Reporting privacy complaints:  Part I: A proposal for systematic reporting  of complaints in Asia-Pacific jurisdictions

Graham Greenleaf

[Published in 9 Privacy Law & Policy Reporter 41]

This paper was prepared for a Workshop at the International Conference of Privacy and Data Protection Commissioners, Cardiff UK, September 2002 Part II of this paper 'Complaint reporting practices of Asia-Pacific Privacy Commissioners' will appear in a subsequent issue of PLPR.

  • Why reporting is needed
  • A neglected issue
  • Factors needing further consideration
  • Publication requirements and prohibitions
  • Access to legislation and delegated legislation
  • The legal effects of Commissioner's decisions
  • Complaint reporting practices of Asia-Pacific Commissioners
  • Reporting of decisions about Commissioners and privacy Acts
  • A proposal for systematic complaint reporting
  • Choice of complaints reported
  • Naming of respondents and complainants
  • Level of detail in reports
  • Indexing
  • Regularity of reporting
  • Reporting of decisions about Commissioners, and other decisions
  • Methods of publication
  • Self-publication
  • Secondary publishers
  • Official citations for complaints
  • Reporting under Codes of conduct
  • Desirable outcomes

  • Privacy Commissioners in Asia-Pacific jurisdictions that have information privacy laws have widely diiffering practices in how (or whether) they report the results of the complaints they investigate. This paper compares these practices in the jurisdictions of Hong Kong, New Zealand, the Australian jurisdictions (Federal, New South Wales and Victoria), and the Canadian jurisdictions (Federal, British Columbia, Ontario and Québec). Other Australian and Canadian jurisdictions, receive brief mention.

     The first part of this paper puts forward proposals for systematic reporting of complaints investigated which could provide a basis for a more uniform approach, and would result in improvements to various practices. The second part of the paper is a critical description of the existing practices in each jurisdiction, on which the proposals are based.

    Why reporting is needed

    In those Asia-Pacific jurisdictions that have information privacy laws, provision is usually made for complaints about breaches of the law to be made to a statutory official[1], most commonly known as a Privacy Commissioner.

     Few cases under information privacy laws ever reach the Courts, whether in Asia-Pacific jurisdictions or in European jurisdictions[2]. The reasons are various between jurisdictions, and in some cases include the lack of sufficient rights to appeal or to seek judicial review[3]. Whatever the reasons, the result is that the overwhelming majority of complaints of breach of privacy laws are resolved by Privacy Commissioners , whether by mediation, or by exercise of binding dispute resolution powers where they have them. Since only a tiny number of issues requiring legislative interpretation will ever reach the Courts, on most points the law is in effect what the Privacy Commissioner says it is.

     If details of these complaint resolutions by Privacy Commissioners are not effectively available to the interested public, the consequences are generally adverse. Some adverse consequences are as follows:

    Of course, there are countervailing factors. Publication of complaint resolutions is only one aspect of the transparency and educational role of a Privacy Commissioner, and different views can be taken of where Privacy Commissioners, who often have inadequate resources, should place their priorities. Some Commissioners with a very effective record in other forms of public communication are very poor at reporting complaints, but we should not over-emphasise this since it is much easier and less contentious to publish 'feel good' information exhorting compliance with an Act than it is to identify those who fail to comply.

     The need for complaint reporting is also sometimes difficult to reconcile with the desire to mediate a settlement between the parties, but this can usually be dealt with by anonymisation. Where it cannot, it should be a matter of case-by-case assessment, not a general reason for non-publication. This is discussed later.

     This paper suggests improvements to the reporting practices of some Privacy Commissioners who already implement many good practices. In other instances it is more critical. However, it should be borne in mind that current Commissioners may have inherited practices from their predecessors, and not yet had adequate opportunity, or resources, to remedy them.

    A neglected issue

    There have been occasional calls for more effective reporting of complaints by Commissioners, but this issue has not yet commanded the attention it deserves. I have occasionally raised the matter[5]. The problems caused by lack of sufficient reporting have been noted in relation to other jurisdictions by Bygrave[6], who gives details of the inadequacies of Norwegian reporting practices. He calls for more extensive reporting as a solution, but does not provide details of what this requires. The need for greater disclosure and transparency of the handling of decisions was also raised at the launch of the Australian Federal Privacy Commissioner's public opinion research, and illustrated by demands from Canadian lawyers to the Canadian Privacy Commissioner[7].

