The core of the Guidelines are the eight `Basic Principles of National Application' in Part Two (Guidelines 7 to 14). These are principles concerning Collection Limitation, Data Quality, Purpose Specification, Use Limitation, Security Safeguards, Openness, Individual Participation and Accountability. All 25 member countries of the OECD have adopted the Guidelines[3] but, outside Europe, only New Zealand and Québec (Canada) have implemented them in full by legislation covering both the public and private sectors. Other countries like Australia[4] have implemented them in part only.
Guideline 19 concerning the means of enforcement of the Guidelines to be adopted in national legislation is vague in its requirements, in supporting both legislation and self-regulation, but does require both `reasonable means for individuals to exercise their rights' and `adequate sanctions and remedies in case of failures to comply'.
The Guidelines are still seen by the OECD as a basis for international self-regulation and legislative implementation, and are under active development by the OECD's Group of Experts on Security and Privacy (who have in recent years developed complementary Guidelines on Security and on Cryptography Policy), particularly in relation to international networks[5].
The Council of Europe's Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data (Convention No 108)[7] (http://europa.eu.int/comm/dg15/en/media/dataprot/con10881.htm) became open for signature in 1981. It has been in force since 1985, and has now been signed and ratified by 18 European countries[8]. Unlike the OECD Guidelines, the Convention is a binding instrument in international law, although it does not have specific enforcement machinery[9]. Breaches of the Convention are dealt with at the diplomatic level by the Council of Ministers.
The scope of the Convention includes both the public and private sectors, but is limited to the automatic processing of personal data files, and does not apply to data processed `manually'. A party to the Convention undertakes to apply its principles to such files, but may give notice by declarations that it will not apply to certain categories of files, or that it will apply to `manual' files. Such declarations affect the extent to which parties may claim reciprocal treatment from other parties. Chapter II of the Convention contains eight Articles which constitute `Basic Principles for Data Protection', and are in many respects similar to those of the OECD Guidelines.
Despite being overshadowed by the EU privacy Directive, the Convention is still playing a significant role in European privacy developments, with ratification of the Convention being treated as a way by which non-EU countries can satisfy the Directive's data export requirements in some contexts (as is explained later).
Article 23 of the Convention allows the Committee of Ministers of the Council of Europe to allow States which are not members of the Council of Europe to accede to the Convention, provided that all of the Contracting States entitled to sit on the Committee agree. No non-member has as yet become a party to the Convention. Non-member countries may also be invited to attend meetings of the Consultative Committee of the Convention as observers (A18), and countries such as Australia have attended.
`1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour or reputation. 2. Everyone has the right to protection of the law against such interference or attacks'.
Some ratifications are qualified in respect of A17, such as by Australia's declaration that A17 was accepted without prejudice to `the right to enact and administer laws which, insofar as they authorise action which infringes on a person's privacy, family, home or correspondence, are necessary in a democratic society in the interests of national security, public safety, the economic well-being of the country, the protection of public health or morals, or the protection of the rights and freedoms of others'.
Article 8 of the European Convention on Human Rights (1950) is in very similar terms, and considerable case law by the European Court of Human Rights has elaborated its meaning. The ICCPR is therefore very different from the OECD Guidelines or the European Convention, as it contains only a very general statement of privacy as a right.
A few Asia-Pacific countries[12] have also acceded to the First Optional Protocol[13] (http://www.umn.edu/humanrts/instree/b4ccprp1.htm) to the ICCPR, thereby agreeing to individuals taking complaints (`communications') that they have breached a provision of the ICCPR to the United Nations Human Rights Committee. The Human Rights Committee is made up of 18 experts from different countries, elected for four year terms by countries that are ICCPR parties.
Article 17 has been used to protect privacy. In Toonen v Australia[14] (http://www.austlii.edu.au/au/other/ahric/Primary/hrcomm/toonen.html) the Committee held that Australia was in breach of the privacy protection of A17 because of legislation in an Australian State (Tasmania) which criminalised homosexual conduct in private. The Australian Commonwealth government then legislated to nullify the effect of the Tasmanian legislation (Human Rights (Sexual Conduct) Act 1994[15]), and the Tasmanian legislation was eventually repealed[16].
