- Number of slides: 31
International Agreements and Data Export Prohibitions
Graham Greenleaf
Last Updated September 2008

Main international sources
1. Privacy in human rights treaties
  - ICCPR A 17, ECHR A 8
2. Agreements on privacy standards
  - OECD Guidelines 1980
  - Council of Europe Convention 1981 (and Optional Protocol)
  - European Union Directive 1995
  - UN Guidelines on Computerized Data Files 1990
  - APEC Privacy Framework 2004/5
3. Avoiding data export prohibitions
  - OECD Guidelines 1980
  - Council of Europe Convention 1981 (and Optional Protocol)
  - ‘Adequacy’ under the EU Directive
  - APEC position
  - Export restrictions in other national laws
September 2008 LAWS 3037 Data Surveillance & Information Privacy Law

General resources
- RG ‘Privacy protection in international agreements’
- Lee Bygrave ‘International agreements to protect personal data’, in Rule J and Greenleaf G (Eds) Global Privacy Protection: The First Generation, Edward Elgar, Cheltenham, 2008 (in publication)
  - Included in materials: cited as ‘Bygrave 2008’

Human rights treaties: ICCPR A 17
- International Covenant on Civil and Political Rights 1966
  - A 17 ‘1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence…. 2. Everyone has the right to protection of the law against such interference or attacks’.
  - Not limited to interferences by governments

ICCPR A 17
- Australian reservations
  - Reserves right to legislate to protect ‘national security, public safety, the economic well-being of the country, the protection of public health or morals, or the protection of the rights and freedoms of others’
  - Similar to A 8(2) of ECHR
  - Reservation not relied on in Toonen

ICCPR A 17 - Enforcement
- Direct enforcement of ICCPR A 17
  - Reports to the UN Human Rights Committee
  - Complaints to UNHRC by state parties - a ‘dead letter’
  - Complaints to UNHRC by individuals under 1st Optional Protocol
    - Australia has acceded to the Protocol
    - Cf Hong Kong - UK did not accede to Protocol
    - Aust and NZ only APEC countries to accede?
- Implementation in domestic law
  - No direct application in Australia - indirect effects only
  - Cf Hong Kong - enacted in BORO

A 17 in Australian domestic law
- International treaties are not, as such, part of Australian domestic law until legislated (contra USA, China etc)
- Young v Registrar, Court of Appeal [No 3] (1993) NSW CA (Kirby P and Handley JA)
  - If there is no ambiguity in a domestic law, it prevails in a direct conflict with the international covenant
  - If domestic law is ambiguous, international covenants should guide interpretation.
  - Kruger v Cth (Stolen Children Case) (1997) confirms continuing significance

A 17 in Australian domestic law (2)
- Minister for Immigration & Ethnic Affairs v Teoh (1995) 183 CLR 273
  - application of the UN Convention on the Rights of the Child in respect to a deportation order
  - HCA held there may be a legitimate expectation that officers of the executive government will act in conformity with international treaties pending implementation, in the absence of a statutory or executive statement to the contrary
  - Can give rise to breaches of natural justice if a treaty obligation is not to be adhered to and the person affected is not provided a hearing.

A 17 in Australian domestic law (3)
- Effect of Teoh now largely nullified
  - Executive Statement on the Effects of Treaties in Administrative Decision Making (1997)
    - provides that the act of entering a treaty ‘does not give rise to any legitimate expectations which could form the basis for challenging any administrative decision...’
    - Uncertainties remain…

Compare A 17 effect on HK law
- HK legislation cannot conflict with A 17
  - UK ratified 1976 for UK and HK; PRC accepted;
  - A 39 Basic Law entrenches ICCPR as HK law
- A 14 Bill of Rights Ordinance (BORO)
  - implements A 17 ICCPR
  - s 6 empowers Courts to give remedies for breaches
  - possible right of action for privacy breaches but untested
  - s 7 - BORO only binds public authorities and those acting on their behalf
  - Tam Hing Yee [1992] - BORO does not apply to private relationships even when created by statute - A 14 does not have ‘horizontal effect’

