The "final" privacy frontier? Regulating trans-border data flows

International Journal of Law and Information Technology

Volumn 17, Issue 2, 2009, Pages 147-179

  Gunasekara, Gehan ^a  

^a UNIVERSITY OF AUCKLAND   (New Zealand)

Author keywords

[No Author keywords available]

Indexed keywords

EID: 67650132842     PISSN: 09670769     EISSN: 14643693     Source Type: Journal    
DOI: 10.1093/ijlit/eam004     Document Type: Article

References (173)

1. Several watch lists exist including, in the United States, that of the Offi ce of Foreign Assets Control (available at: http://www.treasury.gov/ offices/enforcement/ofac/sdn/t11sdn.pdf) as well as a United Nations list.
2. For an account of this incident see the Weekend Herald, Saturday-Sunday, October 23-24 2004, A16.
3. This is discussed further below.
4. British Columbia Government & Service Employees' Union (petitioner) v The Minister of Health Services and The Medical Services Commission (respondents) B.C.S.C., Victoria registry No. 04-0879.
5. Freedom of Information and Protection of Privacy Amendment Act, 2004, S.B.C. 2004, c.64.
6. Information & Privacy Commissioner for British Columbia 'Privacy and the USA Patriot Act: Implications for British Columbia Public Sector Outsourcing', (British Columbia, 2004). Available at: http://www.oipcbc.org/sector_public/usa_paariot_act/pdfs/report/ privacy-final.pdf.
7. The PNR data elements include the 'PNR record locator code,' date of reservation, name, address, all forms of payment information, contact telephone numbers, travel agency, travel status of the passenger, e-mail address, general remarks, seat number, no-show history and any collected APIS (Advanced Passenger Information System) Information.
8. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data; this directive is discussed further below.
9. European Parliament v Council of the European Union, ECJ, C-317/04 & C-318/04, 30 May 2006.
10. See for example the OECD, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, 1980, clause 17.
11. SD Warren and LD Brandeis 'The Right to Privacy' (1890) 4 Harv LR 193.
12. Restatement of the Law of Torts, 2d (American Law institute: 1965-79) S 652A-F.
13. Through application of the existing remedy of Breach of Confi dence although influenced heavily by the Human Rights Act 1998 (UK) which implemented the European Convention on Human Rights see Campbell v MGN Ltd [2004] 2 AC 457 (HL).
14. Hosking v Runting [2005] 1 NZLR 1 (CA).
15. Early concern in New Zealand over privacy led to the enactment of the Wanganui Computer Centre Act 1976 which for the fi rst time contained provisions safeguarding personal privacy of citizens.
16. See for example Anne Wells Branscomb, Who Owns Information? From privacy to public access (Basic Books, New York, 1994).
17. 5 USC S 552(a) (1988).
18. Available at: www.oecd.org.
19. Personal Information Protection and Electronic Documents Act, S.C. 2000, c.5.
20. Above n 6, at p 38.
21. Privacy Commissioner of Canada, 'Annual Report to Parliament 2003-2004' (available at: http://www.privcom.gc.ca/information/ar/200304/ 200304_e.asp).
22. Privacy Act, 1993, s 6.
23. Privacy Amendment (Private Sector) Act 2000 (C'th, Aust).
24. Privacy Act 1993.
25. Privacy Act 1988 (as amended) (C'th, Aust).
26. Personal Data (Privacy) Ordinance 1996.
27. Personal Information Protection Act (Law No. 57 of 2003).
28. For example the Video Privacy Protection Act 1988 was enacted by Congress as a result of the release of Judge Robert Bork's video rental records during his failed Supreme Court nomination.
29. Above n 6, at p 51.
30. Involving the alleged extra-legal abduction and transfer of suspects to 'black-sites' in third countries where they have been allegedly subject to detention, torture and interrogation; see P Sands 'The International Rule of Law: Extraordinary Rendition, Complicity and its Consequences' [2006] European Human Rights LR 408.
31. See for instance C Doyle and M Bagaric, Privacy Law in Australia (The Federation Press: Sydney 2005) at pp 50-56.
32. Above n 6, at p 44.
33. Public Policy Forum and ITAC Round Table, 'IT Offshore Outsourcing Practices in Canada' (Ottawa, 20 May 2004) at p 6.
34. The process of satisfying the European Commission under the Privacy Directive is explained below.
35. See generally the discussion in Dorothee Heisenberg, Negotiating Privacy: The European Union, the United States, and Personal Data Protection (Lynne Rienner Publishers, USA, 2005) at pp 112-113.
