390 likes | 483 Views
Pitfalls in the complaints process: a privacy advocate's perspective. Graham Greenleaf Professor of Law, UNSW, and Co-Director, Baker & McKenzie Cyberspace Law and Policy Centre Copy available at < http://www2.austlii.edu.au/~graham/ >
E N D
Pitfalls in the complaints process: a privacy advocate's perspective Graham Greenleaf Professor of Law, UNSW, and Co-Director, Baker & McKenzie Cyberspace Law and Policy Centre Copy available at <http://www2.austlii.edu.au/~graham/> Privacy Complaints:How to Win for Your Client (Making privacy laws work) Baker Cyberlaw Centre Seminar 4/12/03
Some pitfalls under the Commonwealth & NSW Acts • Who decides remedies? • What rights of appeal are there? • Does anyone get a remedy? • Is the law enforced, or is it a joke? • What law is applied? • Are cases reported? • Is the law applied the same? • The widening divergence Baker Cyberlaw Centre Seminar 4/12/03
Objectives in enforcement • A means of individual redress; • low-cost and non-public • Appropriate range of remedies, such as: • Access to and correction of records; • compensatory damages; • injunctions or orders to enforce compliance; • Criminal penalties for serious/repeated breaches • Judicial review of administrative errors; • Appeals by either party to the Courts • Preventative/educative powers of PCO, such as: • Audits of data users; • Privacy Impact Assessments (PIAs) on new proposals • Power to require reports on existing practices Baker Cyberlaw Centre Seminar 4/12/03
Complaint resolution - Overview - Cth Act • Investigation - public and private sectors • Complaints only re ‘interferences with privacy’: breaches of NPPs, IPPs etc (s36) • Representative complaints possible (s36(2), s38 - s39) • ‘Own motion’ investigations possible (s40(2) • Comm must not investigate unless complaint first made to respondent, unless inappropriate (s40(1A)) • Comm can refuse / close / defer investigation (s41) • ‘not an interference’ (a); ‘lacking in substance’ (d) • Another law ‘provides a more appropriate remedy’ (s41(1)(f)) • Respondent has dealt edequately with complaint (s41(2)(a)) • If Comm is considering a s52 determination, must give both parties the opportunity of a hearing (s43(5)) • Comm’s extensive powers to investigate (ss44-47) Baker Cyberlaw Centre Seminar 4/12/03
Complaint resolution - Overview - Cth Act (2) • Determinations under s52 • Possible determinations • Dismissing complaint (not used - s41 instead) • That conduct should not be repeated • Performance of reasonable acts; compensation • ‘correction, deletion or addition to a record’ • Can compensate ‘feelings or humiliation’ • Reimbursement for ‘expenses reasonable incurred’ • Practice so far: determinations made public • But they don’t occur Baker Cyberlaw Centre Seminar 4/12/03
Complaint resolution - Overview - Cth Act (3) • Enforcement of s52 determinations • S55 - respondent must comply with determination • s55A - if respondent does not comply, must proceed de novo in Fed Ct / Mag Ct for enforcement • Evidence before Commissioner is admissable • s55B - Certified copy of Comm’s determination is prima facie evidence of facts found by him • Onus is on respondent to rebut facts • Onus is still on complainant to show breach of IPP/NPP • Is this biased in favour of respondents? Baker Cyberlaw Centre Seminar 4/12/03
Complaint resolution - Overview - NSW Act • Basic point: Only ‘Part 5’ complaints to agencies can lead to the ADT and enforceable remedies • Investigation of complaints by Commissioner • Commissioner can investigate any complaint (IPP or ‘non-IPP’) • can only conciliate and make recommendations (s49) (like old Privacy Committee) • For complainant to get to ADT, must first seek internal review by agency under Pt 5 • Commissioner can appear in ADT hearings (and does) • has extensive powers, including compulsory conferences (s49) • May investigate ‘own motion’ complaints (s45 ‘or by’) Baker Cyberlaw Centre Seminar 4/12/03
