
Pitfalls in the complaints process: a privacy advocate's perspective

Gain insights on common pitfalls in privacy complaints resolution processes and explore effective remedies for clients. Learn how to navigate enforcement, appeals, and widening divergence in privacy legislation.


Presentation Transcript


  1. Pitfalls in the complaints process: a privacy advocate's perspective
     Graham Greenleaf, Professor of Law, UNSW, and Co-Director, Baker & McKenzie Cyberspace Law and Policy Centre
     Copy available at <http://www2.austlii.edu.au/~graham/>
     Privacy Complaints: How to Win for Your Client (Making privacy laws work)
     Baker Cyberlaw Centre Seminar 4/12/03

  2. Some pitfalls under the Commonwealth & NSW Acts
     • Who decides remedies?
     • What rights of appeal are there?
     • Does anyone get a remedy?
     • Is the law enforced, or is it a joke?
     • What law is applied?
     • Are cases reported?
     • Is the law applied the same?
     • The widening divergence

  3. Objectives in enforcement
     • A means of individual redress;
       • low-cost and non-public
     • Appropriate range of remedies, such as:
       • Access to and correction of records;
       • compensatory damages;
       • injunctions or orders to enforce compliance;
       • Criminal penalties for serious/repeated breaches
     • Judicial review of administrative errors;
     • Appeals by either party to the Courts
     • Preventative/educative powers of PCO, such as:
       • Audits of data users;
       • Privacy Impact Assessments (PIAs) on new proposals
       • Power to require reports on existing practices

  4. Complaint resolution - Overview - Cth Act
     • Investigation - public and private sectors
     • Complaints only re ‘interferences with privacy’: breaches of NPPs, IPPs etc (s36)
     • Representative complaints possible (s36(2), s38 - s39)
     • ‘Own motion’ investigations possible (s40(2))
     • Comm must not investigate unless complaint first made to respondent, unless inappropriate (s40(1A))
     • Comm can refuse / close / defer investigation (s41)
       • ‘not an interference’ (a); ‘lacking in substance’ (d)
       • Another law ‘provides a more appropriate remedy’ (s41(1)(f))
       • Respondent has dealt adequately with complaint (s41(2)(a))
     • If Comm is considering a s52 determination, must give both parties the opportunity of a hearing (s43(5))
     • Comm’s extensive powers to investigate (ss44-47)

  5. Complaint resolution - Overview - Cth Act (2)
     • Determinations under s52
     • Possible determinations
       • Dismissing complaint (not used - s41 instead)
       • That conduct should not be repeated
       • Performance of reasonable acts; compensation
       • ‘correction, deletion or addition to a record’
       • Can compensate ‘feelings or humiliation’
       • Reimbursement for ‘expenses reasonably incurred’
     • Practice so far: determinations made public
       • But they don’t occur

  6. Complaint resolution - Overview - Cth Act (3)
     • Enforcement of s52 determinations
     • s55 - respondent must comply with determination
     • s55A - if respondent does not comply, enforcement must be sought de novo in Fed Ct / Mag Ct
       • Evidence before Commissioner is admissible
     • s55B - Certified copy of Comm’s determination is prima facie evidence of facts found by him
       • Onus is on respondent to rebut facts
       • Onus is still on complainant to show breach of IPP/NPP
     • Is this biased in favour of respondents?

  7. Complaint resolution - Overview - NSW Act
     • Basic point: Only ‘Part 5’ complaints to agencies can lead to the ADT and enforceable remedies
     • Investigation of complaints by Commissioner
       • Commissioner can investigate any complaint (IPP or ‘non-IPP’)
       • can only conciliate and make recommendations (s49) (like old Privacy Committee)
       • For complainant to get to ADT, must first seek internal review by agency under Pt 5
       • Commissioner can appear in ADT hearings (and does)
       • has extensive powers, including compulsory conferences (s49)
       • May investigate ‘own motion’ complaints (s45 ‘or by’)

