International Agreements and Data Export Prohibitions Graham Greenleaf Last Updated September 2008.


September 2008 LAWS 3037 Data Surveillance & Information Privacy Law

Main international sources
1. Privacy in human rights treaties
   - ICCPR A17, ECHR A8
2. Agreements on privacy standards
   - OECD Guidelines 1980
   - Council of Europe Convention 1981 (and Optional Protocol)
   - European Union Directive 1995
   - UN Guidelines on Computerized Data Files 1990
   - APEC Privacy Framework 2004/5
3. Avoiding data export prohibitions
   - OECD Guidelines 1980
   - Council of Europe Convention 1981 (and Optional Protocol)
   - ‘Adequacy’ under the EU Directive
   - APEC position
   - Export restrictions in other national laws

General resources
- RG ‘Privacy protection in international agreements’
- Lee Bygrave ‘International agreements to protect personal data’, in Rule J and Greenleaf G (Eds) Global Privacy Protection: The First Generation, Edward Elgar, Cheltenham, 2008 (in publication)
  - Included in materials: cited as ‘Bygrave 2008’

Human rights treaties - ICCPR A17
- International Covenant on Civil and Political Rights 1966
- A 17 ‘1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence…. 2. Everyone has the right to protection of the law against such interference or attacks’.
- Not limited to interferences by governments

ICCPR A17 Australian reservations
- Reserves right to legislate to protect ‘national security, public safety, the economic well-being of the country, the protection of public health or morals, or the protection of the rights and freedoms of others’
- Similar to A8(2) of ECHR
- Reservation not relied on in Toonen

ICCPR A17 - Enforcement
- Direct enforcement of ICCPR A17
  - Reports to the UN Human Rights Committee
  - Complaints to UNHRC by state parties - a ‘dead letter’
  - Complaints to UNHRC by individuals under 1st Optional Protocol - Australia has acceded to the Protocol
  - Cf Hong Kong - UK did not accede to Protocol
  - Aust and NZ only APEC countries to accede?
- Implementation in domestic law
  - No direct application in Australia - indirect effects only
  - Cf Hong Kong - enacted in BORO

A17 in Australian domestic law
- International treaties are not, as such, part of Australian domestic law until legislated (contra USA, China etc)
- Young v Registrar, Court of Appeal [No 3] (1993) NSW CA (Kirby P and Handley JA)
  - If there is no ambiguity in a domestic law, it prevails in a direct conflict with the international covenant
  - If domestic law is ambiguous, international covenants should guide interpretation.
- Kruger v Cth (Stolen Children Case) (1997) confirms continuing significance

A17 in Australian domestic law (2)
- Minister for Immigration & Ethnic Affairs v Teoh (1995) 183 CLR 273
  - application of the UN Convention on the Rights of the Child in respect to a deportation order
  - HCA held there may be a legitimate expectation that officers of the executive government will act in conformity with international treaties pending implementation, in the absence of a statutory or executive statement to the contrary
  - Can give rise to breaches of natural justice if a treaty obligation is not to be adhered to and the person affected is not provided a hearing.

A17 in Australian domestic law (3)
- Effect of Teoh now largely nullified
- Executive Statement on the Effects of Treaties in Administrative Decision Making (1997) provides that the act of entering a treaty ‘does not give rise to any legitimate expectations which could form the basis for challenging any administrative decision...’
- Uncertainties remain…

Compare A17 effect on HK law
- HK legislation cannot conflict with A17
  - UK ratified 1976 for UK and HK; PRC accepted; A39 Basic Law entrenches ICCPR as HK law
- A14 Bill of Rights Ordinance (BORO) implements A17 ICCPR
  - s6 empowers Courts to give remedies for breaches - possible right of action for privacy breaches but untested
  - s7 - BORO only binds public authorities and those acting on their behalf
  - Tam Hing Yee [1992] - BORO does not apply to private relationships even when created by statute - A14 does not have ‘horizontal effect’