The Directive is a directive to Member States of the EU to amend their respective laws (where necessary) to comply with the standards set out in the Directive. The information privacy principles set out in Chapter II are framed in terms of 'processing' personal data, but are in general terms similar to the information privacy principles found in the OECD Guidelines and the Council of Europe Convention. A rough comparison of the Articles in Chapter II with the titles of the OECD's 8 principles is as follows: Collection limitation principles (A10, A11, parts of A7); Data quality principles (A6); Purpose specification principle (A6); Use limitation principle (A16); Security safeguards principle (A17); Openness principle (A21); Individual participation principle (A12, A14); and Accountability principle (definition of 'controller'). Other articles cover matters not always found in previous sets of principles, such as purpose justification (A7), 'sensitive' data (A8), automated decision-making (A15), and notification (A18, A19, A20).
The Directive is in many respects the culmination of the model of data protection reflected in the two previous international agreements. However, the principles in the Directive go beyond that `1970/80s model' in some respects, including the following:
To the extent that an approach similar to that taken within Europe can spread across the world through international agreements, such agreements reduce the jurisdictional problem globally. There will for a long time be `dirty data havens', jurisdictions with no effective privacy laws from which privacy-invasive practices can occur out of the reach of national laws. However, international agreements can progressively reduce the problem even without developing any special trans-national tribunals to deal with privacy issues.
Although Vice-President Gore has called for an `electronic bill of rights', the United States government is still intensively seeking a national self-regulatory approach, with some type of certification scheme with a logo consumers can recognise[26] (http://www.thestandard.net/articles/issue_display/0,1261,460,00.html).
A discussion paper[28] (http://strategis.ic.gc.ca/sc_mrksv/privacy/engdoc/homepage.html) on how the Federal government could legislate for privacy in the private sector in the Canadian Federal structure was issued in January 1998, and events have been moving rapidly since then[29]:
The Industry Department was asked to develop a policy and draft a bill. It is expected that the bill will be finalised by the northern autumn. According to the Canadian Federal Privacy Commissioner, the aim of the Federal Government is to enact privacy laws that will meet the test of adequacy envisaged by the EU Directive, including by having the necessary oversight and enforcement mechanisms if the data protection principles are contravened.
It appears, therefore, that the idea of voluntary self-regulation as a national solution has retreated in Canada.
The Australian Privacy Commissioner, at the Prime Minister's behest[31], has spent the last year attempting to develop a national scheme for voluntary self-regulation, but the process has so far shown little sign of resulting in any serious national self-regulation[32].
One outcome has been a set of `National Principles for the Fair Handling of Personal Information'[33] (http://www.austlii.edu.au/hreoc/privacy/natprinc.htm) which the Privacy Commissioner developed in conjunction with business groups and privacy and consumer advocates (who were willing to discuss principles, but not self-regulation)[34] (http://www2.austlii.edu.au/itlaw/articles/4PLPR181.html). The `National Principles' are a more `plain English' version of conventional information privacy principles than is found in Australian public sector privacy legislation[35], and do contain a small number of innovations as well as deficiencies[36] (http://www.anu.edu.au/people/Roger.Clarke/DV/NPPFlaws.html):
`In effect, it is to provide means whereby an individual can have sufficient information that he or she can make an informed decision on whether to permit further use of the data, or decline further use of the data. Moreover, that decision is to be able to be delegated to a software agent acting on behalf of the individual.'[42]
P3P is a protocol which is intended to be able to be applied to support negotiations in a variety of internet contexts, including explicit data provision (eg answers to questions on web forms), implicit data provision (eg capture of the `click stream', or URLs of pages visited in succession), and explicit data provision from third sources (eg a web user's stored profile of preferences, demographic details etc). How it can be applied to some extensions to basic HTML such as cookies, Java etc is not yet determined. P3P allows web users to have multiple personae (digital pseudonyms), allowing a user to choose between a `data-poor' or `data-rich' personality depending on the site visited[43].
P3P is the first important privacy initiative to have emerged from the consultative and self-regulatory structures of internet governance (although dominated by W3C staff members), and for that reason alone is of considerable significance.
Clarke compares what P3P is attempting to deliver against the OECD privacy Guidelines[44] (http://www.anu.edu.au/people/Roger.Clarke/DV/P3PCrit.html), and concludes that it only addresses parts of three of the OECD Principles (data collection directly from the individual concerned; limitations on use and disclosure; and openness about use and disclosure policies), but does not address other principles relating to collection from third parties, subject access to data held by the web-site operator, retention of data and security. This is not necessarily a criticism, merely a limitation of one tool, but it would seem that some of these matters could be addressed by the same protocol in order to give more comprehensive privacy protection.
