International Agreements on Privacy Protection

International Agreements and
Data Export Prohibitions
Graham Greenleaf
Last Updated September 2008
Main international sources
1. Privacy in human rights treaties
• ICCPR A17, ECHR A8
2. Agreements on privacy standards
• OECD Guidelines 1980
• Council of Europe Convention 1981 (and Optional Protocol)
• European Union Directive 1995
• UN Guidelines on Computerized Data Files 1990
• APEC Privacy Framework 2004/5
3. Avoiding data export prohibitions
• OECD Guidelines 1980
• Council of Europe Convention 1981 (and Optional Protocol)
• ‘Adequacy’ under the EU Directive
• APEC position
• Export restrictions in other national laws
September 2008
LAWS 3037 Data Surveillance &
Information Privacy Law
General resources


RG ‘Privacy protection in international
agreements’
Lee Bygrave ‘International agreements to
protect personal data’, in Rule J and
Greenleaf G (Eds) Global Privacy
Protection: The First Generation, Edward
Elgar, Cheltenham, 2008 (in publication)

Included in materials: cited as ‘Bygrave 2008’
Human rights treaties ICCPR A17

International Covenant on Civil and Political
Rights 1966



A 17 ‘1. No one shall be subjected to arbitrary or
unlawful interference with his privacy, family,
home or correspondence….
2. Everyone has the right to protection of
the law against such interference or attacks’.
Not limited to interferences by governments
ICCPR A17

Australian reservations



Reserves right to legislate to protect
‘national security, public safety, the
economic well-being of the country, the
protection of public health or morals, or the
protection of the rights and freedoms of
others’
Similar to A8(2) of ECHR
Reservation not relied on in Toonen
ICCPR A17 - Enforcement

Direct enforcement of ICCPR A17



Reports to the UN Human Rights Committee
Complaints to UNHRC by state parties - a ‘dead letter’
Complaints to UNHRC by individuals under 1st Optional
Protocol 



Australia has acceded to the Protocol
Cf Hong Kong - UK did not accede to Protocol
Aust and NZ only APEC countries to accede?
Implementation in domestic law


No direct application in Australia - indirect effects only
Cf Hong Kong - enacted in BORO
A17 in Australian domestic law


International treaties are not, as such, part of
Australian domestic law until legislated (contra
USA, China etc)
Young v Registrar, Court of Appeal [No 3] (1993)
NSW CA (Kirby P and Handley JA)



If there is no ambiguity in a domestic law, it prevails in a
direct conflict with the international covenant
If domestic law is ambiguous, international covenants
should guide interpretation.
Kruger v Cth (Stolen Children Case) (1997)
confirms continuing significance
A17 in Australian domestic law (2)

Minister for Immigration & Ethnic Affairs v
Teoh (1995) 183 CLR 273



application of the UN Convention on the Rights of
the Child in respect to a deportation order
HCA held there may be a legitimate expectation
that officers of the executive government will act in
conformity with international treaties pending
implementation, in the absence of a statutory or
executive statement to the contrary
Can give rise to breaches of natural justice if a
treaty obligation is not to be adhered to and the
person affected is not provided a hearing.
A17 in Australian domestic law (3)

Effect of Teoh now largely nullified

Executive Statement on the Effects of
Treaties in Administrative Decision Making
(1997)


provides that the act of entering a treaty 'does
not give rise to any legitimate expectations
which could form the basis for challenging any
administrative decision ...’
Uncertainties remain…
Compare A17 effect on HK law

HK legislation cannot conflict with A17


UK ratified 1976 for UK and HK; PRC accepted; A39 Basic
Law entrenches ICCPR as HK law
A14 Bill of Rights Ordinance (BORO)




implements A17 ICCPR
s6 empowers Courts to give remedies for breaches - possible right of action for privacy breaches but untested
s7 - BORO only binds public authorities and those acting
on their behalf
Tam Hing Yee [1992] - BORO does not apply to private
relationships even when created by statute - A14 does not
have ‘horizontal effect’
A 17 and 1st Optional Protocol


1st Optional Protocol allows complaints (‘communications’) to UN
Human Rights Committee by individuals against State parties
Toonen v Australia [1994] UNHRC 9 (casenote)


Tasmanian Criminal Code criminalised all sexual contact
between consenting male adults in private
UNHRC held Australia in breach of A17:




T was a ‘victim’ despite lack of enforcement due to threat of
enforcement and public opinion
Adult consensual sex was within ‘privacy’
No effective domestic remedy since ICCPR not directly
enforceable in Australian law
The Tasmanian legislation was ‘arbitrary’ as it was not
‘reasonable’ on public health or moral grounds (Australia did
not contest this)
A 17 and 1st Optional Protocol (2)

UNHRC in Toonen considered repeal of the
laws was the proper remedy


this eventually occurred, after Federal legislation
(relying on the foreign affairs power) made the
Tasmanian legislation ineffective
General Comment 15(32) on A17 (1989)
shows UNHRC considers most information
privacy issues come under A17
A 17 and 1st Optional Protocol (3)

