3. Privacy protection in international agreements and via data export prohibition laws
3.1. Privacy in human rights treaties
3.1.1. ICCPR A17
3.1.2. Australia and ICCPR A 17
Applicability of the ICCPR in Australian domestic law
The ICCPR and Executive decision-making
Complaints to the Human Rights Committee under the First Optional Protocol
ICCPR functions of HREOC
3.1.3. Hong Kong and ICCPR A 17
Enforcement of the ICCPR in HK
ICCPR and Bill of Rights Ordinance
Related provisions in the Basic Law
3.1.4. New Zealand and the ICCPR
3.1.5. Decisions of the UN Human Rights Committee concerning A17
Information privacy and ICCPR A17
3.1.6. European Convention on Human Rights (ECHR) A 8
Significance of A 8 for countries outside Europe
3.1.7. ECHR A 8 and data protection
3.1.8. Principles of A 8 jurisprudence
3.1.9. Application of A 8 ECHR in domestic law (UK examples)
3.2. The OECD's privacy and TBDF Guidelines (1980)
3.2.1. The OECD's 8 Principles for national legislation
3.2.2. Implementation requirements of the OECD Guidelines
3.2.3. The OECD's TBDF provisions
The OECD's 4 Principles concerning trans-border data flows
3.3. The Council of Europe data protection Convention (1981)
3.3.1. Scope and content of the Convention
3.3.2. Recommendations for sectoral legislation
3.4. The European Union's privacy Directive (1995)
3.4.1. The content of the EU Directive
3.4.2. Operation of the Directive in European domestic laws (UK example)
3.4.3. European precedents and interpretation of Asia-Pacific privacy laws
3.5. Other international agreements concerning privacy
3.5.1. United Nations Guidelines Concerning Computerized Data Files
3.5.2. International trade agreements - WTO
3.6. Data export prohibitions (1): The EU Directive's 'adequacy'
3.6.1. Operation of the EU data export prohibitions
Standards applied in determining adequacy
3.6.2. Position of regional countries in relation to A25(1) 'Adequate protection'
United States
Canada
Australia
Hong Kong
New Zealand
3.7. Data export prohibitions (2): in Asia-Pacific laws
3.7.1. Jurisdictions with export prohibitions
Hong Kong
Australian private sector - NPP 9
Extra-territorial effect of the Privacy Act 1988
Australian federal public sector
NSW public sector
Victorian public sector
3.7.2. An Asia-Pacific privacy convention?
3.8 The APEC Privacy Framework
Implementation mechanisms

3. Privacy protection in international agreements and via data export prohibition laws

Graham Greenleaf - last updated 24 March 2003; link updates August 2005
[Required] = compulsory reading (in addition to the text below)
Objectives
International law developments toward privacy protection have a complex history, principally since the early 1980s. This Part summarises the principal international agreements affecting privacy, and examines in more detail the most significant recent development, the European Union's privacy Directive (1995).
An area of major importance is personal data export restrictions (otherwise known as 'trans-border data flows' or TBDF) in national laws and international agreements. These restrictions attempt to prevent international flows of personal data to countries that do not provide sufficient privacy protection to that information. The EU privacy Directive (1995) is of particular importance here as an attempt to require parties in non-EU countries to adhere to an international standard (or at least a European standard) when dealing with personal information concerning Europeans.
How the law of particular countries deals with data export issues will be covered in subsequent Reading Guides.
Resources on international agreements and data exports
• A most useful general source is the [Required] Data Protection page of the European Commission's Internal Market directorate. Please look at this page.

3.1. Privacy in human rights treaties

The protection of privacy in general human rights treaties stems from the Universal Declaration of Human Rights 1948 Art 12, which states "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks".
Provisions with similar wordings are now found in the International Covenant on Civil and Political Rights 1966 (ICCPR) A 17; American Convention on Human Rights (ACHR) 1969, A 11, and the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR) A8. The African Charter on Human and Peoples' Rights 1981 has no equivalent provision.
See for details Lee Bygrave Data Protection Pursuant to the Right to Privacy in Human Rights Treaties (1998) 6 Int J of Law and Information Technology, no 3, 247-284 - '2. Relevant provisions on the right to privacy in international human rights instruments'

3.1.1. ICCPR A17

The International Covenant on Civil and Political Rights 1966 (ICCPR)[1] Article 17 provides:
`1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour or reputation.
2. Everyone has the right to protection of the law against such interference or attacks'.
• Lee Bygrave Data Protection Pursuant to the Right to Privacy in Human Rights Treaties (1998) 6 Int J of Law and Information Technology, no 3, 247-284 - This article, though mainly about A8 of the ECHR, compares the ICCPR with the ECHR in relation to privacy protection.
[Required] See the part headed 'Article 17 of the ICCPR'

3.1.2. Australia and ICCPR A 17

[Note: This part on Australia and A17 is adapted from G Greenleaf 'Implications for Australia of international privacy requirements', Protecting Information Privacy Conference, IIR Conferences, 1994, revised 1995 - These notes are old, and the Bygrave paper is more up to date. The links to PLPR and other articles also update this extract, particularly in relation to Toonen and to the Optional Protocol, and the Teoh case and its aftermath]
• For an extremely brief summary, see G Greenleaf 'Australia's international privacy obligations - ICCPR A17' (in Greenleaf 'The European Union's privacy Directive - New orientations on its implications for Australia' (1997) The 1997 Australian Privacy Summit, IBC Conferences, Sydney)
Australia is a party to the ICCPR and the First Optional Protocol (allowing individuals to take complaints ('communications') to the Human Rights Committee of the UN).
Australia's ratification was qualified by a declaration that A17 was accepted without prejudice to `the right to enact and administer laws which, insofar as they authorise action which infringes on a person's privacy, family, home or correspondence, are necessary in a democratic society in the interests of national security, public safety, the economic well-being of the country, the protection of public health or morals, or the protection of the rights and freedoms of others'[2]. These words are very similar to A8 of the European Convention on Human Rights (discussed later). Australia is therefore bound to observe the Covenant, subject to the effect of these words of reservation[3]. The declaration was not relied on by Australia in Toonen, discussed below.

Applicability of the ICCPR in Australian domestic law

[Required] See generally one of the following:
• Glen Cranwell Treaties and Australian Law --Administrative Discretions, Statutes and the Common Law [2001] QUTLJJ 5 - a detailed analysis
• Terry Gygar At last - Enforceable privacy rights in Australia? - the potential for treaties to give protection against uninvited media attention (Bond Law Review) - a brief analysis (HTML version also)
Although the ICCPR has not been incorporated into Australian domestic law, and is therefore not of binding force in Australia, cases confirm that it can nevertheless be influential.
• G Greenleaf Casenote: Young - Applicability of ICCPR in Australian Courts (1994) 1 PLPR 30
In Young v Registrar, Court of Appeal [No 3][4], both Kirby P and Handley JA considered that international conventions, particularly those which enshrine fundamental principles of human rights, provide an important tool of reference for the exposition and development of law (Mabo v Queensland [No 2] (1992) 175 CLR 1 considered). Where there is no hint of ambiguity in the law and a direct conflict between domestic law and the international covenant occurs, domestic law prevails. However in cases where domestic law is ambiguous, international covenants should be used as a guideline for interpretation.
Kruger v Commonwealth (The Stolen Children Case) (1997) 146 ALR 126 (HCA)
Although decided after the Howard Government's Executive Statement re the effect of treaties, and comprised of a complex set of separate judgments, this High Court decision can be interpreted as confirming that legislation which is ambiguous should be interpreted in accordance with 'Australia's obligations under international law ... particularly when they are undertaken in a treaty to which Australia is a party' (per Dawson J). Other members of the Court stressed fundamental rights and principles arising from the common law (Gaudron J) and established principles of international law (Dawson J and Gaudron J), as means of resolving ambiguity. [See the articles cited above for discussion]

The ICCPR and Executive decision-making

• Minister for Immigration & Ethnic Affairs v Teoh (1995) 183 CLR 273
Teoh involved the application of the UN Convention on the Rights of the Child in respect to a deportation order. The HCA held there may be a legitimate expectation that officers of the executive government will act in conformity with international treaties pending implementation, in the absence of a statutory or executive statement to the contrary. It can give rise to breaches of natural justice if a treaty obligation is not to be adhered to and the person affected is not afforded a hearing.
• Executive Statement on the Effects of Treaties in Administrative Decision Making (1997) - Explicitly provided that the act of entering a treaty 'does not give rise to any legitimate expectations which could form the basis for challenging any administrative decision ...'
Although the effect of Teoh has been nullified to a large extent, considerable areas of uncertainty remain (see the article by Cranwell cited above).