The more substantial criticism is that P3P says nothing about measures to ensure that it is complied with. If the web service provider breaches the practices that it has told the user that it adopts during a P3P `negotiation' what can the user do about it (assuming he or she ever finds out in the first place)? Some aspects of this problem are:
The Electronic Privacy Information Center (EPIC) identifies a different danger, in that it considers that what is in effect a framework for efficient collection of personal information as a condition of entry to web sites (with the possibility of increasing exclusion of those who value their privacy) may be counter-productive to privacy, compared with simply opposing the increased collection of personal information[45] (http://www.nytimes.com/library/tech/98/06/cyber/articles/02privacy.html).
In terms of its content, it is debatable whether the CSA Model Code's principles are strong enough to provide `adequacy' in terms of the content of the EU Directive[48]. For example, it does not provide restrictions on onward transfers. However, the main problem with any `standards' approach is that it does not normally provide any enforcement mechanisms that can be used by the individuals concerned, or can provide any remedies for them. Loss of accreditation is a typical sanction, but that provides no benefit to the individuals concerned, and is not a strong sanction provided that the accreditation remains voluntary. Such standards would not, of themselves, meet the criteria in `Judging industry self-regulation'. Colin Bennett, one of the main developers of the CSA Model Code, sees it as only one useful element in establishing adequacy, but not sufficient in itself[49]. The President of Québec's data protection authority, Paul-André Comeau, praised the Code as 'a step in the right direction', but said[50] that
There is a major flaw in the code, stemming from the philosophy of voluntary compliance: the code does not provide for any form of recourse before an impartial judge. It relies essentially on the good will of those concerned. The authors of the code are counting on the use of audits to compensate for this failing.
'Given the increased level of interest in data protection, as well as the differing views, outstanding issues, and major initiatives expected to develop in the next six to twelve months, the AHAG is of the view that it is premature to make a determination on the desirability/practicality of ISO undertaking the development of International Standards relevant to the protection of personal information.'
The TMB has deferred further consideration until its September meeting, but it seems that the moves toward an international technical standard have stalled.
"New MITI Guidelines for the private sector, amending the 1989 guidelines in light of the EU Directive, were issued in March 1997, and a supplementary Memorandum November 1997. In February 1998, MITI established a Supervisory Authority for the Protection of Personal Data to monitor a new system for the grant of 'privacy marks' to businesses committing to the handling of the personal data in accordance with the MITI guidelines and to promote awareness of privacy protection for consumers. The 'privacy mark' system was introduced on 1 April, and is administered by the Japan Information Processing Development Center (JIPDEC) - a joint public/private agency. Companies that do not comply with the industry guidelines will be excluded from relevant industry bodies and not granted the privacy-protection mark - it is assumed that they will then be penalised by market forces. However, in addition, the new Supervisory Authority will investigate violation cases and make suggestions as necessary to the relevant administrative authorities."

The most striking thing about the new Japanese system is that it is a hybrid which is much more like government-directed co-regulation than voluntary self-regulation. MITI issues guidelines, including sectoral versions. There is an official national Supervisory Authority which investigates and reports breaches to the Administrative Authority responsible for the relevant market sector. The organisation which grants `privacy marks' (JIPDEC) is a public/private hybrid.
It remains to be seen whether the Victorian approach can provide a new and more flexible form of privacy protection. The New Zealand Privacy Act 1993 has contained provisions for a code of conduct issued by the Commissioner (after consultation with industry, consumers etc) to replace the privacy principles in the Act for that sector. However, in the five years of the Act's operation, only a handful of industry codes have been issued, and the Commissioner states that most sectors have preferred to simply `live with' the statutory provisions rather than go through the expensive process of negotiating their own Code and training staff to abide by it. The Victorian approach is even more ambitious (and therefore potentially expensive for industry) than the New Zealand one, in that it will require industry sectors to develop and absorb the costs of operating all aspects of a self-regulatory scheme. It therefore remains to be seen how many industry sectors will wish to take the opportunity under the Victorian Act to have a sectoral scheme, rather than `live with' statutory principles and enforcement mechanisms.
However, the potential for greater flexibility, with due recognition being given by a statutory scheme to various aspects of self-regulation such as industry-based complaints mechanisms, privacy standards and audit mechanisms, and technological protections such as P3P implementations, could all be provided by the Victorian approach if the announced approach matures into flexible and inventive legislation.