Few other UNHRC decisions are principally on privacy and A17
- Search UNHRC for ‘privacy near (A17 or article 17)’ - Toonen
still leading case, few others:

Coeriel and Aurik v Netherlands [1994] UNHRC 56 - Refusal to
allow change of names to Hindu names (necessary for study for
priesthood) was a privacy breach of A17
Hopu and Bessert v France [1997] UNHRC 40: The UNHRC
concluded ‘that the construction of a hotel complex on the authors'
ancestral burial grounds did interfere with their right to family and
privacy. The State party has not shown that this interference was
reasonable in the circumstances…’



When they do arise, they will be relevant to HK because of A39
and BORO A14, even though HK is not a party to Protocol
Cases are relevant to Australia, as it is a party to protocol
Decisions interpreting A17

3 main sources



UNHRC decisions on 1st Optional Protocol
(already covered)
Decisions on European Convention on
Human Rights A8 by European human
rights Courts
Decisions on A17 or ECHR A8 by national
courts
Decisions on A17 - (2)

European Convention on Human Rights, A8
• A8(2) itemises 7 grounds of exception
• Considerable case law by European Court of Human Rights - search for ‘privacy near (Article 8 or A8)’ - many cases
Principles of A8 jurisprudence (Bygrave 1998)
• Values of protecting human rights, promoting democracy
• Creates positive obligations on states to protect privacy
• Probably covers privacy interference by private bodies
Some specific principles from cases (Bygrave)
• Laws/practices allowing secret surveillance may infringe
• Data of ordinarily trivial character may be used to infringe
• Exceptions have to be justified in terms of proportionality including any safeguards against abuse
Decisions on A17 - (3)


ECHR says ‘this may develop toward a right of
informational self-determination’
Decisions on A8 ECHR by EU national courts

Robertson v Home Office [2001] (UK)



Breach of A8 because the method of providing electoral
register to 3rd parties was a disproportionate way to achieve
legitimate ends because there was no right to object
Shows A8 can be used against administrative practices even if
they are in accordance with law including data protection laws
Decisions on A14 BORO by HK courts

None significant on privacy as yet
International privacy standards
1980’s standards for IPPs & TBDF
• OECD Guidelines 1980
• Council of Europe Convention 1981
• UN Guidelines on Computerized Data Files 1990
Features of these first-generation agreements
• Principal aim is to guarantee free data flows between countries adopting minimum standards
• No case law, only obligations between State parties
EU privacy Directives (from 1995)
Regional Asia-Pacific standards
• APEC Privacy Framework (2004/5)
• (Draft) Asia-Pacific Telecommunity (APT) standard (2003)
OECD Guidelines 1980


See Bygrave (2008) for history
OECD privacy/TBDF Guidelines 1980 - 3 elements:
(1) Recommended 7 minimum IPPs



Strengths - better than 1970s predecessors; (i) introduced ‘finality’;
(ii) openness; right to ‘challenge’ data; (iii) covered ‘manual’ as well
as ‘automated’ data (cf CoE); (iv) recognises some collection ‘limits’
as well as fairness requirement
Weaknesses - (i) collection limits unspecified; (ii) requirement of
notice at time of collection ambiguous; (iii) weak use limitation (‘not
incompatible’); (iv) no deletion requirement
Bygrave (2008) shows numerous points where the CoE Convention
goes further than OECD
OECD Guidelines 1980 (2)

(2) Legitimate restrictions on free flow personal data





To countries which do not ‘substantially observe’ the GLs
Where re-export would circumvent domestic legislation
If foreign law has no equivalent protection for special data
OECD allowed data export restrictions, did not require them
Similar approach to CoE Convention
OECD Guidelines 1980 (3)

Recommends forms of national implementation



‘appropriate’ domestic legislation (only)
‘adequate sanctions and remedies’ for all breaches
‘ensure there is no unfair discrimination’


Is this a ‘no disadvantage’ principle? - EM uninformative
Conclusions?




OECD continues to endorse its 1980 principles
Australia promoted OECD guidelines as basis for APEC
IPPs, and as the ‘only accepted international standard’
Kirby J considers they are now inadequate
What have we learnt since 1980?
EU privacy Directive - Basics
• European Union privacy Directive 1995 (RG link)
• See EU’s data protection page for resources
• Based on both trade and human rights concerns
• Strongest international restatement of IPPs
• Some requirements go beyond CoE and OECD
• All EU member countries were required to revise their national
laws to conform to the Directive
• National Courts now a valuable source of case law on
interpretation of Directive
• Eg Robertson [2001] (UK) - shows requirements of Directive can
determine interpretation of UK laws
• EU countries must prohibit exports of personal data
• Major contrast with OECD GLs and CoE Convention
EU’s privacy Principles

See Directive’s principles (Materials #3 and link below)


Significance of the Directive as IPPs:








see Bygrave (2006) for assessment
A stronger requirement on legitimate processing as a precondition
Stronger notice rights, including in collection from 3rd parties
Requires notice to 3rd party recipients when data is corrected
Controls on automated processing (Bygrave: ‘most innovative’)
Prior checking (justification) of high risk systems
Stronger protection of ‘sensitive’ data categories
‘Onward transfers’ limited to where protection is adequate
Result: EU Directive stronger than OECD GLs (though clearly a
member of the same family)
EU privacy Directive - within EU