Complaints to the Human Rights Committee under the First Optional Protocol

Australia acceded to the First Optional Protocol to the ICCPR on 25 September 1991 (effective 25 December 1991), thereby agreeing to individuals taking complaints (`communications') that Australia has breached a provision of the ICCPR to the United Nations Human Rights Committee.
The Toonen case (UN Human Rights Committee) was the first time Australia had been taken to the Committee under the First Optional Protocol, and the case concerned A17. The case and its aftermath are discussed in the following:
[Required] G Greenleaf Casenote: Toonen v Australia (1994) 1 PLPR 50 - An Australian complaint to the UN Human Rights Committee under ICCPR A17.
Toonen v Australia (Australia - Communication No. CCPR/C/50/D/488/1992) [1994] UNHRC 9 (full text of case)
• G Greenleaf Human Rights (Sexual Conduct) Bill 1994 - Federal legislation to deal with the 'Toonen problem'
• G Greenleaf The Sexual Privacy Saga (1994) 1 PLPR 200 - Report on the passage of the Bill

ICCPR functions of HREOC

Investigation of complaints: The Human Rights and Equal Opportunity Commission Act 1986 (Cth) empowers the Human Rights and Equal Opportunity Commission (HREOC) to investigate complaints of a breach of A17, but only in relation to the actions of Commonwealth government agencies and, in effect, the A.C.T.[5]. The Preamble to the Privacy Act 1988 (Cth) also recites Australia's commitment to implement A17.
Intervention in other cases: However, s11(1)(o) of the Act also gives HREOC a `function', `where the Commission considers it appropriate to do so, with the leave of the court hearing the proceedings and subject to any conditions imposed by the court, to intervene in proceedings that involve human rights issues'. HREOC may (potentially) therefore become an intervener in any case before an Australian court which raises a potential infringement of privacy rights under A17 of the ICCPR. Despite the strict approach that Australian courts have usually taken in granting leave to intervene, it is likely that leave would be granted to HREOC because of this statutory function[6]. The Privacy Commissioner does not have such an intervener function in the Privacy Act 1988 (Cth), but (although he is no longer a member of HREOC), the Commission could intervene in privacy cases. The only two reported cases of HREOC interventions have concerned freedom of religion and multicultural freedom of minorities in a planning case, and sexual harassment[7]. [at date of writing]

3.1.3. Hong Kong and ICCPR A 17

[Most of the links to HKLII are now broken.]
The UK ratified the ICCPR in 1976 both for the UK and for Hong Kong, but with certain reservations applying to Hong Kong (Yash Ghai, 1999, pgs 406-410).
Because of the entrenchment of the ICCPR by s39 of the Basic Law, it is of particular importance in Hong Kong.
See generally:
• Johannes Chan 'The Hong Kong Bill of Rights: An Introduction' in Annotations to the Hong Kong Bill of Rights Ordinance, Butterworths, 1999 (hereinafter 'J Chan, 1999') - This is a brief and very useful introduction to the Bill of Rights and the ICCPR.
• Yash Ghai Hong Kong's New Constitutional Order (2nd Ed., 1999) Hong Kong University Press (hereinafter, 'Ghai, 1999')

Enforcement of the ICCPR in HK

There are three methods of enforcement of the ICCPR (see Yash Ghai, 1993, p410), but only the two less important methods apply to Hong Kong, thereby diminishing its importance to Hong Kong:
• State parties must provide reports to the UN Human Rights Committee concerning implementation of the ICCPR rights (this is compulsory). The PRC, although it is not yet a party to the ICCPR, has agreed that the HK SAR can continue to submit reports (J Chan, 1999, p5). See below for the outcome of the most recent (1999) report.
• One State party can complain to the UN Human Rights Committee concerning violations by another State party. The UK accepted this jurisdiction. This is 'a dead letter which has never been invoked' (J Chan, 1999, p4).
• An individual 'under the jurisdiction' of a State can complain to the UN Human Rights Committee of breaches, but only if the State has adopted the First Optional Protocol to the ICCPR, and the UK did not do so in relation to Hong Kong. J Chan considers it unlikely that the PRC will adopt the First Optional Protocol (J Chan, 1999, p5). The ICCPR cannot therefore be enforced by individuals.
However, A39 of the Basic Law means, in effect, that the provisions of the ICCPR are entrenched as part of Hong Kong law, and that subsequent legislation cannot be inconsistent with the ICCPR without being inconsistent with the Basic Law. Because the Bill of Rights Ordinance to a significant extent implements the ICCPR, the Bill of Rights is treated as if it is entrenched, and other Ordinances are measured against it for consistency (see Yash Ghai, 1993, pgs 419-422 for discussion). However, it is really measured against the ICCPR, as implemented by A39 Basic Law.
Examples of statutes held invalid as a result of A17 ICCPR (as implemented in BORO A14):
R. v. Yu Yem Kin [1994] HKCFI 41 - s.52 of the Dangerous Drugs Ordinance held partially invalid insofar as it granted a power of warrantless search and seizure to 'any police officer', as inconsistent with A14 BOR and other provisions. However, the Court declined to use s6 BORO to hold the evidence obtained inadmissible.
Rights under the Basic Law are available to residents of the HK SAR (with some exceptions not relevant here), and in general are only available to natural persons, not corporations, though this is not free from doubt (see Yash Ghai, 1993, pgs 424-426).
United Nations Concluding Observations of the Human Rights Committee on the Report of the Hong Kong Special Administrative Region of the People's Republic of China in the light of the International Covenant on Civil and Political Rights (1999) - Note para 13 where the Committee criticised the HKSAR government concerning the power of authorities to intercept telecommunications, which it considered to violate the right to privacy under A17 ICCPR.

ICCPR and Bill of Rights Ordinance

[Required] Article 14 Hong Kong Bill of Rights Ordinance - implementing ICCPR Art. 17, which provides 'No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence ...'
Section 7 'provides that the Ordinance binds only (a) the Government and all public authorities, and (b) any person acting on behalf of the Government or a public authority. The Bill of Rights therefore has no direct effect on inter-citizen relationship.'
The HK Court of Appeal held (Tam Hing Yee v Wu Tai Wai [1992] 1 HKLR 185) that the Bill of Rights Ordinance did not apply to 'legal relations between private citizens, even when the relationship was created by legislation' (J Chan, 1999, p3). This means that the ICCPR has not been implemented fully in Hong Kong (see Chan, 1999, for an account of attempts to do so).
'Nonetheless, since section 6 of the Ordinance provides that a court in an action for breach of the Ordinance "may grant such remedy or relief, or make such order, in respect of such a breach, violation or threatened violation as it has power to grant or make in those proceedings", it is arguable that an individual has a cause of action for breach of the right to privacy' against government authorities or public bodies.' [Required] See HKLRC 1999 [1.4]-[1.8].
This right seems to have been relied on infrequently as yet. R. v. Yu Yem Kin HCCC000111/1993 - [1994] HKCFI 41 - The right of privacy under A14 was the basis of an unsuccessful argument that the exercise of a power of search and seizure interfered with that right.
Decisions on the interpretation of the ICCPR A 17 (and its equivalent, ECHR A 8) are therefore of direct relevance to domestic law in Hong Kong, at least insofar as the actions of government are concerned.