    Factors needing further consideration

    This paper focusses on current practices in the publication of decisions. There are three related issues touched on in passing at various points, the comprehensive coverage of which would require separate papers.

    Publication requirements and prohibitions

    The first factor is the extent to which privacy legislation in the various jurisdictions either requires publication of decisions, or prohibits publication, or prohibits certain aspects of publication such as the identification of one or both parties. These matters are discussed at various points, but comprehensive discussion would require a different paper. However, in general, there are relatively few legislative requirements one way or the other, except in some cases in relation to identification of complainants, and the scope and nature of publication is left to a large extent to the discretion of Commissioners.

    Access to legislation and delegated legislation

    Another related issue is the extent to which Privacy Commissioners publish or make accessible the legislation under which they operate. This includes not only the primary legislation (they almost always do), but more importantly the delegated legislation that affects them whether it is made by governments (eg regulations) or is made by them in the form of Guidelines, Determinations, Codes, Exemptions etc. A separate study would be required to compare these publication practices, and their adequacy.

    The legal effects of Commissioner's decisions

    Unlike some Courts, administrative officials like Privacy Commissioners are not bound to follow their own previous decisions (nor of course those of Commissioners in any other jurisdiction). On the other hand, it is unlikely that Privacy Commissioners would be prohibited from considering how they had dealt with previous similar complaints before them, or how other Commissioners had dealt with similar complaints, if only to inform themselves of the range of issues that had been taken into account on previous occasions and that it might be relevant for them to consider.

     However, to go beyond such simple propositions is difficult, because of differences in the administrative law of the ten or so Asia-Pacific jurisdictions that have Privacy Commissioners. Laws may differ concerning such matters as what constitute relevant/irrelevant considerations that administrators may/may not take into account, requirements of consistency in administrative actions, requirements of administrators to adhere to announced policies, and the conditions under which judicial review of administrative action is available. These matters are beyond the scope of this article.

     Irrespective of these administrative law differences, we can generalise to say that the publication of Commissioners' decisions will increase the likelihood that apparently inconsistent decisions of Commissioners will be subjected to judicial review, and that Commissioners would feel more constrained (irrespective of the legal position) to act consistently if inconsistencies will be pointed out to them by dissatisfied parties, critics and others. These effects are generally desirable.

    Complaint reporting practices of Asia-Pacific Commissioners

    The complaint reporting practices in each of the major jurisdictions in the Asia-Pacific that have information privacy laws are outlined in Part II. They are assessed against two main criteria: (i) do they help all interested parties understand how the Privacy Commissioner is interpreting the privacy law(s) of the jurisdiction; and (ii) do they help all relevant parties understand the range of outcomes reached in individual complaints and whether those outcomes provide reasonable redress for the complainants, and only impose reasonable burdens on the respondents.

     Terminology has been simplified in order to make comparisons easier. Although the officials responsible for privacy have different names in different jurisdictions, 'Privacy Commissioner' is used most frequently and I have used that as the generic. Similarly, the expression 'IPP' is used generically to refer not only to 'Information Privacy Principles', but also 'National Privacy Principles', 'Data Protection Principles', 'Privacy Protection Principles' and the like.

     In order to make sense of the different types of reporting practices between jurisdictions, we must distinguish between four broad categories of reports:

    Comprehensive reporting practices require all four types to be addressed.

    Reporting of decisions about Commissioners and privacy Acts

    Although this article focuses on the reporting of dispute resolutions by Privacy Commissioners (the first two categories above), the responsibilities of Privacy Commissioners should also extend to making accessible the decisions of Courts and Tribunals about Privacy Commissioners and the legislation that they administer (the third and fourth category above).

     The availability of decisions of Tribunals or Courts in appeals against, or judicial review of, Privacy Commissioners' decisions varies a great deal between jurisdictions.

    In Australia, once decisions on privacy complaints go beyond Commissioners by way of judicial review or appeal[9], all Australian jurisdictions provide accessible reports of the decisions of the succeeding levels of dispute resolution. The decisions of the relevant Australain appellate tribunals and Courts[10] are all included on AustLII[11]. There is therefore no theoretical issue concerning the availability of these decisions[12] in Australia, and no practical issue for those who know where to look. However, most businesses, some complainants, and even inexperienced advisors, would not know how to find these decisions. It is highly desirable, and takes little effort, for the websites of Australian Privacy Commissioners to provide links to these decisions. The Federal Commissioner's site does not provide this as yet[13]. As to NSW, see below.

