
Baker Cyberlaw Centre Seminar 4/12/03

Pitfalls in the complaints process: a privacy advocate's perspective

Graham Greenleaf
Professor of Law, UNSW, and Co-Director, Baker & McKenzie Cyberspace Law and Policy Centre

Copy available at <http://www2.austlii.edu.au/~graham/>

Privacy Complaints: How to Win for Your Client
(Making privacy laws work)

Some pitfalls under the Commonwealth & NSW Acts
• Who decides remedies?
• What rights of appeal are there?
• Does anyone get a remedy?
• Is the law enforced, or is it a joke?
• What law is applied?
• Are cases reported?
• Is the law applied the same?
• The widening divergence

Objectives in enforcement
• A means of individual redress; low-cost and non-public
• Appropriate range of remedies, such as:
  • Access to and correction of records;
  • compensatory damages;
  • injunctions or orders to enforce compliance;
  • Criminal penalties for serious/repeated breaches
• Judicial review of administrative errors; Appeals by either party to the Courts
• Preventative/educative powers of PCO, such as:
  • Audits of data users;
  • Privacy Impact Assessments (PIAs) on new proposals
  • Power to require reports on existing practices

Complaint resolution - Overview - Cth Act
Investigation - public and private sectors
• Complaints only re ‘interferences with privacy’: breaches of NPPs, IPPs etc (s36)
• Representative complaints possible (s36(2), s38 - s39)
• ‘Own motion’ investigations possible (s40(2))
• Comm must not investigate unless complaint first made to respondent, unless inappropriate (s40(1A))
• Comm can refuse / close / defer investigation (s41)
  • ‘not an interference’ (a); ‘lacking in substance’ (d)
  • Another law ‘provides a more appropriate remedy’ (s41(1)(f))
  • Respondent has dealt adequately with complaint (s41(2)(a))
• If Comm is considering a s52 determination, must give both parties the opportunity of a hearing (s43(5))
• Comm’s extensive powers to investigate (ss44-47)

Complaint resolution - Overview - Cth Act (2)
Determinations under s52
• Possible determinations
  • Dismissing complaint (not used - s41 instead)
  • That conduct should not be repeated
  • Performance of reasonable acts; compensation
  • ‘correction, deletion or addition to a record’
  • Can compensate ‘feelings or humiliation’
  • Reimbursement for ‘expenses reasonably incurred’
• Practice so far: determinations made public
  • But they don’t occur

Complaint resolution - Overview - Cth Act (3)
Enforcement of s52 determinations
• s55 - respondent must comply with determination
• s55A - if respondent does not comply, must proceed de novo in Fed Ct / Mag Ct for enforcement
  • Evidence before Commissioner is admissible
• s55B - Certified copy of Comm’s determination is prima facie evidence of facts found by him
  • Onus is on respondent to rebut facts
  • Onus is still on complainant to show breach of IPP/NPP
• Is this biased in favour of respondents?

Complaint resolution - Overview - NSW Act
• Basic point: Only ‘Part 5’ complaints to agencies can lead to the ADT and enforceable remedies
• Investigation of complaints by Commissioner
  • Commissioner can investigate any complaint (IPP or ‘non-IPP’)
  • can only conciliate and make recommendations (s49) (like old Privacy Committee)
  • For complainant to get to ADT, must first seek internal review by agency under Pt 5
  • Commissioner can appear in ADT hearings (and does)
  • has extensive powers, including compulsory conferences (s49)
  • May investigate ‘own motion’ complaints (s45 ‘or by’)

Complaint resolution - Overview - NSW Act (2)
Pt 5 complaints - internal review and ADT
• Applicant must seek review of conduct by agency (s53)
• Agency must conduct internal but independent review (s53(4)) and consider provision of the full range of remedies (7)
• Agency must inform Comm of review and its progress, and accept submissions from him (s54)
• Dissatisfied applicant may apply to ADT for review (s55)
  • ADT may award damages to $40,000 and other remedies
  • Commissioner can appear in ADT hearings (and does)
• Either party may apply to ADT Appeal Panel for further review

