Reporting Privacy Complaints Pt 2: Complaint reporting practices of Asia-Pacific Privacy Commissioners

Reporting Privacy Complaints Pt 3: Complaint reporting practices of Canadian Privacy Commissioners

Graham Greenleaf

[Published in (2002) 9 Privacy Law & Policy Reporter 74 (Pt 2) and 111 (Pt 3).'Part 1: A proposal for systematic reporting of complaints in Asia-Pacific jurisdictions' appeared in 9 PLPR 41. ]

We now turn to a more detailed consideration, on a jurisdiction-by-jurisdiction basis, of the complaint reporting practices of Privacy Commissioners in the following jurisdictions in the Asia-Pacific:

Hong Kong SAR

The Privacy Commissioner for Personal Data, Hong Kong SAR, China can mediate complaints received but can also issue enforcement notices where a breach of an IPP has been found, 'directing the data user to take such steps as are specified in the notice to remedy the contravention' (s50)[1]. Failure to comply is a criminal offence (s64(7)).

 The Commissioner provides complaint statistics in his Annual Report. In 1999-2000, of 303 complaints formally completed, 137 (45%) were resolved through mediation, 13% found to be unsubstantiated on investigation, and 24% were withdrawn. Of the 56 (18%) formally resolved, 29 were found to involve contraventions of the Ordinance. These resulted in 21 warning notices, requiring written undertakings to implement remedies, with only 4 resulting in enforcement notices directing remedial actions.

 The HKPCO reports anonymised summaries of both complaints and enquiries on its web site. The web site of the HKPCO, provides both Complaint Case Notes[2]] and Enquiry Case Notes[3]]. They are both indexed by the DPP or section of the Ordinance to which they relate, and by their subject matter ('Sector/Business'). A lot of Enquiry Case Notes are provided, and they are up-to-date to at least 2001. However, there are only about a dozen Complaint Case Notes and they only date from 1997-98 and so are four years out of date. There is a search engine provided but it does not seems to search the complaints or enquiries.

 Section 48 of the Personal Data (Privacy) Ordinance[4]] provides 'the Commissioner may, after completing an investigation and if he is of the opinion that it is in the public interest to do so, publish a report' detailing the results of the investigation, his recommendations and comments. However, it must 'prevent the identity of any individual being ascertained from it' (s48(3)), but this right of anonymity does not apply to data users (s48(4)(b)), only to complainants and other third party individuals[5]. There has apparently been only one report which has named a data user, and it is not available on the Commissioner's website.

A deficiency of the Commissioner's reporting practices is that there is no systematic reporting of those complaints that have gone to the stage of formal resolution and a decision under s50 whether to issed an enforcement notice (56 in 1999-2000). Such reporting would need to include significant decisions not to issue notices, as well as those where notices are issued. Given that the Commissioner does have enforcement powers, systematic reporting of at least significant complaints resolved under s50 would be valuable.

Decisions about the Commissioner and Ordinance

There is no indication on the Commissioner's website of those decisions under s50 that have been taaken on appeal to the Administrative Appeals Board (AAB), although there are approximately twenty such decisions, or those matters taken to the Courts for judicial review. HKLII[6] proposes to publish the decisions if the AAB will make them available (all decisions, not only on privacy issues). AAB decisions are not yet available via the Internet, nor published in any convenient form. Their existence is known only to government agencies and barristers involved in this area. The Commissioner intends to investigate further the publication of information about these decisions[7].

New Zealand

The New Zealand Privacy Commissioner reaches opinions concerning breaches of the Act after investigating complaints, but only the Complaints Review Tribunal can give binding decisions.

 The Commissioner releases periodic sets of complaint summaries both in print and on his website[8] (up to date to 2002). There were 20 summaries in 1994, and 24 summaries in 2001. The level of detail is considerably greater in more recent summaries. While very helpful, some of the earlier complaints did not usually provide enough detail of the legal considerations involved in the complaint. They are one of the best examples of the reporting of mediated complaints as distinct from formal determinations/decisions. They have useful catchwords indicating the IPP involved, but no index by IPPs or subject matter. The search engine will search the tables of contents of decisions, but has some bugs[9]. The Commissioner's office does publish printed compilations of all casenotes periodically, including an indexed compilation of 120 casenotes from 1993 to December 2001[10]. The index, not yet on the website, identifies casenotes by sector/agency, words and phrases interpreted, IPP and statutory provision interpreted.

 The Commissioner's Guide to Preparing Privacy Commissioner's Case Notes[11] states that

'The purpose of a case note is to enable someone who has not read the Commissioner's formal opinions to understand the essential conclusions that he reached. ... The case note writer must express clearly the Commissioner's opinion and the reasons for it. ... The case note needs to briefly set out the facts relevant to the legal points at issue and the Commissioner's findings.'