EU often criticised for tolerating variations in IPPs,
and weak enforcement, within EU

European Commission has proposed actions in the European
Court of Justice (but they have not yet occurred)


vs Germany for inadequate enforcement because the 16 Land
(state) Data Protection Commissioners lack independent status
required by Art. 28.1 of the EU Data Protection Directive.
vs UK for Court interpretations of ‘personal data’ at variance with
Directive (Durant case); also appeal to ECHR for breach of A 8
obligations
Open question as yet whether EU Commission can obtain
‘adequacy’ of the laws of EU member states
EU privacy Directive - 1st review



EU’s First Report on the Implementation of the Data Protection
Directive (2003) (see Bygrave in PLPR (2003)) concluded:
Amendments premature - Many EU states were slow in
implementing
Achieved main aims



free flow within EU
‘high level of protection’ in EU
Shortcomings




Too much divergence in EU national laws
Levels of enforcement and compliance too low
Data export implementation too variable - either too lax or too
bureaucratic in various countries; improvements proposed
Many Articles of Directive too difficult to interpret
EU data export restrictions - 3
means of satisfying the Directive
• 3 means of satisfying the EU Directive
• General ‘adequate level of protection’ under A25(1)
• Mandatory exceptions to A25 (A25(2))
• ‘Adequate safeguards’ for particular transactions (A26)
• EU also considers data export restrictions to be a
requirement of ‘adequate’ laws in 3rd countries
• Australia’s NPP 9 reflects all of these options (see later)
• How does HK s33 compare (if and when proclaimed) ?
EU data export restrictions ‘Adequacy’ standard

EU A29 Working Party




all EU national data protection Commissioners
function of advising EU Commission on the level
of data protection in 3rd countries
Described standards it applies in 1998 (WP
12/1998 - in Materials)
EU Commission


has not elaborated on standards it applies
Requires consultant reports to it on 3rd countries
to apply WP 12/1998, and consider later
developments
Adequacy WP 12/1998 standards (1)

‘Content principles’ stress 6 IPPs:

Purpose limitation

Data quality and proportionality

Transparency
Security
Rights of access, rectification and opposition
Restrictions on onward transfers
Additional principles in appropriate types of processing ((i)
sensitive data, (ii) direct marketing and (iii) automated
decisions)





Do the Australian or HK laws provide all these?
Adequacy WP 12/1998 standards (2)

3 procedural / enforcement aspects required:

Delivery of a good level of compliance

Support to individual data subjects (including independent
investigation of complaints)
Provision of appropriate redress to the injured parties
(Directive requires ‘judicial remedies’)


What is not stressed:



Likelihood of damage to EU citizens
Assessment of previous Commission decisions (precedents)
Do the Australian or HK laws provide ‘adequate’
enforcement?
EU data export restrictions ‘Adequacy’ decisions
• EU Commission decisions on ‘adequacy’ in 3rd countries
• USA ‘Safe Harbor’ scheme - decision holds adequate (but of
very limited scope) - see assessment in Materials #3
• Canadian Federal law - interim decision holds adequate
• Argentina - decision holds adequate
• No decisions yet on NZ, HK, Australia, Korea
• A29 Committee recommendations re Australia
• Australian Federal law - A29 Committee opinion NPPs are not
adequate - Australia rejects this - no decision yet - EU
Commission now preparing a report on Australia
• Australian transfer of airline data - At Australia’s request, finds
IPPs are adequate in this context
• HK not yet considered by A29 Committee or EU Commission
Regional data export restrictions
• Export restrictions in non-EU national laws
• Examples in the Asia-Pacific
• Australian laws have export restrictions (see Topic 12)
• Cth provisions in force but no cases yet
• NSW provisions not in force yet
• HK SAR Ordinance s33 not yet in force
• Macau SAR has a strict export restriction
• Quebec, Taiwan laws have minor restrictions
• EU has not insisted for US or Canadian adequacy?
• Effect of Asia-Pacific export restrictions?
• Could have prompted a regional Convention
• Minimum standards in return for free flow of data (Origin of the
OECD and CoE agreements)
• No enforcement has blunted effect; APEC results
APEC’s Privacy Framework

APEC initiative 2003-4:






ECSG privacy subgroup included numerous ‘economies’;
Initially chaired by Australia; significant role by HK, US, Can
Framework finalised November 2004 (except Pt IV(B))
APEC IPPs, derived from 1980 OECD Guidelines
Rejection of EU Directive standards & processes
Now see separate Powerpoints on APEC
Other Asia-Pacific developments


Asia-Pacific Privacy Charter Council - civil society alternative
standard; no draft available yet
Asia-Pacific Telecommunity (APT) privacy guidelines,
chaired by KISA (Korea); 2nd draft 2003 (see Greenleaf
comparison with APEC, 2003)