Implementing the Data Protection Directive - An Outside Perspective

This paper was published in [2003] 9 PLPR141

Peter Ford

This paper, written in August 2002, was presented to the European Commission conference reviewing the implementation of the EU Data Protection Directive 95/46/EC, held in Brussels on 30 September and 1 October 2002.

 I have called this an outside perspective because my experience in this area is that of someone who has been coming to Brussels for about 5 years now for discussions on the Directive with European Commission officers. As any trip from Australia to Europe, or the other way, is a major undertaking, our discussions were arranged to follow meetings in Paris of the OECD's Working Party on Information Security and Privacy. In December 2000, Australia amended its Privacy Act to cover the private sector. The nature of the discussions changed accordingly to focus on the meaning and application of particular provisions of the amended Act.

 Before addressing the issues from an Australian perspective however, which I will do in the second half of this paper, I would like to address them in my capacity as chair of the OECD's Working Party on Information Security and Privacy. In so doing I must emphasise that I am not speaking on behalf of the Working Party, which has not yet completed its report on the privacy issues that have been referred to it, but in a personal capacity. In relation to Australian Government policy, I am, of course, speaking as a professional public servant.

 The Directive greatly advanced the protection of privacy in Europe. Having regard to the size of the European Union, its global significance in providing protection for personal information which flows across national borders is difficult to overstate. The Directive has also been of fundamental importance in promoting a greater level of confidence within Europe in electronic communication and commerce.

 Beyond Europe however, the Directive has also raised some difficult issues in its application to data transfers across national borders. The accommodation reached between the United States and Europe in the `US Safe Harbor Principles' seemed, at first, to indicate a measure of flexibility on the part of the Commission; however, our experience has been that what is acceptable from the US will not necessarily be accepted from other countries. I should note that the charge that there has been an inconsistency of application of the adequacy test has been vigorously rejected by the Commission and I will return to it later. The other objectionable feature, I will argue, is an excessively regulatory approach flowing from a tendency to use the Directive as a template for the laws of non-EU countries.

The OECD Privacy Principles

First, it is opportune to recall the language of Part Three of the OECD's Information Privacy Principles of 1980.
`Part Three - Basic Principles of International Application: Free Flow and Legitimate Restrictions
15. Member countries should take into consideration the implications for other member countries of domestic processing and re-export of personal data.
16. Member countries should take all reasonable and appropriate steps to ensure that transborder flows of personal data, including transit through a Member country, are uninterrupted and secure.
17. A Member country should refrain from restricting transborder flows of personal data between itself and another Member country except where the latter does not yet substantially observe these Guidelines or where the re-export of such data would circumvent its domestic privacy legislation. A Member country may also impose restrictions in respect of certain categories of personal data for which its domestic privacy legislation includes specific regulations in view of the nature of those data and for which the other Member country provides no equivalent protection.
18. Member countries should avoid developing laws, policies and practices in the name of the protection of privacy and individual liberties, which would create obstacles to transborder flows of personal data that would exceed requirements for such protection.'
This language is, I suggest, hardly consistent with a restrictive, Euro-centric assessment of the privacy laws of countries outside the European Union. On the contrary, it suggests that the test for `adequacy' should be based on an assessment of substantive outcomes rather than legalistic analysis of the minutiae of privacy regulation.

 Since the development of the 1980 Privacy Guidelines, the OECD has continued to work in the area of privacy, particularly in relation to the digital economy. In 1997 and 1998 the OECD held conferences that gave broad political attention to online privacy issues. These culminated in a Ministerial level conference in Ottawa in October 1998 entitled "A Borderless World: Realising the Potential of Global Electronic Commerce".

 The Ottawa conference adopted a Ministerial declaration that recognised the 1980 Privacy Guidelines as representing an international consensus on privacy standards and providing guidance on the collection of personal information in any medium. The Guidelines were also seen as a foundation for privacy protection on global networks.

 The Ministers reaffirmed their commitment to the protection of privacy on online networks and agreed to take the steps necessary to ensure the effective implementation of the Privacy Guidelines on global networks.