Related provisions in the Basic Law

Article 28 Basic Law of the Hong Kong SAR: 'The freedom of the person of Hong Kong residents shall be inviolable. No Hong Kong resident shall be subjected to arbitrary or unlawful arrest, detention or imprisonment. Arbitrary or unlawful search of the body of any resident or deprivation or restriction of the freedom of the person shall be prohibited. Torture of any resident or arbitrary or unlawful deprivation of the life of any resident shall be prohibited.'
Article 29 Basic Law of the Hong Kong SAR: 'The homes and other premises of Hong Kong residents shall be inviolable. Arbitrary or unlawful search of, or intrusion into, a resident's home or other premises shall be prohibited.'
• The HKLRC 1999 comments that A28 and A29 together are similar to the 4th Amendment to the US Constitution. See later Reading Guide for further discussion of the application of these provisions to electronic surveillance.

3.1.4. New Zealand and the ICCPR

NZ is a party to the ICCPR.

3.1.5. Decisions of the UN Human Rights Committee concerning A17

The Human Rights Committee is made up of 18 experts from different countries, elected for four-year terms by countries that are ICCPR parties.
See Decisions of the Human Rights Committee (on WorldLII). Try a search like 'article 17 or (interference w/5 privacy)' to find the main privacy cases at the head of the list.

Information privacy and ICCPR A17

The Human Rights Committee has commented (General Comment 15(32) on A17, 1989) on the applicability of A17 to information privacy:
`The gathering and holding of personal information on computers, databanks and other devices, whether by public authorities or private individuals or bodies, must be regulated by law. Effective measures have to be taken by states to ensure that information concerning a person's private life does not reach the hands of persons who are not authorised by law to receive, process and use it, and is never used for purposes incompatible with the Covenant. In order to have the most effective protection of his private life, each individual should have the right to ascertain in an intelligible form whether, and if so what, personal data are stored in automatic data files, and for what purposes. Every individual should be able to ascertain which public authorities or private individuals or bodies control or may control their files. If such files contain incorrect personal data or have been collected or processed contrary to the provisions of the law, every individual should have the right to request rectification or elimination.'[8]
See
• Lee Bygrave Data Protection Pursuant to the Right to Privacy in Human Rights Treaties (1998) 6 Int J of Law and Information Technology, no 3, 247-284 - [Required] Part 3 'Article 17 of the ICCPR'; Bygrave says 'Case law developed around Art 17 of the ICCPR provides the clearest indication that the right to privacy in international law harbours core data protection principles.'; he says that the above General Comment 'clearly establishes that Art 17 necessitates protection of persons from interferences by private bodies' data-processing practices.'
As noted by the Hong Kong Law Reform Commission, the Committee's comment sketches a set of data protection principles which, while they contain many elements found, say, in the OECD Guidelines, are narrower in their reference to `automatic data files', and probably narrower in referring to `information concerning a person's private life' rather than `personal data' or `personal information'[9].
Nevertheless, the Committee is reading into A17 many of the elements of information privacy principles found elsewhere, and it could therefore be expected that it would favourably entertain complaints (communications) based on the lack of information privacy legislation in either Australian State and Territory jurisdictions or in the private sector.

3.1.6. European Convention on Human Rights (ECHR) A 8

The Council of Europe is responsible for the European Convention on Human Rights (1950), Article 8 of which provides:
`1. Everyone has a right to respect for his private and family life, his home and his correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety, or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.'
References:
• Lee Bygrave Data Protection Pursuant to the Right to Privacy in Human Rights Treaties (1998) 6 Int J of Law and Information Technology, no 3, 247-284 - [Required] Part 4. 'Article 8 of the ECHR'

Significance of A 8 for countries outside Europe

Taking into account the terms of Australia's declaration concerning A17, the terms of A8 and A17 are almost identical, except of course that A8 does not deal with `honour and reputation'. The similarities were evident in Modinos v Cyprus (1993) 16 EHRR 485, a case decided on facts almost identical to Toonen, where the European Court of Human Rights held that a Cypriot statute that rendered male homosexual conduct in private between adults a criminal offence violated A 8 despite a policy of non-enforcement by Cypriot authorities.
Article 8 is significant for countries outside Europe because a considerable body of case law has built up around it, much more so than A 17 of the ICCPR.

3.1.7. ECHR A 8 and data protection

[Note: The rest of this part on A 8 is modified from G Greenleaf 'Implications for Australia of international privacy requirements', Protecting Information Privacy Conference, IIR Conferences, 1994, revised 1995 - the Bygrave paper is more up to date and comprehensive, but these few paragraphs may give those new to the ECHR a quick introduction.]
A 8 has been applied flexibly by the European Commission of Human Rights and the European Court of Human Rights to apply to such issues as wire tapping, file inter-connection, and unauthorised access to personal data. The President of the European Court of Human Rights argues that:
`In decisions such as Klass, Malone, Leander, Huvig and Kruslin, our Court has demonstrated the continuing resilience of the protection afforded by Article 8 when it comes to technological innovations and data processing. The decided cases suggest that this Article may develop towards a right of informational self-determination, in that the collection, storage and processing of personal information by public powers may constitute an interference with the right enshrined in the first paragraph of Article 8.'[10]
In Leander v Sweden (1987) 9 EHRR 433 the use of secret information relating to an application for a security-sensitive post was considered to be an interference with privacy, although a justified one. In Gaskin v United Kingdom (1989) 12 EHRR 36 the failure of Liverpool City Council to allow a person to access the file that was the only record of his formative years was held to be a breach of A8(1)'s positive obligation to respect a person's `private and family life'. The Law Reform Commission of Hong Kong raises the question whether A17 may be more limited in only providing a negative obligation to avoid `interference' with privacy[11].
During 1993 violations of A8 were found in a trio of cases against France because of the wide search and seizure powers of customs officials which could be exercised in the absence of judicial warrants[12]. In Niemietz v Germany [1993] 16 EHRR 97 the Court found that a warrant to search a lawyer's offices to reveal the location of a third party sought in a criminal investigation was a breach of A8 because to interpret `private life' and `home' `as including certain professional and business activities was consistent with the object and purpose of A8...', and even though it was authorised by law this interference `was not necessary in a democratic society as the search complained of was not proportionate to the legitimate aims to be achieved', particularly as there were no special procedural safeguards and it impinged on the professional secrecy of the lawyer.
In Herczegfalvy v Austria (1993) 15 EHRR 437 the Court found that the practice of sending all letters by a prisoner in a psychiatric institution to a curator for review and selection could not be justified and was a breach of A8. The Austrian law was very vaguely worded and did not specify the conditions under which the power could be exercised, and therefore `did not offer the minimum degree of protection against arbitrariness required by the rule of law in a democratic society'.
These European cases illustrate the types of `complaints' that may be made against Australia under A17 of the ICCPR, and the findings that could be made. Similarly, they illustrate the types of precedents that could be valuable in Hong Kong for actions brought under the HK Bill of Rights.

3.1.8. Principles of A 8 jurisprudence

Some of the general principles derived by Bygrave (1998) can be summarised as follows:
• "the Court and Commission have put weight on the basic object and purpose of the ECHR when interpreting its provisions. The object and purpose have been defined in terms of protecting human rights and promoting the ideals and values of democratic society."
• "Article 8 does not merely oblige a state party to abstain from interfering with private life; it additionally creates "positive obligations" on the state party to take action to ensure that private life is effectively respected."
• "the issue of whether or not Art 8 provides protection against the data-processing activities of private bodies has not been conclusively determined" but "It is extremely doubtful that the Court or Commission would not interpret Art 8 as providing some measure of protection against the data-processing activities of private bodies"
In relation to specific privacy issues, some of the principles Bygrave sees as emerging are:
• "The mere existence of laws and practices allowing state agencies to carry out secret surveillance of citizens may be sufficient to interfere with citizens' rights under Art 8(1)"
• "the Court's decision in Malone indicates that some data of ordinarily trivial character may be processed in ways that are found to interfere with the data subject's right under Art 8(1)"
• there are numerous cases where non-consensual collection or storage of data has been held in breach of A 8;
• Three main factors emerge: "(i) the nature of the data in question (eg, to what extent do the data concern "private life"?); (ii) the manner in which the data are processed (eg, are they processed with the knowledge or consent of the data subject?); and (iii) the context for the data processing (eg, are the data found in a register that allows potentially negative assessments to be made of the data subject's character?)"
• In relation to justification under A 8(2), the interference must be (i) "in accordance with the law"; (ii) "necessary in a democratic society"; and (iii) in furtherance of at least one of the aims listed in paragraph 2 (ie, "national security", "public safety", "economic well-being of the country", "prevention of disorder or crime", "protection of health or morals" or "protection of the rights and freedoms of others").
• Re (i), The type of legal basis which is sufficient will depend upon the seriousness of the interference.
• Re (ii), "The criterion of necessity has been interpreted ... as satisfied when the interference "corresponds to a pressing social need" and is "proportionate to the legitimate aim pursued"."
• "Generally speaking, the more intimate or sensitive the data are judged to be, the more stringent will be the application of the necessity/proportionality criterion."
• "One safeguard is the existence of rules to ensure data confidentiality."
• "Another safeguard ... is the existence of an independent control body to monitor activities contravening Art 8(1)."