  8. Complaint resolution - Overview - NSW Act (2)
     • Pt 5 complaints - internal review and ADT
       • Applicant must seek review of conduct by agency (s53)
       • Agency must conduct internal but independent review (s53(4)) and consider provision of the full range of remedies (s53(7))
       • Agency must inform Comm of review and its progress, and accept submissions from him (s54)
       • Dissatisfied applicant may apply to ADT for review (s55)
       • ADT may award damages up to $40,000 and other remedies
       • Commissioner can appear in ADT hearings (and does)
       • Either party may apply to ADT Appeal Panel for further review

  9. Remedies
     • Compensation
     • Access to and correction of records;
     • Injunctions or orders to enforce compliance;
     • Criminal penalties

  10. Injunctions and compliance orders
     • Injunctions - Cth public sector, private sector
       • Privacy Act 1988 s98 allows ‘any person’, including Comm, to seek injunction to enforce IPPs and NPPs
       • Risk of costs against, and damages, particularly in the case of interim injunctions
     • Cth Comm s52 determinations are a form of compliance notice
     • NSW - only the ADT can make orders
     • Vic - Comm can serve compliance notice on an organisation
       • but only if ‘flagrant’ or repeated breaches

  11. Criminal offences
     • Cth
       • Public sector and private sector enforcement does not involve significant criminal enforcement
       • Part IIIA credit reporting does involve offences
     • NSW PPIPA ss62-63
       • offences of corrupt disclosure and use of personal information by public officials
       • offence of offering to supply personal information disclosed unlawfully
     • Cth and NSW cybercrime legislation relevant

  12. Black hole #1: Complaint outcomes - Does anyone get a remedy?
     This is from an earlier broader study
     • Sources of evidence available?
       • √ Annual Reports - only public source
         • examined 01/02; some 00/01
       • ? websites? - could extract from reported cases (have not) - should provide continuous data
       • ? FOI requests? - ‘document’ available? (have not done)
     • Only some jurisdictions considered
       • Privacy Comms - Australian Fed; NSW; HK; NZ; Canada
       • Information Commissioners not considered - mainly access, some correction, some broader

  13. Outcomes - Australian Fed PC
     • 2000-01 AR included some outcome stats
       • 133 closed complaints; uncertain % breaches found
       • 9 cases in AR involved $52,000 compensation
       • No information about other remedies
     • 2001-02 Annual Report - no statistics!
       • Complaints tripled with private sector coverage (611)
       • AR contains summaries of 11 complaints, of which one resulted in $5000 compensation
       • No statistics given of complaint outcomes at all

  14. Outcomes - Australian Fed PC (2)
     • 2002-2003 Annual Report
       • 225 breaches of the Act found
         • NPPs 127; IPPs 35; Pt IIIA 63
       • No specific details of remedies, just a few vague comments
         • not even compensation total as in 2000/1
       • No example cases (replaced by 2 per month on web)
       • No details of complaints dismissed (and no use of s52)
     • Is everybody happy?
       • All breaches found were ‘adequately dealt with’ (in the Commissioner’s view)
       • One genuine s52 determination in 15 years (2003)
       • No appeal right; no substantive case on the Act ever before a Court for judicial review

  15. Outcomes - NSW PC
     • Annual Report 1999-2000 (most recent)
       • Before new Act commenced (1/7/00)
       • No statistics or complaint resolutions yet under new Act
       • still relevant to ‘non-IPP’ complaints
       • 4 complaint resolutions summarised
     • ‘Quick Stats’ 2000-03 provided on web
       • In 2002/3, 219 complaints, and 39 internal reviews, finalised
       • No statistics of complaint mediation outcomes
       • No complaint mediation case-studies
     • Reviews by the NSW ADT (enforceable)
       • 49 cases lodged with ADT (37 in 2003)
       • 15 decided & reported as yet - 15 more than the Cth!