Complaint resolution - Overview - NSW Act (2) • Pt 5 complaints - internal review and ADT • Applicant must seek review of conduct by agency (s53) • Agency must conduct internal but independent review (s53(4)) and consider provision of the full range of remedies (7) • Agency must inform Comm of review and its progress, and accept submissions from him (s54) • Dissatisfied applicant may apply to ADT for review (s55) • ADT may award damages to $40,000 and other remedies • Commissioner can appear in ADT hearings (and does) • Either party may apply to ADT Appeal Panel for further review Baker Cyberlaw Centre Seminar 4/12/03
Remedies • Compensation • Access to and correction of records; • Injunctions or orders to enforce compliance; • Criminal penalties Baker Cyberlaw Centre Seminar 4/12/03
Injunctions and compliance orders • Injunctions - Cth public sector, private sector • Privacy Act 1988 s98 allows ‘any person’, including Comm, to seek injunction to enforce IPPs and NPPs • Risk of costs against, and damages particularly in the case of interim injunctions • Cth Comm s52 determinations are a form of compliance notice • NSW - only the ADT can make orders • Vic - Comm can serve compliance notice on an organisation • but only if ‘flagrant’ or repeated breaches Baker Cyberlaw Centre Seminar 4/12/03
Criminal offences • Cth • Public sector and private sector enforcement does not involve significant criminal enforcement • Part IIIA credit reporting does involve offences • NSW PPIPA ss62-s63 • offences of corrupt disclosure and use of personal information by public officials • offence of offer to supply personal information disclosed unlawfully • Cth and NSW cybercrime legislation relevant Baker Cyberlaw Centre Seminar 4/12/03
Black hole #1: Complaint outcomes - Does anyone get a remedy? This is from an earlier broader study • Sources of evidence available? • √ Annual Reports - only public source • examined 01/02; some 00/01 • ? websites? - could extract from reported cases (have not) - should provide continuous data • ? FOI requests? - ‘document’ available? (have not done) • Only some jurisdictions considered • Privacy Comms - Australian Fed; NSW ; HK; NZ; Canada • Information Commissioners not considered - mainly access, some correction, some broader Baker Cyberlaw Centre Seminar 4/12/03
Outcomes - Australian Fed PC • 2000-01 AR included some outcome stats • 133 closed complaints; uncertain % breaches found • 9 cases in AR involved $52,000 compensation • No information about other remedies • 2001-02 Annual Report - no statistics! • Complaints tripled with private sector coverage (611) • AR contains summaries of 11 complaints, of which one resulted in $5000 compensation • No statistics given of complaint outcomes at all Baker Cyberlaw Centre Seminar 4/12/03
Outcomes - Australian Fed PC (2) • 2002-2003 Annual Report • 225 breaches of the Act found • NPPs 127; IPPs35; Pt IIIA 63 • No specific details of remedies, just a few vague comments • not even compensation total as in 2000/1 • No example cases (replaced by 2 per month on web) • No details of complaints dismissed (and no use of s52) • Is everybody happy? • All breaches found were ‘adequately dealt with’ (in the Commissioner’s view) • One genuine s52 determinations in 15 years (2003) • No appeal right; No substantive case on the Act ever before a Court for judicial review Baker Cyberlaw Centre Seminar 4/12/03
Outcomes - NSW PC • Annual Report 1999-2000 (most recent) • Before new Act commenced (1/7/00) • No statistics or complaint resolutions yet under new Act • still relevant to ‘non-IPP’ complaints • 4 complaint resolutions summarised • ‘Quick Stats’ 2000-03 provided on web • In 2002/3, 219 complaints, and 39 internal reviews, finalised • No statistics of complaint mediation outcomes • No complaint mediation case-studies • Reviews by the NSW ADT (enforceable) • 49 cases lodged with ADT (37 in 2003) • 15 decided & reported as yet - 15 more than the Cth! Baker Cyberlaw Centre Seminar 4/12/03