     In contrast, decisions of the Administrative Appeals Board in Hong Kong, which hears appeals against the Privacy Commissioner's decisions, are not yet available on the Internet, and their existence and content is only known to a small group of people in government and at the Bar. Similarly, the pathetic state of Internet access to caselaw of New Zealand Courts and Tribunals means that there is little effective public access to the decisions of some of the bodies that review decisions of the Privacy Commissioner. Under these circumstances the best that can be expected of Privacy Commissioners is that their websites identify those decisions that have reviewed the Privacy Commissioner's decisions and (if possible) provide a brief summary of the decision. The NZ Commissioner does this, but the HK Commissioner does not.

     Similarly, some privacy legislation provides rights that can only be pursued before a Court or Tribunal, and the Privacy Commissioner is not necessarily involved in these decisions. Examples are s66 of the Hong Kong Personal Data (Privacy) Ordinance[14]], which requires court proceedings if a complainant wishes to obtain compensation, and s98 of the Australian Federal Privacy Act 1988[15], which allows any person to seek an injunction against breaches of the Act. If there are cases interpreting these provisions (there is one in Hong Kong but none in Australia), then it would be very desirable if the Commissioners' websites could provide links to them. Neither does so. The NSW Commissioner's site does provide such links to ADT decisions on appeals against agency decisions[16], and furthermore publishes summaries of ADT decisions in print and on its website as part of a 'Newsletter for Privacy Contact Officers '[17].

    A proposal for systematic complaint reporting

    Informed by the above review, this part now sets out under eight headings the elements that need to be included in a comprehensive complaint reporting system.

    It appears that there is nothing to prevent Privacy Commissioners at least publishing anonymised reports of complaints determined or mediated, but the position concerning identification differs between jurisdictions. As set out in the introduction to this paper, there are very strong public interest reasons for systematic publication of such reports.

    Choice of complaints reported

    It is unrealistic and unnecessary to expect Commissioner's offices to prepare for reporting details of the outcomes of every complaint they resolve: many will be trivial or repetitive of settled matters and only of statistical interest (which is a separate question).

     It is sufficient if 'significant' complaints are reported, but it is not a simple matter to define what is 'significant', and there are no clear standards in the existing practices. Some suggested factors are:

    Commissioners should state publicly the criteria on which they report complaint resolutions.

     In the absence of agreement on a standard of significance, Commissioners should report matters that they consider significant, and explain their criteria. If and when a standard emerges it can be applied prospectively.

    Naming of respondents and complainants

    Naming of either respondents or complainants in the reports of complaints is not essential for a valuable reporting system, but naming of both may be valuable in some situations (as proposed below). The privacy Acts in each jurisdiction may also impose limitations on identified reporting but not on de-identified reporting. This must be considered separately in each jurisdiction.

     In default, the complainant should not be named because the nature of privacy complaints is such that to do so would exacerbate the harm of interference with privacy. However, some complainants will prefer to be named, as this helps to provide public vindication of the complainant. A reporting system should allow a complainant to elect to be named, except where this is inconsistent with a mediated settlement.

    In relation to public sector respondents, the default position is that they should be named, as is the practice in most jurisdictions considered. Where disclosure of the respondent would prejudice the position of a successful complainant (eg an employee of a small public agency who could be identified if the agency was named), the agency should not be named. It is undesirable for public bodies to attempt to hide their breaches of the law behind settlements which require that they not be named (or Commissioner's practices to this effect). Within their powers, Commissioners should insist that public body respondents be named, unless the agency provides a compelling public interest reason not be to named (which should be disclosed, as far as possible, in the report). All complaints where agencies raise non-naming demands should automatically be reported, as that is itself an issue of significance.

     In relation to private sector respondents, the practice of Commissioners seems to be to recognise that there are often good reasons not to name them, but different standards are applied as to when they should be named. Good reasons for non-naming include:

    Subject to what is allowed by law, any of the following should be sufficient reason for identifying a private sector respondent: In relation to private sector respondents, these proposals could be interpreted as a default position of non-identification, coupled with a readiness to identify where the interests of the complainant, others who may have been harmed by the conduct, or the public interest, justify identification, and subject to any strong reasons which would make identification unfair in the particular case.

    Level of detail in reports

    In a nutshell, the level of detail needed is that which is sufficient for interested parties to obtain a full understanding of the legal issues involved and the essential steps in the Commissioner's reasoning leading to their resolution. In relation to remedies, sufficient of the factual circumstances are needed for the adequacy of the remedy to be understood in relation to the seriousness of effect on the complainant, and to allow comparison with potentially comparable complaints (subject to the privacy interests of the complainant).