A 17 and 1st Optional Protocol
- 1st Optional Protocol allows complaints (‘communications’) to UN Human Rights Committee by individuals against State parties
- Toonen v Australia [1994] UNHRC 9 (casenote)
  - Tasmanian Criminal Code criminalised all sexual contact between consenting male adults in private
  - UNHRC held Australia in breach of A17:
    - T was a ‘victim’ despite lack of enforcement due to threat of enforcement and public opinion
    - Adult consensual sex was within ‘privacy’
    - No effective domestic remedy since ICCPR not directly enforceable in Australian law
    - The Tasmanian legislation was ‘arbitrary’ as it was not ‘reasonable’ on public health or moral grounds (Australia did not contest this)

A 17 and 1st Optional Protocol (2)
- UNHRC in Toonen considered repeal of the laws was the proper remedy
  - this eventually occurred, after Federal legislation (relying on the foreign affairs power) made the Tasmanian legislation ineffective
- General Comment 15(32) on A17 (1989) shows UNHRC considers most information privacy issues come under A17

A 17 and 1st Optional Protocol (3)
- Few other UNHRC decisions are principally on privacy and A17 - Search UNHRC for ‘privacy near (A17 or article 17)’ - Toonen still leading case, few others:
  - Coeriel and Aurik v Netherlands [1994] UNHRC 56 - Refusal to allow change of names to Hindu names (necessary for study for priesthood) was a privacy breach of A17
  - Hopu and Bessert v France [1997] UNHRC 40: The UNHRC concluded ‘that the construction of a hotel complex on the authors' ancestral burial grounds did interfere with their right to family and privacy. The State party has not shown that this interference was reasonable in the circumstances…’
- When they do arise, they will be relevant to HK because of A39 and BORO A14, even though HK is not a party to Protocol
- Cases are relevant to Australia, as it is a party to protocol

Decisions interpreting A17
- 3 main sources
  - UNHRC decisions on 1st Optional Protocol (already covered)
  - Decisions on European Convention on Human Rights A8 by European human rights Courts
  - Decisions on A17 or ECHR A8 by national courts

Decisions on A17 - (2)
- European Convention on Human Rights, A8
  - A8(2) itemises 7 grounds of exception
  - Considerable case law by European Court of Human Rights - search for ‘privacy near (Article 8 or A8)’ - many cases
- Principles of A8 jurisprudence (Bygrave 1998)
  - Values of protecting human rights, promoting democracy
  - Creates positive obligations on states to protect privacy
  - Probably covers privacy interference by private bodies
- Some specific principles from cases (Bygrave)
  - Laws/practices allowing secret surveillance may infringe
  - Data of ordinarily trivial character may be used to infringe
  - Exceptions have to be justified in terms of proportionality including any safeguards against abuse

Decisions on A17 - (3)
- ECHR says ‘this may develop toward a right of informational self-determination’
- Decisions on A8 ECHR by EU national courts
  - Robertson v Home Office [2001] (UK)
    - Breach of A8 because the method of providing electoral register to 3rd parties was a disproportionate way to achieve legitimate ends because there was no right to object
    - Shows A8 can be used against administrative practices even if they are in accordance with law including data protection laws
- Decisions on A14 BORO by HK courts
  - None significant on privacy as yet

International privacy standards
- 1980’s standards for IPPs & TBDF
  - OECD Guidelines 1980
  - Council of Europe Convention 1981
  - UN Guidelines on Computerized Data Files 1990
- Features of these first-generation agreements
  - Principal aim is to guarantee free data flows between countries adopting minimum standards
  - No case law, only obligations between State parties
- EU privacy Directives (from 1995)
- Regional Asia-Pacific standards
  - APEC Privacy Framework (2004/5)
  - (Draft) Asia-Pacific Telecommunity (APT) standard (2003)

