The European influence on privacy law and practice Nigel Waters, Pacific Privacy Consulting International Dimension of E-commerce and Cyberspace Regulation Conference, 25 October 2002


The European influence on privacy law and practice

Nigel Waters, Pacific Privacy Consulting

International Dimension of E-commerce and Cyberspace Regulation Conference, 25 October 2002


Trans-national institutions

• European Union
  – 15 member states – expansion in 2004

• Council of Europe
  – 44 member states + other observer countries

• OECD
  – 30 members – Europe + N. America, Australasia, Japan & Korea


Council of Europe

• European Convention on Human Rights 1950

• Article 8 – privacy

• 1981 Convention on data protection

• Recommendations – working parties

• Case law – European Court of Human Rights

• Other relevant work
  – Cybercrime Convention

European Union

• General data protection (privacy) law

• Telecommunications privacy law

• Other relevant law

• Areas outside jurisdiction
  – Public security
  – Defence
  – State security
  – Criminal law

EU General Privacy Directive

• Developed early 1990s

• Adopted 1995 (95/46/EC)

• Deadline for compliance 1998

• Action to enforce compliance

• 3 states still not fully compliant
  – Ireland
  – Luxembourg
  – France

EU General Privacy Directive

• Currently under review

• Public consultation July 2002
  – Submissions on web site

• Conference Sept/Oct 2002

• Report by end of 2002?

• Won’t necessarily lead to change in the law – focus on compliance and implementation


EU General Privacy Directive

• Template for national laws

• Protection for data about EU citizens/residents when data is exported

• Articles 25 & 26 – limit transfer unless certain criteria are met
  – Adequate law or code (A.25)
  – Consent, fulfilment of contracts, legal proceedings, emergencies (A.26.1)
  – Case by case arrangements (contract or MoU)

Adequacy assessment

• Proposal from Commission bureaucracy

• Opinion from A.29 Committee of DP regulators

• Opinion from A.31 committee of national government representatives

• Scrutiny by European Parliament

• Commission Decision


Adequacy assessment

• Decisions to date
  – Switzerland (law)
  – Hungary (law)
  – Canada (law)
  – USA (US Department of Commerce Safe harbor Privacy Principles)

• Discussions with others including Australia


Australia – adequacy?

• EU criticisms:
  – wide exemptions for small businesses, employee data and publicly available information
  – breadth of the ‘authorized by law’ exception to several principles
  – tolerance of notice of purpose being given after the time of collection

Australia – adequacy?

• EU criticisms continued:
  – lack of a requirement for an opt-out choice where data is used for the primary purpose of direct marketing
  – absence of additional controls over the use and disclosure of sensitive data
  – lack of correction rights or rights under NPP 9 for most EU citizens, and
  – absence of a role for the Privacy Commissioner in advising on adequacy under NPP 9

Influence on Australian privacy laws

• Onward transfer principles

• Potential disruption of common data exchanges

• Commissioners reluctant to enforce

• Role for Codes of Practice
  – Internet Industry Association draft “EU compliant” Code

Telecommunications Privacy

• Telecommunications Privacy Directive adopted 1997 (97/66/EC), compliance required by 2000. Set standards for:
  – authorisation for interception (Article 5)
  – access to traffic data (A.6)
  – itemised billing (A.7)
  – calling line identification (Art 8)
  – personal information in directories (A.11)
  – unsolicited calls (Art 12)

Telecommunications Privacy

• Influence on Australian regulation
  – Telecommunications Act 1997, Part 13
  – Telecommunications (Interception) Act 1979
  – ACIF Codes of Practice:
    • Customer Personal Information
    • Calling Number Display
    • Integrated Public Number Database

Telecommunications Privacy

• Electronic Communications Privacy Directive adopted 2002 (2002/58/EC), compliance required by October 2003. Main changes:
  – Broadens scope beyond telephony
  – More privacy protective on:
    • unsolicited emails, SMS and faxes (opt-in basis with prior consent)
    • cookies, explained to customers, with a right to decline them
    • use of mobile phone location data – right to ‘block’ it
    • prior consent to inclusion in public directories
  – Less privacy protective on retention of traffic data

Other Directives

• Many have privacy implications

• No systematic privacy impact assessment

• New supervisory authority being established

• Proposed Directive on re-use and commercial exploitation of public sector information
  – Parallel debate in Australia – public register principles in NSW & Victorian Acts + consultations

Other EU Activity

• ECHELON – communications interception by UKUSA alliance

• Investigative journalism in 1990s

• European Parliament Inquiry – reported 2001

• Negotiations between EU and UKUSA countries

• Caught up in anti-terrorism response


Other International work

• OECD – Europe + other developed countries
  – Pioneer – 1981 Privacy Guidelines & Principles – foundation of most privacy laws
  – IT Security Guidelines 1992, 2002
  – Cryptography Policy Guidelines 1997
  – Privacy Statement Generator