3.1.9. Application of A 8 ECHR in domestic law (UK examples)

The Human Rights Act 1998 (UK), in effect from 2 October 2000, creates new rights. Under s6.1, it is now unlawful for a public authority to act in a way which is incompatible with a right under the ECHR. The ECHR was also being taken into account in UK law prior to 2000.
Both before and after the coming into force of the Human Rights Act, there have been a series of UK cases testing against A 8 ECHR the way in which the UK government operates various types of 'public registers', including the electoral roll and a paedophile register. Most have failed until Robertson.
../http://www2.austlii.edu.au/itlaw/required.gifRobertson v Home Office [2001] EWHC Admin 915 (16th November, 2001, Kay J) - R objected to the sale by the UK Electoral Registration Officers (EROs) of copies of the electoral Register to commercial interests. "In September 2000 he received the form whereby, each year, an application has to be made for inclusion on the Register. Only those who appear on the Register are eligible to vote. It is a criminal offence to fail to return the form, duly completed. On 6 October 2000 [R] wrote to the ERO in Wakefield stating that he did not intend to complete the form because the practice of selling copies of the register to commercial interests was something he opposed." The ERO told him it intended to add his name to the list anyway. R sought judicial review on two grounds, one related to A 14 of the EU privacy Directive, and one based on A 8 of the ECHR.
(See [26] Ground (2): Article 8 of the ECHR.) The Court accepted uncontested evidence that the sold copies of the electoral register were used for direct marketing purposes and by credit bureaux (see details at [27]). Kay J rejected the view that 'a person's name and current address, without more, are not protected under Article 8'. He accepted R's argument that '[i]t is necessary to examine not just the information which is disclosed but also the anticipated use to which it will be put', which meant that its likely use for direct marketing and credit reporting could be considered. This gave rise to a prima facie case under A 8. The question is then whether the particular interference is justified under A 8.2, in particular whether it is in accordance with law, in pursuit of a legitimate objective and proportionate. Kay J found that:
(i) Previously he had found that the ERO practice was not according to law because (as R submitted) "it is not in accordance with the law because, to the extent that the Regulations permit or, more recently, require the sale of the Register without a right of objection, they fall foul of Article 14(b) of the Directive". [If incorrect on this ground (iii) would still apply.]
(ii) supplying commercial organisations with the Register was a legitimate objective (it was accepted that there were some benefits to consumers and businesses);
(iii) 'the absence of an individual right of objection', in the factual context of the known use of the Register, was 'a disproportionate way in which to give effect to the legitimate objective in question'; it was not 'a proportionate interference with the Article 8 rights of electors who have provided their details under legal compulsion and for public purposes'.
R's Article 8 rights had therefore been breached.
The decision is a significant illustration of how A 8 (and A 17 ICCPR in jurisdictions such as Hong Kong) could be used against administrative practices involving unfair information use, whether or not such practices were allowed by data protection laws and authorised by other laws. In particular, this approach could be used in relation to public registers which fall outside data protection laws.
However, Courts will often give a far greater scope for what are 'proportional' measures where the legitimate objectives are as important as the protection of children. See for example:
Queen v. Worcester County Council Secretary Of State For Department Of Health ex parte "S.W." [2000] EWHC Admin 392 (2nd October, 2000); inclusion of applicant in paedophile register.
Queen v. Chief Constables of 'C' and 'D' ex parte 'A' [2000] EWHC Admin 408 (25th October, 2000); disclosure of police investigations not resulting in any conviction

3.2. The OECD's privacy and TBDF Guidelines (1980)

The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (OECD, Paris, 1980) were one of the first formulations of a comprehensive set of IPPs, and continue to be influential, particularly outside Europe. In 1984 Australia announced its intention to adhere to the Guidelines. The Preamble to the Privacy Act recites that `Australia has informed that Organisation that it will participate in the recommendation concerning those Guidelines'. The OECD Guidelines are the only international instrument dealing specifically with data protection to which Australia is a party.
Resources:
• OECD Privacy and TBDF Guidelines (in full) (on OECD) (Note: both the full Guidelines and the explanatory memorandum are located here)
• OECD Privacy and TBDF Guidelines (extract) - 8 `principles of national application' (on Roger Clarke's pages).
• A very brief summary of the Guidelines in G Greenleaf 'The OECD privacy Guidelines' (in Greenleaf 'The European Union's privacy Directive - New orientations on its implications for Australia' (1997) The 1997 Australian Privacy Summit, IBC Conferences, Sydney)
• Roger Clarke Beyond the OECD Guidelines: Privacy Protection for the 21st Century (unpublished, 2000) - This is a very detailed critique of the OECD Guidelines which 'catalogues the deficiencies that were inherent in the 'fair information practices' tradition that the OECD's 1980 Guidelines codified, together with the additional problems that have arisen since their formulation. It represents a comprehensive agenda for 21st century privacy protection.' This paper is best read after the other materials below.
• Justice Michael Kirby Privacy protection, a new beginning: OECD principles 20 years on (1999) 6 PLPR 25 - The Chairman of the Expert Group that drew up the OECD Guidelines reflects on their history and significance.
[The following is an extract from G Greenleaf 'Implications for Australia of international privacy requirements', Protecting Information Privacy Conference, IIR Conferences, 1994, revised 1995]
The Organisation for Economic Co-operation and Development is an inter-governmental organisation, the members of which comprise the European Union countries, Switzerland, Turkey, the former Yugoslav states, Canada, the United States, New Zealand, Australia and Japan. [Note: Other countries have since joined.]
The OECD's Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (OECD, Paris, 1981) are in the form of a Recommendation by the Council of the OECD, adopted in 1980. Recommendations of the Council are not legally binding on member States, whereas Decisions are. The Guidelines were developed by an Expert Group chaired by Justice M D Kirby, then Chairman of the Australian Law Reform Commission. Australia announced its intention to adhere to the OECD Guidelines in 1984.
The Guidelines are proposed as minimum standards for the protection of privacy and individual liberties. They attempt to balance two `essential basic values': the protection of privacy and individual liberties and the advancement of free flows of personal data. `While accepting certain restrictions to free trans-border flows of personal data, they seek to reduce the need for such restrictions and thereby strengthen the notion of free information flows between countries'. The Guidelines apply to both the public and private sectors. Guidelines 2 to 5 recognise that the Guidelines may be applied in a different manner to different categories of personal data, depending upon its content or how it is collected, stored, processed or disseminated.