OECD Guidelines 1980
- See Bygrave (2008) for history
- OECD privacy/TBDF Guidelines elements:
- (1) Recommended 7 minimum IPPs
  - Strengths - better than 1970s predecessors; (i) introduced ‘finality’; (ii) openness; right to ‘challenge’ data; (iii) covered ‘manual’ as well as ‘automated’ data (cf CoE); (iv) recognises some collection ‘limits’ as well as fairness requirement
  - Weaknesses - (i) collection limits unspecified; (ii) requirement of notice at time of collection ambiguous; (iii) weak use limitation (‘not incompatible’); (iv) no deletion requirement
  - Bygrave (2008) shows numerous points where the CoE Convention goes further than OECD

OECD Guidelines 1980 (2)
- (2) Legitimate restrictions on free flow of personal data
  - To countries which do not ‘substantially observe’ the GLs
  - Where re-export would circumvent domestic legislation
  - If foreign law has no equivalent protection for special data
- OECD allowed data export restrictions, did not require them
- Similar approach to CoE Convention

OECD Guidelines 1980 (3)
- Recommends forms of national implementation
  - ‘appropriate’ domestic legislation (only)
  - ‘adequate sanctions and remedies’ for all breaches
  - ‘ensure there is no unfair discrimination’
    - Is this a ‘no disadvantage’ principle? - EM uninformative
- Conclusions?
  - OECD continues to endorse its 1980 principles
  - Australia promoted OECD guidelines as basis for APEC IPPs, and as the ‘only accepted international standard’
  - Kirby J considers they are now inadequate
  - What have we learnt since 1980?

EU privacy Directive - Basics
- European Union privacy Directive 1995 (RG link)
- See EU’s data protection page for resources
- Based on both trade and human rights concerns
- Strongest international restatement of IPPs
  - Some requirements go beyond CoE and OECD
- All EU member countries were required to revise their national laws to conform to the Directive
  - National Courts now a valuable source of case law on interpretation of Directive
  - Eg Robertson [2001] (UK) - shows requirements of Directive can determine interpretation of UK laws
- EU countries must prohibit exports of personal data
  - Major contrast with OECD GLs and CoE Convention

EU’s privacy Principles
- See Directive’s principles (Materials #3 and link below)
- see Bygrave (2006) for assessment
- Significance of the Directive as IPPs:
  - A stronger requirement on legitimate processing as a precondition
  - Stronger notice rights, including in collection from 3rd parties
  - Requires notice to 3rd party recipients when data is corrected
  - Controls on automated processing (Bygrave: ‘most innovative’)
  - Prior checking (justification) of high risk systems
  - Stronger protection of ‘sensitive’ data categories
  - ‘Onward transfers’ limited to where protection is adequate
- Result: EU Directive stronger than OECD GLs (though clearly a member of the same family)

EU privacy Directive - within EU
- EU often criticised for tolerating variations in IPPs, and weak enforcement, within EU
- European Commission has proposed actions in the European Court of Justice (but they have not yet occurred)
  - vs Germany for inadequate enforcement because the 16 Land (state) Data Protection Commissioners lack independent status required by Art of the EU Data Protection Directive.
  - vs UK for Court interpretations of ‘personal data’ at variance with Directive (Durant case); also appeal to ECHR for breach of A 8 obligations
- Open question as yet whether EU Commission can obtain ‘adequacy’ of the laws of EU member states

EU privacy Directive - 1st review
- EU’s First Report on the Implementation of the Data Protection Directive (2003) (see Bygrave in PLPR (2003)) concluded:
  - Amendments premature - Many EU states were slow in implementing
  - Achieved main aims
    - free flow within EU
    - ‘high level of protection’ in EU
  - Shortcomings
    - Too much divergence in EU national laws
    - Levels of enforcement and compliance too low
    - Data export implementation too variable - either too lax or too bureaucratic in various countries; improvements proposed
    - Many Articles of Directive too difficult to interpret

EU data export restrictions - 3 means of satisfying the Directive
- 3 means of satisfying the EU Directive
  - General ‘adequate level of protection’ under A25(1)
  - Mandatory exceptions to A25 (A25(2))
  - ‘Adequate safeguards’ for particular transactions (A26)
- EU also considers data export restrictions to be a requirement of ‘adequate’ laws in 3rd countries
- Australia’s NPP 9 reflects all of these options (see later)
- How does HK s33 compare (if and when proclaimed)?