Outcomes - Hong Kong PC • PC Annual Report 2000/01 (01/02 is similar) • 789 complaints (up 39%); • 68% vs private sector;14% vs government;18% vs 3rd Ps • Over 50% allege breaches of DPP 3 (use) • 52 formally investigated (14% of 531 finalised) • 26 (50%) found to involve contravention of PD(P)O • 10 warning notices; 12 enforcement notices - but no idea what actions required, or what results • 4 referals to Police for prosecution but in 3 Police found insufficient evidence; one unresolved • Not one HK $1 compensation paid under s66; • any by mediation? A Rep does not say Baker Cyberlaw Centre Seminar 4/12/03
Comparison - 4 PCs Annual Reports • ‘Will I get a remedy - and if so, what?’ is largely unanswered - evidence is not there • Some evidence of the % of successful complainants • Little evidence of what remedies result • Compensation? - a few examples from Aus and NZ • All of the PCs are below ‘best practice’ • A systematic and comparable standard of reporting is needed • Asia-Pacific PCs could develop standards Baker Cyberlaw Centre Seminar 4/12/03
Will I get a remedy? Evidence from Privacy Commissioners Annual Reports 2001/02(see web page for explanatory notes) √= yes; ?= can’t tell
Black hole #2: Publication of Commissioners’ decisions • For detailed criticisms of reporting practices: • Greenleaf ‘Reforming reporting of privacy cases’ <http://www2.austlii.edu.au/~graham/publications/2003/Reforming_reporting/> • Bygrave ‘Where have all the judges gone?’ (2000) • European Commissioners were little better - improved? • Why reporting of Commissioners is needed • Few court decisions means Commissioners’ views in complaint resolutions are the de facto law • Identifying non-compliance is more valuable (and difficult) that ‘feel good’ exhortations to comply Baker Cyberlaw Centre Seminar 4/12/03
Publication - Importance • Publication is possible • Requires anonymisation in most cases • Exceptions should not be the rule • Adverse consequences of lack of availability • Interpretation unknown to parties / legal advisers • No privacy jurisprudence is possible • Past remedies (‘tariff’) unknown • Privacy remains ‘Cinderalla’ of legal practice • Deficiences in laws do not become apparent • Commissioners can ‘bury their mistakes’ • Justice is not seen to be done • Deterrent effect is lost • No accountability for high public expenditure Baker Cyberlaw Centre Seminar 4/12/03
Publication - Australian Federal Privacy Commissioner • AnRep had a few small ‘media grab’ summaries • No other mediation details published 1988-2002 • Comm avoids making binding Determinations (2 1993, 1 2003) despite powers to do so • Dismisses matters under s40 - publication not required • Since Dec 2002, 13 useful summaries of mediations and determinations published on web • 2x2002, 11x2003 (+ 2x1993, 1x2003 determinations) • Rate id only 1.1 per month - not 2/month as planned Baker Cyberlaw Centre Seminar 4/12/03
Publication - Australian Federal Privacy Commissioner (2) • Any Federal Court decisions would be on AustLII (but there are none of relevance) • No right of appeal to complainants • Respondents have de facto right of appeal by refusing to comply with determination - de novo hearing in Federal Court - biased and unfair • How would complainants react to this? • Judicial review (ADJR) is possible • How many complainants are aware? • How many could afford this? Baker Cyberlaw Centre Seminar 4/12/03
Publication - NSW Privacy Commissioner • No mediated complaint summaries • No Annual Report since new Act • Privacy NSW says it intends to publish them • Internal review results also needed • ADT decisions • 49 cases lodged with ADT (37 in 2003) • 15 decided & reported as yet - compare Cth! • Decisions are on LawLink and AustLII • Privacy NSW also prepares summaries (also on AustLII) Baker Cyberlaw Centre Seminar 4/12/03
Publication - HK P Comm • Complaint summaries on website only to 1998 • Only 6 (01/02) or 8 (00/01)overly brief complaint summaries in AnRep - about 0.5 per month • No systematic reporting of significant complaints • Cases before other tribunals • AAB complaint summaries are in AnRep, but not on website; AAB cases not available on Internet • No reporting of s66 cases in AnRep or website - There is only one such case Baker Cyberlaw Centre Seminar 4/12/03