36. Ibid.
37. US, Bill H.R. 4366, Personal Data Offshoring Protection Act of 2004, 108 th Cong., 2004.
38. Above n 6, at p 44.
39. Above n 6.
40. Ibid, at p 136, see particularly Recommendations 4, 5 and 6.
41. Ibid, at p 49.
42. In New Zealand, for example, see the Privacy Commissioner Act 1991 which has been replaced by Part X Privacy Act 1993.
43. Privacy Act 1993, Part X.
44. Data-matching Program (Assistance and tax) Act 1990 (C'th). It should be noted that section 12 of this Act requires the Privacy Commissioner to issue Guidelines for the conduct of data-matching programmes and that a breach of either the Act or Guidelines constitutes an interference with privacy under s 13 of the Privacy Act 1988 (C'th) thus enabling a person to complain to the Privacy Commissioner.
45. Privacy Act 1993, s 98.
46. Ibid, Part X.
47. Ibid, Fourth Schedule.
48. In other words a further 'black list' of those caught cheating the social welfare for example cannot be maintained after the initial adverse action is taken against the individuals concerned.
49. For example programmes between the New Zealand Inland Revenue Department and its Netherlands counterparts for the purposes of assessing eligibility for superannuation, pension and welfare payments was undertaken in the 2004-2005 year, see 'Annual Report of the Privacy Commissioner', (Wellington, 2005) at pp68-71.
50. Above n 8, Article 15.
51. 'Dangers of tenant database' The New Zealand Herald 10 January 2006.
52. See W Renke 'Who Controls the Past Now Controls the Future: Counter-Terrorism, Data Mining and Privacy' (2006) 43 Alberta LR 779.
53. Above n 6, at p 51.
54. US General Accounting Offi ce, 'Data Mining: Federal Efforts Cover a Wide Range of Uses: Report to the Ranking Minority Member, Subcommittee on Financial Management, the Budget, and International Security', (Committee on Governmental Affairs, US Senate, May 2004) at p 1.
55. Above n 6, at p 52.
56. Ibid.
57. Above n 6, at p 53.
58. Above n 52, at p 789.
59. Ibid.
60. J T Soma, MM Nichols, SD Rynerson, LA Maish & JD Rogers 'Balance of privacy vs security: A historical perspective of the USA PATRIOT Act' (2005) 31 Rutgers Computer & Technology Law Journal 285 at pp 343-344.
61. Ibid.
62. http://www.wired.com/news/privacy/0,1848,64748,00.html.
63. Above n 6, Recommendation 10, p 138.
64. The risks and alleged benefi ts of data mining are thoroughly examined by Renke, above n 52. Renke argues, convincingly, that extreme caution must be exercised before employing such technology given the fact that modern terrorist organisations do not exhibit the same traits as those which existed in the past and also differ in many significant ways from organised criminal organisations. Many assumptions on which data mining is founded may therefore be incorrect resulting in mistakes and consequent undermining of the public confi dence in the efficacy of the practice.
65. USA Patriot Act, Pub. L. No. 107-56, 115 Stat.272 (2001).
66. Above n 6, at p 23.
67. Above n 6, at p 70.
68. Ibid.
69. Ibid at p 71.
70. Ibid.
71. 50 U.S.C. SS 1804 (a) (7) (B) and 1823 (a) (7) (B);
72. the United States courts have sanctioned the use of the powers for such expanded purposes, see for example In re: Sealed Case 310 F.3d 717 (U.S. Foreign Int. Surv. Ct. Rev. 2002)
73. and United States v Sattar 2003 U.S. Dist. LEXIS 16164 (S.D.N.Y. 2003).
74. 18 U.S.C. S 2709 (counterintelligence access to telephone toll and transactional records);
75. 12 U.S.C. S 3414 (special procedures for fi nancial records);
76. 15 U.S.C. S 1681 u (credit record disclosures to FBI for counterintelligence purposes).
77. Above n 6, at p 73.
78. Ibid.
79. For example see section 351, Patriot Act.
80. For discussion of different approaches to whistle-blowing see G Gunasekara 'Whistle-blowing: New Zealand and UK Solutions to a Common Problem' (2003) 24 Stat LR 39.
81. 'Bank Data Is Sifted by U.S. in Secret to Block Terror' The New York Times June 23, 2006.
82. 'Bush Secretly Lifted Some Limits on Spying in U.S. After 9/11, Officials Say' The New York Times December 15, 2005.