Identification of parties

The NZ Commissioner's general practice[12] is that he complainant is not to be named. The default position is not to identify respondents, but with exceptions as explained :
'the respondent will not be named unless it is essential to the understanding of the case, or if the Commissioner has decided to publicly identify the respondent'. It is usually (but not always) necessary to name government departments to enable the case note to make sense. For example, a case note involving the Police will always identify the respondent as the Police and not simply as "a respondent", "a government department" or a "law enforcement authority", as any such label may lead to misunderstandings. On the other hand, a case concerning a government department's disciplinary records in respect of which the identity of the respondent was irrelevant could be reported in more generic terms.'
Therefore, public sector respondents will normally be named, but private sector ones will normally not be named. The basis on which the Commissioner will decide to name a private sector respondent is not discussed. Perusal of year 2002 complaints reported by the Commissioner shows that some private sector respondents are identified ('Fourth Estate Holdings Limited', a media body), but some are not ('a life assurance company', 'a club'), and most but not all government agencies are identified.

 In addition, the Commissioner's Annual Report does name the year's 'Top 8 Respondents', most of whom were public sector agencies but Telecom and Baycorp (a credit bureau) are not[13].

Decisions about the Commissioner and Act

There is no indication on the Commissioner's website of which decisions of the Commissioner have gone to the Complaints Review Tribunal for enforcement proceedings, or the outcome of those proceedings. However, this information is available in printed form of facsimile judgments from the Commissioner[14], and contains 68 decisions in little over two years, covering 268 pages. It is therefore expensive (NZ$45) and in effect unavailable to anyone except the privacy cognoscenti[15]. This is the largest body of law on the NZ privacy legislation. This publication is both a credit to the Privacy Commissioner, and an indication of why NZ Courts and Tribunals need to lift their game in the publication of important case-law. Here is a jurisdiction that actually has some privacy law, if only it could be found.

 At the least, the NZ Commissioner could list the title of all enforcement actions to the Tribunal, their outcomes, and the titles of any further appeals. He could also list any other Court actions in which his Office is involved, or actions of which he is aware that involve the Act.

Australia - Federal

The Australian federal Privacy Commissioner is unusual in that he has powers under the Privacy Act 1988 (Cth) that allow him both to mediate complaints, and to make 'determinations' under s52 that respondents should provide various remedies, including that they should pay monetary compensation[16]. Resolution of complaints be the Commissioner, whether by mediation or determination, is therefore very significant, given his powers.

Low reporting of complaint resolutions

In the thirteen years of the Act's operation (1988-2002), the Commissioner has only twice made determinations under s52, and in these cases formal written determinations explaining the decisions (probably required by s52[17]) were made public. It is some measure of the lack of importance the Commissioner places on publishing his decisions that they are not available on his website, or in the official loose-leaf service published with his office's assistance[18]. Details can only be found in summary form in Privacy Law & Policy Reporter[19] or in the Commissioner's 1994 Annual Report[20].

Brief details of a handful of complaints are provided in his annual reports. For example, his Annual Report 1998-99 gives brief details of nine settled complaints (out of 91 closed that year), but not even the details of all of those resulting in compensation. Even these minimal details were dropped from the 1999-2000 Annual Report, but the 2000-01 report[21] reinstates the practice of reports on a dozen complaints, each of a couple of paragraphs in length. The details are not enough for anyone to understand the legal significance (if any) of the issues resolved by the Commissioner in resolving the complaint. This reporting is more in the nature of a public relations exercise, and does not provide any useful guidance on how the Commissioner interprets the Act, or guidance on the types of remedies that the Commissioner typically negotiates.

 The Commissioner's website[22] does not include any details of the resolution of particular complaints[23]. It is therefore not possible to find any consolidated set of examples of how the Commissioner deals with complaints. The Commissioner says that his reporting policy is under review and will involve more complaint reporting in future[24].

Non-reporting and lack of accountability

The practices of the Australian federal Commissioner illustrate best how non-publication of complaint resolutions can increase the danger that Privacy Commissioners will 'bury their mistakes' (misinterpretations of the law, failure to investigate, and failure to provide adequate remedies) by making them less likely to be subjected to the scrutiny of the parties, their advisers, the press, or scholars. Acts and practices in other jurisdictions may raise similar problems, but the very low level of complaint reporting by the Australian federal jurisdiction, even though he has determinative powers, makes it the logical jurisdiction on which to focus as an example of potential problems.