  16. Outcomes - Hong Kong PC
     • PC Annual Report 2000/01 (01/02 is similar)
       • 789 complaints (up 39%);
       • 68% vs private sector; 14% vs government; 18% vs 3rd parties
       • Over 50% allege breaches of DPP 3 (use)
       • 52 formally investigated (14% of 531 finalised)
       • 26 (50%) found to involve contravention of PD(P)O
       • 10 warning notices; 12 enforcement notices - but no idea what actions required, or what results
       • 4 referrals to Police for prosecution, but in 3 Police found insufficient evidence; one unresolved
       • Not one HK $1 compensation paid under s66;
       • any by mediation? Annual Report does not say

  17. Comparison - 4 PCs' Annual Reports
     • ‘Will I get a remedy - and if so, what?’ is largely unanswered - evidence is not there
       • Some evidence of the % of successful complainants
       • Little evidence of what remedies result
       • Compensation? - a few examples from Aus and NZ
     • All of the PCs are below ‘best practice’
     • A systematic and comparable standard of reporting is needed
       • Asia-Pacific PCs could develop standards

  18. Will I get a remedy? Evidence from Privacy Commissioners' Annual Reports 2001/02 (see web page for explanatory notes)
     √ = yes; ? = can’t tell

  19. Black hole #2: Publication of Commissioners’ decisions
     • For detailed criticisms of reporting practices:
       • Greenleaf ‘Reforming reporting of privacy cases’ <http://www2.austlii.edu.au/~graham/publications/2003/Reforming_reporting/>
       • Bygrave ‘Where have all the judges gone?’ (2000)
       • European Commissioners were little better - improved?
     • Why reporting of Commissioners is needed
       • Few court decisions means Commissioners’ views in complaint resolutions are the de facto law
       • Identifying non-compliance is more valuable (and difficult) than ‘feel good’ exhortations to comply

  20. Publication - Importance
     • Publication is possible
       • Requires anonymisation in most cases
       • Exceptions should not be the rule
     • Adverse consequences of lack of availability
       • Interpretation unknown to parties / legal advisers
       • No privacy jurisprudence is possible
       • Past remedies (‘tariff’) unknown
       • Privacy remains ‘Cinderella’ of legal practice
       • Deficiencies in laws do not become apparent
       • Commissioners can ‘bury their mistakes’
       • Justice is not seen to be done
       • Deterrent effect is lost
       • No accountability for high public expenditure

  21. Publication - Australian Federal Privacy Commissioner
     • AnRep had a few small ‘media grab’ summaries
     • No other mediation details published 1988-2002
     • Comm avoids making binding Determinations (2 in 1993, 1 in 2003) despite powers to do so
     • Dismisses matters under s40 - publication not required
     • Since Dec 2002, 13 useful summaries of mediations and determinations published on web
       • 2 x 2002, 11 x 2003 (+ 2 x 1993, 1 x 2003 determinations)
       • Rate is only 1.1 per month - not 2/month as planned

  22. Publication - Australian Federal Privacy Commissioner (2)
     • Any Federal Court decisions would be on AustLII (but there are none of relevance)
     • No right of appeal for complainants
     • Respondents have de facto right of appeal by refusing to comply with determination - de novo hearing in Federal Court - biased and unfair
       • How would complainants react to this?
     • Judicial review (ADJR) is possible
       • How many complainants are aware?
       • How many could afford this?

  23. Publication - NSW Privacy Commissioner
     • No mediated complaint summaries
       • No Annual Report since new Act
       • Privacy NSW says it intends to publish them
       • Internal review results also needed
     • ADT decisions
       • 49 cases lodged with ADT (37 in 2003)
       • 15 decided & reported as yet - compare Cth!
       • Decisions are on LawLink and AustLII
       • Privacy NSW also prepares summaries (also on AustLII)

  24. Publication - HK P Comm
     • Complaint summaries on website only to 1998
     • Only 6 (01/02) or 8 (00/01) overly brief complaint summaries in AnRep - about 0.5 per month
     • No systematic reporting of significant complaints
     • Cases before other tribunals
       • AAB complaint summaries are in AnRep, but not on website; AAB cases not available on Internet
       • No reporting of s66 cases in AnRep or website - there is only one such case