A 17 and 1st Optional Protocol
- 1st Optional Protocol allows complaints (‘communications’) to UN Human Rights Committee by individuals against State parties
- Toonen v Australia [1994] UNHRC 9 (casenote)
  - Tasmanian Criminal Code criminalised all sexual contact between consenting male adults in private
  - UNHRC held Australia in breach of A 17:
    - T was a ‘victim’ despite lack of enforcement due to threat of enforcement and public opinion
    - Adult consensual sex was within ‘privacy’
    - No effective domestic remedy since ICCPR not directly enforceable in Australian law
    - The Tasmanian legislation was ‘arbitrary’ as it was not ‘reasonable’ on public health or moral grounds (Australia did not contest this)

A 17 and 1st Optional Protocol (2)
- UNHRC in Toonen considered repeal of the laws was the proper remedy
  - this eventually occurred, after Federal legislation (relying on the foreign affairs power) made the Tasmanian legislation ineffective
- General Comment 15(32) on A 17 (1989) shows UNHRC considers most information privacy issues come under A 17

A 17 and 1st Optional Protocol (3)
- Few other UNHRC decisions are principally on privacy and A 17 - Search UNHRC for ‘privacy near (A 17 or article 17)’ - Toonen still leading case, few others:
  - Coeriel and Aurik v Netherlands [1994] UNHRC 56 - Refusal to allow change of names to Hindu names (necessary for study for priesthood) was a privacy breach of A 17
  - Hopu and Bessert v France [1997] UNHRC 40: The UNHRC concluded ‘that the construction of a hotel complex on the authors' ancestral burial grounds did interfere with their right to family and privacy. The State party has not shown that this interference was reasonable in the circumstances…’
- When they do arise, they will be relevant to HK because of A 39 and BORO A 14, even though HK is not a party to Protocol
- Cases are relevant to Australia, as it is a party to protocol

Decisions interpreting A 17
- 3 main sources
  - UNHRC decisions on 1st Optional Protocol (already covered)
  - Decisions on European Convention on Human Rights A 8 by European human rights Courts
  - Decisions on A 17 or ECHR A 8 by national courts

Decisions on A 17 - (2)
- European Convention on Human Rights, A 8
  - A 8(2) itemises 7 grounds of exception
  - Considerable case law by European Court of Human Rights
  - search for ‘privacy near (Article 8 or A 8)’ - many cases
- Principles of A 8 jurisprudence (Bygrave 1998)
  - Values of protecting human rights, promoting democracy
  - Creates positive obligations on states to protect privacy
  - Probably covers privacy interference by private bodies
- Some specific principles from cases (Bygrave)
  - Laws/practices allowing secret surveillance may infringe
  - Data of ordinarily trivial character may be used to infringe
  - Exceptions have to be justified in terms of proportionality including any safeguards against abuse

Decisions on A 17 - (3)
- ECHR says ‘this may develop toward a right of informational self-determination’
- Decisions on A 8 ECHR by EU national courts
  - Robertson v Home Office [2001] (UK)
    - Breach of A 8 because the method of providing electoral register to 3rd parties was a disproportionate way to achieve legitimate ends because there was no right to object
    - Shows A 8 can be used against administrative practices even if they are in accordance with law including data protection laws
- Decisions on A 14 BORO by HK courts
  - None significant on privacy as yet

International privacy standards
- 1980’s standards for IPPs & TBDF
  - OECD Guidelines 1980
  - Council of Europe Convention 1981
  - UN Guidelines on Computerized Data Files 1990
- Features of these first-generation agreements
  - Principal aim is to guarantee free data flows between countries adopting minimum standards
  - No case law, only obligations between State parties
- EU privacy Directives (from 1995)
- Regional Asia-Pacific standards
  - APEC Privacy Framework (2004/5)
  - (Draft) Asia-Pacific Telecommunity (APT) standard (2003)