[1] Available at
[2] An inter-governmental organisation, the members of which comprise the European Union countries, Switzerland, Turkey, the former Yugoslav states, Canada, the United States, New Zealand, Australia and Japan
[3] Tucker, G `Present situation and trends in privacy protection in the OECD area', Committee for Information, Computer and Communications Policy, OECD, Paris, 1988
[4] Australia announced its intention to adhere to the OECD Guidelines in 1984. The 11 Information Privacy Principles in the Privacy Act 1988 (Cth) are intended to implement the OECD's 8 Principles insofar as personal information held by Commonwealth public sector agencies is concerned. The various methods of enforcement of the Principles provided in the Act implement Guideline 19. State and Territory Freedom of Information Acts implement the Individual Participation Guideline in relation to State and Territory public sectors, but not the other Guidelines. Insofar as the private sector is concerned, it would be difficult to argue that the Guidelines have been implemented in any sector except that relating to credit reporting (Privacy Act 1988 (Cth), Pt IIIA). So Australia has still failed to comply with the Guidelines thirteen years after announcing its adherence.
[5] The Group of Experts on Security and Privacy (OECD) meeting on 19 May 1998 agreed that a Ministerial Statement would be developed stating that the 1980 OECD Guidelines on Privacy are still sound but need to be implemented, and that Ministers urge the private sector to apply them particularly in the context of global networks. They will ask the OECD to prepare a background report giving guidance on how to apply the Guidelines in the networked environment, and to review progress in two years time and revisit the issue.
[6] Canada, the United States, New Zealand, Australia and Japan
[8] Austria, Belgium, Denmark, Finland, France, Germany, Greece, Hungary, Iceland, Italy, Luxembourg, Netherlands, Norway, Portugal, Slovenia, Spain, Sweden and the United Kingdom: see Privacy Laws & Business, May 1997.
[9] The Vienna Convention and other general principles would apply.
[10] Including Australia, Canada, Chile, Democratic People's Republic of Korea, Fiji, Japan, New Zealand, Philippines, Republic of Korea, USA, Vietnam: Status of International Instruments, Chart of Ratifications as at 31 July 1992, United Nations, New York 1992
[11] International Covenant on Civil and Political Rights, G.A. res. 2200A (XXI), 21 U.N. GAOR Supp. (No. 16) at 52, U.N. Doc. A/6316 (1966), 999 U.N.T.S. 171, entered into force Mar. 23, 1976.
[12] Including Australia, Canada, Chile, New Zealand, Philippines, Republic of Korea: ibid
[13] Optional Protocol to the International Covenant on Civil and Political Rights, G.A. res. 2200A (XXI), 21 U.N. GAOR Supp. (No. 16) at 59, U.N. Doc. A/6316 (1966), 999 U.N.T.S. 302, entered into force March 23, 1976.
[14] Toonen v Australia (Views of the Human Rights Committee under article 5, paragraph 4, of the Optional Protocol to the International Covenant on Civil and Political Rights - Fiftieth session concerning Communication No. 488/1992); see 1 Privacy Law & Policy Reporter 50
[15] Greenleaf, G `Human Rights (Sexual Conduct) Bill 1994', (1994) 1 PLPR 121
[16] After Croome and Toonen successfully obtained leave from the High Court to challenge the Tasmanian legislation's consistency with the Commonwealth legislation, the Tasmanian Parliament in May 1997 finally repealed the sections which had led to the complaint to the UN. The Coalition Government was considering Australia withdrawing from the First Optional Protocol so as to prevent other cases going to the Human Rights Committee, in which case Australia would be the first country to so withdraw.
[17] National laws can provide either for objection after the data subject has been informed that the data is to be used for direct marketing, or merely at the data subject's request.
[18] The 1990 draft was limited to decisions `involving an assessment of conduct', and referred to `personality or profile'. The Parliament recommended that this only apply to assessments of `character', that there should be an exception where there is consent, but that there would be a right to be informed of and to challenge any such automated processing. The 1992 draft referred to processing defining a personality profile.
[19] The authority must be notified of such proposed operations by the controller or the data protection official (A20(2)).
[20] Subject to numerous exceptions: A8(2)-(4).
[21] These can only be kept under official authority: A8(5).