3.2.1. The OECD's 8 Principles for national legislation

The core of the Guidelines is the eight `Basic Principles of National Application' in Part Two (Principles 7 to 14). These are principles concerning Collection Limitation, Data Quality, Purpose Specification, Use Limitation, Security Safeguards, Openness, Individual Participation and Accountability. They are supplemented by definitions in Guideline 1, and by Guideline 19 concerning the means of enforcement of the Guidelines to be adopted in national legislation.
Collection Limitation Principle 7. There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
Data Quality Principle 8. Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.
Purpose Specification Principle 9. The purposes for which personal data are collected should be specified not later than at the time of collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.
Use Limitation Principle 10. Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with [Principle 3] except: (a) with the consent of the data subject; or (b) by the authority of law.
Security Safeguards Principle 11. Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.
Openness Principle 12. There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.
Individual Participation Principle 13. An individual should have the right: (a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; (b) to have communicated to him, data relating to him (i) within a reasonable time; (ii) at a charge, if any, that is not excessive; (iii) in a reasonable manner; and (iv) in a form that is readily intelligible to him; (c) to be given reasons if a request made under sub-paragraphs (a) and (b) is denied, and to be able to challenge such denial; and (d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended.
Accountability Principle 14. A data controller should be accountable for complying with measures which give effect to the principles stated above.
The 11 Information Privacy Principles in the Privacy Act 1988 (Cth - Australia) are intended to implement the OECD's 8 Principles insofar as personal information held by Commonwealth public sector agencies is concerned. The various methods of enforcement of the Principles provided in the Act implement Guideline 19.

3.2.2. Implementation requirements of the OECD Guidelines

Principle 19 of the OECD Guidelines indicates the methods of implementation required for compliance with the Guidelines:
19. In implementing domestically the principles set forth in Parts Two [Basic Principles of National Application] and Three [Basic Principles of International Application], Member countries should establish legal, administrative or other procedures or institutions for the protection of privacy and individual liberties in respect of personal data.
Member countries should in particular endeavour to:
a) adopt appropriate domestic legislation;
b) encourage and support self-regulation, whether in the form of codes of conduct or otherwise;
c) provide for reasonable means for individuals to exercise their rights;
d) provide for adequate sanctions and remedies in case of failures to comply with measures which implement the principles set forth in Parts Two and Three; and
e) ensure there is no unfair discrimination against data subjects.

3.2.3. The OECD's TBDF provisions

The OECD's Guidelines contain four basic principles of international application concerning the free flow of, and legitimate restrictions on, TBDF (Principles 15-18). In 1985 the Ministers of the OECD Member countries adopted a Declaration on Transborder Data Flows agreeing to undertake further joint work on TBDF issues.

The OECD's 4 Principles concerning trans-border data flows

15. Member countries shall take into consideration the implications for other Member countries of domestic processing and re-export of personal data.
16. Member countries should take all reasonable and appropriate steps to ensure that transborder flows of personal data, including transit through a Member country, are uninterrupted and secure.
17. A member country should refrain from restricting transborder flows of personal data between itself and another Member country except where the latter does not yet substantially observe these Guidelines or where the re-export of such data would circumvent its domestic privacy legislation. A Member country may also impose restrictions in respect of certain categories of personal data for which its domestic privacy legislation includes specific regulations in view of the nature of those data and for which the other member country provides no equivalent protection.
18. Member countries should avoid developing laws, policies and practices in the name of the protection of privacy and individual liberties, which would create obstacles to transborder flows of personal data that would exceed requirements for such protection.
The main thrust of these OECD Principles is that member countries should avoid restrictions on the free flow of personal data between themselves, with three exceptions in Guideline 17. The first exception in Guideline 17 is where the other member country `does not yet substantially observe these Guidelines' (including the Principles of domestic application). The OECD Guidelines apply to both the public and private sectors.

3.3. The Council of Europe data protection Convention (1981)

The Council of Europe's Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data (Convention No 108) 1981 was developed at the same time as the OECD Guidelines.
[Extract from G Greenleaf 'Implications for Australia of international privacy requirements', Protecting Information Privacy Conference, IIR Conferences, 1994, revised 1995]
The Council of Europe is an inter-governmental organisation, of which 27 countries in Europe are members [now many more], including Austria, Cyprus, the Czech and Slovak republics, Finland, Hungary, Malta, Poland and Turkey. It is therefore a considerably wider grouping of countries within Europe than is the OECD. However, the OECD includes non-European countries[13].
The Council of Europe's Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data (Convention No 108) became open for signature in 1981. It has been in force since 1985, and has now been signed by 19 countries and ratified by 14[14]. Unlike the OECD Guidelines, the Convention is a binding instrument in international law, although it does not have enforcement machinery. Breaches of the Convention are dealt with at the diplomatic level by the Council of Ministers.
Although Australia is not a member of the Council of Europe, Article 23 of the Convention allows the Committee of Ministers of the Council of Europe to allow States which are not members of the Council of Europe to accede to the Convention, provided that all of the Contracting States entitled to sit on the Committee agree. No non-member has as yet become a party to the Convention. Countries such as Australia may also be invited to attend meetings of the Consultative Committee of the Convention as observers (A18), and Australia has attended.

3.3.1. Scope and content of the Convention

The scope of the Convention includes both the public and private sectors, but is limited to the automatic processing of personal data files, and does not apply to data processed `manually'. A party to the Convention undertakes to apply its principles to such files, but may give notice by declarations that it will not apply to certain categories of files, or that it will apply to `manual' files. Such declarations affect the extent to which parties may claim reciprocal treatment from other parties.
Chapter II of the Convention contains eight Articles which constitute `Basic Principles for Data Protection', and are in many respects similar to those of the OECD Guidelines.

3.3.2. Recommendations for sectoral legislation

Once the drafting of the Convention was completed, the Council of Europe's Project Group on Data Protection (formerly the Committee of Experts) commenced development of `sectoral' recommendations, as it was considered that the general principles of the Convention needed more detailed elaboration for certain categories of data. Recommendations are made when they are adopted unanimously by the Committee of Ministers. Recommendations are not binding on Members who are parties to the Convention, who are only required to consider in good faith whether a recommendation should be implemented[15].

3.4. The European Union's privacy Directive (1995)

The Directive is significant both as the most recent international restatement of the content of IPPs, and in that it makes it mandatory on member countries of the EU to prohibit the export of personal information to any country (such as Australia) where the Directive's requirements for privacy protection are not satisfied. The data export restrictions in the Directive came into force in October 1998.
Resources:
• The most useful source for information about the Directive and its implementation is the Data Protection page of the European Commission's Internal Market directorate. Please look at this page and its sub-pages to gain an idea of the range of documents available about the Directive and about data protection generally. You will find there, among other things:
o The text of the EU privacy Directive, 1995 (Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data).
o Related EU and European privacy laws
o Documents adopted by the Data Protection Working Party - This committee of EU national data protection Commissioners plays an important role under the Directive
o Data Protection Conference and Report on the implementation of Directive 95/46/EC Brussels, 30 September - 1 October 2002 - The EU is reviewing the Directive but has not completed doing so.

3.4.1. The content of the EU Directive

Details of the Directive and its significance are found in:
• A detailed analysis of the Directive is in G Greenleaf 3. The European Union privacy Directive (in G Greenleaf Proposed Privacy Code for Asia-Pacific Cyberlaw Journal of Computer-Mediated Communications, (JCMC) Vol 2 No 1 (1996) [referred to below as `Greenleaf (1996) JCMC']); see in particular:
o 3.3. Structure and scope of the Directive
o 3.4. The Directive's 'information privacy principles'
• The significance of the privacy principles in the EU Directive is assessed in 'The EU Directive - A cause for celebration?' in G Greenleaf surveillance: Beyond 'efficiency' and the OECD' (1996) 3 PLPR 148

3.4.2. Operation of the Directive in European domestic laws (UK example)

Robertson v Home Office [2001] EWHC Admin 915 (16th November, 2001, Kay J) (see earlier for facts). R argued that UK domestic law was required to comply with the Directive but failed to comply with A 14(b) which provides the data subject's right to object to processing (See [5]). National implementation of the Directive by EU States was required by 24 October 1998. The UK Data Protection Act s11 is specifically concerned with the right to prevent data processing for the purposes of direct marketing. R argued this was insufficient implementation.
Points of general significance from the judgment of Kay J are that, if UK law did not comply with the Directive by 24 October 1998, UK Courts are required to implement it in two ways:
• By interpreting legislation "as far as possible, in the light of the wording and the purpose of the directive in order to achieve the result pursued by the latter" (see [17])
• A Member State "may not, against individuals, plead its own failure to perform the obligations which the directive entails. Thus ... those provisions may in the absence of implementing measures adopted within the prescribed period, be relied upon as against any national provision which is incompatible with the directive or insofar as the provisions define rights which individuals are able to assert against the State" (Francovich v. Italy) (see [19])
Here, Kay J found that the UK Data Protection Act s11 did comply with A14(b) of the Directive, but that the "EROs have administered the Register without regard to the Directive and section 11 of the Data Protection Act ... [and] they were wrong to do so ... [and] it is incumbent upon the courts to construe the 1986 and 2001 Regulations in a manner which is Directive compliant and consistent with the Data Protection Act". The UK electoral regulations had to be construed in a way that gave effect to the Directive, which means they must be interpreted as subject to s11 of the Data Protection Act, and that R had a right to object to the ERO passing on his information to commercial concerns (see [24]).