 Since the Ottawa conference, the Working Party on Information Security and Privacy has focussed much of its work on the implementation of six elements for online privacy protection:

1. Encouraging the adoption of privacy policies.

The OECD Privacy Policy Statement Generator was developed as an educational Internet technology tool which provides organisations with a step by step guide to implementing privacy protection consistent with the Privacy Guidelines. The generator assists organisations to review their current privacy practices and makes use of a questionnaire to learn about the organisations' practices. A draft policy statement is then created by the generator which provides an indication of the extent to which the organisations' practices adhere to the Privacy Guidelines.

2. Encouraging the online notification of privacy policies to users.

By making the Privacy Policy Statement Generator freely available, the OECD has contributed to both business and individual awareness of online privacy issues. The generator has made it easier for business to provide consumers with notice online of their privacy policies.

3. Ensuring that enforcement and redress mechanisms are available to users in cases of non-compliance with privacy standards.

The OECD has done a considerable amount of work on online alternative dispute resolution mechanisms (`ADR') for business on consumer privacy and consumer disputes. It has given member countries guidance as to how best to use ADR by providing comprehensive information about the types of online ADR mechanisms that are available; developing an educational instrument for potential parties to online ADR; and surveying potential legal issues concerning the online resolution of cross border disputes.

 In addition to its work on ADR, the OECD undertook to survey and analyse enforcement mechanisms that are available to address non-compliance with privacy principles. The completion of this analysis, hopefully by early next year, will provide a better understanding of how privacy safeguards and enforcement mechanisms can enhance the implementation of the Privacy Guidelines and generate better privacy outcomes.

4. Promoting user education and awareness about online privacy and the means of protecting privacy.

Promoting user education and awareness was seen early on as an important tool to assist the implementation of the Privacy Guidelines. The OECD took the view that education had to be more than simply the dissemination of information. It is a process of communication that must take into account the diversity of interests of the various users of global networks. Efforts have been made to understand the cultural and other differences between users. More dedicated work may be undertaken on this in the future.

5. Encouraging the use of privacy-enhancing technologies

Privacy Enhancing Technologies (`PETs') have been of great interest to the OECD. PETs can empower individuals to choose their own level of privacy and control their own personal data. However, these technologies vary in their ability to respond to different privacy concerns. An inventory of privacy enhancing technologies was produced by the OECD to analyse the availability and variety of privacy enhancing technologies, consider the factors affecting their adoption and form a basis for policy makers to consider the deployment of PETs. OECD member countries have agreed that PETs are helpful tools and to encourage both individual and corporate users to deploy them.

6. Encouraging the use and development of contractual solutions for online transborder data flows

The OECD prepared a report on transborder data flow contracts as part of the wider framework for online privacy protection. The report examines the issues raised by applying contractual analysis to business to consumer online communications.

 Member countries recognised the potential benefits of business to business model contracts. They therefore welcomed the work being carried out in this area by other international organisations, including the EC. It is hoped that through cooperative efforts, effective contractual privacy solutions can be achieved.

 I should add here, though, that the Australian experience with model contractual provisions is not entirely positive. While excellent work has been done to create model clauses, the clauses themselves are still based on the regulatory environment of the EC. As a result, they do not necessarily fit well within the Australian commercial environment. We are involved in continuing discussions with the EC on this issue and are hopeful of resolving our differences.

Australian Privacy Act

Turning now to the Australian Privacy Act, I will speak for the remainder of this paper in my capacity as Australian negotiator in relation to the Directive. I will preface my remarks with a comment I have often heard from a colleague in the OECD working party. That is that my criticisms are intended to be constructive and I hope they will be received in that light. Also, my criticisms are directed not towards the staff of the Commission, for whom I have great respect, but at the process of assessing adequacy.