Remedies
• Compensation
• Access to and correction of records;
• Injunctions or orders to enforce compliance;
• Criminal penalties

Injunctions and compliance orders
• Injunctions - Cth public sector, private sector
  • Privacy Act 1988 s98 allows ‘any person’, including Comm, to seek injunction to enforce IPPs and NPPs
  • Risk of costs against, and damages, particularly in the case of interim injunctions
• Cth Comm s52 determinations are a form of compliance notice
• NSW - only the ADT can make orders
• Vic - Comm can serve compliance notice on an organisation but only if ‘flagrant’ or repeated breaches

Criminal offences
• Cth
  • Public sector and private sector enforcement does not involve significant criminal enforcement
  • Part IIIA credit reporting does involve offences
• NSW PPIPA ss62-63
  • offences of corrupt disclosure and use of personal information by public officials
  • offence of offer to supply personal information disclosed unlawfully
• Cth and NSW cybercrime legislation relevant

Black hole #1: Complaint outcomes - Does anyone get a remedy?
• This is from an earlier broader study
• Sources of evidence available?
  • √ Annual Reports - only public source examined; 01/02, some 00/01
  • ? websites? - could extract from reported cases (have not) - should provide continuous data
  • ? FOI requests? - ‘document’ available? (have not done)
• Only some jurisdictions considered
  • Privacy Comms - Australian Fed; NSW; HK; NZ; Canada
  • Information Commissioners not considered - mainly access, some correction, some broader

Outcomes - Australian Fed PC
• 2000-01 AR included some outcome stats
  • 133 closed complaints; uncertain % breaches found
  • 9 cases in AR involved $52,000 compensation
  • No information about other remedies
• 2001-02 Annual Report - no statistics!
  • Complaints tripled with private sector coverage (611)
  • AR contains summaries of 11 complaints, of which one resulted in $5000 compensation
  • No statistics given of complaint outcomes at all

Outcomes - Australian Fed PC (2)
• 2002-2003 Annual Report
  • 225 breaches of the Act found: NPPs 127; IPPs 35; Pt IIIA 63
  • No specific details of remedies, just a few vague comments; not even compensation total as in 2000/1
  • No example cases (replaced by 2 per month on web)
  • No details of complaints dismissed (and no use of s52)
• Is everybody happy?
  • All breaches found were ‘adequately dealt with’ (in the Commissioner’s view)
  • One genuine s52 determination in 15 years (2003)
  • No appeal right; No substantive case on the Act ever before a Court for judicial review

Outcomes - NSW PC
• Annual Report 1999-2000 (most recent)
  • Before new Act commenced (1/7/00)
  • No statistics or complaint resolutions yet under new Act
  • still relevant to ‘non-IPP’ complaints
  • 4 complaint resolutions summarised
• ‘Quick Stats’ 2000-03 provided on web
  • In 2002/3, 219 complaints, and 39 internal reviews, finalised
  • No statistics of complaint mediation outcomes
  • No complaint mediation case-studies
• Reviews by the NSW ADT (enforceable)
  • 49 cases lodged with ADT (37 in 2003)
  • 15 decided & reported as yet - 15 more than the Cth!

Outcomes - Hong Kong PC
• PC Annual Report 2000/01 (01/02 is similar)
  • 789 complaints (up 39%); 68% vs private sector; 14% vs government; 18% vs 3rd Ps
  • Over 50% allege breaches of DPP 3 (use)
  • 52 formally investigated (14% of 531 finalised)
  • 26 (50%) found to involve contravention of PD(P)O
  • 10 warning notices; 12 enforcement notices - but no idea what actions required, or what results
  • 4 referrals to Police for prosecution but in 3 Police found insufficient evidence; one unresolved
  • Not one HK $1 compensation paid under s66; any by mediation? A Rep does not say