  25. Publication - NZ P Comm
     • Average 2 per month (2003) reasonably detailed mediation summaries on website
       • Selection criteria uncertain
     • Website gives few details of cases on appeal or their outcome; not available elsewhere on web; P Comm publishes occasional compendiums
     • Overall, difficult for most people to get an overall view of the law

  26. Publication - Canadian PC
     • Average 5 detailed PIPEDA case mediation summaries per month on website
       • best practice of PCs, but not Info Comms
     • Few Privacy Act cases on website, but usually 12 or so in AnnRep
     • Summaries of cases before Courts are in AnnRep (but not linked to mediation summaries) - difficult to obtain overview

  27. Publication - 7 recommendations
     • More reporting than 2/month (% goal)
       • statistics on reported / resolved ratio
     • Publicly stated criteria of seriousness
       • confirmation of adherence in each AnRep
     • Complainants can elect to be named
       • In default, name public sector respondents; private sector respondents only exceptionally
     • Report sufficient detail for a full understanding of legal issues, and the adequacy of the remedy
     • Report regularly rather than in periodic batches
     • 'One stop' reporting including reviews of Commissioner’s decisions
     • Encourage 3rd-party re-publication + citation standards

  28. Publication - A central location <http://www.worldlii.org/int/special/privacy/>
     • Privacy & FOI Law Project = All specialist privacy and/or FOI databases located on any Legal Information Institute (LII)
     • Current coverage (all searchable in one search)
       • Australian Federal Privacy Commissioner Cases (AustLII)
       • New South Wales Privacy Commissioner ADT summaries (AustLII)
       • Canadian Privacy Commissioner Cases (CanLII)
       • New Zealand Privacy Commissioner Cases (AustLII)
       • Nova Scotia FOI & Privacy Review Office (CanLII)
       • Queensland Information Comm. Decisions (AustLII)
       • Western Australian Information Commissioner (AustLII)
       • Privacy Law & Policy Reporter (AustLII)
       • EPIC ALERT (WorldLII)
     • More are being added

  29. (screenshot slide, no text)

  30. A search for ‘disclos* near medical’ (screenshot slide)

  31. Widening divergence in public sector privacy laws
     • Variations so far
       • Commonwealth / ACT - IPPs
       • NSW - NSW IPPs
       • Vic & NT (and private sector) - NPPs
     • Superficial similarities in aims
       • All based on life-cycle of information
     • Significant differences in details
     • Little case law except new NSW cases - major differences already emerging
     • NSW caselaw shows how quickly the Acts can diverge once Courts interpret them

  32. Examples and recent cases
     • Collection from the data subject
       • DO v University of New South Wales [2002] NSWADT 211; [2003] NSWADTAP 9
     • Consent exception to disclosure - express or implied
       • Macquarie University v FM [2003] NSWADTAP 43
     • Minimal collection - anonymity
       • Wykanak v Dept Local Govt [2002] NSWADT 208
       • FH v NSW Dept Corrective Services [2003] NSWADT 72
     • Are records required before Acts apply?
       • Macquarie University v FM [2003] NSWADTAP 43

  33. Collection from the data subject
     • Some laws require collection from the data subject, but they differ considerably
       • Cth IPPs impose no obligation to collect from the individual; no consent needed to collect from 3rd parties
       • NPP 1.4 requires collection only from individual ‘if it is reasonable and practicable to do so’
       • NSW s9 (IPP 2) requires collection directly from individual unless
         • 3rd party collection is authorised by the individual; or
         • Provided by parent/guardian if under 16
     • DO v University of New South Wales [2002] NSWADT 211
       • UNSW did have authorisation to collect from 3rd parties
       • Illustrates risks under NSW Act
       • It is OK to ‘double check’ with a 3rd party - collection from both
     • GV v DPP [2003] NSWADT 177
       • DPP obtained a more detailed medical certificate from doctor than patient’s consent allowed - breach of IPP 2 (subpoena may have avoided this)
       • But the s23(2) exemption for collection in connection with court proceedings applied