83. To be fair to the US Administration it did claim, in respect of the SWIFT disclosures, authority under the International Emergency Powers Act 50 U.S.C. ss 1701-1707 (1977), whilst at the same time arguing that privacy legislation, such as the Right to Financial Privacy Act 1978, applied to banks, not to a banking co-operative such as Swift. Furthermore the Admistration maintains the latter legislation applies to dealings between individuals and banks not to dealings between major institutions that route money through Swift on behalf of their customers. As to the basis for warrant less eavesdropping the Admistration appeared to rely on both Congressional resolutions on the campaign against terror as well as the argument that 'the Constitution vests in the President inherent authority to conduct warrant less intelligence surveillance of foreign powers or their agents.' Assessment of the merits of these claims is beyond the scope of this article and at least some of the Administration's actions are currently under review by the United States courts.
84. Anti-terrorism Act, S.C. 2001, c. 41;
85. Canadian Security Intelligence Service Act, R.S.C. 1985, C-23.
86. Terrorism Suppression Act 2002, Financial Transactions Reporting Act 1996 and the New Zealand Security Intelligence Service Act 1969 (as amended).
87. Commissioner of Security Warrants, required to have served as a High Court Judge, see Security Intelligence Service Act 1969 s 5A.
88. Privacy Act s 57.
89. Inspector General of Intelligence and Security Act 1996.
90. See for instance Professor Matthew Palmer, 'Counter-Terrorism law' [2002] NZLJ 456.
91. Above n 21 at p 14.
92. Article 3(2).
93. Above n 9.
94. For example see the New Zealand Security Intelligence Act 1969 ss 4G & 4H (relating to the destruction of irrelevant records obtained by interception and the prevention or detection of serious crime).
95. Above n 6 p 72.
96. R Erickson & K Haggerty, Policing the Risk Society (University of Toronto Press: Toronto, 1997) at p34.
97. See the discussion in the previous section.
98. Article 25.
99. See for example, in the United Kingdom, the Data Protection Act 1998 Schedule 1, Part I principle 8 and Schedule 1, Part II clause 13.
100. Article 26: These include the consent of the data subject, contractual and other undertakings given by the transferee, matters considered further below.
101. Heisenberg above n 35, at p 1.
102. These are examined in detail by Heisenberg above n 35.
103. United States Department of Commerce, Issuance of Safe Harbor Principles and Transmission to European Commission, 65 Fed Reg 45666 (2000).
104. Available at: http://web.ita.doc.gov/safeharbor/shlist.nsf/webPages/ safe+harbor+list!OpenDocument&Start=976
105. D Lindsay, 'An Exploration of the Conceptual Basis of Privacy and the Implications for the Future of Australian Privacy Law' (2005) 29 Melbourne University LR 131, at p 175.
106. Ibid.
107. Privacy Act 1988 (as amended) (C'th, Aust) Schedule 3, clause 9.
108. Heisenberg above n 35, at p 110.
109. Personal Data (Privacy) Ordinance No 81 of 1995 s 33.
110. Article 26; one point of distinction is that, under the European provisions the onus is on the transferor to adduce 'sufficient safeguards' meaning that concrete steps are necessary on its part, another is that rigorous duties of notification exist where transfer occurs together with the right of the Commission and Member states to object to the transfer. Despite this, the experience with Safe Harbor has shown that the Europeans in effect adopt a 'reasonableness' test in deciding whether third countries ensure an 'adequate' level of protection for personal data.
111. R Baker, 'Offshore IT Outsourcing and the 8th Data Protection Principle - legal and regulatory requirements with reference to Financial Services' (2006) 14 International Journal of Law & Information Technology 1 at p 11.
112. The almost identical United Kingdom provision is found in the Data Protection Act 1998, Schedule 4, cl 3 c.f. Privacy Act 1988 (C'th, Aust) Schedule 3, cl 9.
113. See Baker, above n 106, at p 11.
114. Ibid.
115. The US Safe Harbour scheme would presumably fall into the latter category.
116. National Privacy Principle 4, Privacy Act 1988 (as amended) (C'th, Aust) Schedule 3, clause 4.
117. Privacy Act 1993, s 6, Information Privacy Principle 5.
118. See Office of the Privacy Commissioner, 'Necessary and Desirable: Privacy Act 1993 Review' (Wellington, 1998) Recommendation 35, at p 107.
119. Privacy Act 1988 (as amended) (C'th, Aust) s 5 B.
120. The precise meaning of 'collected...in Australia' would need clarification. See also the discussion relating to the French case of LICRA & UESF v Yahoo Tribunal de Grande Instance de Paris No RG: 00/5308 and the other cases discussed by Judge David Harvey in internet.law.nz (2 ed., LexisNexis: Wellington 2005) at pp41-102.