Publication - NZ P Comm • Av 2 per month (03) reasonably detailed mediation summaries on website • Selection criteria uncertain • Website gives few details of cases on appeal or their outcome; not available elsewhere on web; P Comm publishes occasional compendiums • Overall, difficult for most people to get an overall view of the law Baker Cyberlaw Centre Seminar 4/12/03
Publication - Canadian PC • Av 5 detailed PIPEDA case mediation summaries per month on website • best practice of PCs, but not Info Comms • Few Privacy Act cases on website, but usually 12 or so in AnnRep • Summaries of cases before Courts are in AnnRep (but not linked to mediation summaries) - difficult to obtain overview Baker Cyberlaw Centre Seminar 4/12/03
Publication - 7 recommendations • More reporting than 2/month (% goal) • statistics on reported / resolved ratio • Publicly stated criteria of seriousness • confirmation of adherence in each AnRep • Complainants can elect to be named • In default, name public sector respondents; private sector respondents only exceptionally • Report sufficient detail for a full understanding of legal issues, and the adequacy of the remedy • Report regularly rather than in periodic batches • 'One stop' reporting including reviews of Commissioner’s decisions • Encourage 3rd-P re-publication + citation standards Baker Cyberlaw Centre Seminar 4/12/03
Publication - A central location <http://www.worldlii.org/int/special/privacy/> • Privacy & FOI Law Project = All specialist privacy and/or FOI databases located on any Legal Information Institute (LII) • Current coverage (all searchable in one search) • Australian Federal Privacy Commissioner Cases (AustLII) • New South Wales Privacy Commissioner ADT summaries (AustLII) • Canadian Privacy Commissioner Cases (CanLII) • New Zealand Privacy Commissioner Cases (AustLII) • Nova Scotia FOI & Privacy Review Office (CanLII) • Queensland Information Comm. Decisions (AustLII) • Western Australian Information Commissioner (AustLII) • Privacy Law & Policy Reporter (AustLII) • EPIC ALERT (WorldLII) • More are being added Baker Cyberlaw Centre Seminar 4/12/03
A seach for ‘disclos* near medical’ Baker Cyberlaw Centre Seminar 4/12/03
Widening divergence in public sector privacy laws • Variations so far • Commonwealth / ACT - IPPs • NSW - NSW IPPs • Vic & NT (and private sector) - NPPs • Superficial similarities in aims • All based on life-cycle of information • Significant differences in details • Little case law except new NSW cases - major differences already emerging • NSW caselaw shows how quickly the Acts can diverge once Courts interpret them Baker Cyberlaw Centre Seminar 4/12/03
Examples and recent cases • Collection from the data subject • DO v University of New South Wales [2002] NSWADT 211; [2003] NSW ADTAP 9 • Consent exception to disclosure- express or implied • Macquarie University v FM [2003] NSWADTAP 43 • Minimal collection - anonymity • Wykanak v Dept Local Govt [2002] NSWADT 208 • FH v NSW Dept Corrective Services [2003] NSWADT 72 • Are records required before Acts apply? • Macquarie University v FM [2003] NSWADTAP 43 Baker Cyberlaw Centre Seminar 4/12/03
Collection from the data subject • Some laws require collection from the data subject, but they differ considerably • Cth IPPs impose no obligation to do collect from the individual, no consent needed to collect from 3rd Ps • NPP 1.4 requires collection only from individual ‘if it is reasonable and practicable to do so’ • NSW s9 (IPP 2) requires collection directly from individual unless • 3rd P collection is authorised by the individual; or • Provided by parent/guardian if under 16 • DO v University of New South Wales [2002] NSWADT 211 • UNSW did have authorisation to collect from 3rd Ps • Iillustrates risks under NSW Act • It is OK to ‘double check’ with a 3rd P - collection from both • GV v DPP[2003] NSWADT 177 • DPP obtained a more detailed medical certificate from doctor than patient’s consent allowed - breach of IPP 2 (subpoena may have avoided this) • But the s23(2) exemption for collection in connection with court proceeedings applied Baker Cyberlaw Centre Seminar 4/12/03