Comparison - 4 PCs Annual Reports
• ‘Will I get a remedy - and if so, what?’ is largely unanswered - evidence is not there
  • Some evidence of the % of successful complainants
  • Little evidence of what remedies result
  • Compensation? - a few examples from Aus and NZ
• All of the PCs are below ‘best practice’
• A systematic and comparable standard of reporting is needed
  • Asia-Pacific PCs could develop standards

Will I get a remedy? Evidence from Privacy Commissioners Annual Reports 2001/02 (see web page for explanatory notes)
√ = yes; ? = can’t tell

| | Aus | NZ | HK | Can |
| Complaints opened/complete | √ / √ | √ / √ | √ / √ | √ / √ |
| Type of complaint/respondent | ? (√ / √) | √ / √ | √ / √ | √ / √ |
| Respondent name (‘Top 10’) | ? (no) | √ | no | √ |
| % formal finding | 0% (0%) | 8% | 10% | 72% |
| % found breaches - mediated / awarded | ? (√ / √) (? / -) | ? / ? | √ / √ 25 / 46 | √ / √ 59 / 63 |
| % success in Court | N/A | √ (0%) | ? | ? |
| Remedies - mediated / awarded | ? (31 / 0) | ? / ? 4 egs | ? / ? | ? / ? |
| Damages - mediated / awarded | ? (9 / 0) | ? / ? 4 egs | ? / 0 | ? / ? |

Black hole #2: Publication of Commissioners’ decisions
• For detailed criticisms of reporting practices:
  • Greenleaf ‘Reforming reporting of privacy cases’ <http://www2.austlii.edu.au/~graham/publications/2003/Reforming_reporting/>
  • Bygrave ‘Where have all the judges gone?’ (2000) - European Commissioners were little better - improved?
• Why reporting of Commissioners is needed
  • Few court decisions means Commissioners’ views in complaint resolutions are the de facto law
  • Identifying non-compliance is more valuable (and difficult) than ‘feel good’ exhortations to comply

Publication - Importance
• Publication is possible
  • Requires anonymisation in most cases
  • Exceptions should not be the rule
• Adverse consequences of lack of availability
  • Interpretation unknown to parties / legal advisers
  • No privacy jurisprudence is possible
  • Past remedies (‘tariff’) unknown
  • Privacy remains ‘Cinderella’ of legal practice
  • Deficiencies in laws do not become apparent
  • Commissioners can ‘bury their mistakes’
  • Justice is not seen to be done
  • Deterrent effect is lost
  • No accountability for high public expenditure

Publication - Australian Federal Privacy Commissioner
• AnRep had a few small ‘media grab’ summaries
• No other mediation details published 1988-2002
• Comm avoids making binding Determinations (2 in 1993, 1 in 2003) despite powers to do so
• Dismisses matters under s40 - publication not required
• Since Dec 2002, 13 useful summaries of mediations and determinations published on web
  • 2 x 2002, 11 x 2003 (+ 2 x 1993, 1 x 2003 determinations)
  • Rate is only 1.1 per month - not 2/month as planned

Publication - Australian Federal Privacy Commissioner (2)
• Any Federal Court decisions would be on AustLII (but there are none of relevance)
• No right of appeal to complainants
  • Respondents have de facto right of appeal by refusing to comply with determination - de novo hearing in Federal Court - biased and unfair
  • How would complainants react to this?
• Judicial review (ADJR) is possible
  • How many complainants are aware? How many could afford this?