As noted above, no complaints are dealt with under s52, which at least requires that a written determination be provided to the parties (but does not require broader publication). Most complaints are dealt with under s41(2)(a), the Commissioner explains[25]:

"This process [conciliation] has been very successful in the existing jurisdiction and usually results in our Office closing the complaint under s.41(2)(a) on the grounds that the respondent has adequately dealt with the matter. Moreover, in the vast majority of complaints over the last five years, resolution has not involved monetary compensation. Less than 6% of complaints have involved financial compensation. In all but a few serious matters, the amounts have been very modest. ($500 - $2,000)."
Section 41 does not require any written report on a complaint, it merely allows the Commissioner to decide not to investigate further. Under s41(2)(a), it is the Commissioner's opinion that the respondent has dealt with the matter adequately, not necessarily the complainants view[26]. Are all complainants dealt with under s41 genuinely satisfied with the resolution? Do they receive a written explanation from the Commissioner setting out the interpretation of the Act on which the Commissioner thinks it would be sensible for them to settle their complaint? Do they settle because they consider that the terms offered, even if inadequate, are the best they will get from a Commissioner's determination in any event, and because they have no right of appeal[27]?

Investigations may also be terminated because the Commissioner thinks there is no breach of the Act (s41(1)(a), or because 'the complaint is frivolous, vexatious, misconceived or lacking in substance' (s41(1)(d)). In these latter two cases, the Commissioner could proceed to make a determination under s52(1)(b) 'dismissing the complaint', but this would require a written determination to be made setting out reasons. How many complainants are aware they could press for a s52 dismissal determination?

Of course, if complainants knows enough administrative law, they can get a statement of reasons for a s41 decision under the Administrative Decisions (Judicial Review) Act 1977, and they can even subject the Commissioner to judicial review of his s41 decision. How many complainants know about this? There is at least one Federal Court decision where the Commissioner's refusal under s41 to investigate further was remitted back to the Commissioner for reconsideration[28], but the only published decisions of judicial review of decisions by the Commissioner were on misconceived grounds[29].

 The lack of any rights of appeal for complainants, the Commissioners' practice to avoid making s52 determinations, the lack of cases of judicial review of s41 refusals to investigate further, and the Commissioner's practice not to publish any meaningful details of mediated or dismissed complaints, taken together prevents any accountability by the Commissioner for his handling of complaints. The Australian Privacy Commissioner's office has become a 'black hole': many complaints enter, but no privacy law or practices ever escape to receive public scrutiny.

 I have no clear idea whether these dangers have been realised in incorrect decisions and inadequate remedies: the lack of public information prevents accountability. Even if the Australian federal Commissioner's staff are scrupulous in avoiding the dangers described, justice is not being seen to be done. Systematic reporting practices would ameliorated some of these deficiencies in the legislation.

Identification of respondents

The Commissioner describes his approach as "based on using the lowest cost, lowest profile approach that the complainant and respondent organisation will allow"[30]. He has decided that it is only in 'rare circumstances' that he will consider identifying a company that is the subject of a privacy complaint. Information Sheet 13 The Privacy Commissioner's Approach to Promoting Compliance with the Privacy Act [31]]states that the normal anonymised approach will be as follows:
"The Office includes in its annual report some cases studies on complaints it has handled and investigations it has carried out. These are reported in summary form and do not generally identify the complainant or respondent. With the new private sector provisions, the Office plans to add to this approach by publishing more frequent, de-identified case notes on complaints it has handled. The aim of these will be to help organisations and the community understand the way the Office applies the provisions of the Act and, where relevant, the provisions of approved codes."
The circumstances where respondents (companies etc) will be named are as follows:
"On occasion there may be some merit in making public the circumstances of a particular complaint or investigation. This may be, for example, where there is already publicity around a particular matter before it reaches the Office or where, despite all the other approaches the Office has taken, an organisation continues to engage in behaviour that constitutes an interference with privacy. This would clearly be a serious step which could have commercial consequences for the organisation concerned. It would only be appropriate in rare circumstances. In the ordinary course of events, the Commissioner would not consider such a step unless:

* an organisation either repeatedly or very seriously breaches the Privacy Act;

* the organisation demonstrates by its actions that it does not intend to comply with its legal obligations; and

* all other measures have failed to change the organisation's behaviour."

This conjunction of requirements means that, no matter how repeatedly or seriously a company has breached the Act, if it demonstrates an intention to mend its ways it will not be named at the Privacy Commissioner's initiative. It would be more appropriate if only one of these conditions needed to be satisfied before a respondent was named. 'Name and shame' has been unnecessarily blunted as a weapon in this Commissioner's armoury.

 As it stands, the only likely way that the identities of privacy-invading companies will be known is where complainants have the courage to go public and the media to report them, or the complainant pushes for a formal determination under s52. The two s52 determinations made by previous Commissioners in the past 13 years have been published, and have identified the respondent departments, but Information Sheet 13 is silent on whether that practice will be followed in future.