 The Attorney-General has characterised the Australian Act as embodying `light touch regulation' based on the OECD Principles. A public response from Brussels, if not from the Commission itself, is set out in two documents which make it possible to discuss the issues in a public forum without breaching confidences. The first is a submission to the Senate Standing Committee on Legal and Constitutional Affairs when the legislation was before the Australian Parliament and the second is an advisory opinion of the Data Protection Commissioners under Article 29 of the Directive dated 26 January 2001 (`the Article 29 Opinion'). For convenience, I will limit my references to this document, noting that it does not necessarily represent the view of the Commission itself.

 The Australian law also borrows some concepts from the Directive but not its regulatory underpinnings. In essence, the Australian approach is to set minimum standards and allow industry, if it so wishes, to develop its own codes which must be approved by the Privacy Commissioner if they are to operate in place of the statutory standards. A code can be approved only if it `incorporates all the National Privacy Principles or sets out obligations that, overall, are at least the equivalent of all the obligations set out in those Principles'.

While true to the OECD Privacy Principles, the National Privacy Principles (`NPPs') have been written collaboratively with user representatives and contain practical exemptions and exceptions. The Privacy Commissioner, who is vested with the power to hear complaints and with a range of educative and regulatory functions, has announced a strategy of building, over time, a `culture of privacy'. It is a matter of some pride that, in the 14 years of the Act's operation in the public sector, and the first year of its operation in the private sector, it has not been necessary to use the formal powers conferred on the Commissioner in order to resolve complaints.

 The strategy of building a culture of privacy is one which we believe we share with the European Union. We are very serious about it and pay great attention to what is happening in practice in transactions between business and consumers. Wherever possible, we endeavour to utilise market forces in encouraging privacy protection.

 In summary, this legislation, which encourages the development of voluntary codes but with enforceable minimum standards, builds on the strengths of both the OECD and the EC models. At the Attorney-General's request, the legislation applying to the private sector, which, of course, is still in its infancy, will be reviewed by the Privacy Commissioner in 2003.

 The two European Commission documents to which I have referred, are consistent in that they enumerate a number of objections to the legislation.

Non-Australian data: Of these, one has been accepted by the Attorney-General as legitimate and as requiring an amendment of the Act. At present, the Act applies only to Australian data and no remedy is provided for a person outside Australia who feels his or her privacy has been infringed in Australia. The Attorney has announced his intention to introduce an amendment to provide such a remedy as soon as it can be done within the constraints of the Government's legislative programme.

 In this connection, it is also important to note that non-Australian data is, in fact, covered by the Privacy Act. It is only the Privacy Commissioner's power to enforce the protection of such material that is in issue.

`Generally available publications': The Article 29 opinion says:

 `The collection of data for the purpose of including it in a generally available publication falls within the scope of NPPs 1 (collection), 2 (use and disclosure) and 3 (data quality) but once the information is compiled in a format such that it comes within the definition of a generally available publication, the remaining Privacy Principles are not applied. This excludes all individual rights such as access and correction.

 The working party notes that excluding publicly available personal data and in particular the secondary uses thereof from any protection is contrary to the line taken by the directive. Moreover the 1980 OECD guidelines contain no such general exemption.'

 With respect, it is difficult to imagine what useful purpose might be served by a requirement for a right of access to a document which is already publicly available. Further, the discussion of a right of correction is highly theoretical and unrealistic when it is considered that National Privacy Principle 6 provides an access and correction right that is in accordance with the OECD Individual Participation Principle.

 The application of the NPPs to publicly available information will, however, be monitored. In this connection, the Privacy Commissioner has issued a consultation paper on 'Privacy and Collection of Publicly Available Personal Information'. He has announced that, following this consultation, he will finalise an information sheet on this issue which, although non-binding, will aim to help organisations apply the Privacy Act and the NPPs.

Use and disclosure: Next, objection is taken to an exception to the `use and disclosure' principle which applies where the use or disclosure is `required or authorised by or under law'. The Article 29 Data Protection Working Party commented:

 `In the working party's view it is acceptable to provide for an exception when organisations are faced with conflicting legal obligations, but to widen the exception to cover all options offered by sector specific laws, past present and future, risks undermining legal certainty and devoid the content of the basic protection. The wording "authorized" as opposed to "specifically authorized" which existed in the January 1999 edition of the National Principles can also be read to mean that all secondary purposes that are not forbidden are allowed. In the working party's view such a wide exemption would virtually devoid the purpose limitation principle of any value.'