  34. Consent exception to disclosure
     • Cth IPPs and NPPs - implied consent
       • ‘express consent or implied consent’ (Cth PA s6, also Vic)
       • Consent must also be informed (meaning of ‘consent’)
       • Can consent be implied from failure to opt out?
     • NSW s26(2) requires express consent
       • Failure to opt out could never be good enough
     • Macquarie University v FM [2003] NSWADTAP 43
       • FM's consent to UNSW collecting his transcript from Macquarie was implied consent to Macquarie to disclose it, but that is not express consent
       • The agency disclosing must go to the individual concerned and ask
     • Cf NZ requires ‘authorization’
       • NZ Courts (L v J, L v L) have held this includes implied authorizations (see Roth article)

  35. Minimal collection - anonymity
     • NPP 8 - ‘Wherever lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation’ - no direct NSW equivalent
       • Is it a breach to build systems which make anonymity impracticable? Does NPP 8 require anonymity to be ‘designed in’?
     • FH v NSW Dept Corrective Services [2003] NSWADT 72
       • Equivocal on whether breach of security principle where it would cost millions for Dept to change system to log accesses
     • Wykanak v Dept Local Govt [2002] NSWADT 208 (summary)
       • ADT could not review a complaint of an anticipated breach of a NSW IPP
       • Compare Cth IPPs or NPPs - s98 injunctions available where ‘a person … is proposing to engage in any conduct that … would constitute a contravention of this Act’

  36. 'Records' / 'documents’
     • Significance in Commonwealth Privacy Act
       • Cth IPPs all require information in ‘records’ or a ‘generally available publication’
       • NPPs don’t, but s16B has same effect
     • One of the dividing lines between information privacy and surveillance laws
     • Problems - compare Cth and NSW results
       • Interview with no notes taken
       • CCTV with no film
       • Listening device with no recording

  37. 'Records' / 'documents’ (2)
     • Other jurisdictions requiring records / documents
     • Victoria
       • s3 definition ‘personal information’ - ‘means information … that is recorded in any form …’
     • Northern Territory
       • s4 definition ‘personal information’ means ‘government information from which …’
       • s4 definition ‘government information’ means ‘a record held …’
     • Hong Kong
       • s2 definition 'data' is only 'any representation of information, in any document'.
       • 'document' includes disks, film etc from which visual images or other data are 'capable ... of being reproduced’

  38. 'Records' / 'documents’ (3)
     • New South Wales - the odd one out
       • s4 defn ‘personal information’ means ‘information or an opinion (… whether or not recorded in a material form) …’ - cannot imply a record from the definition
       • NSW IPPs all refer to ‘personal information’ (contrast Cth IPPs, which require ‘in a record’)
       • No equivalent to Cth s16B re NPPs
       • All NSW IPPs therefore apply to all personal information whether or not it is ever recorded
       • IPPs only require that agency must ‘collect’ or ‘hold’ personal information
     • However, New Zealand Privacy Act 1993 (s2 "Personal information") also does not limit most of its IPPs to records or documents

  39. 'Records' / 'documents’ (4)
     • Macquarie University v FM [2003] NSWADTAP 43
       • Upheld approach taken in Macquarie University v FM [2003] NSWADT 78
       • s18 breach by Macq’s disclosure to UNSW of information in 2 telephone conversations
       • Information was observations of FM and opinions about him
       • The information was never recorded by Macq
       • Held - was ‘personal information’ even though FM’s behaviour was observed by others
       • Held - info was ‘held’ in the mind of Macq staff
         • s4(4) defines ‘held’ as ‘possession or control’
         • ‘Possess’ must include ‘in the mind’ for non-material information
       • Order - Macq staff must not disclose any information in their minds about students, unless s18 exemption applies