Reporting under Privacy Codes

Even more restrictive, the reporting of identified complaints is completely eliminated if a complaint is dealt with under an industry Privacy Code (Part IIIA Privacy Act 1988). The Privacy (Private Sector) Regulations 2001 set out in Schedule 1 'Prescribed standards for procedures relating to complaints', which gives the Commissioner his instructions from the government as to what industry codes he can and cannot approve. Part 5 'Accountability' states under 'Principle' that 'Reports of determinations and information about complaints must be published...', but in fact only mentions determinations. In relation to determinations it includes the initially positive requirement in cl 5.2 that '(1) Written reports of determinations by an independent adjudicator must ... (b) be made available to any other interested person or body' but unfortunately then provides that '(4) A report must not: (a) name any complainant or respondent organisation'[32]. The 'determinations' made by Code adjudicators are supposed to be the same as those made under s52 (s18BB(3)(d)), so there appears to be an inconsistency between previous practice and the Regulations. Part 5 says nothing about publication of details of other complaints which are resolved by mediation not by a determination, so there is no reason to assume that the Commissioner's approach to providing de-identified summaries will be followed by Code authorities.

 This example demonstrates one of the dangers of co-regulation: less accountability for the co-regulatory bodies through weaker reporting requirements.

Australia - NSW

The only details of complaint mediations by the NSW Privacy Commissioner (and the previous NSW Privacy Committee, operating since 1975) are a few complaints summarised in each Annual Report. The NSW Commissioner's Office states that it is at present unable to prepare case summaries due to resource limitations, except for annual reports, and these are also two years in arrears. However, the Commissioner has applied for funding for a new computer system which will require preparation of an anonymised complaint summary when a file is closed[33].

 The two year lag in Annual Reports means that no reporting of complaint resolutions under the new Privacy And Personal Information Protection Act 1998[34] has yet occurred.

 At present, no details of complaint resolutions by the Commissioner are available on the Commissioner's website[35], with one exception mentioned below. Not even (old) Annual Reports are included. However, the website does provide two other important forms of information about complaint enforcement under the Act.

 The website includes a link to all appeals[36] to the NSW Administrative Decisions Tribunal under the Act (as discused above), and will presumably also include links to Court decisions once any arise. However, the three ADT decisions listed on the site do not quite give a comprehensive picture of judicial consideration of the Act, as a search over AustLII reveals five additional decisions mentioning the Act, at least one of which is of some significance. This is merely raised to illustrate the point that Court or Tribunals other than those which may have an explicit role in appeals or judicial review under an Act may contribute to its interpretation, and it is valuable for Commissioner's sites to list all judicial sources of interpretation.

 The Act makes specific provision for written reports on complaints under s50 and s65. The Commissioner's website includes links to special reports to Parliament by the Commissioner under s65. Since 1998, the Commissioner has made two such reports[37], identifying the respondents and criticising their conduct. The permissible content of s65 reports was contested during the Aquilina investigation[38] and this has not yet been resolved by the Courts.

The Commissioner does not publish all s50 investigation reports because s50 restricts publication to the parties concerned. Legal advice received by the Commissioner is that s65 (special reports to parliament) are the only means of publishing more widely the details of complaints unless one of the following apply: (i) the matter has been the subject of a Special Report to Parliament, or (ii) Privacy NSW has obtained the consent of the complainant, and the consent of the respondent if the respondent's personal information is also at issue, or (iii) the complaint has been de-identified.[39].

It seems therefore that the NSW Commissioner may have a limited ability to name respondents in published reports, but has not yet utilised his ability to systematically report anonymised complaint resolutions.

Australia - Other jurisdictions

The Victorian Privacy Commissioner[40] does not start to handle complaints under Victorian legislation until 1 September 2002, and does not yet have a stated policy on complaint resolution and publication.

 The Queensland Information Commissioner[41] publishes the full text of all his decisions[42], and maintains details of all judicial reviews of his decisions[43]. However, these are only binding determinations on access and correction complaints, the Act does not deal with other IPP complaints. Similarly, the Western Australian Information Commissioner[44] publishes the full text of all decisions since 1994[45], and indexes them by sections of the Act, by catchwords etc. Once again these are limited to access and correction complaints, as the legislation deals only with FOI.

 The fully reasoned decision of both Information Commissioners are good examples of reasoned determinations by Commissioners (not complaint resolutions by conciliation, however), and the majority of their decisions deal with access to and correction of personal records. These are important aspects of IPPs, and it is hard to see why questions of collection, disclosure, security and use are so much harder to document than access and correction decisions.

Canada - Federal

Until 2001 the (Federal) Privacy Commissioner of Canada administered only the Privacy Act covering Federal agencies. Annual Reports up to 1999-2000 contained a small selection of rather journalistic renditions of complaints with few legal details included[46]. Agency respondents were named in complaint summaries and in a list of 'Top Ten Departments by Complaints Received'[47]. Details of the progress of cases about the Commissioner and the Act were also provided[48]. The Commissioner's website provided no additional information about complaint resolution, and so any information about complaints or cases could only be found (by those who knew how to look for it) in rather erratically presented successive Annual Reports [49]. However, all Annual Reports are available in some form back to 1983-84.