 This is a fundamental misreading of Australian law. This exception is primarily for the purpose of ensuring that personal information can be disclosed in circumstances when the Parliament has deemed disclosure to be appropriate. Such authorisations will almost invariably be specific but there may be some instances where a more general kind of authority would suffice such as, for example, the authority inhering in a Parliamentary committee. In our system of government, it would be inappropriate to include the word `specific' in the text of legislation. It would also give rise to new problems with the Australian States.

 Some examples of legislation authorising disclosures are:

Consideration is also being given to the granting of authority to particular government agencies in circumstances involving the use of biometric data.

 These examples show that `authorised by law' is a fairly tightly delineated concept. Moreover, the rules of statutory interpretation require courts to interpret the Privacy Act in a way that furthers its objectives.

 The application of this exception where the use is authorised by the common law is an issue of some complexity which will be monitored. In some cases, the application of the common law may be very important. For example, the right of a Parliamentary Committee to require the production of documents to assist it in discharging its responsibilities depends, to some extent, on principles which have not been expressed in statute law.

 With regard to the Working Party's concern about future laws, as a matter of constitutional law, future laws will apply in any event. Even if the Privacy Act were to be declared to be a fundamental law, Parliament would not be limited in its power to make new laws overriding privacy protections. The primary protection against such action is the role of the Attorney-General in scrutinising new Bills that are under preparation for the Parliament.

`Sensitive data': The opinion then objects to the treatment of `sensitive data' on the grounds that, while the collection of such data is subject to additional safeguards, its subsequent use is not. The Australian position is that it is sufficient to impose such regulation at the stage of collection; further regulation is unnecessary.

`Trans-border data flow': The Australian law on transborder data flow follows that of the Directive but also adds another provision allowing transfers where `the organisation has taken reasonable steps to ensure that the information which it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the National Privacy Principles'.

 While this attracted adverse comment from the Article 29 Working Party, the substantive point of the criticism was linked to the objection about non-coverage of non-Australian data. As mentioned above, this objection has been accepted and is being addressed.

Employee data: In relation to employee data, the Working Party observed:

 `Employee records are defined in subsection 6(1) in the broadest sense including information about the engagement, terms and conditions of contract, evaluative material over the performance of the contract, employee's emergency contacts, trade union membership, recreation long leave, taxation, banking affairs, etc.

 The working party notes that employee related data often contains sensitive data and sees no reason to exclude it at least from the protection given by NPP 10 for sensitive information. Moreover the exemptions allow information about previous employees to be collected and disclosed to a third party (eg, a future employer) without the employee being informed.

 It is the working party's opinion that the risk of privacy violations makes it all the more important to impose additional safeguards when exporting this type of data to Australia and recommends that the operators put into place appropriate means to do so (for example, through contractual clauses).'

 Again, this mis-states the position. The exclusion of employee data is limited as explained in the following extract from the Explanatory Memorandum to the Bill:

 `The Government has agreed that the handling of employee records is a matter better dealt with under workplace relations legislation. An act or practice engaged in by a current or former employer of a person in relation to an employee record will be exempt from the operation of the legislation if the act or practice is directly related to the current or former employment relationship. The requirement of a direct link to the employment relationship has been included to ensure that employers cannot use employee records for commercial purposes unrelated to the employment context.

 An employee record is defined broadly as a record relating to the employment of an employee and includes the types of records typically held by employers on personnel files.'

 The exemption does not allow a past employer to forward information to a prospective employer without the employee being informed. The prospective employer would have to comply with the collection principle and notify the individual of the collection.

 Moreover, the practical implications for the EU of this exclusion are not very substantial given that Australian companies are not major employers of European labour.

Small business: Understandably perhaps, the Working Party expresses concern over an exception relating to small business. Again however, the law is not well understood.