[22] The Working Party On The Protection Of Individuals With Regard To The Processing Of Personal Data, Recommendation 3/97 Anonymity on the Internet (December 1997) -
[23] See 3 PLPR 88 for a discussion of the Robot Exclusion Standard; `Rogue' is used tongue-in-cheek because there are many robots that do not adhere to this voluntary standard at present, for technical reasons: see
[24] See International Working Group on Data Protection in Telecommunications `Data protection on the internet - Report and Guidance (Budapest Draft)' (1996) 3 PLPR 110
[25] President Clinton stating in a speech to the World Trade Organisation on 18 May 1998 that `the Japanese Prime Minister, Mr Hashimoto, and I agreed to move forward together with a market-oriented, private-sector-led approach to enhance privacy ...'
[26] See Elizabeth Wasserman `Political Pressure Forces Action on Privacy' The Industry Standard -
[27] Announcement by Allan Rock, Minister of Justice, Canada, to 18th International Conference of Data Protection and Privacy Commissioners, Ottawa, September 1996 - see Privacy Files, Vol 2 No 1 October 1996
[28] Industry Canada/Justice Canada Task Force on Electronic Commerce Discussion Paper The Protection of Personal Information - Building Canada's Information Economy and Society (January 1998) -
[29] Nigel Waters `Reviewing the adequacy of privacy protection in the Asia Pacific Region' IIR Conference Information Privacy - Data Protection, 15 June 1998, Sydney
[30] Australian Prime Minister John Howard announced on 21 March 1997 (Press Release `Privacy Legislation'), following a Premiers Conference, that the Coalition Government had decided against enacting information privacy laws for the private sector, and that he had urged State and Territory Premiers and Chief Ministers not to introduce such laws either. His stated reasons were:
"The Commonwealth opposes such proposals which will further increase compliance costs for all Australian businesses, large and small. At a time when all heads of government acknowledge the need to reduce the regulatory burden, proposals for new compulsory regimes would be counterproductive. On these grounds, the Commonwealth will not be implementing privacy legislation for the private sector."
[31] The Prime Minister also said that he had told the Premiers that the Commonwealth had offered `the services of the Federal Privacy Commissioner to assist business in the development of voluntary codes of conduct and to meet privacy standards'.
[32] This assertion is not the subject of this paper. See the special issues of Privacy Law & Policy Reporter, Vol 4 No 3 and Vol 4 No 9 for details of the Commissioner's approach.
[33] Privacy Commissioner National Principles for the Fair Handling of Personal Information (February 1998) -
[34] See G Greenleaf and N Waters `Putting the "National Principles" in context' (1998) 4 PLPR 161 -
[35] Privacy Act 1988 (Cth) s14 `Information Privacy Principles' (IPPs)
[36] See Greenleaf and Waters op cit and R Clarke `Serious Flaws in the National Privacy Principles' -
[37] See G Greenleaf `Commonwealth abandons privacy - for now' (1997) 4 PLPR 1 for an early catalogue of reasons.
[38] For brief details see James Riley `Victoria to go it alone on privacy' The Australian 16 June 1998
[39] EPIC REPORT - "Surfer Beware: Personal Privacy and the Internet" (June 1997) -
[41] Roger Clarke `Platform for Privacy Preferences: An Overview' - This paper is an excellent simple overview of P3P.
[42] Clarke, `Overview' op cit
[43] Paragraph summarised from Clarke, `Overview' op cit
[44] Roger Clarke `Platform for Privacy Preferences: A Critique' -
[45] Jeri Clausing `Proposed privacy standards fail to please advocates of online privacy' 2 June 1998, NYT Cybertimes
[46] National Standard of Canada CAN/CSA-Q830-96
[47]
[48]
[49] C J Bennett and C D Raab `The adequacy of privacy: The European Union Data Protection Directive and the North American response' The Information Society 13:245-263, 1997, at p257.
[50] Speech to the International Data Protection and Privacy Commissioners' Conference, Copenhagen, September 1995
[51] L Moisan 'The CSA Model Code: The new bid on the block', Privacy Files, Vol 1 No 2, November 1995, from which the above information is derived.
[52] See Ministry of International Trade and Industry (MITI) `Japan's views on the protection of personal data' (April 1998)
[53] Nigel Waters `Reviewing the adequacy of privacy protection in the Asia Pacific Region' IIR Conference Information Privacy - Data Protection, 15 June 1998, Sydney
[54] Comments by Alan Stockdale MLA, Minister for Multimedia, Information Privacy - Data Protection Conference, IIR Conferences, Sydney 15-16 June 1998 - at
[55] `The test will be whether (i) the code is effective in broadly achieving the privacy objectives of the legislation; and (ii) the code is not contrary to the public interest.'