough comparison of the Articles in Chapter II with the titles of the OECD's 8 principles is as follows: Collection limitation principles (A10, A11, parts of A7); Data quality principles (A6); Purpose specification principle (A6); Use limitation principle (A16); Security safeguards principle (A17); Openness principle (A21); Individual participation principle (A12, A14); and Accountability principle (definition of 'controller'). Other articles cover matters not always found in previous sets of principles, such as purpose justification (A7), 'sensitive' data (A8), automated decision-making (A15), and notification (A18, A19, A20).

The Directive is in many respects the culmination of the model of data protection reflected in the two previous international agreements. However, the principles in the Directive go beyond that `1970/80s model' in some respects, including the following:

Many of these elements derive from previous national privacy laws of particular EU member States, but in that form their impact was limited. Their `percolation up' into the EU Directive makes them Europe-wide standards, with potential to become part of a world-wide standard via that route.

The relevance of international agreements to cyberspace

The present international agreements concerning privacy have very significant limitations as privacy protections in a world of pervasive international telecommunications.

Deficiencies in principles?

The privacy principles that they all embody are a product of 1970s and 1980s thinking, and do not address (or at least do not do so directly enough) some of the privacy issues made more important by cyberspace. A few of the issues which are not addressed in current principles are:

Additional information privacy principles may be needed to deal with cyberspace issues, or existing ones rephrased, but by and large it seems that the principles developed over the last thirty years are still essentially sound as a means of analysing most cyberspace privacy issues.

Deficiencies in enforcement mechanisms?

Current international agreements have only a limited amount to say about the jurisdictional problems which cyberspace issues always raise. The EU Directive reduces, and probably goes a good distance toward eliminating, the significance of the jurisdictional problem within Europe by providing an agreed European standard of protection, and means of trans-national assistance through cooperation between national Data Protection Commissioners.

To the extent that some similar approach to that taken within Europe can spread across the world through international agreements, they reduce the jurisdictional problem globally. There will for a long time be `dirty data havens', jurisdictions with no effective privacy laws from which privacy-invasive practices can occur out of the reach of national laws. However, international agreements can progressively reduce the problem even without developing any special trans-national tribunals to deal with privacy issues.

2.2. Self-regulation as a national solution

In the last couple of years a number of governments have been attempting to consciously turn away from information privacy legislation for the private sector in favour of voluntary self-regulation. The United States and Japan are the leading proponents of this view at present[25]. Australia was a proponent, but may be about to defect, as discussed below.

Although Vice-President Gore has called for an `electronic bill of rights', the United States government is still intensively seeking a national self-regulatory approach, with some type of certification scheme with a logo consumers can recognise[26] (http://www.thestandard.net/articles/issue_display/0,1261,460,00.html).

The Canadian example

It seemed, for a while, that Canada might embrace voluntary self-regulation when there was such intense interest in the Canadian Standards Association's `Model Code', but the move toward technical standards as some general solution seems to have faltered (see below), and Canada's government stated its intention in September 1996 to have comprehensive national laws by 2000[27].

A discussion paper[28] (http://strategis.ic.gc.ca/sc_mrksv/privacy/engdoc/homepage.html) on how the Federal government could legislate for privacy in the private sector within the Canadian Federal structure was issued in January 1998, and events have been moving rapidly since then[29]:

The Industry Department was asked to develop a policy and draft a bill. It is expected that the bill will be finalised by the northern autumn. According to the Canadian Federal Privacy Commissioner, the aim of the Federal Government is to enact privacy laws that will meet the test of adequacy envisaged by the EU Directive, including by having the necessary oversight and enforcement mechanisms if the data protection principles are contravened.

It appears, therefore, that the idea of voluntary self-regulation as a national solution has retreated in Canada.

The Australian example

One of the most comprehensive recent attempts is the Australian Commonwealth Government's decision in March 1997 to abandon its own draft national private sector privacy laws in favour of voluntary self-regulation[30], coupled with its request that all Australian State and Territory governments do likewise.

The Australian Privacy Commissioner, at the Prime Minister's behest[31], has spent the last year attempting to develop a national scheme for voluntary self-regulation, but the process has so far shown little sign of resulting in any serious national self-regulation[32].

One outcome has been a set of `National Principles for the Fair Handling of Personal Information'[33] (http://www.austlii.edu.au/hreoc/privacy/natprinc.htm) which the Privacy Commissioner developed in conjunction with business groups and privacy and consumer advocates (who were willing to discuss principles, but not self-regulation)[34] (http://www2.austlii.edu.au/itlaw/articles/4PLPR181.html). The `National Principles' are a more `plain English' version of conventional information privacy principles than is found in Australian public sector privacy legislation[35], and do contain a small number of innovations as well as deficiencies[36] (http://www.anu.edu.au/people/Roger.Clarke/DV/NPPFlaws.html):

The attempt to implement these `National Principles' through pure voluntary self-regulation never gained any credence[37] and now seems to have failed, for these reasons:

It therefore appears that Australia is heading toward complex overlapping State laws covering the private sector, unless the Commonwealth government abandons its opposition to national laws.

Self-regulation and cyberspace

There is little evidence as yet that providers of internet services are in any `spontaneous' way adopting good privacy protections. A recent survey[39] (http://www.epic.org/reports/surfer-beware.html) by the Electronic Privacy Information Center (EPIC) of the 100 most popular internet sites in the USA found that 49 sites collected personal information, but only 17 had privacy policies stated on the site. Only one site allowed users to access information collected about them, and 24 used `cookies' to collect information about users. However, there was still a widespread practice of allowing users to browse sites anonymously (other than for the user's IP address, which the site necessarily sees whenever a browser connects to it over TCP/IP), and EPIC saw this as the best current protection of on-line privacy.

2.3. Privacy protective technologies

Platform for Privacy Preferences (P3P)

The World Wide Web Consortium (W3C) is developing the Platform for Privacy Preferences (P3P)[40] (http://www.w3c.org/P3P/), an internet protocol which attempts to provide a framework to increase trust between web service providers and users of their services. Roger Clarke[41] (http://www.anu.edu.au/people/Roger.Clarke/DV/P3POview.html) explains the purpose of the P3P specification as follows:
`In effect, it is to provide means whereby an individual can have sufficient information that he or she can make an informed decision on whether to permit further use of the data, or decline further use of the data. Moreover, that decision is to be able to be delegated to a software agent acting on behalf of the individual.'[42]

P3P is a protocol which is intended to be applicable to negotiations in a variety of internet contexts, including explicit data provision (eg answers to questions on web forms), implicit data provision (eg capture of the `click stream', the URLs of pages visited in succession), and explicit data provision from a third source (eg a web user's stored profile of preferences, demographic details etc). How it can be applied to extensions to basic HTML such as cookies, Java etc is not yet determined. P3P allows web users to have multiple personae (digital pseudonyms), so that a user can choose between a `data-poor' and a `data-rich' personality depending on the site visited[43].

P3P is the first important privacy initiative to have emerged from the consultative and self-regulatory structures of internet governance (although dominated by W3C staff members), and for that reason alone is of considerable significance.

Clarke compares what P3P is attempting to deliver against the OECD privacy Guidelines[44] (http://www.anu.edu.au/people/Roger.Clarke/DV/P3PCrit.html), and concludes that it only addresses parts of three of the OECD Principles (data collection directly from the individual concerned; limitations on use and disclosure; and openness about use and disclosure policies), but does not address other principles relating to collection from third parties, subject access to data held by the web-site operator, retention of data, and security. This is not necessarily a criticism, merely a limitation of one tool, but it would seem that some of these matters could be addressed by the same protocol in order to give more comprehensive privacy protection.

The more substantial criticism is that P3P says nothing about measures to ensure that it is complied with. If the web service provider breaches the practices that it has told the user that it adopts during a P3P `negotiation' what can the user do about it (assuming he or she ever finds out in the first place)? Some aspects of this problem are:

P3P may become `one important element among many others' (as Clarke concludes), but it will be of little use unless it meshes with law and organisational practices. Until it does that, it could be little more than a framework for deception.
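The two points above (a user agent choosing between `data-poor' and `data-rich' personae against a site's declared practices, and the absence of any step that checks whether the site actually does what it declares) can be made concrete with a toy negotiation. The following is an added illustration, not code from the paper or from the W3C P3P specification; the data elements, purposes and retention values are invented for the example, and the matching rules are a simplification of the kind of comparison a delegated agent would make.

```python
"""Toy model of a P3P-style negotiation between a site's declared data
practices and a user's preferences, with multiple personae.

Added illustration only: the vocabulary (element names, purposes,
retention values) is invented and is not the P3P schema.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Practice:
    """One data element a site proposes to collect, and what it declares
    it will do with it. Nothing here is verified: it is the site's claim."""
    element: str            # e.g. "email", "clickstream"
    purposes: frozenset     # e.g. {"service", "marketing"}
    shared: bool            # disclosed to third parties?
    retention: str          # "session", "1y" or "indefinite"
    required: bool          # site declines service without this element


@dataclass
class Persona:
    """A user's preferences under one pseudonymous identity."""
    name: str
    allow: dict             # element -> set of purposes the user permits
    allow_sharing: bool
    max_retention: str


RETENTION_ORDER = {"session": 0, "1y": 1, "indefinite": 2}


def evaluate(persona, practices):
    """Compare a site's declared practices with one persona's preferences.
    Returns (decision, released_elements, objections). Only the declaration
    is examined; the agent has no way to check the site's real behaviour."""
    released, objections = [], []
    for p in practices:
        permitted = persona.allow.get(p.element, set())
        problems = []
        extra = p.purposes - permitted
        if extra:
            problems.append(f"{p.element}: purpose(s) {sorted(extra)} not permitted")
        if p.shared and not persona.allow_sharing:
            problems.append(f"{p.element}: third-party sharing not permitted")
        if RETENTION_ORDER[p.retention] > RETENTION_ORDER[persona.max_retention]:
            problems.append(f"{p.element}: retention {p.retention!r} exceeds "
                            f"{persona.max_retention!r}")
        if not problems:
            released.append(p.element)
        elif p.required:
            # A mandatory element this persona will not release: no deal.
            return "decline", [], objections + problems
        else:
            objections.extend(problems)   # optional element simply withheld
    return "accept", released, objections


def negotiate(practices, personae):
    """The delegated agent: try personae from most to least private and use
    the first one for which the declaration is acceptable."""
    last = []
    for persona in personae:
        decision, released, objections = evaluate(persona, practices)
        if decision == "accept":
            return persona.name, released, objections
        last = objections
    return None, [], last


# Constructed sample declarations and personae (hypothetical sites).
SITE = (
    Practice("clickstream", frozenset({"service"}), False, "session", True),
    Practice("email", frozenset({"service", "marketing"}), True, "indefinite", False),
    Practice("postcode", frozenset({"tailoring"}), False, "1y", False),
)
MARKETING_SITE = (
    Practice("email", frozenset({"marketing"}), True, "indefinite", True),
)
DATA_POOR = Persona("data-poor", {"clickstream": {"service"}}, False, "session")
DATA_RICH = Persona("data-rich",
                    {"clickstream": {"service", "tailoring"},
                     "email": {"service", "marketing"},
                     "postcode": {"tailoring"}},
                    True, "indefinite")
PERSONAE = (DATA_POOR, DATA_RICH)

if __name__ == "__main__":
    for site in (SITE, MARKETING_SITE):
        print(negotiate(site, PERSONAE))
```

Run as a script, the first site is accepted under the `data-poor' persona with only the session clickstream released, while the second site, which makes an e-mail address for marketing a condition of entry, is only accepted once the agent falls back to the `data-rich' persona. Every decision rests on the `Practice` records the site supplies; a site that declares `retention="session"` and keeps the data indefinitely passes the same check, which is exactly the enforcement gap the text describes.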

The Electronic Privacy Information Center (EPIC) identifies a different danger, in that it considers that what is in effect a framework for efficient collection of personal information as a condition of entry to web sites (with the possibility of increasing exclusion of those who value their privacy) may be counter-productive to privacy, compared with simply opposing the increased collection of personal information[45] (http://www.nytimes.com/library/tech/98/06/cyber/articles/02privacy.html).

2.4. Standards, certification and audits

Another form of self-regulatory proposal, one which has emerged largely from a business context, is the idea of embodying privacy principles in a technical Standard such as those developed by the International Standards Organisation or by similar national Standards bodies. Such schemes usually involve a certification process with periodic auditing of the practices of companies that purport to adhere to the standard, and the issue and withdrawal of certification as a result.

The Canadian (CSA) initiative - a litmus test?

The Canadian Standards Association (CSA) Model Code for the Protection of Personal Information was adopted in 1996. The Code is based on the OECD Guidelines, and involves a certification scheme[46]. The CSA privacy Code looked at that stage as though it might become one `litmus test' of whether the EU will accept that Codes of Conduct which have no enforceability at law can provide `adequate protection' or even one-off `adequate safeguards'. This had strong opponents, particularly within Canada, but the issue is less significant since the Canadian government committed itself to national legislation by 2000 and issued a discussion paper in January 1998[47] (http://strategis.ic.gc.ca/SSG/pv01169e.html).

In terms of its content, it is debatable whether the CSA Model Code's principles are strong enough to provide `adequacy' in terms of the content of the EU Directive[48]. For example, it does not provide restrictions on onward transfers. However, the main problem with any `standards' approach is that it does not normally provide any enforcement mechanisms that can be used by the individuals concerned, or provide any remedies for them. Loss of accreditation is a typical sanction, but that provides no benefit to the individuals concerned, and is not a strong sanction so long as the accreditation remains voluntary. Such standards would not, of themselves, meet the criteria in `Judging industry self-regulation'. Colin Bennett, one of the main developers of the CSA Model Code, sees it as only one useful element in establishing adequacy, but not sufficient in itself[49]. The President of Québec's data protection authority, Paul-André Comeau, praised the Code as `a step in the right direction', but said[50] that

There is a major flaw in the code, stemming from the philosophy of voluntary compliance: the code does not provide for any form of recourse before an impartial judge. It relies essentially on the good will of those concerned. The authors of the code are counting on the use of audits to compensate for this failing.

The ISO initiative stalls

The CSA hoped that its Code would be adopted by the International Standards Organisation (ISO)[51]. The ISO's Ad Hoc Advisory Group on privacy (AHAG), including representatives from 12 countries among them Canada, the USA and Australia, was formed to advise the ISO's Technical Management Board (TMB) on the desirability and practicability of such a standard. AHAG met in New York in May 1997, and in Brussels in September 1997. It reported to the TMB in June 1998 that it was unable to achieve consensus. AHAG's recommendation concludes:
`Given the increased level of interest in data protection, as well as the differing views, outstanding issues, and major initiatives expected to develop in the next six to twelve months, the AHAG is of the view that it is premature to make a determination on the desirability/practicality of ISO undertaking the development of International Standards relevant to the protection of personal information.'

The TMB has deferred further consideration until its September meeting, but it seems that the moves toward an international technical standard have stalled.

The Japanese `privacy mark' - a co-regulatory hybrid

In 1998 Japan's MITI launched[52] a number of initiatives, summarised by Nigel Waters[53]:
"New MITI Guidelines for the private sector, amending the 1989 guidelines in light of the EU Directive, were issued in March 1997, and a supplementary Memorandum in November 1997. In February 1998, MITI established a Supervisory Authority for the Protection of Personal Data to monitor a new system for the grant of 'privacy marks' to businesses committing to the handling of personal data in accordance with the MITI guidelines, and to promote awareness of privacy protection for consumers. The 'privacy mark' system was introduced on 1 April, and is administered by the Japan Information Processing Development Center (JIPDEC) - a joint public/private agency. Companies that do not comply with the industry guidelines will be excluded from relevant industry bodies and not granted the privacy-protection mark - it is assumed that they will then be penalised by market forces. However, in addition, the new Supervisory Authority will investigate violation cases and make suggestions as necessary to the relevant administrative authorities."
The most striking thing about the new Japanese system is that it is a hybrid which is much more like government-directed co-regulation than voluntary self-regulation. MITI issues guidelines, including sectoral versions. There is an official national Supervisory Authority which investigates and reports breaches to the Administrative Authority responsible for the relevant market sector. The organisation which grants `privacy marks' (JIPDEC) is a public/private hybrid.

2.5. Finding the right mix

Only one thing seems clear from the current international debate about the best means of implementing privacy protection: the model of national information privacy laws developed through the 1970s and 1980s (mainly in Europe, and influenced strongly by the OECD privacy Guidelines and the Council of Europe privacy Convention of the early 1980s) is no longer sufficient in itself, and needs to be made more flexible so that it can better complement (or be complemented by) various forms of self-regulation and new forms of international agreement.

Victoria's proposed `third generation' law

With its announced Data Protection Bill of 15 June 1998, the Australian State of Victoria is the latest sub-national jurisdiction to follow the pattern set by Québec and Hong Kong in setting higher privacy standards than at national level. The Victorian Minister responsible for the legislation, Alan Stockdale, says[54] (http://www.stockdale.vic.gov.au/) it will be `light handed' legislation which will `bridge the gap between voluntary codes and a legislative scheme' and provide a new generation of privacy law. The legislation will support and encourage industry codes of conduct by providing that any industry code which is approved[55] by the Privacy Commissioner will result in those who adopt the code, and adhere to it, being exempted from most of the provisions of the Act, including most of its enforcement aspects. However, there will be an appeals mechanism where industry-based resolution methods fail. Those who do not adopt a code will be bound by the statutory `National Principles' and enforcement mechanisms. There will be penalty provisions for `flagrant and repeated breaches'.

It remains to be seen whether the Victorian approach can provide a new and more flexible form of privacy protection. The New Zealand Privacy Act 1993 contains provisions for a code of conduct issued by the Commissioner (after consultation with industry, consumers etc) to replace the privacy principles in the Act for that sector. However, in the five years of the Act's operation, only a handful of industry codes have been issued, and the Commissioner states that most sectors have preferred simply to `live with' the statutory provisions rather than go through the expensive process of negotiating their own Code and training staff to abide by it. The Victorian approach is even more ambitious (and therefore potentially more expensive for industry) than the New Zealand one, in that it will require industry sectors to develop and absorb the costs of operating all aspects of a self-regulatory scheme. It therefore remains to be seen how many industry sectors will wish to take the opportunity under the Victorian Act to have a sectoral scheme, rather than `live with' statutory principles and enforcement mechanisms.

However, the potential for greater flexibility, with due recognition being given by a statutory scheme to various aspects of self-regulation such as industry-based complaints mechanisms, privacy standards and audit mechanisms, and technological protections such as P3P implementations, could all be provided by the Victorian approach if the announced approach matures into flexible and inventive legislation.

[1] Available at http://europa.eu.int/comm/dg15/en/media/dataprot/priv.htm

[2] An inter-governmental organisation, the members of which comprise the European Union countries, Switzerland, Turkey, the former Yugoslav states, Canada, the United States, New Zealand, Australia and Japan

[3] Tucker, G `Present situation and trends in privacy protection in the OECD area', Committee for Information, Computer and Communications Policy, OECD, Paris, 1988

[4] Australia announced its intention to adhere to the OECD Guidelines in 1984. The 11 Information Privacy Principles in the Privacy Act 1988 (Cth) are intended to implement the OECD's 8 Principles insofar as personal information held by Commonwealth public sector agencies are concerned. The various methods of enforcement of the Principles provided in the Act implement Guideline 19. State and Territory Freedom of Information Acts implement the Individual Participation Guideline in relation to State and Territory public sectors, but not the other Guidelines. Insofar as the private sector is concerned, it would be difficult to argue that the Guidelines have been implemented in any sector except that relating to credit reporting (Privacy Act 1988, Pt IIIA (Cth)). So Australia has still failed to comply with the Guidelines for thirteen years after announcing its adherence.

[5] The Group of Experts on Security and Privacy (OECD) meeting on 19 May 1998 agreed that a Ministerial Statement would be developed stating that the 1980 OECD Guidelines on Privacy are still sound but need to be implemented, and that Ministers urge the private sector to apply them particularly in the context of global networks. They will ask the OECD to prepare a background report giving guidance on how to apply the Guidelines in the networked environment, and to review progress in two years time and revisit the issue.

[6] Canada, the United States, New Zealand, Australia and Japan

[7] Available at http://europa.eu.int/comm/dg15/en/media/dataprot/con10881.htm

[8] Austria, Belgium, Denmark, Finland, France, Germany, Greece, Hungary, Iceland, Italy, Luxembourg, Netherlands, Norway, Portugal, Slovenia, Spain, Sweden and the United Kingdom: see Privacy Laws & Business, May 1997.

[9] The Vienna Convention and other general principles would apply.

[10] Including Australia, Canada, Chile, Democratic People's Republic of Korea, Fiji, Japan, New Zealand, Philippines, Republic of Korea, USA, Vietnam: Status of International Instruments, Chart of Ratifications as at 31 July 1992, United Nations, New York 1992

[11] International Covenant on Civil and Political Rights, G.A. res. 2200A (XXI), 21 U.N. GAOR Supp. (No. 16) at 52, U.N. Doc. A/6316 (1966), 999 U.N.T.S. 171, entered into force Mar. 23, 1976.

[12] Including Australia, Canada, Chile, New Zealand, Philippines, Republic of Korea: ibid

[13] Optional Protocol to the International Covenant on Civil and Political Rights, G.A. res. 2200A (XXI), 21 U.N. GAOR Supp. (No. 16) at 59, U.N. Doc. A/6316 (1966), 999 U.N.T.S. 302, entered into force March 23, 1976.

[14] Toonen v Australia (Views of the Human Rights Committee under article 5, paragraph 4, of the Optional Protocol to the International Covenant on Civil and Political Rights - Fiftieth session concerning Communication No. 488/1992), available at http://www.austlii.edu.au/au/other/ahric/Primary/hrcomm/toonen.html; see 1 Privacy Law & Policy Reporter 50

[15] Greenleaf, G `Human Rights (Sexual Conduct) Bill 1994' (1994) 1 PLPR 121

[16] After Croome and Toonen successfully obtained leave from the High Court to challenge the Tasmanian legislation's consistency with the Commonwealth legislation, the Tasmanian Parliament in May 1997 finally repealed the sections which had led to the complaint to the UN. The Coalition Government was considering Australia withdrawing from the First Optional Protocol so as to prevent other cases going to the Human Rights Committee, in which case Australia would be the first country to so withdraw.

[17] National laws can provide either for objection after the data subject has been informed that the data is to be used for direct marketing, or merely at the data subject's request.

[18] The 1990 draft was limited to decisions `involving an assessment of conduct', and referred to `personality or profile'. The Parliament recommended that this only apply to assessments of `character', that there should be an exception where there is consent, but that there would be a right to be informed of and to challenge any such automated processing. The 1992 draft referred to processing defining a personality profile.

[19] The authority must be notified of such proposed operations by the controller or the data protection official (A20(2)).

[20] Subject to numerous exceptions: A8(2)-(4).

[21] These can only be kept under official authority: A8(5).

[22] The Working Party On The Protection Of Individuals With Regard To The Processing Of Personal Data, Recommendation 3/97 Anonymity on the Internet (December 1997)

[23] See 3 PLPR 88 for a discussion of the Robot Exclusion Standard; `Rogue' is used tongue-in-cheek because there are many robots that do not adhere to this voluntary standard at present, for technical reasons.

[24] See International Working Group on Data Protection in Telecommunications `Data protection on the internet - Report and Guidance (Budapest Draft)' (1996) 3 PLPR 110

[25] President Clinton stating in a speech to the World Trade Organisation on 18 May 1998 that `the Japanese Prime Minister, Mr Hashimoto, and I agreed to move forward together with a market-oriented, private-sector-led approach to enhance privacy ...'

[26] See Elizabeth Wasserman `Political Pressure Forces Action on Privacy' The Industry Standard

[27] Announcement by Allan Rock, Minister of Justice, Canada, to 18th International Conference of Data Protection and Privacy Commissioners, Ottawa, September 1996; see Privacy Files, Vol 2 No 1, October 1996

[28] Industry Canada/Justice Canada Task Force on Electronic Commerce Discussion Paper `The Protection of Personal Information - Building Canada's Information Economy and Society' (January 1998)

[29] Nigel Waters `Reviewing the adequacy of privacy protection in the Asia Pacific Region' IIR Conference Information Privacy - Data Protection, 15 June 1998, Sydney

[30] Australian Prime Minister John Howard announced on 21 March 1997 (Press Release `Privacy Legislation'), following a Premiers Conference, that the Coalition Government had decided against enacting information privacy laws for the private sector, and that he had urged State and Territory Premiers and Chief Ministers not to introduce such laws either. His stated reasons were:

"The Commonwealth opposes such proposals which will further increase compliance costs for all Australian businesses, large and small. At a time when all heads of government acknowledge the need to reduce the regulatory burden, proposals for new compulsory regimes would be counterproductive. On these grounds, the Commonwealth will not be implementing privacy legislation for the private sector."

[31] The Prime Minister also said that he had told the Premiers that the Commonwealth had offered `the services of the Federal Privacy Commissioner to assist business in the development of voluntary codes of conduct and to meet privacy standards'.

[32] This assertion is not the subject of this paper. See the special issues of Privacy Law & Policy Reporter, Vol 4 No 3 and Vol 4 No 9 for details of the Commissioner's approach.

[33] Privacy Commissioner `National Principles for the Fair Handling of Personal Information' (February 1998)

[34] See G Greenleaf and N Waters `Putting the "National Principles" in context' (1998) 4 PLPR 161

[35] Privacy Act 1988 (Cth) s14 `Information Privacy Principles' (IPPs)

[36] See Greenleaf and Waters op cit and R Clarke `Serious Flaws in the National Privacy Principles'

[37] See G Greenleaf `Commonwealth abandons privacy - for now' (1997) 4 PLPR 1 for an early catalogue of reasons.

[38] For brief details see James Riley `Victoria to go it alone on privacy' The Australian 16 June 1998

[39] EPIC Report `Surfer Beware: Personal Privacy and the Internet' (June 1997)

[40]

[41] Roger Clarke `Platform for Privacy Preferences: An Overview'. This paper is an excellent simple overview of P3P.

[42] Clarke, `Overview' op cit

[43] Paragraph summarised from Clarke, `Overview' op cit

[44] Roger Clarke `Platform for Privacy Preferences: A Critique'

[45] Jeri Clausing `Proposed privacy standards fail to please advocates of online privacy' 2 June 1998, NYT Cybertimes

[46] National Standard of Canada CAN/CSA-Q830-96

[47]

[48] See G Greenleaf `Stopping surveillance: beyond `efficiency' and the OECD' (1996) 3 PLPR 148

[49] C J Bennett and C D Raab `The adequacy of privacy: The European Union Data Protection Directive and the North American response' The Information Society 13:245-263, 1997, at p257.

[50] Speech to the International Data Protection and Privacy Commissioners' Conference, Copenhagen, September 1995

[51] L Moisan `The CSA Model Code: The new bid on the block' Privacy Files, Vol 1 No 2, November 1995, from which the above information is derived.

[52] See Ministry of International Trade and Industry (MITI) `Japan's views on the protection of personal data' (April 1998)

[53] Nigel Waters `Reviewing the adequacy of privacy protection in the Asia Pacific Region' IIR Conference Information Privacy - Data Protection, 15 June 1998, Sydney

[54] Comments by Alan Stockdale MLA, Minister for Multimedia, Information Privacy - Data Protection Conference, IIR Conferences, Sydney 15-16 June 1998

[55] `The test will be whether (i) the code is effective in broadly achieving the privacy objectives of the legislation; and (ii) the code is not contrary to the public interest.'