 Since 2001, under a new Commissioner and covering an additional Act affecting the private sector (the Personal Information Protection and Electronic Documents Act (PIPEDA)), substantial improvements have been made to both the print and website information about complaint resolution. Many good aspects of the Canadian Federal approach pre-date the 2000-01 Report, but the comments below are based on what is contained in that Report and the current website.

 From June 2001 the website has now added the Privacy Commissioner's findings on complaints[50] made under both federal privacy laws, published in advance of their inclusion in any Annual Report. Postings appear to be made every few weeks, on average, so it is quite up-to-date. This method of complaint reporting will make the complaint summaries in the Annual Report increasingly less relevant, except that the most important complaints will presumably be spot-lit in that way, and the Annual Reports reach a different audience than the website.

 The Commissioner has formalised definitions explaining the meaning of complaint outcomes under PIPEDA[51] (Not well-founded / Well-founded / Resolved / Discontinued), and under the Privacy Act[52] (Not well-founded / Well-founded / Well-founded + Resolved / Resolved / Settled / Discontinued). This is very useful and provides a degree of consistency in reporting outcomes that is often lacking in other jurisdictions, in relation to both complaint reporting and complaint statistics.

 The website complaint reporting has the following features:

One major potential improvement to the reporting of PIPEDA complaints (and to Privacy Act complaints when they start to be systematically reported), would be the addition of a proper citation to each complaint, so that it can be referred to briefly and unambiguously. At present, the only possible citation of a PIPEDA casenote would be something like 'Couple objects to agency's delayed response to requests for credit histories (July 3, 2002)'. A suggested citation system is proposed later.

 The HTML version of the first Annual Report (2000-2001) of the new Commissioner also contains much more accessible details of complaints reported there, due to better quality HTML markup.

Decisions about the Commissioner and the Acts

The Commissioner's Annual Reports have for many years included in an 'In the Courts' section[53] brief details of cases before the Courts under the Privacy Act, and this is now being extended to PIPEDA cases. These cases are before various Courts, and include appeals to the Federal Court under s41 and s42 of the Privacy Act concerning refusal of access to personal information. The summaries provided are very useful, and it is commendable that the Commissioner provides them.

 One problem is that the cases are referred to only by name (eg 'Privacy Commissioner v. Canada Labour Relations Board') with no indication of where they are reported in print or on the web. It should be possible to provide citations and/or URLs for all cases. and this would increase the utility of these summaries a great deal.

 The Commissioner's website does not make it clear from its table of contents that it contains information about such Court decisions, though they are in fact available as part of the Annual Report. This defect would be easy to remedy (at least annually) simply by providing hypertext links to the relevant parts of the HTML version of the Annual Reports. It would be even better if an ongoing index of Court decisions could be maintained online, in advance of each Annual Report.

Canada - Ontario

Ontario's Freedom of Information and Protection of Privacy Act (and the corresponding Act for municipal authorities) [54] covers freedom of information and also includes (in 'Part III -- Protection of Individual Privacy'[55]) a full set of IPPs. Individual have enforceable rights of access and correction of their personal records, can appeal to the Information and Privacy Commissioner against Ontario agencies in order to enforce such rights. In relation to other IPPs (use, disclosure, security etc) the Commissioner may investigate but may only mediate, and individuals do not have any right to seek enforcement of the IPPs by other bodies.

 The reporting practices of Ontario's Commissioner are therefore primarily relevant as examples of reporting mediated complaints (or more, accurately, where mediation fails - see below), not determined complaints (except in relation to access and correction). The Commissioner's website provides online Orders, Privacy Complaint Reports and Judicial Reviews[56]. It can be seen from the Privacy Complaint Reports listed under ss37-53 of the Provincial Section Index[57] that the Commissioner has published reports since 1988 on over 200 IPP complaints excluding the hundreds of 'refusal of access' complaints under s49. This is therefore one of the largest sources of reports of mediated complaints in the region.

An Investigation Report by the Commissioner's office, although it can only result in a recommendation by the Commissioner to the agency concerned to comply with one of the IPPs, nevertheless gives full details of the relevant facts, and all legal reasoning involved, with references to the relevant sections of the Act and any other legislation. It is a fully-reasoned decision, little different from what it would be if the Commissioner had statutory power to enforce the recommendation.

 In a number of high profile invesitigations, special reports have been published[58]. Extensive statistics on privacy complaints, and details of judicial reviews, are also included in the Annual Report[59]. The provincial government office responsible for FOI and privacy also provides access to the Commissioner's published privacy reports[60].

 The 'What's New' page[61] of the website lists 'Orders and Privacy Complaint Reports issued this week' (and the previous week), so the site is clearly updated frequently. A minor drawback is that is not possible to see a list of matters decided in chronological order beyond these two weeks.