 The Article 29 Opinion states that the complexity of the small business exemption renders it necessary to assume that all data transfers to Australian businesses are potentially to a small business operator which is not subject to the law, unless the name of the small business is in the Privacy Commissioner's Register.

 However, the Working Party does not appear to understand the way the exemption will operate, and in particular, the limits on the exemption. There is no acknowledgment of the practical reality that most Australian businesses that deal with businesses in Europe or elsewhere will be covered by the Privacy Act. The assumption should be that businesses are covered rather than the reverse.

 The following outlines the limits of the small business exemption:

 * An individual, body corporate, partnership, unincorporated association or trust is not a small business operator and is therefore subject to the Act if:

 (a) its annual turnover exceeds A$3m; or

 (b) it provides a health service and holds health information (except on an employee record); or

 (c) it discloses personal information for benefit, service or advantage (other than with the consent of the individual or as required or authorised by legislation); or

 (d) it provides a benefit, service or advantage to collect personal information (other than with the consent of the individual or as required or authorised by legislation).

 * A body corporate is not a small business operator and is therefore subject to the Act if it is related to a body corporate that carries on a business that is not a small business.

 The Australian Government has excluded from the ambit of the legislation only those small businesses that pose no threat or a low threat to privacy. This was based on a considered view that the risk of privacy breaches from a sector that rarely trades in personal information is small and does not justify the costs of regulation in this area. For example, the local butcher may hold personal information about some of his/her customers solely for the purpose of satisfying customer needs or for billing purposes. Such a business does not trade in personal information. There are sound policy reasons why that small business should not be subject to privacy regulation.

 However, the Australian Government recognises that there are some small businesses that do pose a risk to privacy. For example, businesses that trade in personal information pose such a risk. Businesses that provide health services and hold health information also pose a privacy risk because of the sensitivity of the personal information they hold. In addition, small businesses that are related to large businesses are considered to pose a privacy risk by virtue of their relationship to a large, more sophisticated organisation. It is for these reasons that such businesses are specifically excluded from the exemption. In other words, these high privacy risk businesses are covered by the legislation and must comply with it.

 One easily identifiable way to know whether a business is covered or not is to check its privacy statement on its website (or other documentation). National Privacy Principle 5 requires an organisation to be open about how it deals with personal information and to provide its policies to anyone who asks for them. If an organisation holds itself out as subject to, and complying with, the legislation when in practice it does not, then action can be taken under Part V of the Trade Practices Act 1974 for misleading conduct.

 The effect of (c) and (d) above is to ensure that businesses that trade in personal information are denied the benefit of the small business exemption and are covered by the Act. This requirement provides certainty for organisations outside Australia that deal with Australian businesses. That is, if an Australian business offers to trade in personal information with an overseas organisation, the organisation can assume that the Australian business is subject to privacy regulation regardless of whether it is a small or large business.

 * For example, if an Australian business offers to disclose personal information to an overseas organisation for a benefit, service or advantage, the overseas organisation should assume that the Australian business is subject to privacy regulation.

 - Australian business X offers to provide European business Y with personal information about all of its customers for $1,000 or in exchange for some other service from the European business Y. In these circumstances, the Australian business can be assumed to be `trading in personal information for a benefit, service or advantage' and be outside the scope of the small business exemption and therefore subject to privacy regulation.

 * Similarly, where an Australian business offers a benefit, service or advantage to an overseas organisation to collect personal information from it, the overseas organisation can assume that the Australian business is subject to privacy regulation.

 - Australian business X offers to pay European business Y $1,000, or provide a service to it, for personal information about the customers of European business Y. In these circumstances the Australian business can be assumed to be `trading in personal information for a benefit, service or advantage' and be outside the scope of the small business exemption and therefore subject to privacy regulation.

 It should be noted that the exclusion of health information from the exception is of fundamental practical importance.