3.4.3. European precedents and interpretation of Asia-Pacific privacy laws

Unlike the decisions of the European Court of Human Rights interpreting A 8 ECHR, there is no pan-European Court to interpret the Directive. Important interpretations may arise from the decisions of the Commission and from the opinion of the Working Party of Data Protection Commissioners (the A19 Committee).
One implication of the principles brought out by the Robertson decision is that we can find in the decisions of European national Courts (particularly since 24 October 1998) a body of law interpreting and applying the EU privacy Directive directly, as well as law interpreting and applying the domestic data protection legislation which has been enacted to implement the Directive. Due to the close similarities between the IPPs implemented in the Directive and EU national laws and the IPPs in the laws of jurisdictions such as Hong Kong, Australia and New Zealand, these European sources of interpretation are likely to become the most valuable and extensive sources available.
This is particularly so given the shortage of case law on privacy from Courts in the Asia-Pacific.

3.5. Other international agreements concerning privacy

3.5.1. United Nations Guidelines Concerning Computerized Data Files

Resources:
• United Nations Guidelines Concerning Computerized Data Files adopted by the General Assembly on 14 December 1990
The United Nations Human Rights Committee adopted in 1990 Guidelines Concerning Computerized Data Files. The Guidelines have not yet been adopted by the General Assembly. The voluntary guidelines contain minimum standards for incorporation in national legislation, covering such matters as collection, accuracy, purpose specification, access, non-discriminatory use, security, trans-border data flows, supervision and penalties. The Guidelines arose from a French initiative. At the 1989 Data Protection Commissioner's Conference a number of Commissioners expressed the hope that the UN initiative would facilitate the spread of privacy legislation beyond Europe and North America.
The intervention of the United Nations could provide a fourth model around which international harmonisation of data protection laws could be based: the Council of Europe Convention, the OECD Guidelines, the European Union Directive and the UN Guidelines. However, nothing seems to have happened since 1990.

3.5.2. International trade agreements - WTO

These agreements are not likely to be sources of privacy rights, but may act as limitations on the operation of privacy laws. The issue of privacy laws being used as trade barriers could potentially be raised at the WTO.

3.6. Data export prohibitions (1): The EU Directive's 'adequacy'

The European Union Directive on privacy and free flow of personal data[56] of 1995 ('the Directive') makes it mandatory for EU member countries to prohibit the transfer of personal data to any countries which do not have privacy laws meeting the standards set out in the Directive. These changes to the laws of Member Countries to implement the Directive were required to be in force by October 1998.
The 1995 Directive is in stark contrast in this respect to the two previous major international privacy instruments, the OECD privacy Guidelines and the Council of Europe privacy Convention of the early 1980s. Neither of these agreements requires its signatories to impose export restrictions on non-signatory countries, or on countries which do not provide an adequate degree of protection. They do not contain any positive requirement to restrict exports, but leave this up to the signatory countries.

3.6.1. Operation of the EU data export prohibitions

For a detailed discussion of the operation of the data export restrictions (as understood in 1998), see G Greenleaf 4. Compliance with the EU data export requirements in Global Protection of Privacy in Cyberspace - Implications for the Asia-Pacific (Self-regulation, national laws and international agreements) 1998 Internet Law Symposium, Taiwan, June 1998.
There are three distinct ways in which an export of personal data from Europe to a country such as Australia can be justified under the Directive (these explanations are as at 1998):
• Where the country (or the relevant sector within it) provides `adequate protection' under A 25(1); [See below concerning further developments since 1998]
• Where one of the mandatory exceptions to A25 applies (A 25(2));
• Where, in the circumstances of the particular transaction, there are `adequate safeguards' (A 26).
o Draft Commission Decision on standard contractual clauses for the transfer of personal data to third countries (27 March 2001)
An important issue for countries without comprehensive national privacy laws is what will be involved, and with what compliance costs, in satisfying these last two requirements.

Standards applied in determining adequacy

Data Protection Working Party Working Document: Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive 1998 (extract in materials)

3.6.2. Position of regional countries in relation to A25(1) 'Adequate protection'

The first tests of the meaning of A25 have now been completed with the EU's decisions on whether the USA's 'Safe Harbor' proposals, Canada's federal legislation, and the laws of Switzerland, Argentina, and various other countries constitute 'adequate protection' under A25.
The EU is actively considering the laws of Japan, New Zealand, Australia and other countries, but has not reached any final decisions yet. The Working Party of data protection Commissioners has however delivered its opinion on the Australian law.
See Commission Decisions on the adequacy of the protection of personal data in third countries for the current position in all countries, including non-EU European countries.

United States

The European Commission has made a decision in favour of the USA's 'Safe Harbour' scheme. Note that this is a decision of very limited scope.
• European Commission Data protection: draft package agreed for protection of data transferred from EU to US (see above site)
"Safe Harbor" principles
• G Greenleaf 3 Data imports - What will the EU Directive mean after 'Safe Harbor'? in Exporting and importing personal data National Privacy and Data Protection Summit, IBC Conferences - Sydney May 2000. [This was written prior to the decision, and expressed undue optimism about how strong a stand the EU would take.]
• US Department of Commerce The Safe Harbor Privacy Principles (2000) 7 PLPR 47
• G Greenleaf Safe Harbor's low benchmark for `adequacy': EU sells out privacy for US$ - [2000] PLPR 32 - a somewhat disappointing result for those wanting high international standards of data protection to be preserved!

Canada

The second 'adequacy' decision in Asia-Pacific countries concerns Canada's private sector law:
• Press release Data protection: Commission recognises adequacy of Canadian regime (14 January 2002)
• European Commission Decision on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act (January 2002) - It gives EU-wide approval to transfers of data to those Canadian institutions that come under the Act, as and when they do, and subject to certain conditions. Note the mechanisms for suspending data transfers to some particular bodies if they appear to be in breach of Canadian law.
• Data Protection Working Party Opinion 2/2001 on the adequacy of the Canadian Personal Information and Electronic Documents Act

Australia

The Commission has not yet made a decision concerning Australia. However, the A29 Committee (of European Data Protection Commissioners) has indicated numerous aspects of the Australian legislation that fall short of European standards (in the sense of providing weaker protection for data concerning Europeans than it would receive while in Europe).
• Data Protection Working Party Opinion 3/2001 on the level of protection of the Australian Privacy Amendment (Private Sector) Act 2000
• Aneurin Hughes A Question of Adequacy? The European Union's Approach to Assessing the Privacy Amendment (Private Sector) Act 2000 (Cth) - [2001] UNSWLJ 5
• G Greenleaf Private Sector Bill amendments ignore EU problems (2000) 7 PLPR 41
• Peter Ford Implementing the EC Directive on Data Protection — an outside perspective (2003) 9 PLPR 141 – a critical view from the Australian Government perspective; The Australian Federal Government considers that the EU Commission should not undertake the exercise of assessing the adequacy of other countries' laws at all.

Hong Kong

The Commission has not yet made a decision concerning Hong Kong, and the Data Protection Working Party has not yet expressed an opinion.
See Berthold & Wacks (2nd) pgs 37-44 for a detailed assessment of the HK Ordinance in light of the concept of 'adequacy'.