OECD Guidelines 1980
- See Bygrave (2008) for history
- OECD privacy/TBDF Guidelines 1980 - 3 elements:
- (1) Recommended 7 minimum IPPs
  - Strengths - better than 1970s predecessors; (i) introduced ‘finality’; (ii) openness; right to ‘challenge’ data; (iii) covered ‘manual’ as well as ‘automated’ data (cf CoE); (iv) recognises some collection ‘limits’ as well as fairness requirement
  - Weaknesses - (i) collection limits unspecified; (ii) requirement of notice at time of collection ambiguous; (iii) weak use limitation (‘not incompatible’); (iv) no deletion requirement
  - Bygrave (2008) shows numerous points where the CoE Convention goes further than OECD

OECD Guidelines 1980 (2)
- (2) Legitimate restrictions on free flow of personal data
  - To countries which do not ‘substantially observe’ the GLs
  - Where re-export would circumvent domestic legislation
  - If foreign law has no equivalent protection for special data
- OECD allowed data export restrictions, did not require them
- Similar approach to CoE Convention

OECD Guidelines 1980 (3)
- Recommends forms of national implementation
  - ‘appropriate’ domestic legislation (only)
  - ‘adequate sanctions and remedies’ for all breaches
  - ‘ensure there is no unfair discrimination’
    - Is this a ‘no disadvantage’ principle? - EM uninformative
- Conclusions?
  - OECD continues to endorse its 1980 principles
  - Australia promoted OECD guidelines as basis for APEC IPPs, and as the ‘only accepted international standard’
  - Kirby J considers they are now inadequate
  - What have we learnt since 1980?

EU privacy Directive - Basics
- European Union privacy Directive 1995 (RG link)
  - Based on both trade and human rights concerns
- Strongest international restatement of IPPs
  - Some requirements go beyond CoE and OECD
  - All EU member countries were required to revise their national laws to conform to the Directive
- National Courts now a valuable source of case law on interpretation of Directive
  - See EU’s data protection page for resources
  - Eg Robertson [2001] (UK) - shows requirements of Directive can determine interpretation of UK laws
- EU countries must prohibit exports of personal data
  - Major contrast with OECD GLs and CoE Convention

EU’s privacy Principles
- See Directive’s principles (Materials #3 and link below)
  - see Bygrave (2006) for assessment
- Significance of the Directive as IPPs:
  - A stronger requirement on legitimate processing as a precondition
  - Stronger notice rights, including in collection from 3rd parties
  - Requires notice to 3rd party recipients when data is corrected
  - Controls on automated processing (Bygrave: ‘most innovative’)
  - Prior checking (justification) of high risk systems
  - Stronger protection of ‘sensitive’ data categories
  - ‘Onward transfers’ limited to where protection is adequate
- Result: EU Directive stronger than OECD GLs (though clearly a member of the same family)

EU privacy Directive - within EU
- EU often criticised for tolerating variations in IPPs, and weak enforcement, within EU
- European Commission has proposed actions in the European Court of Justice (but they have not yet occurred)
  - vs Germany for inadequate enforcement because the 16 Land (state) Data Protection Commissioners lack independent status required by Art. 28.1 of the EU Data Protection Directive.
  - vs UK for Court interpretations of ‘personal data’ at variance with Directive (Durant case); also appeal to ECHR for breach of A 8 obligations
- Open question as yet whether EU Commission can obtain ‘adequacy’ of the laws of EU member states

EU privacy Directive - 1st review
- EU’s First Report on the Implementation of the Data Protection Directive (2003) (see Bygrave in PLPR (2003)) concluded:
- Amendments premature - Many EU states were slow in implementing
- Achieved main aims
  - free flow within EU
  - ‘high level of protection’ in EU
- Shortcomings
  - Too much divergence in EU national laws
  - Levels of enforcement and compliance too low
  - Data export implementation too variable - either too lax or too bureaucratic in various countries; improvements proposed
  - Many Articles of Directive too difficult to interpret

EU data export restrictions - 3 means of satisfying the Directive
- 3 means of satisfying the EU Directive
  - General ‘adequate level of protection’ under A 25(1)
  - Mandatory exceptions to A 25 (A 25(2))
  - ‘Adequate safeguards’ for particular transactions (A 26)
- EU also considers data export restrictions to be a requirement of ‘adequate’ laws in 3rd countries
  - Australia’s NPP 9 reflects all of these options (see later)
  - How does HK s 33 compare (if and when proclaimed)?

