International Agreements and Data Export Prohibitions

Graham Greenleaf. Last updated September 2008.


Presentation Transcript


  1. International Agreements and Data Export Prohibitions Graham Greenleaf Last Updated September 2008

  2. Main international sources • Privacy in human rights treaties • ICCPR A17, ECHR A8 • Agreements on privacy standards • OECD Guidelines 1980 • Council of Europe Convention 1981 (and Optional Protocol) • European Union Directive 1995 • UN Guidelines on Computerized Data Files 1990 • APEC Privacy Framework 2004/5 • Avoiding data export prohibitions • OECD Guidelines 1980 • Council of Europe Convention 1981 (and Optional Protocol) • ‘Adequacy’ under the EU Directive • APEC position • Export restrictions in other national laws LAWS 3037 Data Surveillance & Information Privacy Law

  3. General resources • RG ‘Privacy protection in international agreements’ • Lee Bygrave ‘International agreements to protect personal data’, in Rule J and Greenleaf G (Eds) Global Privacy Protection: The First Generation, Edward Elgar, Cheltenham, 2008 (in publication) • Included in materials: cited as ‘Bygrave 2008’

  4. Human rights treaties - ICCPR A17 • International Covenant on Civil and Political Rights 1966 • A 17 ‘1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence…. • 2. Everyone has the right to protection of the law against such interference or attacks’. • Not limited to interferences by governments

  5. ICCPR A17 • Australian reservations • Reserves right to legislate to protect ‘national security, public safety, the economic well-being of the country, the protection of public health or morals, or the protection of the rights and freedoms of others’ • Similar to A8(2) of ECHR • Reservation not relied on in Toonen

  6. ICCPR A17 - Enforcement • Direct enforcement of ICCPR A17 • Reports to the UN Human Rights Committee • Complaints to UNHRC by state parties - a ‘dead letter’ • Complaints to UNHRC by individuals under 1st Optional Protocol - • Australia has acceded to the Protocol • Cf Hong Kong - UK did not accede to Protocol • Aust and NZ only APEC countries to accede? • Implementation in domestic law • No direct application in Australia - indirect effects only • Cf Hong Kong - enacted in BORO

  7. A17 in Australian domestic law • International treaties are not, as such, part of Australian domestic law until legislated (contra USA, China etc) • Young v Registrar, Court of Appeal [No 3] (1993) NSW CA (Kirby P and Handley JA) • If there is no ambiguity in a domestic law, it prevails in a direct conflict with the international covenant • If domestic law is ambiguous, international covenants should guide interpretation. • Kruger v Cth (Stolen Children Case) (1997) confirms continuing significance

  8. A17 in Australian domestic law (2) • Minister for Immigration & Ethnic Affairs v Teoh (1995) 183 CLR 273 • application of the UN Convention on the Rights of the Child in respect to a deportation order • HCA held there may be a legitimate expectation that officers of the executive government will act in conformity with international treaties pending implementation, in the absence of a statutory or executive statement to the contrary • Can give rise to breaches of natural justice if a treaty obligation is not to be adhered to and the person affected is not provided a hearing.

  9. A17 in Australian domestic law (3) • Effect of Teoh now largely nullified • Executive Statement on the Effects of Treaties in Administrative Decision Making (1997) • provides that the act of entering a treaty ‘does not give rise to any legitimate expectations which could form the basis for challenging any administrative decision ...’ • Uncertainties remain…

  10. Compare A17 effect on HK law • HK legislation cannot conflict with A17 • UK ratified 1976 for UK and HK; PRC accepted; A39 Basic Law entrenches ICCPR as HK law • A14 Bill of Rights Ordinance (BORO) • implements A17 ICCPR • s6 empowers Courts to give remedies for breaches - possible right of action for privacy breaches but untested • s7 - BORO only binds public authorities and those acting on their behalf • Tam Hing Yee [1992] - BORO does not apply to private relationships even when created by statute - A14 does not have ‘horizontal effect’

  11. A 17 and 1st Optional Protocol • 1st Optional Protocol allows complaints (‘communications’) to UN Human Rights Committee by individuals against State parties • Toonen v Australia [1994] UNHRC 9 (casenote) • Tasmanian Criminal Code criminalised all sexual contact between consenting male adults in private • UNHRC held Australia in breach of A17: • T was a ‘victim’ despite lack of enforcement due to threat of enforcement and public opinion • Adult consensual sex was within ‘privacy’ • No effective domestic remedy since ICCPR not directly enforceable in Australian law • The Tasmanian legislation was ‘arbitrary’ as it was not ‘reasonable’ on public health or moral grounds (Australia did not contest this)

  12. A 17 and 1st Optional Protocol (2) • UNHRC in Toonen considered repeal of the laws was the proper remedy • this eventually occurred, after Federal legislation (relying on the foreign affairs power) made the Tasmanian legislation ineffective • General Comment 15(32) on A17 (1989) shows UNHRC considers most information privacy issues come under A17