Publication - NSW Privacy Commissioner
• No mediated complaint summaries
  • No Annual Report since new Act
  • Privacy NSW says it intends to publish them
  • Internal review results also needed
• ADT decisions
  • 49 cases lodged with ADT (37 in 2003)
  • 15 decided & reported as yet - compare Cth!
  • Decisions are on LawLink and AustLII
  • Privacy NSW also prepares summaries (also on AustLII)

Publication - HK P Comm
• Complaint summaries on website only to 1998
• Only 6 (01/02) or 8 (00/01) overly brief complaint summaries in AnRep - about 0.5 per month
• No systematic reporting of significant complaints
• Cases before other tribunals
  • AAB complaint summaries are in AnRep, but not on website; AAB cases not available on Internet
  • No reporting of s66 cases in AnRep or website - There is only one such case

Publication - NZ P Comm
• Av 2 per month (03) reasonably detailed mediation summaries on website
  • Selection criteria uncertain
• Website gives few details of cases on appeal or their outcome; not available elsewhere on web; P Comm publishes occasional compendiums
• Overall, difficult for most people to get an overall view of the law

Publication - Canadian PC
• Av 5 detailed PIPEDA case mediation summaries per month on website
  • best practice of PCs, but not Info Comms
• Few Privacy Act cases on website, but usually 12 or so in AnnRep
• Summaries of cases before Courts are in AnnRep (but not linked to mediation summaries) - difficult to obtain overview

Publication - 7 recommendations
• More reporting than 2/month (% goal)
  • statistics on reported / resolved ratio
• Publicly stated criteria of seriousness
  • confirmation of adherence in each AnRep
• Complainants can elect to be named
• In default, name public sector respondents; private sector respondents only exceptionally
• Report sufficient detail for a full understanding of legal issues, and the adequacy of the remedy
• Report regularly rather than in periodic batches
• ‘One stop’ reporting including reviews of Commissioner’s decisions
• Encourage 3rd-P re-publication + citation standards

Publication - A central location <http://www.worldlii.org/int/special/privacy/>
• Privacy & FOI Law Project = All specialist privacy and/or FOI databases located on any Legal Information Institute (LII)
• Current coverage (all searchable in one search)
  • Australian Federal Privacy Commissioner Cases (AustLII)
  • New South Wales Privacy Commissioner ADT summaries (AustLII)
  • Canadian Privacy Commissioner Cases (CanLII)
  • New Zealand Privacy Commissioner Cases (AustLII)
  • Nova Scotia FOI & Privacy Review Office (CanLII)
  • Queensland Information Comm. Decisions (AustLII)
  • Western Australian Information Commissioner (AustLII)
  • Privacy Law & Policy Reporter (AustLII)
  • EPIC ALERT (WorldLII)
• More are being added

[Screenshot slides: a search for ‘disclos* near medical’]

Widening divergence in public sector privacy laws
• Variations so far
  • Commonwealth / ACT - IPPs
  • NSW - NSW IPPs
  • Vic & NT (and private sector) - NPPs
• Superficial similarities in aims
  • All based on life-cycle of information
• Significant differences in details
• Little case law except new NSW cases - major differences already emerging
• NSW caselaw shows how quickly the Acts can diverge once Courts interpret them

Examples and recent cases
• Collection from the data subject
  • DO v University of New South Wales [2002] NSWADT 211; [2003] NSWADTAP 9
• Consent exception to disclosure - express or implied
  • Macquarie University v FM [2003] NSWADTAP 43
• Minimal collection - anonymity
  • Wykanak v Dept Local Govt [2002] NSWADT 208
  • FH v NSW Dept Corrective Services [2003] NSWADT 72
• Are records required before Acts apply?
  • Macquarie University v FM [2003] NSWADTAP 43

Collection from the data subject
• Some laws require collection from the data subject, but they differ considerably
  • Cth IPPs impose no obligation to collect from the individual; no consent needed to collect from 3rd Ps
  • NPP 1.4 requires collection only from individual ‘if it is reasonable and practicable to do so’
  • NSW s9 (IPP 2) requires collection directly from individual unless
    • 3rd P collection is authorised by the individual; or
    • Provided by parent/guardian if under 16
• DO v University of New South Wales [2002] NSWADT 211
  • UNSW did have authorisation to collect from 3rd Ps
  • Illustrates risks under NSW Act
  • It is OK to ‘double check’ with a 3rd P - collection from both
• GV v DPP [2003] NSWADT 177
  • DPP obtained a more detailed medical certificate from doctor than patient’s consent allowed - breach of IPP 2 (subpoena may have avoided this)
  • But the s23(2) exemption for collection in connection with court proceedings applied