121. Privacy Act 1993 s 10(2).
122. Ibid, s 3(4).
123. Ibid, s 10(1).
124. It should be noted that 'agency' is given a broad definition encompassing both the private and public sectors and includes natural persons, bodies of persons and corporations; see Privacy Act 1993 s 2.
125. It would fall within the defi nition of 'agency' as set out above.
126. The applicability of this Act to conduct outside New Zealand is made clear by s 3 which stipulates: 'This Act extends to the engaging in conduct outside New Zealand by any person resident or carrying on business in New Zealand to the extent that such conduct relates to the supply of goods or services, or the granting of interests in land, within New Zealand.'
127. Privacy Act 1993 s 10(3).
128. Privacy Act 1988 (as amended) (C'th, Aust) s 13 D.
129. Above n 75.
130. See the discussion by M Schmidl, 'The Article 29 Working Party Opinion on Whistleblowing' (2006) 6 World Data Protection Report 23.
131. In New Zealand for example see Privacy Act 1993 s 6, Information Privacy Principle 11(d).
132. A schedule, for example, can easily be attached to the contract containing the Fair Information/Privacy Principles.
133. In New Zealand, see Contracts (Privity) Act 1982.
134. (1848) 2 Ph 774.
135. Burrows, Finn & Todd, Law of Contract in New Zealand (2 ed., LexisNexis: Wellington 2004) at p 541.
136. Ibid;
137. see London County Council v Allen [1914] 3 KB 642.
138. See S Gardner, 'The Proprietary Effect of Contractual Obligations under Tulk v Moxhay and De Mattos v Gibson' (1982) 98 LQR 279.
139. (1858) 4 De G & J 276, 282.
140. Lord Stathcona SS Co v Dominion Coal Co [1926] AC 108.
141. Port Line Ltd v Ben Line Steamers Ltd [1958] 2 QB 146.
142. Burrows, Finn & Todd, above n 130, at p 543.
143. Swiss Bank Corp v Lloyds Bank Ltd [1979] Ch 548, 575 per Browne-Wilkinson J.
144. Burrows, Finn & Todd, above n 130 at p 545.
145. See the discussion above relating to jurisdictional approaches towards restricting exports of personal information.
146. For example denial of credit, health insurance or the ability to access air travel to name a few.
147. Privacy Act 1988 (as amended) (C'th, Aust) ss 6 A(2), 6 B(2) & 13 A(c): service providers contracted to the Commonwealth government are bound by the terms of their contract where this is inconsistent with the privacy principles. A breach of contract is deemed to be a breach of the privacy principles in these circumstances.
148. See Baker, above n 106 at p 10.
149. Ibid, at pp 10, 25.
150. Ibid, at p 13.
151. Ibid, at p 14.
152. See: http://www.bp.com/popuppreviewtwocol.do?categoryId= 438&contentId=2008122.
153. See for example Trade Practices Act 1974 (C'th, Aust) Part V Division 1 A and Fair Trading Act (NZ) Parts 2 & 3.
154. See for example Trade Practices Act 1974 (C'th, Aust) Part IV B Industry Codes.
155. In New Zealand see for instance the Health Information Privacy Code 1994.
156. Cartagena Protocol on Biosafety to the Convention on Biological Diversity (adopted in May 2000) Articles 8 & 20.
157. Sarbanes-Oxley Act of 2002, Pub. L. No. 107-204, 116 Stat.745 (2002).
158. Such as the Enron debacle.
159. See Baker, above n 106, at p 10.
160. Ibid.
161. Companies Act 1993 s 175(2).
162. Privacy Act 1993 (NZ) s 23.
163. Heisenberg above n 35 at p 171.
164. Quoted in Address by Marie Shroff, Privacy Commissioner 'Privacy and the consumer' Privacy Issues Forum, Wellington, 30 March 2006.
165. See the studies catalogued by Heisenberg above n 35 at pp 37-40.
166. See Article 12 of the United Nations Declaration of Human Rights and Article 17 of the International Covenant on Civil and Political Rights.
167. See for instance the APEC Privacy Framework, available at: http://www.apecsec.org.sg/apec/news_media/2004_media_releases/ 201104_apecminsendorseprivacyfrmwk.html, the standards contained in it do not match those of the EU however as it fails, for example, to include any provisions relating to data exports.
168. See R Abeyratne 'The use of information contained in the airline passenger name record - some issues' (2005) 10 Communications Law 170.
169. For example the TRIPS agreement.
170. Above n 150, Article 20.
171. Ibid.
172. 16 September, 2005 available at: http://www.libertysecurity.org/ article709.html.
173. Available at: http://www.bakercyberlawcentre.org/ipp/.