     One touchstone (at least in the Australian context) is the administrative law requirement in most Australian jurisdictions that a person can request an official to give a statement of reasons for a decision, along the lines of a statement which sets out the findings on material questions of fact, referring to the evidence or other material on which those findings were based and give the reasons for the decision[18]. Although the mediation of a complaint may sometimes not technically involve the making of a 'decision'[19], this nevertheless gives the type of standard that Commissioners should aim to meet.

     Existing reporting practices of Commissioners are very variable in this respect, even where Commissioners make a conscientious effort to publish complaint resolutions.
    Good examples of the standard of reporting that can be achieved are those of the Canadian Federal Commissioner (for PIPEDA complaints), the Ontario Commissioner (for IPP complaints), and (to a slightly lesser extent) the NZ Commissioner.

     In Australia and in Canada, the best examples of quality reporting are in reports of access and correction complaints by the Ontario and British Columbia Information and Privacy Commissioners and the Queensland and Western Australian Information Commissioners. As mentioned earlier, it is hard to see why questions of collection, disclosure, security and use are so much harder to document than access and correction decisions. Perhaps the discipline of having to write determinations on FOI matters makes such offices more effective than others in documenting privacy complaints.


    Various forms of indexing of reported complaints make them much more accessible, but indexing is always labour-intensive and difficult to do well. Indexing by addition of catchwords or lists of sections / IPPs considered, and/or by creation of consolidated indexes of complaints based on either method, has been undertaken by the Ontario and NZ Commissioners.

    To some extent, the need for such intellectual indexing is reduced if a good search engine is available to search the text of decisions, but it is always the case in information retrieval that accessibility is maximised by providing a combination of both.

     Whether either or both methods are used, or even more primitive preliminaries such as locating all reports in the one location ordered by date to start with, the point is that Commissioners must consider the accessibility of the whole set of complaint data they produce, and the likely research uses of the collection.

    Regularity of reporting

    The best practice, both from the perspective of the Commissioners' offices, and the needs of the recipients, is for complaints to be reported and disseminated as they are completed, rather than in periodic batches such as in Annual Reports.

    The benefits of public reporting of complaint resolutions are to a significant extent diminished in proportion to the delay in public availability. Potential complainants and their advisers, and potential critics, need to be aware of practices as soon as possible so as to act in response to them. Those preparing secondary reports of complaints for publication (newsletters, journals, newspapers etc) are usually not able to deal with large batches of them, but would prefer to receive them regularly, and as soon as possible after they are dealt with (while they are still 'news').

     A Commissioner should have a publicly stated standard that complaint reports will be prepared within a fixed time of a complaint being finalised. A month would seem a desirable standard, but this is a matter which is of course subject to the resources available in a Commissioner's office. An alternative view, put forward by the NZ Commissioner's Office[20] is that about three months between completion and reporting is a safeguard against the likelihood of inadvertent identification, and against complaints that revive after being thought to be completed.

     Good practices in regularity of reporting are found in the practices of the Ontario, federal Canada, and New Zealand Commissioners.

    Reporting of decisions about Commissioners, and other decisions

    Privacy Commissioners should report on their own websites at least minimal details of appeals and judicial review of their own decisions to enable interested parties to obtain further details. A Commissioner's Office is in the best position of anyone in a jurisdiction to know of all case law affecting the Commissioner and the legislation, as they must know this to carry out their own duties.

    Publication of this information puts the publication of the Commissioner's own decisions in context, and prevents them being misleading, because of lack of reference to decisions overturning or affirming positions the Commissioner has taken. Providing references to all decisions in a jurisdiction affecting the privacy legislation is also an important part of a Commissioner's educational responsibilities, and an efficient use of scarce resources. Many people interested in privacy law in a jurisdiction will only know to look at the website of the Privacy Commissioner, and so to have a 'one stop shop' for information about decisions is very valuable to them.

     Examples from various jurisdictions of where such reporting is important, particularly given the poor availability of case law on the Internet in some jurisdictions, has been given earlier.

     Good practices in this regard have already been instituted by the Commissioners in New South Wales, Canada (federal), Ontario, and (at least in print) New Zealand. However, none are as thorough or as informative as they could be with only a little more effort.