Direct marketing: Direct marketing also attracted attention because, although the Act requires that recipients of direct marketing be given an opportunity to `opt out', it does not strictly prohibit the collection of information for the purpose of direct marketing (although it does circumscribe the opportunity for such activities). The practical result is that direct marketers get one opportunity to send marketing material without the recipient's consent. Objecting to such an arrangement as `inadequate' in terms of privacy protection is, I suggest, with respect, a mere quibble. Moreover, to descend to this level of detail seems to me to confuse means with ends. Accepting that it is legitimate for the EU to say what it requires by way of protection of European data, it is surely a matter for third party countries to say how they will provide such protection. Australian consumers are given an unqualified right to `opt out' of receiving direct marketing.

 This is an area where the test imposed on Australia also seems to be more restrictive than that imposed on the US. As I read the 'Notice' principle and 'FAQ 12 - Choice - Timing of Opt Out', information may be collected for the primary purpose of direct marketing without first obtaining consent.

Notice: Finally, the Opinion notes that the Australian collection principle allows organisations to inform individuals before, or at the time of, collection but also adds that, if this is not practicable, it may inform individuals as soon as practicable thereafter. It criticizes this result as a departure from the OECD Guidelines and says that it is of importance in regard to sensitive data. This misinterprets the legal position. NPP 10, which applies to the collection of sensitive information, requires prior consent except in very limited circumstances. In this connection, it is also interesting to compare FAQ 15 of the US Safe Harbor Principles which states:

 'It is generally not necessary to apply the Notice, Choice and Onward Transfer Principles to publicly available information unless the European transferor indicates that such information is subject to restrictions that require the application of those Principles.'

 The Australian Act also sets out two new principles relating to anonymity and the use of identifiers. The 'anonymity' principle is that, whenever lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation. The 'identifiers' principle limits the right of an organisation to adopt as its own an identifier of an individual that has been assigned by a government agency such as a tax file number.

 These expansions of privacy protection in Australian law are indicators of our commitment to privacy principles.

Stocktaking - Current Situation

Where then does this leave us?

 I suggest there is no credible international standard other than the OECD Principles. The EC Data Protection Directive may serve well as a document for the European Union but it is not an adequate basis for international agreement. It is no different in principle from the idea of Australia joining with New Zealand and Pacific island states (assuming we could reach agreement) to settle a statement of principles and seeking to impose the result on the rest of the world. Of course, the idea of imposing such a settlement would be ludicrous but the only difference from the EU approach is one of size and economic power. Instead, to look to the OECD for such a role is consistent with the OECD's traditional bridging activities in global economic policy. The importance of the OECD Principles has been acknowledged by Ambassador David Aaron, the US negotiator for the 'Safe Harbor principles' in the following terms:

 'Fortunately, we had the precedent of privacy principles that we and the Europeans had agreed upon in the OECD many years ago. This became a touchstone of the discussions.' [1]

 While I recognise that the EU has a legitimate interest in protecting the privacy of EU data that is transmitted beyond its borders, the nature of modern communications is such that any EU standard of this kind becomes, in effect, a global standard and, having regard to the nature of its comments on Australian law, I doubt whether the Commission itself would take a different view. As such, those of us who live outside the EU have a stake in the outcome. In the absence of an international convention, the OECD Principles are the nearest we have to an international standard.

 Of course, this is not to say that the OECD Principles are necessarily the last word. A number of commentators have pointed out that they were drafted against the background of a concern, prevalent in the 1970s, about the risks that increasingly centralised government databases presented for democratic societies. That concern, the argument runs, has been replaced by a concern with the misuse of data scattered throughout the private sector but available to many organisations through information networks. Calls for revision of the guidelines have not, however, yet been accepted by the OECD. Most recently, the Ottawa Ministerial Conference in October 1998 recognised that the 1980 Privacy Guidelines were still applicable in that they 'represent international consensus and guidance concerning the collection and handling of personal data in any medium, and provide a foundation for privacy protection on global networks'.

 It is worth noting also that an interesting parallel development is an increasing interest within APEC in discussing privacy issues relating to the transborder flow of personal information. There is clearly some potential for the development of an alternative approach to this issue in that forum.