Consent exception to disclosure
• Cth IPPs and NPPs - implied consent
  • ‘express consent or implied consent’ (Cth PA s6, also Vic)
  • Consent must also be informed (meaning of ‘consent’)
  • Can consent be implied from failure to opt out?
• NSW s26(2) requires express consent
  • Failure to opt out could never be good enough
• Macquarie University v FM [2003] NSWADTAP 43
  • Consent to UNSW to collect transcript from UNSW was implied consent to Macquarie to disclose it, but that is not express consent
  • The agency disclosing must go to the individual concerned and ask
• Cf NZ requires ‘authorization’
  • NZ Courts (L v J, L v L) have held this includes implied authorizations (see Roth article)

Minimal collection - anonymity
• NPP 8 - ‘Wherever lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation’ - no direct NSW equiv.
  • Is it a breach to build systems which make anonymity impracticable?
  • Does NPP 8 require anonymity to be ‘designed in’?
• FH v NSW Dept Corrective Services [2003] NSWADT 72 - Equivocal on whether breach of security principle where it would cost millions for Dept to change system to log accesses
• Wykanak v Dept Local Govt [2002] NSWADT 208 (summary)
  • ADT could not review a complaint of an anticipated breach of a NSW IPP
  • Compare Cth IPPs or NPPs - s98 Injunctions available where ‘a person … is proposing to engage in any conduct that … would constitute a contravention of this Act’

‘Records’ / ‘documents’
• Significance in Commonwealth Privacy Act
  • Cth IPPs all require information in ‘records’ or a ‘generally available publication’
  • NPPs don’t, but s16B has same effect
• One of the dividing lines between information privacy and surveillance laws
• Problems - compare Cth and NSW results
  • Interview with no notes taken
  • CCTV with no film
  • Listening device with no recording

‘Records’ / ‘documents’ (2)
• Other jurisdictions requiring records / documents
• Victoria
  • s3 definition ‘personal information’ - ‘means information … that is recorded in any form …’
• Northern Territory
  • s4 definition ‘personal information’ means ‘government information from which …’
  • s4 definition ‘government information’ means ‘a record held …’
• Hong Kong
  • s2 definition ‘data’ is only ‘any representation of information, in any document’
  • ‘document’ includes disks, film etc from which visual images or other data are ‘capable ... of being reproduced’

‘Records’ / ‘documents’ (3)
• New South Wales - the odd one out
  • s4 defn ‘personal information’ means ‘information or an opinion (… whether or not recorded in a material form) …’ - cannot imply a record from the definition
  • NSW IPPs all refer to ‘personal information’ (contrast Cth IPPs require ‘in a record’)
  • No equivalent to Cth s16B re NPPs
  • All NSW IPPs therefore apply to all personal information whether or not it is ever recorded
  • IPPs only require that agency must ‘collect’ or ‘hold’ personal information
• However, New Zealand Privacy Act 1993 (s2 ‘Personal information’) does not limit most of its IPPs to records or documents

‘Records’ / ‘documents’ (4)
• Macquarie University v FM [2003] NSWADTAP 43
  • Upheld approach taken in Macquarie University v FM [2003] NSWADT 78
• s18 breach by Macq’s disclosure to UNSW of information in 2 telephone conversations
  • Information was observations of FM and opinions about him
  • The information was never recorded by Macq
• Held - Was ‘personal information’ even though FM’s behaviour was observed by others
• Held - Info was ‘held’ in the mind of Macq staff
  • s4(4) defines ‘held’ as ‘possession or control’
  • ‘Possess’ must include ‘in the mind’ for non-material information
• Order - Macq staff must not disclose any information in their minds about students, unless s18 exemption applies