EU data export restrictions - ‘Adequacy’ standard
- EU A29 Working Party
  - all EU national data protection Commissioners
  - function of advising EU Commission on the level of data protection in 3rd countries
  - Described standards it applies in 1998 (WP 12/1998, in Materials)
- EU Commission has not elaborated on standards it applies
  - Requires consultant reports to it on 3rd countries to apply WP 12/1998, and consider later developments

Adequacy - WP 12/1998 standards (1)
- ‘Content principles’ stress 6 IPPs:
  - Purpose limitation
  - Data quality and proportionality
  - Transparency
  - Security
  - Rights of access, rectification and opposition
  - Restrictions on onward transfers
- Additional principles in appropriate types of processing ((i) sensitive data, (ii) direct marketing and (iii) automated decisions)
- Do the Australian or HK laws provide all these?

Adequacy - WP 12/1998 standards (2)
- 3 procedural / enforcement aspects required:
  - Delivery of a good level of compliance
  - Support to individual data subjects (including independent investigation of complaints)
  - Provision of appropriate redress to the injured parties (Directive requires ‘judicial remedies’)
- What is not stressed:
  - Likelihood of damage to EU citizens
  - Assessment of previous Commission decisions (precedents)
- Do the Australian or HK laws provide ‘adequate’ enforcement?

EU data export restrictions - ‘Adequacy’ decisions
- EU Commission decisions on ‘adequacy’ in 3rd countries
  - USA ‘Safe Harbor’ scheme - decision holds adequate (but of very limited scope) - see assessment in Materials #3
  - Canadian Federal law - interim decision holds adequate
  - Argentina - decision holds adequate
  - No decisions yet on NZ, HK, Australia, Korea
- A29 Committee recommendations re Australia
  - Australian Federal law - A29 Committee opinion NPPs are not adequate - Australia rejects this - no decision yet - EU Commission now preparing a report on Australia
  - Australian transfer of airline data - At Australia’s request, finds IPPs are adequate in this context
- HK not yet considered by A29 Committee or EU Commission

Regional data export restrictions
- Export restrictions in non-EU national laws
- Examples in the Asia-Pacific
  - Australian laws have export restrictions (see Topic 12)
    - Cth provisions in force but no cases yet
    - NSW provisions not in force yet
  - HK SAR Ordinance s33 not yet in force
  - Macau SAR has a strict export restriction
  - Quebec, Taiwan laws have minor restrictions
  - EU has not insisted for US or Canadian adequacy?
- Effect of Asia-Pacific export restrictions?
  - Could have prompted a regional Convention
  - Minimum standards in return for free flow of data (Origin of the OECD and CoE agreements)
  - No enforcement has blunted effect; APEC results

APEC’s Privacy Framework
- APEC initiative: ECSG privacy subgroup included numerous ‘economies’; Initially chaired by Australia; significant role by HK, US, Can
- Framework finalised November 2004 (except Pt IV(B))
- APEC IPPs, derived from 1980 OECD Guidelines
- Rejection of EU Directive standards & processes
- Now see separate Powerpoints on APEC
- Other Asia-Pacific developments
  - Asia-Pacific Privacy Charter Council - civil society alternative standard; no draft available yet
  - Asia-Pacific Telecommunity (APT) privacy guidelines, chaired by KISA (Korea); 2nd draft 2003 (see Greenleaf comparison with APEC, 2003)