New Zealand

The Commission has not yet made a decision concerning New Zealand, and the Data Protection Working Party has not yet expressed an opinion.
• Blair Stewart 'Proposed amendments to NZ Privacy Act to give "adequate" protection' (2000) 7 PLPR 160

3.7. Data export prohibitions (2): in Asia-Pacific laws

It is not only Europe that is implementing restrictions on the flow of personal data to countries that do not have `adequate' privacy laws. Similar provisions are now found in the laws of Québec, Hong Kong and Taiwan (outlined below), as well as now being found in various Australian laws (these are covered in detail later under the Disclosure IPPs).

3.7.1. Jurisdictions with export prohibitions

See G Greenleaf Data export restrictions in Asia Pacific laws in Global Protection of Privacy in Cyberspace - Implications for the Asia-Pacific (Self-regulation, national laws and international agreements) 1998 Internet Law Symposium, Taiwan, June 1998; see this paper for coverage of the following jurisdictions:
• Hong Kong
• Taiwan
• Québec
See the following for coverage of other regional jurisdictions:
• Australian private sector
• NSW (Australia) public sector
• Victoria (Australia) public sector
• Northern Territory (Australia) public sector law
• New Zealand
• Canada private sector

Hong Kong

Assuming that the proposed overseas processing of the data is a permitted use of the data, s33 prohibits the export of personal information from Hong Kong unless the information will receive similar protection in the importing country to that which it is given under Hong Kong law, or certain exceptions apply (s33).
The approach taken in the Hong Kong law is to prohibit the data user from transferring personal data to a place outside Hong Kong (including to other parts of China) unless one of the following conditions applies:
• (a) the place has been specified (by the Commissioner) by a Gazette notice to have laws which are substantially similar to, or serve the same purpose as, the HK law; or
• (b) the user has reasonable grounds for believing that the place has such laws; or
• (c) the data subject has consented in writing to the transfer; or
• (d) the user has reasonable grounds for believing that the transfer is to mitigate adverse action against the data subject, who would have consented to it if it was practicable to obtain their consent; or
• (e) the data are covered by an exemption from data protection principle 3 under Part VIII ('domestic purposes', 'security', 'crime prevention', 'health', reporting news, and some others); or
• (f) 'the user has taken all reasonable precautions and exercised all due diligence' to ensure that the data will not be dealt with in any manner in that place which, if it had occurred in Hong Kong, would contravene the Ordinance.
Breach of s33 can result in an enforcement notice by the Commissioner (s50), or an action for compensation for any damage, including injury to feelings (s66). The s33 restriction applies not only to personal data which has (prior to export) been collected, held, processed or used in Hong Kong, but also to data which 'is controlled by a data user whose principal place of business is in Hong Kong'. Such a 'Hong Kong business' cannot therefore set up an 'offshore' personal data processing operation to avoid the law, even in relation to data that has never entered Hong Kong.
For example, if a Hong Kong business controls data being processed by its Singapore office or processing bureau, there cannot be data transfers between the Singapore office and Australia unless there is compliance with s33.
The Ordinance came into force generally on 20 December 1996, but s33 has not been proclaimed as yet. This was in line with a recommendation by the Commissioner, who wanted time to issue guidelines on how to comply with s33. He has now issued such guidance, as discussed below, but s33 is still not yet in force.
See B&W pgs 138-142

Australian private sector - NPP 9

• Privacy Act 1988 Schedule 3 NPP 9 Transborder data flows
• Federal Privacy Commissioner Draft National Privacy Principle Guidelines (May 2001) - Chapter 12 - Transborder Data Flows
• G Greenleaf 2.10. NPP 9 Transborder data flows in 'Private sector privacy: Problems of interpretation' [2001] CyberLRes 3
• Graham Greenleaf 'Private sector Bill amendments ignore EU problems' (2000) 7 PLPR 41
In the private sector scheme under the Commonwealth Privacy Act, NPP 9 (Privacy Act 1988 Schedule 3 NPP 9 Transborder data flows) is a principle dedicated expressly to the regulation of transfers of personal information to foreign countries. The principle is modelled on Articles 25 & 26 of the EU Directive and seeks to achieve the same objective - ensuring as far as possible continued and adequate privacy protection for 'exported' data.
Unlike the earlier versions of this principle, which dealt with 'other jurisdictions' rather than foreign countries, NPP9 does not now provide any protection where personal information is transferred either to a State or Territory government which is not subject to a privacy law or to one of the large number of private sector organizations which will be exempt from the Commonwealth regime (see above).
The principle itself, in its application to 'foreign' transfers, differs in some significant respects from the terms of Articles 25 & 26.
• Under the Commonwealth Act, consent for transfer does not have to be 'unambiguous', and organizations are allowed to make an assumption about the likelihood of consent where it is impracticable to obtain it (NPP9(b) and (e)).
• Organisations are allowed to make their own assessment of whether there is 'adequate protection' in the destination country (NPP9(a)).
• The exception where 'the organization has taken reasonable steps to ensure that the information ...will not be held, used or disclosed inconsistently with the NPPs' (NPP9(f)) is much weaker than the nearest equivalent in Article 26(2) in that it addresses only standards and not safeguards and the exercise of rights.
• There is no equivalent in NPP9 to the public interest, legal claims, or vital interests derogations in Article 26, although it is assumed that the government intends to provide for these in some other way - otherwise a range of important cross border transfers - including for law enforcement or major emergencies - would be prohibited.
While the intention of NPP 9 is to provide an equivalent to Articles 25 & 26, it appears to fall short of those provisions in a number of key respects, while in other respects being more restrictive.

Extra-territorial effect of the Privacy Act 1988

This is a separate but related issue.
• G Greenleaf 3.2. Extra-territorial application - 'Australian' businesses overseas in 'Private sector privacy: Problems of interpretation' [2001] CyberLRes 3

Australian federal public sector

In relation to government agencies, the Commonwealth Act, which predates the EU Directive, contains no specific provisions relating to onward transfers to other jurisdictions, although advocates have argued that the security principle (IPP4) might require a data 'exporter' to take reasonable steps to ensure that personal information was not misused in the hands of a recipient.
The government has not taken the opportunity of the recent amendments to apply an onward transfer restriction to Commonwealth agencies. Any transfers of personal data to a Commonwealth agency will not therefore be able to meet the criteria expected in relation to the Directive's onward transfer provisions.
The NSW and Victorian Acts both expressly address the issue of onward transfer in an attempt to meet the requirements of the Directive.

NSW public sector

Under the NSW Act, the 'Special restrictions' principle (s.19(2)-(5)) which deals with sensitive data also prohibits public sector agencies from disclosing personal information outside the State unless either a relevant privacy law is in force, or the disclosure is permitted under a privacy Code of Practice. The Privacy Commissioner is required to develop a Code concerning onward transfers by 1 July 2001. He can also issue determinations as to which laws in other jurisdictions qualify as having a relevant privacy law in force.
The extent to which this provision meets the criteria expected in relation to the Directive's onward transfer provisions will depend on the content of the Code and/or basis of any determinations by the Commissioner.
Many of the general exemptions apply to this onward transfer principle - so that it does not restrict transfers which are reasonably necessary for law enforcement; authorized or required by law; or with the express consent of the individual, or made by specified investigative agencies (ss.23-28).

Victorian public sector

The Victorian Act adopts the onward transfer principle developed by the Privacy Commissioner to put limits on the flow of information outside Victoria. An organisation is only allowed to transfer personal information outside Victoria if it reasonably believes the recipient is subject to a law, or other binding obligation, which imposes restrictions on the use of that information that are substantially similar to the information privacy principles (Schedule 1, IPP 9).
Personal information may also be transferred with the individual's consent or if the transfer is necessary for the performance of a contract. If consent of the individual cannot practically be obtained, the organisation can only transfer the information if it is for the benefit of the individual and if the individual would be likely to give the consent.
As there are few exemptions from any of the principles, this provision in the Victorian Act would seem to satisfy the criteria expected in relation to the Directive's onward transfer provisions, but only if there is some mechanism for giving rulings or guidance on what constitutes an adequate level of protection in other jurisdictions.