     Provision of all of the following elements should be considered in relation to cases of appeal, judicial review or interpretation of privacy legislation:

    Methods of publication

    Two aspects need to be considered: self-publication by Commissioners, and secondary publication by others.


    Self-publication of complaint resolutions via the web has significant advantages over print publication. It allows economical publication in greater detail, and of larger numbers of complaints. It can occur more rapidly and frequently. It allows complaint reports to be accumulated over time in one location (as opposed to scattered through Annual Reports), opening up the possibility of comprehensive searching using a search engine, or indexing (cataloguing). The Ontario Commissioner's site is one that illustrates many of these virtues.

     Print publication is however a valuable complement, in that it helps to avoid exclusion of those without Internet access or familiarity, it can be used to reach different audiences, and it can be used as a means of archiving.

     Self-publication can take various forms:

    Secondary publishers

    Commissioners should encourage re-publication of their complaint resolutions, or commentaries on them, as one of the most effective ways to improve knowledge of privacy law in a jurisdiction. The most valuable steps that they can take are: Various forms of secondary publication are desirable and should be facilitated: If a relatively consistent form of publication could be developed, this would facilitate Commissioners, scholars and others developing an Asia-Pacific privacy jurisprudence, based on the similarity and inter-connectedness of our privacy legislation.

    Official citations for complaints

    It should be possible for all those who wish to refer to a complaint report to do so by an official citation that unambiguously refers to the same report, and has an accepted designator for the Privacy Commissioner or other body publishing the report. It diminishes the benefit of publication of complaint outcomes if those who wish to refer to them cannot do so in an unambiguous and convenient way.

     Some Privacy Commissioners such as those in Ontario and New Zealand have adopted numbering systems for complaint reports, but these are not full citation systems in that they do not have a consistent way of referring to the Commissioner as the decision-making body. For example, NZ casenotes have names like ' CASE NOTE: 19740'; Ontario reports have names like 'Privacy Complaint PC-010015-1 Ministry Of Finance' and 'Investigation I94-084P The Ministry Of Housing'; and Hong Kong reports have names like 'Case No.: ar9798-13 Access request to employment-related personal data '. These are essentially internal identifiers which, taken out of context, give the reader little idea of which Privacy Commissioner made the decision (or issued the report), or when, or (in some cases) in relation to which types of parties.

     A consistent system of 'Court designated citation' has now been adopted by most Australian Courts and Tribunals, and implemented most extensively by the databases on AustLII. CanLII and HKLII are also working toward the adoption of consistent 'court-designated' citation systems in their jurisdictions. For example, citations for decisions of the Federal Court of Australia, Federal Court of Canada, Court of Appeal, Queensland and WA Information Commissioners, NSW ADT, and VCAT (all relevant to decisions of Privacy Commissioners) are:

    Adopting the naming convention used for other Courts and Tribunals, the citation for the first decision for 2001 of each of the Australian, NSW and Hong Kong Privacy Commissioners, and the Ontario IPC would be in the form[24] : The problem of providing meaningful citations for Privacy Commissioner's decisions is exacerbated by the need to anonymise the complainant (in most cases) and the respondent (in many cases). The above citations would then become something like: It would be workable to use numbers instead of any names of parties (eg PC14235), but it is informative to at least include the name of a government respondent. Numbers are better kept for the citation, not the party names.

     Developing an acceptable method of citation is not simple, but it would provide many benefits.

    Reporting under Codes of conduct

    Co-regulatory codes which include dispute resolution mechanisms, such as those under the Australian Federal legislation, should impose the same reporting requirements as are complied with by a Privacy Commissioner.

     Further, all reporting on Code compliance body websites should be at least linked, and preferably searchable, from the Privacy Commissioner's site, to ensure that users may obtain comprehensive information about how IPPs or other provisions are being interpreted.

    Desirable outcomes

    If Privacy Commissioners took these proposals seriously, what would be the desirable outcomes?

     The most obvious benefit would be if Commissioners in individual jurisdictions separately improved their reporting practices, along the lines outlined (or even differently, but having thought all the issues through for their jurisdiction).

     More substantial benefits would flow from the Asia-Pacific Privacy Commissioners implementing a consistent set of reforms (preferably along the lines suggested). This would be a big step toward encouraging the development of a regional jurisprudence of privacy in the jurisdictions that have adopted an 'Asia-Pacific model' of privacy legislation, as Nigel Waters has described it[25]. It would provide a compelling model for complaint reporting in jurisdictions with new Privacy Commissioners. It would be a small practical step toward the emergence of an Asia-Pacific privacy Convention[26] and the development of minimum standard privacy laws across the region.