 A curious feature of the debate over international privacy protection is that much of it ignores what is happening 'on the ground'. We need to factor into policy development, for example, the results of surveys on the extent to which online service providers notify users of their privacy policies. The Consumers International survey of 25 January 2001, which found that, on a number of indicators, online privacy was better observed by US-based websites than by EU websites, raises serious questions for advocates of European-style legislation.

 Relevantly, there is substantial anecdotal evidence that non-compliance with the Directive is widespread throughout the European Union. For example, testimony by Mr Jonathan Winer, a US lawyer, before the US Congressional Sub-Committee on Commerce, Trade and Consumer Protection on 8 March 2001 included the following:

 'A few months ago, I was asked by an American company to look at the privacy policies and practices of an EU company that it was purchasing, as part of due diligence, in order to assess the potential risks of liability for the US firm in connection with the purchase. The EU company was in a consumer business that caused it to acquire, process, and manipulate sensitive consumer personal data hundreds or thousands of times every day of the kind theoretically protected by the Privacy Directive. The EU company had no on-line privacy policy. It also turned out to have no off-line privacy policy. In fact, it had no privacy policy at all, and after due diligence, we found no evidence that the EU company had ever undertaken steps to comply with the Directive. Ultimately, we advised the US company, which has comprehensive privacy policies in place, to seek indemnifications from the EU company in case the EU privacy regulator decided to sanction it. The EU company was happy to do so: it advised the US company that in this EU country at least, the actual issuance of penalties for non-compliance with the Privacy Directive and with national privacy laws, was almost unknown.'

 There are some grounds for believing that this kind of experience is not limited to US commercial lawyers.

 The impact on Australian companies would differ because, generally speaking, they are not likely to be involved in this sort of activity. They can, however, be disadvantaged in tendering for international contracts, despite being prepared to sign up to EU standard form contracts, simply because of the 'red tape' involved.

 I should note in passing that, in any assessment of the 'adequacy' of Australia's privacy laws, it needs to be recognised that the Australian legal tradition is one that takes international obligations very seriously and gives full effect to any statutory restrictions. Respect for the law is also deeply entrenched in popular culture.

Domestically, there are arguments that privacy law should go further and countervailing arguments that it already goes too far. Sometimes the arguments are not well informed. For example, since the beginning of this year there has been a widespread and persistent, though erroneous, concern that the law may prohibit members of a religious congregation from praying for a person without that person's express consent. Such misconceived interpretations make it difficult to pursue genuine law reform. On other issues, the policy debate in Australia reflects global concerns. For example, the current work of the Australian Law Reform Commission and the Australian Health Ethics Committee on genetic privacy is of assistance in ongoing privacy policy work within the OECD.

 The potential for alternative dispute resolution in international privacy protection should also be recognised. I was one of the chairs of a joint OECD, Hague Conference on Private International Law and International Chamber of Commerce conference on the role of ADR in privacy protection and consumer affairs held in The Hague in December 2000. I well remember the impassioned debate between US and European speakers on the relative merits of ADR and judicial hearings. What remains even more clearly in my mind however, is the intervention from the floor of a Singapore delegate who said you 'would have to be crazy' to opt for judicial resolution for privacy disputes in preference to ADR in an international context.

 The work carried out by the OECD's Working Party on Information Security and Privacy suggests, to my mind, that the value of ADR in resolving privacy disputes across national borders is substantial. National differences in legal frameworks for ADR may diminish its effectiveness in an international context but there is no inherent inconsistency between ADR and the implementation of the Directive.

 Another matter requiring further consideration is the lasting effect of the events of 11 September 2001. In this connection, the recent debate within the EU Parliament on data retention is instructive. As an outside observer, it seems to me that the cause of privacy was not served by an almost reflexive opposition on the part of some privacy advocates to the demands of law enforcement. Instead of fighting against a requirement for Internet Service Providers to retain data, I suggest that it would have been more productive to have focussed on what restrictions and accountability requirements should be imposed on the retention of data once it became clear that governments considered the retention of data necessary for their national security and law enforcement purposes.