EU data export restrictions: ‘Adequacy’ standard
- EU A 29 Working Party
  - all EU national data protection Commissioners
  - function of advising EU Commission on the level of data protection in 3rd countries
  - Described standards it applies in 1998 (WP 12/1998 - in Materials)
- EU Commission
  - has not elaborated on standards it applies
  - Requires consultant reports to it on 3rd countries to apply WP 12/1998, and consider later developments

Adequacy WP 12/1998 standards (1)
- ‘Content principles’ stress 6 IPPs:
  - Purpose limitation
  - Data quality and proportionality
  - Transparency
  - Security
  - Rights of access, rectification and opposition
  - Restrictions on onward transfers
- Additional principles in appropriate types of processing ((i) sensitive data, (ii) direct marketing and (iii) automated decisions)
- Do the Australian or HK laws provide all these?

Adequacy WP 12/1998 standards (2)
- 3 procedural / enforcement aspects required:
  - Support to individual data subjects (including independent investigation of complaints)
  - Provision of appropriate redress to the injured parties (Directive requires ‘judicial remedies’)
- What is not stressed:
  - Delivery of a good level of compliance
  - Likelihood of damage to EU citizens
  - Assessment of previous Commission decisions (precedents)
- Do the Australian or HK laws provide ‘adequate’ enforcement?

EU data export restrictions: ‘Adequacy’ decisions
- EU Commission decisions on ‘adequacy’ in 3rd countries
  - USA ‘Safe Harbor’ scheme - decision holds adequate (but of very limited scope) - see assessment in Materials #3
  - Canadian Federal law - interim decision holds adequate
  - Argentina - decision holds adequate
  - No decisions yet on NZ, HK, Australia, Korea
- A 29 Committee recommendations re Australia
  - Australian Federal law - A 29 Committee opinion NPPs are not adequate - Australia rejects this - no decision yet - EU Commission now preparing a report on Australian transfer of airline data - At Australia’s request, finds IPPs are adequate in this context
- HK not yet considered by A 29 Committee or EU Commission

Regional data export restrictions
- Export restrictions in non-EU national laws
- Examples in the Asia-Pacific
  - Australian laws have export restrictions (see Topic 12)
    - Cth provisions in force but no cases yet
    - NSW provisions not in force yet
  - HK SAR Ordinance s 33 not yet in force
  - Macau SAR has a strict export restriction
  - Quebec, Taiwan laws have minor restrictions
  - EU has not insisted for US or Canadian adequacy?
- Effect of Asia-Pacific export restrictions?
  - Could have prompted a regional Convention
  - Minimum standards in return for free flow of data (Origin of the OECD and CoE agreements)
  - No enforcement has blunted effect; APEC results

APEC’s Privacy Framework
- APEC initiative 2003-4:
  - ECSG privacy subgroup included numerous ‘economies’;
  - Initially chaired by Australia; significant role by HK, US, Can
  - Framework finalised November 2004 (except Pt IV(B))
  - APEC IPPs, derived from 1980 OECD Guidelines
  - Rejection of EU Directive standards & processes
  - Now see separate Powerpoints on APEC
- Other Asia-Pacific developments
  - Asia-Pacific Privacy Charter Council - civil society alternative standard; no draft available yet
  - Asia-Pacific Telecommunity (APT) privacy guidelines, chaired by KISA (Korea); 2nd draft 2003 (see Greenleaf comparison with APEC, 2003)