 The Commissioner does not publish on the web details of all IPP complaints investigated, but only those which result in a recommendation being made to an agency (a 'Privacy Complaint Report')[62]. Complaints that are dismissed or are settled during investigation are not reported in this way. There is a danger in this practice, that significant interpretations of the Act may not come to public notice if they are hidden in settled or dismissed complaints.

 The Ontario Commissioner therefore has a high quality system for reporting complaints where mediation has not resulted in settlement, but not for reporting the outcomes of other significant complaints.

Identification of parties

The Commissioner's policy is that "The Final Privacy Complaint Reports for unresolved files will include the name of the institution and be made available to the public on the IPC Web site, unless the privacy of the complainant might be compromised."[63].


The Ontario Commissioner's reports on IPP complaints include a numerical form of citation, examples of which are: The brief numerical form of citation ('PC-980049-1', 'I94-084P ') is the basis of the sophisticated complaint indexing by the Commissioner's office.

Decisions about the Commissioner and the Acts

The Commissioner's website tracks any Judicial Review of Privacy Complaint Reports[64], but to date there have only been two such applications and both were abandoned.

 There are also tables indicating progress and outcomes of judicial review of the Commissioner's Orders in FOI matters (including access to and correction of personal information)[65], which give citations to the resulting court decisions where available. The outcome of the review is stated (eg 'Institution's appeal allowed by Court of Appeal August 8, 2001; IPC application for leave to appeal to the Supreme Court of Canada dismissed June 13, 2002 '), but no summaries of the Court proceedings are available, since no court actions have yet transpired[66]. Links to web reports of cases are not provided yet but will be soon[67].

Canada - British Columbia

British Columbia's Freedom of Information and Protection of Privacy Act is similar to that in Ontario for the purposes of this paper. Part 3 'Protection of Privacy' contains a set of IPPs (ss26-36). The Information and Privacy Commissioner is authorised to investigate such breaches, and to attempt to mediate(s42).

 The Commissioner has authority to conduct investigations (following complaints or on own motion) into any alleged privacy breach by public bodies regarding collection, use or disclosure of personal information (ie 'IPP complaints'). The Commissioner states that Investigation Reports include 'outcomes of investigations that are of significant public interest, or which could provide guidance to public bodies in order to prevent similar violations'. There have only been 17 such reports since 1994[68]. Another form of IPP report is under s42, where the Commissioner has 'power to authorize a public body to indirectly collect personal information about an individual', but there has only been one such report[69].

 The website of the Information and Privacy Commissioner provides detailed reporting of Orders and Other Decisions[70] (ie FOI matters including access to and correction of personal records). An index of decisions by sections of the Act is provided[71], and it lists about 40 decisions under Part 3 of the Act..

 The BC Commissioner also has a very useful email subscription service for Commissioner's reports, where the full text of reports are mailed to subscribers.

Canada - Alberta

The Information and Privacy Commissioner of Alberta[72] has powers under s69(1) of the Freedom of Information and Protection of Privacy Act and s77(1) of the Health Information Act to conduct an Inquiry if a matter cannot be settled through mediation or investigation, and to dispose of inquiry issues by making a formal order (s72(1) of the FOIP Act and s80(1) of the HIA)[73].

The Commissioner's website provides the full text of all Orders since 1996 (with summaries included in each order), Investigation Reports (IRs) since the Commissioner started making them in 1998, and External Investigator Reports (there are only two as yet). All are searchable by keywords or Order/IR number.

 Judicial reviews of the Commissioner's decisions are listed on the Commissioner's website, but without a direct hypertext link to the text of each decision. However, a link is given to the front of the separate 'Freedom of Information and Protection of Privacy' website of the Alberta Government[74], where the full text of the decisions by the Court of Queen's Bench can be found[75]. There seems little reason why direct links could not be provided to these decisions from the Commissioner's own site.

 The Alberta government site also contains both summaries and the full texts of all of the Commissioner's Orders, IRs etc, and provides a more sophisticated search engine by which they may be searched than is provided by the Commissioner's own site. The Alberta government site is therefore an example of (free access) secondary publication of the Commissioner's decisions. Residents of Alberta seem to be well served by a choice of free access mechanisms to assist them to understand the operation of Alberta FOI and privacy laws.[76]

Canada - Québec

Québec's Commission d'Accès à l'information (CAI) has responsibilities in relation to both freedom of information and privacy disputes. Individuals have a right of recourse (appeal) to the CAI, called a "request for review" (public sector) or an "application for examination of a disagreement" (private sector)[77]. The CAI resolves such disputes by mediation in more than half of all cases[78]. No details of such mediated complaints appear on the CAI's website, and the discussion below relates only to 'determined' (adjudicated) complaints where the CAI makes an enforceable decision.