 The question, then, is how deficiencies in the implementation of the Directive might be addressed.

 First, and most importantly, I suggest that the process be amended to allow for discussions at political level. The process by which the Article 29 Working Party issues an advisory opinion should also be more transparent.

In our view, we have also been treated differently from the US. For example, in addition to the points already noted, it is possible under the 'Safe Harbor Principles' for US companies to disregard the Directive in relation to generally available publications that contain only US data. No such principle has been recognised for Australia. We understand the concern to ensure that the Directive's standard of protection in relation to particular issues is not progressively downgraded through negotiations with other countries, but that concern should not result in different treatment for different countries on issues of detail of this kind.

If, on the other hand, the Article 29 Opinion is based on the view that, rather than focusing on a comparative assessment of particular issues, there should be an overall assessment of a country's privacy protection, it follows that there should be some flexibility where the level of privacy protection in the other country varies across the application of the OECD privacy principles. The level of privacy protection may depart from the Directive's standards on some issues but, on other issues, be higher than in Europe or than in another country with an 'adequacy' rating (e.g. Australia's additional NPPs).

 Even if we are eventually successful in attracting an 'adequacy' rating for Australian law however, I suggest more needs to be done to improve international co-operation.

A new approach

A more fundamental change would be to promote the OECD Principles as the international standard. This need not require any action from the OECD itself but simply a willingness on the part of member countries to accept a declaration by another country framed in the terms of paragraph 17 (above) of the OECD Guidelines - that it substantially observes the Guidelines - as evidence of what it says. It will, of course, be objected that there would be nothing to stop declarations being made where there is insufficient privacy protection, but if this should happen one would expect that any deficiencies would soon become apparent. In that event, some kind of remedial action would need to be considered. Such a system would not be perfect but it would at least have the following advantages:

 - it would allow privacy law to develop and evolve in response to real practical issues instead of being cast in its present mould and oriented towards the resolution of highly theoretical problems;

 - it would avoid the difficulty of representatives of one group of countries sitting in judgement on the adequacy of the laws of others; and

 - it would be a move towards a 'best practices' model rather than one of compliance.

 An assurance of a member country's compliance with the Principles could be provided by the Minister responsible for privacy protection.

 Companies incorporated within those countries could then self-certify that they will adhere to the Principles. If this sounds fanciful, consider that it has, in effect, already been accepted by the EU in its arrangement with the US (the US Safe Harbor Principles) and that the US is not the only country that can give legal effect to such arrangements. Failure to enforce privacy protection in a particular case would then be a matter to be raised with privacy regulators. If it were not possible to resolve any such problems through discussions between regulators, it would always be possible to revert to the use of contractual clauses. Over time, it should also be possible to shift the international focus from one of compliance to one of 'privacy best practice'.

In this connection, it should be recognised that the Directive is not the final word on privacy protection any more than are the OECD Privacy Principles or any national legislation. There is a risk that if the Directive's trans-border data flow rules are applied too rigidly the effect will be to stifle innovation and development in the law of privacy protection. The achievement of a basic standard of privacy protection applicable to international data transfers is one thing; the imposition of a rigid uniformity blocking any further development of the law to confront emerging problems associated with technological change is quite another.

 In a robust exchange of views in the media with the Attorney-General on the accuracy of the EC's interpretation of Australian law, the former EU Ambassador to Australia said: 'We think the concerns are a little more than niggling and certainly refute the idea we're ignorant'. Leaving aside the emotive language, the point of substance is that while we in Australia undoubtedly know less than you do about EU law, we consider, with respect, that we know more about Australian law. There is, in our view, a fundamental flaw in the implementation process in that it runs directly counter to this fact.
Peter Ford is First Assistant Secretary, Information and Security Law Division, Federal Attorney-General's Department, Australia

[1] Ambassador David Aaron, testimony to US Subcommittee on Commerce, Trade and Consumer Protection, 8 March 2001.