    Part II of this paper 'Complaint reporting practices of Asia-Pacific Privacy Commissioners' will appear in a subsequent issue of PLPR.

    For valuable suggestions on drafts of this paper, thanks to Anna Johnston, Greg Keeling, Lee Bygrave, Jill Matthews, Blair Stewart, Roger Clarke, Dan Svantesson, John Corker, Carolyn Bond and Tim Dixon. The responsibility for final content remains with me. This research is supported by the UNSW University Research Support Program in 2001 and 2002. Declaration of interest: I have various interests in the publication of decisions on privacy. I am a Co-Editor of Privacy Law & Policy Reporter (Butterworths), and Co-Director of AustLII, HKLII and WorldLII, free-access Internet law services which are University-based.

    [1] The most notable exception is the US Federal Privacy Act (which allows direct recourse to the Courts instead), but Taiwan's privacy law shares this characteristic.

    [2] L Bygrave Where have all the judges gone? Reflections on judicial involvement in developing data protection law Part 1 (2000) 7 PLPR 11 and Part II (2000) 7 PLPR 33

    [3] G Greenleaf 'Tabula Rasa': Ten Reasons Why Australian Privacy Law Does Not Exist - [2001] UNSWLJ 4 - <>

    [4] cf Bygrave n2

    [5] Problems caused by the lack of reporting are discussed in G Greenleaf 'Enforcement of the Privacy Act: Problems and potential' Privacy Law 2001 Conference, IIR Conferences, Sydney (May 2001) - at <>, but this paper does not include sufficient discussion of s40 of the Australian Federal Act.

    [6] Bygrave n 2 above

    [7] Introductory remarks by Susanna Lobez (ABC Law Report/Law Matters), 31 July 2001.

    [8] This includes, as a slight gloss, situations such as that under the Australian Federal law where a Commissioner or complainant has to seek the aid of a Court in order to enforce his decision, but the Commissioner's findings are treated as a rebuttable presumption.

    [9] There may be questions of the adequacy of the rights of appeal and judicial review (and are, in the case of the Australian and NSW Commissioners), but that is a separate issue.

    [10] For example, Federal Court, Federal Magistrates Court, Victorian Civil and Administrative Tribunal (VCAT) and NSW Administrative Decisions Tribunal (ADT)

    [11] Australasian Legal Information Institute <>

    [12] There are issues of privacy (as distinct from access) that can arise from the publication of any court or tribunal decisions. See the discussion below under 'Naming of respondents and complainants'.

    [13] This is not a big omission as yet. The few Federal Court decisions referring to the Act are not all that important.

    [14] <>

    [15] <>

    [16] In NSW, the appealable privacy decisions are those made by agencies. The Privacy Commissioner only mediates, and there are no examples yet of judicial review of his actions.


    [18] This suggestion was made by John Corker

    [19] This is apparently so under the NSW Act

    [20] Private communication

    [21] The decisions would then be part of a 'commons' in the terminology popularised by Lawrence Lessig in relation to the Internet. For arguments since 19995 that essential legal information should be part of the commons ('public space in cyberspace') of Internet content, see our various articles about AustLII.

    [22] In the Asia-Pacific there are as yet few secondary publishers of privacy case law and complaints. They include Privacy Law & Policy Reporter (PLPR)

    [23] AustLII <>, CanLII <> and HKLII <> - see also WorldLII <> which they cooperatively provide.

    [24] The practice has been adopted in Australia that citations of Federal bodies end with 'A' for 'Australia' (eg 'FCA', 'HCA') whereas those for State and Territory bodies start with the abbreviation for the State. 'Cmr' is used for 'Commissioner', whereas 'Comm' is used for 'Commission'. This may be slightly inconsistent, but it is now the settled practice.

    [25] Nigel Waters 'Re-thinking Information Privacy - A Third Way in Data Protection?' Proc. International Data Protection and Privacy Commissioners Concerence, Hong Kong, 1999; <>

    [26] See 'Global Protection of Privacy in Cyberspace - Implications for the Asia-Pacific' 1998 Internet Law Symposium Science & Technology Law Center, Taiwan, June 1998, available at <>; this paper was also the basis of a presentation to the Asia-Pacific Privacy Commissioners at the International Privacy and Data Protection Commissioners Conference, Hong Kong, 1999