 CAI publishes a yearly digest entitled: "Décisions de la Commission d'accès à l'information" [79] which contains summaries of about one hundred recent decisions by the CAI and by judicial tribunals. Prior to their appearance in the annual digest, the summaries appear quarterly in the journal, l'Accès à l'information Express (A.I.E.). The annual digest also contains 'a table of the names of the parties, a table of cited legislation, a table of cited cases, a table of cited doctrine, a classification plan, a table of interpretation (interpreted terms and laws), a table of correlation with l'Accès à l'information Express and a table of follow-ups'[80]. Appeals against CAI decisions (and their result if known) are also noted. CAI recommends that decisions in its digest be cited in the form 'title [2001] C.A.I. 134'.

For paid access, the case summaries are also available weekly, and with all summaries searchable back to 1986, in the database AZIMUT Judicial documentation online, in the RÉSUMÉS SOQUIJ database[81]. The full text of all CAI decisions (published or not) since 1993 are also available in the "service de texte integral" (the full text service) of SOQUIJ. the SOQUIJ databases also contain the texts of the judicial decisions of appeals against CAI decisions. A CD-ROM Accès à l'information et protection des renseignements personnels contains, among other things, the CAI summaries to 1997 and full text decisions 1992-97.

 For free access, the CAI publishes the full text of some of its decisions on its website[82], but not all decisions (access is only available from SOQUIJ), and not the decisions of appellate judicial bodies. Only decisions made in the past 12 months are included on the CAI's website - the rest back to 1986 are only available from SOQUIJ. A search engine is provided. The decisions that are published are detailed statements of the facts and legal reasoning involved. No formal method of citation is given for the decisions on the CAI website. The CanLII[83] free access service does not include either decisions of the CAI, or appeals against its decisions[84].

 It appears therefore that free access to privacy decisions in Québec is considerably inferior to paid access, and would provide only limited assistance to anyone wishing to understand Québec privacy laws. This is in contrast with the generally high quality of free access in other Canadian jurisdictions.

Other Canadian jurisdictions

The Manitoba Ombudsman has an Access and Privacy Division[85] 'responsible for investigating complaints and reviewing compliance with access to information and protection of privacy rights under the Freedom of Information and Protection of Privacy Act (FIPPA) and the Personal Health Information Act (PHIA)'[86]. The Ombudsman's website does not include formal reporting of dispute resolutions, but does include some press releases relating to particular disputes, and links to decisions by Manitoba Courts[87]. In relation to disputes under the Manitoba's Personal Health Information Act these press releases are quite detailed and accompanied by a Background Paper, and could easily be presented as formal reports of complaint resolutions.

 Other Canadian jurisdictions have not been reviewed for this article.

Commissioners outside the Asia-Pacific

Asia-Pacific Commissioners are not alone in having reporting practices in need of improvement.

 For example, the Commissioner in the largest English-speaking country in Europe[88], the UK Information Commissioner (formerly Data Protection Registrar), is starting to provide via her web site[89] decisions by the Data Protection Tribunal (under 'Guidance and Other Publications' - only one available as yet), but not any details of complaint determinations (`assessments' as they are now called). The Commissioner'ss latest Annual Report[90] indicates that her office receives about 10,000 complaints annually, and about 5% of these (ie 500) result in `verified assessments suggesting compliance unlikely' (the closes the Commissioner gets to finding a breach of the Act)[91]. However, of these 500 annnual `substantiated' breaches, neither the Annual Report nor the website provide one useful summary. The Annual Report is populated with `soundbite' size `Case Studies' of less than 100 words, but these are too short to give anyone who is serious about understanding privacy law any useful information, particularly as they contain no references to relevant provisions of the Act. Many of the `Case Studies' are headed `Convicted', and the report indicates that there were 66 prosecutions resulting in 33 convictions during the year. However, there is no list or summary to be found of these obviously serious breaches of the Act. In contrast, 12 pages of the report is given over to extracts from recent developments caselaw on the common law of privacy. This is very useful because such cases do affect the interpretation and administration of the Act, particularly in the context of European human rights law, and are the third category of caselaw I suggest that Commissioners should publicise. However, it indicates an unusual sense of priorities in relation to the near total absence of complaints and cases resolved under the Act and illustrating its day-by-day practical interpretation.

 There does not seem to be any comprehensive reviews of the reporting practices of European Commissioners[92], so it is difficult to make any general comparisions between European and Asia-Pacific practices. The review in this article is intended to provide a start for comparative studies of complaint reporting practices in one part of the world, but a global comparison, and development of global standards of good practice, is needed.

[1] <>

[2] <>

[3] <>

[4] <>

[5] See Berthold & Wacks p205 for more discussion.

[6] Hong Kong Legal Information Institute <>

[7] Personal communication.

[8] <>

[9] In particular, it will list individual complaints in its search results, but cannot display them (17/7/02).

[10] Published by the Commissioner, March 2002

[11] 1995, revised 2002; Available on request from the NZ Commissioner.