3.7.2. An Asia-Pacific privacy convention?

Do these developments mean that there is a need for some type of international privacy agreement in the Asia-Pacific, to ensure the free flow of personal data in return for some common level of privacy protection?
This is what occurred in Europe as the spur to the development of the European Convention. It is also the positive side of 'adequacy' under the EU directive: adequate laws provide a jurisdiction-wide guarantee of free flow of personal information from Europe.
Is it feasible in the Asia-Pacific? - see G Greenleaf 6. Towards an Asia-Pacific information privacy Convention? (in the Taiwan paper, above) for one proposal.

3.8 The APEC Privacy Framework

See the Powerpoints for this topic for current material on the APEC Privacy Framework – the following only reflects the position in early 2003.
See the following for early background on the initiative, which was initiated by Australia in early 2003:
• Peter Ford Implementing the Data Protection Directive - An Outside Perspective [2003] 9 PLPR 141
• Documents concerning Australia's 'APEC Privacy Initiative' (First drafts by Mr Peter Ford, First Assistant Secretary of the Information and Security Law Division, Federal Attorney General's Department, Australia, as presented to an APEC working group in March 2003)
• John McGinness 'What's up in the Asia-pacific? - APEC Privacy Initiatives' (Cth Attorney-General's Department) paper presented to Privacy Issues Forum, Wellington NZ, March 28 2003 [not yet available - will be provided in full when available]
In the above paper Mr McGinness (in a paper co-authored by Peter Ford) says:
"Proposed APEC Privacy Principles The ECSG established a sub group to manage data privacy work within APEC. This sub group is now developing the proposed APEC Privacy Principles and implementation mechanisms with a view to formal discussion by member economies in August 2003. A draft of the Principles is expected to be released for public comment before that discussion. As part of the consultation process an APEC privacy workshop will be held in conjunction with the International Data Protection Conference in Sydney, Australia in September 2003."
"At an APEC Privacy Forum held in Thailand in February 2003, Australia pressed the view that the OECD Privacy Principles of 1980[16] may represent a good starting point in drafting the proposed principles. In 1998, an OECD Ministerial Conference in Ottawa reaffirmed the relevance of the OECD principles to today's networked society and, since then, work within the OECD has focussed on practical measures to implement privacy protection in the global information society. On that basis, these principles would appear to offer a good reference point for discussion within APEC. However Australia acknowledged that the membership of the OECD[17] and APEC[18] differs and the OECD principles, having been developed in a different context, will require modification to fully meet the needs of APEC member economies."
"The complexity of any process of developing privacy principles acceptable to all APEC economic jurisdictions must not be underestimated. This is illustrated by the contributions made at the Thailand Privacy Forum. In discussing the merits of the development of a common set of data privacy principles relevant to APEC economies, speakers at that Forum emphasised the need for balanced privacy protection approaches, flexible implementation mechanisms, and respect for APEC diversity in facilitating cross-border data transfers. The major contributions at the Forum included:..." ....
• That there may be benefits to APEC economies in looking at compatible global approaches to privacy protection to ensure cross-border data flows and privacy protection;
• That the OECD privacy guidelines may be a beginning point, not an end point, for discussion of flexible privacy principles, recognizing both their widespread influence and flexibility, but also that review is appropriate in developing guidance due to changes in the information environment since the OECD privacy guidelines were written;
• That the unique characteristics and priorities of APEC economies should be taken into account."

Implementation mechanisms

• For text of the first draft of a set of alternatives proposed by Australia, see Australia's 'APEC Privacy Initiative' - PRIVACY IMPLEMENTATION MECHANISMS (first draft by Mr P Ford, March 2003). Self-certification is the preferred Australian option.
In the above paper Mr McGinness says:
"In developing privacy principles, the APEC privacy subgroup will also be looking at the question of implementation mechanisms for privacy protection in relation to cross border transfers of personal information. It is unfortunate that to date consideration of this issue in international forums has been dominated by the European Union (EU) Data Protection Directive of 1995. The Directive provides that within the EU, privacy laws must be harmonized and each EU country must follow the same rules in dealing with the transfer of personal information to non-EU countries. Unrestricted transfers to a non EU country may only be permitted where the laws and practices of the non-EU country pass an 'adequacy' test administered by the European Commission. To date, only Switzerland, Hungary, Canada, Argentina and the 'Safe Harbor' arrangements of the United States have passed that test.
In practice, the apparent uniformity and rigidity of the EU privacy protection model gives way to considerable variation and flexibility within the EU. This was widely acknowledged at a conference in Brussels on 30 September - 1 October 2002 which was called as part of a review of the Directive[19]. While it is still too early to say whether any significant changes will come out of the review, a more flexible and consistent approach to transfers of data to non-EU countries may be under consideration.[20]
The Australian Government's view is that the EU model is not suitable as an international standard. It is too prescriptive, it gives too much power to a bureaucracy and it does not allow for innovative developments. The Australian view is that there is no need for any externally-imposed test of 'adequacy' and that observance of internationally agreed principles should be a matter upon which economies would self-certify.
Among the benefits to be gained from this proposal are a level of assurance that privacy will in fact be protected in international commerce, and the removal of one of the impediments to e-commerce being able to develop its full potential. A principles-based approach also has the flexibility to allow for improvements over time and for further innovation in privacy practices.
Some may object that self-certification offers no guarantee that protection of privacy will be observed. To this, Australia's response is that neither does a regulatory system like the EU Directive. Indeed, the non-observance of the Directive in some EU States means the regulatory prescription of a particular privacy rule may mean little in practice. A self-certification process would, however, be consistent with practice in relation to the implementation of a number of UN Conventions.
Moreover, any failure to observe accepted principles would be a matter that could be taken up through diplomatic channels. National agencies that are tasked with supervising the implementation of privacy laws and practices could be encouraged to develop appropriate liaison arrangements with their counterparts in other economies.
The details of implementation mechanisms for any APEC privacy Principles will need further discussion, but the core of the current Australian position is that the means by which privacy protection should be implemented is a matter for individual economies."
[1] See Human Rights and Equal Opportunity Commission Act 1986 (Cth) Sched. 2 for the text of the Covenant.
[2] Aust. T.S (1980) No 23, and annex. Ratified on 13 August 1980.
[3] As to which, see the Vienna Convention on the Law of Treaties, A2 meaning of 'reservation', and A19-A23
[4] Court of Appeal of New South Wales (Kirby P, Handley and Powell JJA) Decision 17 November 1993
[5] See G Hughes op cit p49 et seq for the Australian history of attempts to implement the ICCPR.
[6] Discussed in CCH Australian & New Zealand Equal Opportunity Law & Practice [3-800]
[7] Discussed in CCH Australian & New Zealand Equal Opportunity Law & Practice [3-800]
[8] Paragraph 9, General Comment 15(32) on A17, Doc. CCPR/c/21/Rev.1 19 May 1989
[9] Law Reform Commission of Hong Kong op cit [2.18]
[10] R Ryssdal 'Data protection and the European Convention on Human Rights' in Data protection, human rights and democratic values, Proceedings of the XII Conference of the Data Protection Commissioners, 2-4 October 1991, Council of Europe, Strasbourg, p41
[11] Law Reform Commission of Hong Kong op cit [2.26]
[12] Funke v France [1993] 1 CMLR 897; Miailhe v France (1993) 16 EHRR 332; Cremieux v France (1993) 16 EHRR 357
[13] Canada, the United States, New Zealand, Australia and Japan
[14] Austria, Denmark, France, Germany, Guernsey, Iceland, Ireland, Isle of Man, Jersey, Luxembourg, Norway, Spain, Sweden and the United Kingdom: see Privacy Laws & Business, June 1993.
[15] See Vienna Convention on the Law of Treaties A26 for the general obligation to perform treaties in good faith.
[16] http://europa.eu.int/comm/internal_market/en/dataprot/inter/priv.htm
[17] http://www.oecd.org/oecd/pages/home/displaygeneral/0,3380,EN-countrylist-0-nodirectorate-no-no-159-0,00.html
[18] http://www.apecsec.org.sg/
[19] http://europa.eu.int/comm/privacy.
[20] closing address of Commissioner Bolkestein http://europa.eu.int/comm/internal_market/en/speeches/spch-02-439_en.htm