  13. A 17 and 1st Optional Protocol (3) • Few other UNHRC decisions are principally on privacy and A17 - Search UNHRC for ‘privacy near (A17 or article 17)’ - Toonen still leading case, few others: • Coeriel and Aurik v Netherlands [1994] UNHRC 56 - Refusal to allow change of names to Hindu names (necessary for study for priesthood) was a privacy breach of A17 • Hopu and Bessert v France [1997] UNHRC 40: The UNHRC concluded ‘that the construction of a hotel complex on the authors' ancestral burial grounds did interfere with their right to family and privacy. The State party has not shown that this interference was reasonable in the circumstances…’ • When they do arise, they will be relevant to HK because of A39 and BORO A14, even though HK is not a party to Protocol • Cases are relevant to Australia, as it is a party to protocol

  14. Decisions interpreting A17 • 3 main sources • UNHRC decisions on 1st Optional Protocol (already covered) • Decisions on European Convention on Human Rights A8 by European human rights Courts • Decisions on A17 or ECHR A8 by national courts

  15. Decisions on A17 - (2) • European Convention on Human Rights, A8 • A8(2) itemises 7 grounds of exception • Considerable case law by European Court of Human Rights - search for ‘privacy near (Article 8 or A8)’ - many cases • Principles of A8 jurisprudence (Bygrave 1998) • Values of protecting human rights, promoting democracy • Creates positive obligations on states to protect privacy • Probably covers privacy interference by private bodies • Some specific principles from cases (Bygrave) • Laws/practices allowing secret surveillance may infringe • Data of ordinarily trivial character may be used to infringe • Exceptions have to be justified in terms of proportionality including any safeguards against abuse

  16. Decisions on A17 - (3) • ECHR says ‘this may develop toward a right of informational self-determination’ • Decisions on A8 ECHR by EU national courts • Robertson v Home Office [2001] (UK) • Breach of A8 because the method of providing electoral register to 3rd parties was a disproportionate way to achieve legitimate ends because there was no right to object • Shows A8 can be used against administrative practices even if they are in accordance with law including data protection laws • Decisions on A14 BORO by HK courts • None significant on privacy as yet

  17. International privacy standards • 1980s standards for IPPs & TBDF • OECD Guidelines 1980 • Council of Europe Convention 1981 • UN Guidelines on Computerized Data Files 1990 • Features of these first-generation agreements • Principal aim is to guarantee free data flows between countries adopting minimum standards • No case law, only obligations between State parties • EU privacy Directives (from 1995) • Regional Asia-Pacific standards • APEC Privacy Framework (2004/5) • (Draft) Asia-Pacific Telecommunity (APT) standard (2003)

  18. OECD Guidelines 1980 See Bygrave (2008) for history • OECD privacy/TBDF Guidelines 1980 - 3 elements: • (1) Recommended 7 minimum IPPs • Strengths - better than 1970s predecessors; (i) introduced ‘finality’; (ii) openness; right to ‘challenge’ data; (iii) covered ‘manual’ as well as ‘automated’ data (cf CoE); (iv) recognises some collection ‘limits’ as well as fairness requirement • Weaknesses - (i) collection limits unspecified; (ii) requirement of notice at time of collection ambiguous; (iii) weak use limitation (‘not incompatible’); (iv) no deletion requirement • Bygrave (2008) shows numerous points where the CoE Convention goes further than OECD

  19. OECD Guidelines 1980 (2) • (2) Legitimate restrictions on free flow personal data • To countries which do not ‘substantially observe’ the GLs • Where re-export would circumvent domestic legislation • If foreign law has no equivalent protection for special data • OECD allowed data export restrictions, did not require them • Similar approach to CoE Convention

  20. OECD Guidelines 1980 (3) • Recommends forms of national implementation • ‘appropriate’ domestic legislation (only) • ‘adequate sanctions and remedies’ for all breaches • ‘ensure there is no unfair discrimination’ • Is this a ‘no disadvantage’ principle? - EM uninformative • Conclusions? • OECD continues to endorse its 1980 principles • Australia promoted OECD guidelines as basis for APEC IPPs, and as the ‘only accepted international standard’ • Kirby J considers they are now inadequate • What have we learnt since 1980?

  21. EU privacy Directive - Basics • European Union privacy Directive 1995 (RG link) • See EU’s data protection page for resources • Based on both trade and human rights concerns • Strongest international restatement of IPPs • Some requirements go beyond CoE and OECD • All EU member countries were required to revise their national laws to conform to the Directive • National Courts now a valuable source of case law on interpretation of Directive • Eg Robertson [2001] (UK) - shows requirements of Directive can determine interpretation of UK laws • EU countries must prohibit exports of personal data • Major contrast with OECD GLs and CoE Convention

  22. EU’s privacy Principles • See Directive’s principles (Materials #3 and link below) • see Bygrave (2006) for assessment • Significance of the Directive as IPPs: • A stronger requirement on legitimate processing as a precondition • Stronger notice rights, including in collection from 3rd parties • Requires notice to 3rd party recipients when data is corrected • Controls on automated processing (Bygrave: ‘most innovative’) • Prior checking (justification) of high risk systems • Stronger protection of ‘sensitive’ data categories • ‘Onward transfers’ limited to where protection is adequate • Result: EU Directive stronger than OECD GLs (though clearly a member of the same family)