Consent exception to disclosure • Cth IPPs and NPPs - implied consent • ‘express consent or implied consent’ (Cth PA s6, also Vic) • Consent must also be informed ( meaning of ‘consent’) • Can consent be implied from failure to opt out? • NSW s26(2) requires express consent • Failure to opt out could never be good enough • Macquarie University v FM [2003] NSWADTAP 43 • Consent to UNSW to collect transcript from UNSW was implied consent to Macquarie to disclose it, but that is not express consent • The agency disclosing must go to the individual concerned and ask • Cf NZ requires ‘authorization’ • NZ Courts (L v J, L v L) have held this includes implied authorizations (see Roth article) Baker Cyberlaw Centre Seminar 4/12/03
Minimal collection - anonymity • NPP 8 - ‘Wherever lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation’ - no direct NSW equiv. • Is it a breach to build systems which make anonymity impracticable? Does NPP8 require anonymity to be ‘designed in’? • FH v NSW Dept Corrective Services [2003] NSWADT 72 - • Equivocal on whether breach of security principle where it would cost millions for Dept to change system to log accesses • Wykanak v Dept Local Govt [2002] NSWADT 208 (summary) • ADT could not review a complaint of an anticipated breach of a NSW IPP • Compare Cth IPPs or NPPs - s98 Injunctions available where ‘a person … is proposing to engage in any conduct that … would constitute a contravention of this Act’ Baker Cyberlaw Centre Seminar 4/12/03
'Records' / 'documents’ • Significance in Commonwealth Privacy Act • Cth IPPs all require information in ‘records’ or a ‘generally available publication’ • NPPs don’t, but s16B has same effect • One of the dividing lines between information privacy and surveillance laws • Problems - compare Cth and NSW results • Interview with no notes taken • CCTV with no film • Listening device with no recording Baker Cyberlaw Centre Seminar 4/12/03
'Records' / 'documents’ (2) • Other jurisdictions requiring records / documents • Victoria • S3 definition ‘personal information’ - ‘means information … that is recorded in any form …’ • Northern Territory • S4 definition ‘personal information’ means ‘government information from which …’ • S4 definition ‘government information’ means ‘a record held …’ • Hong Kong • s2 definition 'data' is only 'any representation of information, in any document'. • 'document' includes disks, film etc from which visual images or other data are 'capable ...of being reproduced’ Baker Cyberlaw Centre Seminar 4/12/03
'Records' / 'documents’ (3) • New South Wales - the odd one out • S4 defn ‘personal information’ means ‘information or an opinion (….whether or not recorded in a material form) …’ - cannot imply a record from the definition • NSW IPPs all refer to ‘personal information’ (contrast Cth IPPs require ‘in a record’) • No equivalent to Cth s16B re NPPs • All NSW IPPs therefore apply to all personal information whether or not it is ever recorded • IPPs only require that agency must ‘collect’ or ‘hold’ personal information • However, New Zealand Privacy Act 1993 (s2 "Personal information") does not limit most of its IPPs to records or documents Baker Cyberlaw Centre Seminar 4/12/03
'Records' / 'documents’ (4) • Macquarie University v FM [2003] NSWADTAP 43 • Upheld approach taken in Macquarie University v FM [2003] NSWADT 78 • S18 breach by Macq’s disclosure to UNSW of information in 2 telephone conversations • Information was observations of FM and opinions about him • The information was never recorded by Macq • Held - Was ‘personal information’ even though FM’s behaviour was observed by others • Held - Info was ‘held’ in the mind of Macq staff • s4(4) defines ‘held’ as ‘possession or control’ • ‘Possess’ must include ‘in the mind’ for non-material information • Order - Macq staff must not disclose any information in their minds about students, unless s18 exemption applies Baker Cyberlaw Centre Seminar 4/12/03