[12] Guide, n20

[13] Annual Report 2000-1 Table 8

[14] NZ Privacy Commissioner Complaints Review Tribunal Privacy Cases 1998-2002 (Vol III), NZ$45

[15] Those with even deeper pockets can find some of the decisions in Paul Roth's Privacy Law and Practice loose-leaf service (Butterworths NZ).

[16] A de novo hearing before a Court is necessary in order to enforce a determination (s55A), but the determination is prima facie evidence of the facts on which it is based (s55B).

[17] See s52(2) which

[18] Federal Privacy Handbook, CCH Australian Ltd

[19] Determination: Secretary, Department of Defence 1 PLPR 152 <>; Determination: Minister for Administrative Services 1 PLPR 170 <>

[20] Mentioned by Bygrave, n1

[21] <>

[22] <>

[23] A minor exception is that PDF versions of the (pre-1999) Annual Reports are located obscurely - hidden in fact - on the site. They are 'hidden' in the sense that they are not listed in the table of contents or even the site map <> but can be found if you search for them (17/7/02). The contents are not searchable, only the title 'Annual Report'. This is not effective as publication

[24] Personal communication.

[25] Letter by Federal Privacy Commissioner to the Australian Chamber of Commerce and Industry (ACCI), August 2001.

[26] Consumer advocates are adamant that some of their clients have very reluctantly accepted proposed settlements on the basis that the Commissioner was proposing to deal with their complaint under this section, and they feared that if they insisted on a s52 determination they would receive even less: Personal communications.

[27] See Greenleaf 2001, n5 above, concerning the how the lack of appeal rights is biased against complainants.

[28] Matter D17 of 2000, Federal Court, Darwin. No judgment was delivered, and the transcript is only available to the parties.

[29] Gao v Federal Privacy Commissioner [2002] FCAFC 128; Mario Riediger v Privacy Commissioner [1998] FCA 1742

[30] Federal Privacy Commissioner, n 35 above

[31] <>

[32] This is one small example of how the Regulations are systematically biased against complainants and against the public interest in accountability,

[33] Personal communication, Office of the NSW Privacy Commissioner

[34] <>

[35] <>

[36] <>

[37] Investigation Report into a complaint by Carol Atkins against Mr Hugh Percy and Queanbeyan City Council Special Report No 1, September 2001 at <>; Special Report to NSW Parliament under section 65 of the Privacy & Personal Information Protection Act 1998, Complaint by Student A and his father against Hon John Aquilina MP, Mr Walt Secord, Mr Patrick Low Special Report No 2, 7 May 2002 at <>

[38] Student A v Aquilina, Secord, and Low, Special Report No 2, 7 May 2002 at <>

[39] Personal communication, Office of the NSW Privacy Commissioner

[40] <>

[41] See <>; also decisions 1993- on AustLII at <>

[42] <>

[43] <>

[44] < >

[45] <> and on AustLII at <>

[46] 12 in 1998-99 - see <>

[47] For 1998-99, see <>

[48] For 1999-2000, see <>

[49] I assume the Annual Reports were then on the website. They were erratically presented in that the 1999-2000 report had no internal navigation whereas earlier ones at least had some.

[50] <>

[51] <>

[52] <>

[53] For 2000-01 see <>

[54] <>

[55] <>

[56] <>

[57] See <> - go to <> and scroll from s37 to s53

[58] See <> for examples.

[59] For example, see <>

[60] See search provided by Management Board Secretariat at <>

[61] <>

[62] <>

[63] <>

[64] <>

[65] <>

[66] Personal communcation from the Commissioner's office.

[67] ibid; The texts of FOI judicial reviews have scanned and will be published on the Commissioner's site, so presumably the same would be done for privacy reviews by Courts.

[68] <>

[69] <>

[70] <>

[71] <> - referred to as a 'Concordance'

[72] See <> for the Commissioner'ss website

[73] See <>

[74] <>

[75] See <>

[76] Professor Karim Benyekhlef of the University of Montreal and his research assistant Nicolas Vermeys have assisted very significantly in obtaining the information on which this section is based, but responsibility for comments remains with the author.

[77] See <> for a brief explanation.

[78] ibid

[79] Nicolas Vermeys has translated the prefact to the 2001 edition in order to assist in the preparation o f this section.

[80] From the Preface, translation Nicolas Vermeys

[81] <>

[82] <>

[83] Canadian Legal Information Institute - <>

[84] See <> and search for 'Commission d'Accès à l'information' (boolean)

[85] <>

[86] ibid

[87] <>

[88] Not the only one of course, but this article does not cover Ireland or Jersey, The Isle of Man etc

[89] <>

[90] Information Commissioner Annual Report and Accounts for the year ending 31 March 2002 (June 2002)

[91] ibid, pgs 75-76

[92] Bygrave's review (see FN 2) does not indicate that European practices are any more systematic than those in the Asia-Pacific.