  23. EU privacy Directive - within EU • EU often criticised for tolerating variations in IPPs, and weak enforcement, within EU • European Commission has proposed actions in the European Court of Justice (but they have not yet occurred) • vs Germany for inadequate enforcement because the 16 Land (state) Data Protection Commissioners lack independent status required by Art. 28.1 of the EU Data Protection Directive. • vs UK for Court interpretations of ‘personal data’ at variance with Directive (Durant case); also appeal to ECHR for breach of A 8 obligations • Open question as yet whether EU Commission can obtain ‘adequacy’ of the laws of EU member states

  24. EU privacy Directive - 1st review • EU’s First Report on the Implementation of the Data Protection Directive (2003) (see Bygrave in PLPR (2003)) concluded: • Amendments premature - Many EU states were slow in implementing • Achieved main aims • free flow within EU • ‘high level of protection’ in EU • Shortcomings • Too much divergence in EU national laws • Levels of enforcement and compliance too low • Data export implementation too variable - either too lax or too bureaucratic in various countries; improvements proposed • Many Articles of Directive too difficult to interpret

  25. EU data export restrictions - 3 means of satisfying the Directive • 3 means of satisfying the EU Directive • General ‘adequate level of protection’ under A25(1) • Mandatory exceptions to A25 (A25(2)) • ‘Adequate safeguards’ for particular transactions (A26) • EU also considers data export restrictions to be a requirement of ‘adequate’ laws in 3rd countries • Australia’s NPP 9 reflects all of these options (see later) • How does HK s33 compare (if and when proclaimed)?

  26. EU data export restrictions - ‘Adequacy’ standard • EU A29 Working Party • all EU national data protection Commissioners • function of advising EU Commission on the level of data protection in 3rd countries • Described standards it applies in 1998 (WP 12/1998 - in Materials) • EU Commission • has not elaborated on standards it applies • Requires consultant reports to it on 3rd countries to apply WP 12/1998, and consider later developments

  27. Adequacy - WP 12/1998 standards (1) • ‘Content principles’ stress 6 IPPs: • Purpose limitation • Data quality and proportionality • Transparency • Security • Rights of access, rectification and opposition • Restrictions on onward transfers • Additional principles in appropriate types of processing ((i) sensitive data, (ii) direct marketing and (iii) automated decisions) • Do the Australian or HK laws provide all these?

  28. Adequacy - WP 12/1998 standards (2) • 3 procedural / enforcement aspects required: • Delivery of a good level of compliance • Support to individual data subjects (including independent investigation of complaints) • Provision of appropriate redress to the injured parties (Directive requires ‘judicial remedies’) • What is not stressed: • Likelihood of damage to EU citizens • Assessment of previous Commission decisions (precedents) • Do the Australian or HK laws provide ‘adequate’ enforcement?

  29. EU data export restrictions - ‘Adequacy’ decisions • EU Commission decisions on ‘adequacy’ in 3rd countries • USA ‘Safe Harbor’ scheme - decision holds adequate (but of very limited scope) - see assessment in Materials #3 • Canadian Federal law - interim decision holds adequate • Argentina - decision holds adequate • No decisions yet on NZ, HK, Australia, Korea • A29 Committee recommendations re Australia • Australian Federal law - A29 Committee opinion NPPs are not adequate - Australia rejects this - no decision yet - EU Commission now preparing a report on Australia • Australian transfer of airline data - At Australia’s request, finds IPPs are adequate in this context • HK not yet considered by A29 Committee or EU Commission

  30. Regional data export restrictions • Export restrictions in non-EU national laws • Examples in the Asia-Pacific • Australian laws have export restrictions (see Topic 12) • Cth provisions in force but no cases yet • NSW provisions not in force yet • HK SAR Ordinance s33 not yet in force • Macau SAR has a strict export restriction • Quebec, Taiwan laws have minor restrictions • EU has not insisted for US or Canadian adequacy? • Effect of Asia-Pacific export restrictions? • Could have prompted a regional Convention • Minimum standards in return for free flow of data (Origin of the OECD and CoE agreements) • No enforcement has blunted effect; APEC results

  31. APEC’s Privacy Framework • APEC initiative 2003-4: • ECSG privacy subgroup included numerous ‘economies’; Initially chaired by Australia; significant role by HK, US, Can • Framework finalised November 2004 (except Pt IV(B)) • APEC IPPs, derived from 1980 OECD Guidelines • Rejection of EU Directive standards & processes • Now see separate Powerpoints on APEC • Other Asia-Pacific developments • Asia-Pacific Privacy Charter Council - civil society alternative standard; no draft available yet • Asia-Pacific Telecommunity (APT) privacy guidelines, chaired by KISA (Korea); 2nd draft 2003 (see Greenleaf comparison with APEC, 2003)
