Unclassified DSTI/ICCP/REG(98)12/FINAL
Organisation de Coopération et de Développement Économiques
Organization for Economic Co-operation and Development
Dist.: 19-May-1999
COMMITTEE FOR INFORMATION, COMPUTER AND COMMUNICATIONS POLICY
Working Party on Information Security and Privacy
INVENTORY OF INSTRUMENTS AND MECHANISMS CONTRIBUTING TO THE IMPLEMENTATION AND ENFORCEMENT OF THE OECD PRIVACY GUIDELINES ON GLOBAL NETWORKS
The Inventory was prepared by the Secretariat to survey the available instruments and mechanisms (including law, self-regulation, contracts and technology) contributing to the implementation and enforcement of the OECD Privacy Guidelines on global networks. Such a study was intended to serve to identify a range of technological policy and legal tools which may be used as a resource for providing seamless, or at least effective protection.
The Inventory has been compiled by the Secretariat, incorporating contributions from Member countries, International and Regional organizations and the Business and Industry Advisory Committee (BIAC). The OECD Working Party on Information Security and Privacy decided at its meeting on 21-22 October 1998 to finalize the Inventory. At its meeting on 1-2 March 1999 the Working Party approved the finalized Inventory, noting that Section I was current as at March 1999 and Section II as at December 1998. The Working Party recommended that the Inventory be transmitted to the Information, Computer and Communications Policy (ICCP) Committee for declassification. The ICCP Committee subsequently approved the declassification of the Inventory at a meeting on 4-5 March 1999.
The following more recent changes have come to the attention of the Secretariat:
Copyright OECD, 1999. Applications for permission to reproduce or translate all or part of this material should be made to: Head of Publications Services, OECD, 2 rue André-Pascal, 75775 Paris Cedex 16, France.
INTRODUCTION
I. LEGAL AND SELF-REGULATORY INSTRUMENTS
A. International and Regional Instruments and Organizations
2) International and Regional Conferences and Discussion Forums Concerning Privacy Protection
Australia, Austria, Belgium, Canada, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Japan, Korea, Luxembourg, Mexico, the Netherlands, New Zealand, Norway, Poland, Portugal, Spain, Sweden, Switzerland, Turkey, United Kingdom, United States
2) Reducing or Avoiding the Need for Personal Data Disclosure
2) Complaint Resolution Procedures for Breaches of Privacy Standards
2) The report "Implementing the OECD Privacy Guidelines in the Electronic Environment: Focus on the Internet" (DSTI/ICCP/REG(97)6/FINAL) proposed that OECD Member governments:
4) With the goal of identifying appropriate practical solutions which could be implemented irrespective of the different cultural approaches, the Workshop sessions addressed the following issues:
6) The Chair noted widespread consensus that the protection of personal privacy requires: education and transparency; flexible and effective instruments; full exploitation of technologies; and enforceability and redress.
7) The Chair also highlighted the need to survey the available instruments (including law, self-regulation, contracts, and technology) in order to describe their practical application in a networked environment and their ability to further the objectives of the OECD Guidelines (including effectiveness, enforceability, redress and coverage across jurisdictions). Such a study would serve to identify a range of technological, policy and legal tools which may be used as a resource for providing seamless, or at least effective, privacy protection.
8) At its May 1998 meeting, the Group of Experts on Information Security and Privacy agreed that an Inventory of Instruments and Mechanisms Contributing to the Implementation and Enforcement of the OECD Privacy Guidelines on Global Networks (Inventory) would be prepared by the Secretariat for consideration, comment and approval at its forthcoming meetings.
9) The OECD Working Party on Information Security and Privacy decided at its meeting on 21-22 October 1998 to finalize the Inventory. At its meeting on 1-2 March 1999 the Working Party approved the finalized Inventory, noting that Section I was current as at March 1999 and Section II as at December 1998. The Working Party recommended that the Inventory be transmitted to the Information, Computer and Communications Policy (ICCP) Committee for declassification. The ICCP Committee subsequently approved the declassification of the Inventory at a meeting on 4-5 March 1999.
11) Simply "browsing" on the Web can make a considerable quantity of information available to the sites visited, even if much of this information is needed to enable Internet interaction and much of it is maintained in aggregate form. Whenever a Web page is accessed, certain "header information" is made available by the "client" (the user’s computer) to the "server" (the computer that hosts the Web site being accessed). This information can include:
13) Personal data is also often disclosed voluntarily. Many commercial sites ask users to complete and submit Web page forms in order to register, subscribe, join a discussion group, enter a contest, make suggestions or complete a transaction. The kind of data which is typically requested may include information such as the user's name, address, home or work telephone number and e-mail address. Data relating to age, sex, marital status, occupation, income and personal interests is also sometimes collected. In addition, purchasing forms will usually require credit card details, including the card type, number and expiration date. If a visitor is asked to send information to a Web site by e-mail, then the site (like any e-mail recipient) will be able to ascertain the visitor's e-mail address from the "e-mail header".
14) "Cookies" are small data packets created by a Web site server and stored on the user’s hard drive. Cookies were developed to assist in client/server interaction and data collection, and may be accessed by the server during current and subsequent visits to the Web site. Cookies may be used to facilitate the collection, aggregation and re-use of header, click-stream and voluntarily disclosed data. This is typically accomplished by assigning a unique code to each visitor and storing this number in a cookie which is retrieved each time the site is visited. Information which is subsequently collected about the user can then be linked to this code number.
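The following Python illustration is an added example and is not part of the OECD Inventory. It models, on constructed sample requests with no network involved, the mechanism paragraphs 11 to 14 describe: a site records header information (User-Agent, Accept-Language, Referer, client address), the click-stream of pages visited and voluntarily submitted form data, and links all of it to one visitor by assigning a unique code stored in a cookie. It then runs the same session with a client that declines cookies and withholds the Referer header, so the reader can see which linkage disappears and which (the client address) does not. The site, cookie name, browser string, addresses and e-mail address are all hypothetical.

```python
"""Added illustration (not from the OECD document): how a Web site can link
header information, click-stream data and voluntarily submitted form data
to one visitor by means of a unique-id cookie, and how much of that linkage
disappears when the client declines cookies and withholds the Referer header.
All requests are constructed sample data; nothing touches the network."""
import secrets
from collections import defaultdict
from http.cookies import SimpleCookie

COOKIE_NAME = "visitor_id"   # hypothetical cookie name used by the toy site
CLIENT_IP = "192.0.2.10"     # constructed address (documentation range)


class ToySite:
    """Server side: one profile per visitor id, built from what each request reveals."""

    def __init__(self):
        self.profiles = defaultdict(lambda: {"pages": [], "headers": {}, "form": {}})

    def handle(self, request):
        """Process one request dict; return (visitor_id, Set-Cookie header or None)."""
        cookies = SimpleCookie(request["headers"].get("Cookie", ""))
        set_cookie = None
        if COOKIE_NAME in cookies:
            vid = cookies[COOKIE_NAME].value      # returning visitor: reuse the code number
        else:
            vid = secrets.token_hex(8)            # first visit: assign a fresh unique code
            set_cookie = f"{COOKIE_NAME}={vid}; Path=/"
        profile = self.profiles[vid]
        profile["pages"].append(request["path"])                   # click-stream
        for name in ("User-Agent", "Accept-Language", "Referer"):  # header information
            if name in request["headers"]:
                profile["headers"][name] = request["headers"][name]
        profile["headers"]["client-ip"] = request["client_ip"]
        profile["form"].update(request.get("form", {}))            # voluntarily disclosed data
        return vid, set_cookie


def browse(site, accept_cookies=True, send_referer=True):
    """Client side: a constructed four-request session. Returns the visitor ids the site used."""
    jar = {}

    def get(path, referer=None, form=None):
        headers = {"User-Agent": "ExampleBrowser/1.0", "Accept-Language": "en"}
        if send_referer and referer:
            headers["Referer"] = referer
        if accept_cookies and jar:
            headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in jar.items())
        request = {"path": path, "headers": headers, "client_ip": CLIENT_IP}
        if form:
            request["form"] = form
        vid, set_cookie = site.handle(request)
        if accept_cookies and set_cookie:
            parsed = SimpleCookie()
            parsed.load(set_cookie)               # store the server's cookie as a browser would
            for key, morsel in parsed.items():
                jar[key] = morsel.value
        return vid

    return [
        get("/index.html", referer="https://search.example/?q=shoes"),
        get("/products", referer="https://shop.example/index.html"),
        get("/register", referer="https://shop.example/products",
            form={"email": "alice@example.org"}),
        get("/index.html"),                       # a later visit, no Referer
    ]


def summarize(site):
    """What the site can now say about its visitors."""
    profiles = site.profiles.values()
    return {
        "profiles": len(site.profiles),
        "largest_click_stream": max(len(p["pages"]) for p in profiles),
        "email_linked_to_browsing": any(
            "email" in p["form"] and len(p["pages"]) > 1 for p in profiles),
        "referer_recorded": any("Referer" in p["headers"] for p in profiles),
        "ip_recorded": all("client-ip" in p["headers"] for p in profiles),
    }


def run_scenario(accept_cookies=True, send_referer=True):
    """Run the constructed session against a fresh site and summarize the result."""
    site = ToySite()
    browse(site, accept_cookies=accept_cookies, send_referer=send_referer)
    return summarize(site)


if __name__ == "__main__":
    print("cookies + Referer     :", run_scenario(True, True))
    print("no cookies, no Referer:", run_scenario(False, False))
```

With cookies accepted, all four requests fall into a single profile, so the e-mail address entered on the registration form becomes attached to the search query in the first Referer and to every page viewed. With cookies declined, the site sees four unrelated visitors and the form data stays isolated; the client address is still logged for each request, which is why paragraph 11 treats header information as disclosure in its own right.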
15) Thus, although the development of global networks and digital technology has brought many social and economic benefits, recent technology increases the risk that personal information may be automatically generated, collected, stored, interconnected and put to a variety of uses by online businesses or government bodies, without the data subject's knowledge or consent.
16) This Inventory focuses on the various overlapping and complementary instruments, practices, techniques and technologies which are used, or are being developed, to define, implement and enforce privacy principles in networked environments.
17) The Inventory is divided into two main Sections. Section I describes the international, regional and national instruments, both legal and self-regulatory, which exist, or are being developed, for the protection of personal data and privacy in OECD Member countries. Special attention is paid to instruments which have been specifically developed for the online environment. Section II discusses the mechanisms which exist, or are being developed, to implement and enforce privacy principles on global networks. In addition, a list of contact details for many of the public, private, national, regional and international privacy organizations mentioned in this Inventory is included in the Appendix.
19) At the international and regional levels, a number of government and private sector multilateral organizations have produced, are producing, or intend to produce, texts and standards aimed at promoting privacy protection. These organizations also serve as forums for ongoing research, policy formulation and dialogue between governments, businesses, academics and public-interest groups. The instruments that have been developed through such organizations have greatly influenced many national laws and self-regulatory instruments on privacy protection.
20) At the national level, in most countries the protection of privacy and personal data involves a combination of legislative instruments, government agencies and industry-based self-regulation. All OECD Member countries have laws of one sort or another that affect the processing of personal data. A number of countries have enacted "comprehensive" laws which apply personal data protection principles in a general fashion to both the public and private sectors. Other data protection legislation is more sectoral, applying only to a specific sector (such as government agencies) or a particular type of data (such as health data).
21) Most OECD Member countries have also created central oversight authorities, commonly known as Data Protection Officers or Privacy Commissioners. The roles and powers of these bodies vary from country to country, but generally include advice-giving, the investigation of complaints and enforcement actions.
22) Self-regulation is seen in some OECD Member countries as a flexible and efficient solution to the protection of online privacy by allowing market forces and industry-led initiatives to provide innovative solutions. Self-regulatory instruments may broadly be defined as rules developed and enforced by the entities to whom they are intended to apply. Independent third parties may play a role in enforcement of self-regulation. However, public authorities may also be involved in the development, implementation and enforcement of industry codes and guidelines. Governments can work with the private sector to develop criteria for effective privacy protection which the private sector can implement through self-regulatory codes. In a number of jurisdictions self-regulatory codes are seen as a way of implementing privacy legislation in the context of a specific industry, or as an aid to interpreting general privacy principles. In some OECD Member countries such as Ireland and New Zealand, industry codes can, on receiving official approval, have the force of law.
A. International and regional instruments and Organizations
1) Intergovernmental legal instruments
a. OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
Status
23) The Recommendation concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (the OECD Guidelines) was adopted by the Council of the OECD on 23rd September 1980. Council Recommendations are not binding legal instruments but reflect a "political" commitment by Member countries. The Council recommended that "Member countries take into account in their domestic legislation the principles concerning the protection of privacy and individual liberties set forth in the Guidelines", that they "endeavor to remove, or avoid creating, in the name of privacy protection, unjustified obstacles to transborder flows of personal data", and that they "co-operate in the implementation of the Guidelines".
24) The principles that comprise the OECD Guidelines have been applied in Member countries and other countries through a variety of instruments.
25) The Guidelines are widely acknowledged as an internationally accepted and technologically neutral set of privacy principles that have stood the test of time. They apply to "any information relating to an identified or identifiable individual", and their scope encompasses public and private sector data, all media for the computerized processing of data on individuals (from local computers to networks with global ramifications) and all types of data processing.
Basic principles
26) The OECD Privacy Guidelines establish eight basic principles to govern the handling of personal information. These "Privacy Principles" are:
27) The OECD Guidelines tend to avoid the imposition of unnecessary impediments to transborder data flows. Legitimate restrictions are, however, recognized. For example, a Member country may impose transfer restrictions on "certain categories of personal data for which its domestic privacy legislation includes specific regulations in view of the nature of those data and for which the other Member country provides no equivalent protection".
Provisions on further co-operation
28) The OECD Guidelines create a framework for future co-operation. The areas of future co-operation include: ensuring that procedures for transborder flows of personal data and for the protection of privacy are simple and compatible with those of other Member countries; establishing procedures to facilitate information exchange; and developing principles, domestic and international, to identify the applicable laws of Member countries in the case of transborder flows of personal data.
Ongoing work
30) The OECD, through the ICCP Committee, continues to work in the area of privacy and data protection and provides a forum for discussing new issues, such as the challenges presented by the emergence of global networks.
b. Council of Europe Convention for the Protection of individuals with regard to automatic processing of personal data
31) Convention No. 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data of 18 September 1980 (Convention 108) was opened for signature by the Committee of Ministers of the Council of Europe on 28 January 1981. Since then, it has been signed by 23 countries and ratified by 21. Convention 108, which is open to the accession of any State and not only to the members of the Council of Europe, is a binding instrument in international law.
Scope
32) The terms of the Convention apply to automated personal data files and automatic processing of personal data in the public and private sectors.
Basic principles
33) The Convention’s basic principles are similar to those in the OECD Guidelines, but include a principle requiring appropriate safeguards for special categories of data (sensitive data) that reveal racial origin, political opinions or religious or other beliefs, that concern health or sexual life, or that relate to criminal convictions.
Provisions on data flows
34) The principles of the Convention provide for the free flow of personal data between parties to the Convention who provide equivalent protection.
Provisions on further co-operation
35) For the purposes of mutual assistance in the implementation of the Convention, each party to the Convention designates an authority to furnish information on its laws and administrative practices in the field of data protection. In addition, Articles 18-20 establish the Consultative Committee which represents Member States and makes proposals as to the application of the Convention.
Provisions on implementation and enforcement
36) Each contracting State undertakes to take the necessary measures in its domestic law to give effect to the basic principles of data protection, but the manner of implementation is left for each State to decide. Under Article 10, States undertake to establish "appropriate sanctions and remedies for violations of domestic law giving effect to the basic principles".
Ongoing work
37) Through the Consultative Committee, the Council of Europe continues its work in the area of privacy protection. The Council of Europe’s Project Group on Data Protection has also issued draft Guidelines on "The Protection of Privacy on the Internet" (May 1998).
c. United Nations Guidelines for the Regulation of computerized personal data files
Status
38) The United Nations High Commissioner for Human Rights' Guidelines for the Regulation of Computerized Personal Data Files (Resolution 45/95 of 14 December 1990) (UN Guidelines) were adopted by the United Nations General Assembly pursuant to Article 10 of the UN Charter. This Article empowers the General Assembly to make recommendations to Member States. Members must take the Guidelines into account when implementing national regulation concerning computerized personal data files, but the procedures for implementing those regulations are left to the initiative of each State.
Scope
39) The UN Guidelines apply to computerized personal data files (both public and private) and may be (optionally) extended to manual files and to files on legal persons. Part A of the Guidelines is intended as the minimum privacy guarantees that should be provided in national legislation. Part B of the Guidelines is intended to apply to personal data kept by governmental international organizations.
Basic principles
40) The "Principles concerning the minimum guarantees that should be provided in National Legislation" broadly reflect the basic principles in the OECD Guidelines. In addition the UN Guidelines restrict the compilation of "sensitive data" within the "Principle of non-discrimination".
Provisions on transborder data flows
41) Paragraph 9 of the UN Guidelines provides for free transborder data flows between countries with "comparable safeguards".
Provisions on implementation and enforcement
42) Regarding domestic legislation (Part A), Article 8 recommends that each country establish an independent authority to oversee application of the privacy principles set out in the Guidelines. In addition, violations of national implementing law should lead to "criminal or other penalties ... together with the appropriate individual remedies".
43) With respect to governmental international organizations (Part B), the creation of supervisory bodies is also recommended.
Ongoing work
44) A 1997 report of the UN Secretary-General looks at the implementation of the Guidelines within the United Nations system and at the national and regional levels.
d. EU Directive 95/46/EC on the Protection of Individuals with regard to the Processing of Personal Data
Status
45) Directive 95/46/EC of the European Parliament and of the Council of the European Union of 24 October 1995 on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such Data (EU Directive) is a binding instrument that the 15 EU Member States were required to implement by 24 October 1998.
Scope
46) The Directive applies generally to the processing of personal data by a "controller" in an EU Member State. It applies to data about natural persons, whether held by the public or private sector. Computerized data processing and most categories of manual processing are covered.
Basic principles
47) The information privacy principles contained in Chapter II of the EU Directive are broader and more detailed than those in the OECD Guidelines. In addition to the OECD principles, the EU Directive contains, inter alia, special provisions for sensitive data, detailed disclosure requirements, registration provisions, "opt-out" rights for data subjects to refuse commercial solicitations and redress rights.
Provisions on transborder data flows
48) The EU Directive provides for free transborder data flows within the EU on the basis of the equivalent protection provided in all Member States, and allows transfers to third countries which provide adequate protection. Member States are not permitted to inhibit the free movement of personal data within the EU simply for reasons of privacy protection, because of the equivalent and high level of protection ensured by the Directive throughout the Community. A transfer of data outside the EU may take place to third countries which guarantee an "adequate" level of protection. Adequacy is to be assessed "in the light of all the circumstances surrounding a data transfer operation [with] particular consideration ... given to the nature of the data, the purpose and duration of the proposed processing operation ... the country of origin and the country of final destination, the rules of law, both general and sectoral, in force in the third countries in question and the professional rules and security measures which are complied with in that country". Exceptions apply where, for example, the consent of the data subject has been obtained.
Provisions on implementation and enforcement
49) The EU Directive defines the role of the supervisory authority or data protection body in each Member State as a key aspect of implementation and enforcement of the domestic law enacting the Directive. These authorities must act with complete independence and should have a wide range of powers that include investigative authority, intervention powers and the ability to engage in legal proceedings.
50) With respect to enforcement, the EU Directive provides for judicial remedies, liabilities and sanctions. It states that persons shall be entitled to judicial remedies and compensation from data controllers for damage suffered as a result of unlawful processing. Member States have to adopt suitable administrative, civil or criminal sanctions.
Provisions on further co-operation
51) Article 28 requires supervisory authorities to co-operate with one another as necessary, and in particular to exchange useful information.
52) The Directive establishes two bodies, one consultative (Article 29) and one "decision-making" (Article 31), to assist the European Commission with issues related to data processing.
Ongoing work
53) The Article 29 Working Group has already issued a number of reports and recommendations including "Orientations on Transfers of Personal Data to Third Countries - Possible Ways Forward in Assessing Adequacy" and "Judging Self-Regulation".
Other developments
54) On 15 December 1997, Directive 97/66/EC was adopted by the European Parliament and the Council. This Directive complements Directive 95/46/EC with respect to the processing of personal data and the protection of privacy in the telecommunications sector. It provides for the harmonization of the provisions of the Member States required to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy, with respect to the processing of personal data in the telecommunications sector and to ensure the free movement of such data and of telecommunications equipment and services in the Community.
(e) General Agreement on Trade in Services
55) The General Agreement on Trade in Services (GATS) is a multilateral agreement which aims to promote free trade in services. GATS is administered by the World Trade Organization (WTO). Article XIV recognizes that GATS does not prevent Member States from adopting measures necessary to secure "the protection of the privacy of individuals in relation to the processing and dissemination of personal data and the protection of confidentiality of individual records and accounts". However, Article XIV limits what a country can do with regard to privacy protection by subjecting it to the requirement or safeguard that any such measures must not be applied in a discriminatory manner and must not constitute a disguised restriction on trade in services.
2. International Conferences and Discussion Forums Concerning Privacy Protection
56) International conferences and discussion forums play an important role in contributing to information exchange, education and the development of instruments on privacy protection.
(a) Annual International Conferences of data protection commissioners
57) From 1979 International Data Protection Commissioners’ Conferences have been held annually. The Conferences have no particular legal status and do not vote on resolutions. Rather, they are a forum of information exchange. The 20th International Conference of Data Protection Authorities took place in Santiago de Compostela, Spain.
(b) Conferences of the EU data protection commissioners
58) The annual Conferences of the EU Data Protection Commissioners provide an opportunity to develop common approaches to privacy protection and to address topical issues such as telecommunications and police files.
(c) International Working Group on Data Protection in Telecommunications
59) The International Working Group on Data Protection in Telecommunications, led by the Data Protection Commissioner of Berlin, was initiated by the data protection commissioners from a number of countries to improve privacy and data protection in telecommunications and media. The "Budapest-Berlin Memorandum" on data protection on the Internet discusses the issues surrounding legal and technical protection of Internet user privacy.
(d) International Organization for Standardization
60) The International Organization for Standardization (ISO) is a world-wide federation of national standards bodies from around 130 different countries. The ISO's work results in international agreements which are published as International Standards. In May 1996, the Consumer Policy Advisory Committee of ISO passed a unanimous resolution in favor of a proposal to develop an international standard on privacy based on the Canadian Standards Association Model Code for the Protection of Personal Information. An Ad Hoc Advisory Group on Privacy undertook a study on behalf of the ISO to examine whether there is a need, under the pressure of technological advances in global information structures, for an international standard to address information privacy, measure privacy protection and ensure global harmonization. The Advisory Group concluded in June 1998 that it was premature to reach a determination on the desirability and practicality of ISO undertaking the development of international standards relevant to the protection of personal privacy.
(e) International Chamber of Commerce
61) The International Chamber of Commerce (ICC) represents international businesses all over the world and has produced a number of documents and industry codes relating to the protection of personal privacy and information flows. These have included a range of marketing codes and guidelines, including guidelines for Internet advertising, with privacy provisions. The ICC has also published a proposed model contract for transborder flows of personal data which builds on the 1992 ICC/Council of Europe/European Commission model contract.
(f) International Federation of Direct Marketing Associations
62) The International Federation of Direct Marketing Associations (IFDMA) is a collaboration of national and regional direct marketing associations. Its aims include fostering industry programs of self-regulation and consumer education. The data protection "Online Principles" formulated by the IFDMA encourage direct marketers to post their privacy policies online in a manner that is easy to find, read and understand. The principles include special provisions with respect to children’s on-line activities.
(g) Electronic Commerce Europe
63) Electronic Commerce Europe (ECE) is a group of European electronic commerce businesses and associations who are working on drafting a Code of Conduct for Electronic Commerce.
(h) Online initiatives for privacy information exchange
64) A number of privacy-oriented non-governmental organizations have created Web sites to provide information on online privacy issues. These organizations include, inter alia:
Australia
Laws
Commonwealth / Federal Laws
65) The Privacy Act 1988 provides privacy protection with respect to federal government agencies in Australia. The Act establishes the office of the Privacy Commissioner and sets out eleven Information Privacy Principles (IPPs) based upon the OECD Guidelines. The Commissioner can receive complaints, conduct investigations and make determinations (including compensation orders) that are enforceable in the Federal Court of Australia.
66) The Privacy Act has a limited application to the private sector. In particular, it allows the Privacy Commissioner to issue guidelines in relation to tax file numbers. The Act also regulates the information handling practices of the consumer credit reporting industry.
67) On 16 December 1998 the Government announced that it would develop a light-touch legislative scheme to support and strengthen self-regulatory privacy protection in the private sector. The legislative scheme will support the existing self-regulatory approach by recognizing codes developed by business and providing a legislative framework to apply where such codes are not in place. The legislative framework will be based on the National Principles for the Fair Handling of Personal Information (the National Principles) issued by the Privacy Commissioner. The National Principles set out privacy standards that are based on the OECD privacy guidelines.
68) Consultation on the development of legislation to establish this scheme is underway.
Other federal laws with privacy provisions
69) Other Commonwealth legislation provides privacy protection for specific types of information, such as "spent" criminal convictions (Part VIIC, Crimes Act 1914 protects a person against the unauthorized use of certain criminal convictions after ten years) and taxation information (Taxation Administration Act 1953), and for specific procedures, such as the interception of telecommunications and the disclosure of personal information by telecommunications companies (Telecommunications Act 1997). The Data-matching Program (Assistance and Tax) Act 1990 provides privacy protections in relation to the matching of personal information relating to tax and social welfare benefits by Commonwealth Government Departments.
State and Territory laws
70) There are many State and Territory laws which provide some form of privacy protection. In the Australian Capital Territory, for example, there is legislation dealing with privacy and the confidentiality of personal health information. In late 1998 New South Wales enacted the Privacy and Personal Information Protection Act 1998 (NSW), which provides protection with respect to the NSW public sector. In South Australia a Cabinet Administrative Instruction (No. 1 of 1989) implements guidelines (based on the federal IPPs) for State government agencies. Finally, a Data Protection Bill has been proposed by the Victorian Government which would have the effect of applying the National Principles in both the private and public sectors.
Self-Regulatory Instruments
71) Since the release of the National Principles some key industry bodies have developed codes of conduct based on the National Principles. For example, in February 1999, the Internet Industry Association released their Internet Industry Code of Practice for adoption. It is anticipated that codes based on the National Principles will be able to be given effect as part of the proposed legislative scheme discussed above.
72) In February 1999, the Australian Internet Industry Association released its Internet Code of Practice. In the first instance, it is intended that complaints will be dealt with between the user and the Code Subscriber within a time frame specified by the Code. If this is not successful, however, the Code sets out other procedures including the appointment of a mediator and orders by the Code's Administrative Council directing the subscriber to comply with the Code or to provide corrective advertising and/or the payment of compensation. The Council may also withdraw permission for a site to use its Code Compliance Symbol.
Austria
Laws
Federal comprehensive laws
73) The Federal Data Protection Act of 1978 (Datenschutzgesetz, BGBl. Nr. 565/1978) regulates the use of computerized data in the public and private sectors, creates a central registration system and provides civil remedies and criminal sanctions. A new law is being prepared to implement the EU Data Protection Directive.
. 74
An independent Commission
(the Datenschutzkommission), is responsible for enforcing the law,
administering the registration system and authorizing transborder data
flows. The Commission acts on specific complaints against public data controllers,
and can impose sanctions for certain actions, such as breaches of transborder
data flow authorizations. A Council for Data Protection also exists
and may be referred to by the Commission for advice on certain matters.
Complaints against private data controllers must be brought before the
courts.
. 75
The Chamber of Commerce
and the Federal Chancellery run a court of arbitration, the Schlichtungsstelle-Datenschutz,
which hears complaints against businesses who have not complied with a
request by a data subject to access, correct or delete personal information.
Other federal laws with privacy provisions
. 76
There are many federal
laws in Austria which relate to personal privacy. For example, the Austrian
Telecommunications Act (1997) imposes confidentiality and data protection
obligations on suppliers of public telecommunication services. The use
of personal information by direct marketing businesses is governed by Section
268 of the Industrial Code (1994). Finally, the Genetic Engineering
Act 1994 contains data protection provisions relating to genetic data.
Implementation of the EU Directive
. 77
A first draft of
the Datenschutzgesetz was submitted to Parliament recently..
Laender (State) laws
. 78
The role which individual
Land
will play in data protection is presently being considered in the context
of implementing the EU Directive.
. 79
Whilst there
are no codes of conduct in Austria which deal exclusively with privacy,
members of the banking sector have codes in place containing general privacy
clauses.
Belgium
80) Privacy rights are contained in Articles 22 and 32 of the Belgian Constitution.
Laws
81) The Law on the Protection of Privacy Regarding the Processing of Personal Data (1992) applies to both the public and private sectors in Belgium. The Law is supplemented by Royal Decrees with respect to, for example, sensitive data and information regarding criminal convictions. The Law is supervised by an independent Commission within the Ministry of Justice, the Commission Consultative de la Protection de la Vie Privée. The Commission handles data processing registrations and may also advise the government on privacy matters.
82) In terms of recourse for individuals, applications may be made to the Tribunal de Première Instance for rulings on the rights arising under the Law. The Law also includes criminal sanctions for breach of privacy obligations.
Other laws with privacy provisions
83) The Law of 30 June 1994 provides for privacy protection in the context of wire-tapping and the recording of private telecommunications.
Implementation of the EU Directive
84) A draft law designed to implement the Directive, and based on the structure of the 1992 Law, is now before the Belgian Parliament.
85) The Internet Service Providers Association of Belgium has a Code of Conduct, approved by the Plenary Assembly, which encourages its members to comply with privacy protection law in their use of clients’ personal data.
Canada
Laws
86) The Privacy Act (1983) applies to virtually all federal public sector institutions in Canada. The Act regulates the confidentiality, collection, correction, disclosure, retention and use of personal information, and gives data subjects the right to examine information held about them and to request that errors be corrected. The Act reflects the principles of the OECD Guidelines.
87) The Privacy Commissioner is appointed by Parliament to investigate complaints and audit compliance with the Act by federal agencies. The Commissioner has the authority to conduct investigations, attempt to resolve disputes, and issue recommendations. Disputes about the right of access to personal information that are not resolved in this manner can be taken to the Federal Court for review.
Federal approach to privacy in the private sector
88) The Canadian federal government introduced privacy legislation to protect personal information in the private sector on October 1, 1998 (Bill C-54). The Personal Information Protection and Electronic Documents Act has received its second reading and is currently being studied by the Standing Committee on Industry, which will report back to Parliament in the Spring of 1999. The legislation will initially extend privacy protection to the federally-regulated private sector as well as inter-provincial and international trade in personal information. Three years later the legislation will apply to the remaining private sector organizations which fall under provincial jurisdiction. If a province enacts substantially similar legislation, the commercial organizations operating under its jurisdiction will be subject to the provincial law. At this time, only the province of Quebec has such legislation. The obligations and rights set out in the bill are those of the Canadian Standards Association’s Model Code for the Protection of Personal Information, which is a recognised national privacy standard that is modeled on the OECD Guidelines. Individuals have access and redress rights and the federal Privacy Commissioner will exercise oversight by investigating and reporting on complaints. The Commissioner has ombudsman powers but complainants may bring unresolved matters to the Federal Court, as may the Commissioner, and the Court has the power to issue binding orders and award damages.
Provincial laws
89) Most Canadian Provinces have passed privacy legislation governing the public sector and the majority of this legislation reflects the principles included in the OECD Guidelines. Various sectoral statutes provide privacy protection in areas such as personal health information.
90) Quebec is the only province where general legislation, the Act Respecting the Protection of Personal Information in the Private Sector (1993), regulates the handling of personal information by private sector organizations, including corporations, sole proprietorships, partnerships, organizations and associations. The Act governs the collection and use of personal information and provides individuals with a right of access and correction; disputes are resolved before the Commission d'accès à l'information, the agency which is responsible for oversight and redress for public sector information access and privacy rights in the province. It is noteworthy that the law has special provisions which apply to lists of names used for marketing purposes and to transfers of information about Quebec residents to third parties outside of the province.
The CSA model code
91) Canada has a widely accepted model code of conduct with respect to privacy. The Model Code for the Protection of Personal Information was developed by the Technical Committee on Privacy of the Canadian Standards Association (CSA) and was adopted as a National Standard by the Standards Council of Canada in 1996. The Code reflects the OECD Guidelines, but also requires companies to identify an officer accountable for compliance to whom complaints may be addressed.
92) The CSA has prepared a workbook, "Making the CSA Privacy Code work for You", to assist in the development of compliant codes (which may be certified by the Quality Management Institute, a division of the CSA). In terms of ensuring ongoing compliance with a code, the workbook highlights the importance of independent audits by duly certified auditors. Private sector codes may be certified as complying with the CSA standard by a quality registrar and a company may cite the standard in an ISO 9000 registration. There are a variety of ways in which a company may demonstrate compliance, e.g. the Canadian Bankers’ Association Privacy Model Code was verified by Price Waterhouse.
Other initiatives
93) A number of companies and associations have developed, or are in the process of developing, CSA based privacy codes, including Stentor (the alliance of telecommunications providers), the Canadian Marketing Association, the Canadian Bankers Association, the Insurance Bureau of Canada, the Canadian Television Standards Association and the Canadian Medical Association.
Instruments relating to online privacy
94) The Canadian Association of Internet Providers’ (CAIP’s) voluntary Code of Conduct requires CAIP members "to respect and protect the privacy of their users" and comply with all applicable laws. Enforcement is by a complaint-driven process to be established by each member.
Czech Republic
Laws
95) The Protection of Personal Data in Information Systems Act became effective on 1 June 1992. The Act covers computerized data on natural persons and applies to both the public and private sectors.
96) This Act broadly conforms with the principles of the OECD Guidelines and sets down specific provisions for sensitive data. It contains civil remedies for breaches that are administered through the courts. There is no data protection commissioner in the Czech Republic at this time.
97) In anticipation of the Czech Republic joining the EU, the Government has appointed the Office for the State Information System (OSIS) to prepare the legislation that will be compatible with the EU Data Protection Directive. The new legislation will establish the framework for an independent supervisory body. It is not expected that the legislation will receive Parliamentary approval before the middle of 1999.
Other laws with privacy provisions
98) A Bill is being prepared by the Czech Telecommunication Office in co-operation with OSIS which will implement the terms of EU Directive 97/66/EC on the protection of privacy in the telecommunications sector. A proposal for the Digital Signature Law is also being prepared by the Office for the State Information System (OSIS) which will implement the terms of the EU Directive on a common framework for electronic signatures.
Denmark
99) According to section 72 of the Constitution, regarding the sanctity of the home, it is forbidden, without a prior court order, to search an individual’s house, open their letters or tap their telephone. It is generally accepted in Danish judicial theory that this section can be interpreted to also apply to data stored electronically and any form of telecommunication. The authorities may not, for example, open and examine one’s e-mail without prior consent. They may intercept and open the message via the telecommunications networks only if they have a court order which allows them to. Since the main rule is that a search requires a prior court order, a search without a prior warrant may only take place in exceptional cases where it is deemed absolutely necessary. A general permission is granted in accordance with the Law on Civil and Criminal Proceedings. Outside the scope of criminal proceedings, permission to perform administrative searches is granted under numerous laws, for example, to carry out an inspection by the Data Surveillance Authority of the locations of public filing systems.
100) The Law on Public Access ensures (§ 4 section 1) that any citizen may have access to documents which form part of public authority decisions. The wide access to documents is, however, limited by section 3 of § 4, which requires that the person seeking access is able to identify the case to which he is applying for access.
101) The following documents are exempt from access: records of criminal proceedings, applications and procedures regarding the employment of civil servants, and documents intended for internal use only. These exemptions may be divided into two categories: 1) personal data concerning individual citizens in accordance with § 12; 2) types of data to which access is denied for reasons of public policy, in accordance with § 13. An example of the first category of data would be the political affiliation of a person. An example of a public policy interest that may outweigh access in the second category of data would be national security.
102) The Danish laws on public and private filing systems have been in effect since 1979. The laws provide privacy protection with respect to both governmental agencies and to filing systems kept by private entities.
103) The Law on Public Filing Systems is applicable to computerized filing systems held by public authorities containing personal information in accordance with § 1, section 1. The law applies only to the administration.
104) One of the purposes of the Law on Private Filing Systems is to ensure that economic and personal data about private citizens, institutions, societies, and companies are only recorded by private persons to the extent that they serve fair interests and that the recorded data are processed in a satisfactory way. The law contains a general ban on private parties systematically processing personal data, but does, however, contain certain exceptions to this rule. The law applies to any systematic processing (gathering, recording and passing on) of personal and economic data, carried out by private parties (persons or companies) by electronic data processing (EDP) or, in some instances, manual processing.
105) The Danish Media law regulates the liability of the mass media (traditional news and IT related news). The media law is closely related to the Penal Code, because several of the punishable media offenses relate to the rules on privacy in the Penal Code.
106) The Danish Penal Code, § 152, contains a prohibition for civil servants to illegally process or use confidential information obtained through their work. The section contains the legal basis on which employees who abuse their duty of confidentiality may be fined. The Article states that the mere obtaining of information is permitted, but it is illegal to process or abuse that personal data. However, the obtaining of the information may be subject to ordinary disciplinary sanctions. § 152a-d states that the duty of confidentiality (and the sanctions affiliated to this) extends to include persons who are not civil servants, but who in some way perform duties for the public administration.
107) § 263 of the Penal Code, subsection one, deals with the situation where someone opens another person’s mail, searches their private premises or listens in on their conversations. These rules can easily be interpreted to cover the situation in which someone gains unauthorized access to another person’s e-mail messages or intercepts their messages via telecommunications networks. Subsection 2 covers the situation in which someone gains unauthorized access to programs or personal information destined to be used in a computer system. Intercepting data transmissions is also included in this subsection.
108) Under § 264 d, it is a crime to pass on information or pictures concerning the personal affairs of other individuals. New network capabilities facilitate the circulation of such information to a much wider range of persons than was previously possible.
109) The Data Surveillance Authority monitors both public and private filing systems. It is organized under the competence of the Ministry of Justice, but complaints etc. about the Authority cannot be brought before the Minister of Justice, and the Minister has no authority to instruct the Data Surveillance Authority; in other words, the Authority is independent. This is known as functional independence, and is an important element of securing the integrity of the data subject.
Implementation of the EU Directive
110) A proposal to implement the EU Directive was introduced to the Danish Parliament (the Folketinget) on 30 April 1998 but has not yet been adopted.
111) The Ombudsman for consumer issues is preparing a set of ethical rules aimed at use of the Internet; at this time there is no information on when the work will be completed.
112) Other self regulatory initiatives include:
Finland
113) Section 8 of the Finnish Constitution provides that each individual’s privacy, honor and domiciliary peace shall be protected and that the use of personal data shall be prescribed by law.
Laws
114) The Personal Data Act (1999) covers computerized and manual records of natural persons in both the public and private sectors. There are two overseeing bodies, the Data Protection Ombudsman, who has investigative and advisory powers, and the Data Protection Board, which hears cases pursuant to the Act and has the power to authorize the export of sensitive data to other countries. If recommendations made by the Ombudsman are not observed, the Ombudsman may refer the case to the Data Protection Board. The decisions of the Data Protection Ombudsman and the Data Protection Board are subject to appeal in accordance with the provisions of the Administrative Judicial Procedure Act.
115) The Personal Data Act includes civil remedies (for example, data controllers must compensate data subjects for unlawful data use) and criminal sanctions for violations.
Other laws with privacy provisions
116) Sectoral legislation, such as the Statistics Act, the Act on the Medical Research Development Center and the Act on the Protection of Privacy and Data Security in Telecommunications, contains privacy protection provisions.
Implementation of the EU Directive
117) The Personal Data Act conforms with the EU Directive. It extends the rights of data subjects and the powers of the data protection authorities. It also includes a provision for the approval of sectoral codes of conduct by the authorities. Work on implementing the Directive in specialized legislation is also underway. A Government proposal for an Act on the Protection of Privacy in Working Life was put before Parliament in 1998 but it was returned to the Ministry of Labor for further preparations.
118) The Finnish Rules for Electronic Consumer Trade were prepared jointly by the Finnish Direct Marketing Association and the Federation of Commerce and Trade. The introduction notes that an electronic vendor should follow the Personal Data Act and other data protection laws. The Rules include provisions regarding: data security, the recording of personal data about consumers (making reference to the EU Data Protection Directive) and the right to opt-out.
France
119) Law No. 78/17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties covers computerized and manual records on natural persons and applies to the public and private sectors. Law 78/17 was modified by Law No. 94-548, which introduced a special regime for the processing of personal health data for research purposes. Law 78/17 is supplemented by the Penal Code.
120) Law 78/17 establishes a central registration system which is administered by an independent data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL). The data protection authority’s role includes informing and advising the public on rights and obligations under the law, examining data processing proposals in the public sector prior to their implementation, and proposing changes in the law in line with technological developments. The authority acts on its own initiative or on complaints and queries; it carries out investigations and ensures that data subjects may exercise rights of access.
121) Unlawful processing or transfer of named data is punishable under Law 78/17 by fines and/or imprisonment. A criminal prosecution for breach of the Act may be brought by an individual data subject or a prosecuting authority.
Other laws with privacy provisions
122) Sectoral laws with privacy provisions include, inter alia, the Labor Code and the Law on Video Surveillance (1995).
Implementation of the EU Directive
123) A report on implementing the EU Directive was issued on 3 March 1998, and a Bill is being prepared by the Ministry of Justice. The Bill will be discussed at ministerial level before submission to the French Parliament. The National Commission for Human Rights and the CNIL will be consulted on the draft law.
Instruments relating to online privacy
124) The "Charte de l’Internet" (Internet Charter) is a self-regulatory initiative established on the ground of national legislation. This Charter, aimed at Internet actors, creates an independent supervisory body, the "Conseil de l’Internet" (Internet Council), with advisory and mediation powers. The Charter stipulates that users should have the right to use services anonymously, and imposes an obligation on Internet actors to inform users of the data being collected.
Other initiatives
125) SEVPCD, a professional association for distance marketers, has developed a code of conduct designed to accord with Law 78/17. Only members who comply with these rules are entitled to display the Association’s emblem, and violations may result in disciplinary proceedings before the Association’s Supervisory Committee.
Germany
126) Germany’s Federal Data Protection Act (1990) is applicable to computerized and manual records of natural persons. The Act distinguishes between public and private data controllers. Public sector name-linked files must be registered with the independent Federal Data Protection Commissioner, who is elected by Parliament. The supervisory authorities for the private sector are designated by the laws of each German State (Land). Private organizations are required, under certain circumstances, to appoint data protection supervisors to see that the law is observed.
127) Anyone may lodge a complaint with the Federal Data Protection Commissioner if they believe that their rights have been infringed through the collection, processing or use of personal data by a Federal authority. Complaints against private sector organizations may similarly be made to the Laender supervisory authorities. In terms of sanctions, the Act creates administrative penalties and criminal offenses.
Other Federal laws with privacy provisions
128) The German Federal Government has enacted a significant number of specific issue laws and regulations dealing with privacy, including legislation on: national registers and archives; federal statistics; population registers; the storage and transfer of personal data concerning foreigners in Germany (the Central Register of Foreigners Act (1994)); and telecommunications (the Federal Telecommunications Act (1996) and the Telecommunications Carriers Data Protection Ordinance).
129) Article 2 of the Federal Information and Communication Services Act (1997) governs the processing of personal data in the networked environment. The Act refers to the anonymous use of teleservices, technical devices to minimize the amount of personal data collected and procedures for obtaining electronic consent.
130) Each Land has its own data protection law covering its public sector, as well as its own data protection authority. The Data Protection Commissioners of the Federation and the Laender hold regular conferences.
Implementation of the EU Directive
131) The Federal Government and Laender are currently working on new legislation to implement the EU Directive. Some of the Laender Commissioners have issued draft implementation proposals and have published Guidelines on transborder flows of data to countries without adequate protection provisions.
132) The approach to privacy protection in Germany is currently based on laws rather than self-regulatory mechanisms.
Greece
133) The Greek Constitution contains rights to personal and family privacy (Article 9) and secrecy (Article 19).
Laws
134) Law No. 2472/97 regarding the Protection of the Individual Against Processing of Personal Data was approved on 26 March 1997 and implements the EU Directive. The Law covers computerized and manual personal data on natural persons, and applies to the public and private sectors. The Law also establishes an independent Data Protection Authority to oversee the registration system, enforce the Law, promote the adoption of sectoral voluntary codes and impose sanctions for violations.
135) The Law gives data subjects the right to be informed of, and have access to, their personal data and to apply to Court for the suspension of certain processing operations. The Law provides civil damages for losses caused in contravention of the law, administrative sanctions (such as fines and the cancellation of data processing licenses) and criminal sanctions.
Other laws with privacy provisions
136) Law No. 2225/94 protects freedom of correspondence and communication.
137) There are no specific privacy codes of conduct in Greece; however, the Codes of Conduct of the Journalists Association and the Greek Banks Association both refer to the protection of privacy.
Hungary
138) The Hungarian Constitution includes a right to the protection of personal data (Article 59).
Laws
139) The law on the Protection of Personal Data and Disclosure of Data of Public Interest (1992) covers both computerized and manual data regarding natural persons, applies to both the public and private sectors and includes a limited registration system. An independent Parliamentary Commissioner for Data Protection and Freedom of Information was elected pursuant to the Act in 1995. The Commissioner is responsible for observing the implementation of the Act, investigating complaints and maintaining the Data Protection Register.
140) The Act, which includes the basic principles in the OECD Guidelines, gives data subjects a number of rights over their personal data (including correction/deletion of data). The Act also provides for remedies (including compensation) for breaches. Remedies may either be pursued through application to the Commissioner or by initiating court proceedings.
Other laws with privacy provisions
141) There are a number of specific-issue laws with provisions relating to data protection. These include Acts concerning the national registry; the handling of research and direct marketing information; the handling of medical data; education; archives; the police; banking; and national security.
Self-regulatory instruments
142) Examples of self-regulatory initiatives can be found in the co-operation between direct marketing companies and in the rules adopted by, for example, Hungary’s National Association of Journalists. The Office of the Data Protection Commissioner offers professional consultation to those in charge of drafting ethics regulations.
Iceland
143) Iceland’s data protection legislation, Act Nr. 121 Concerning the Registration and Handling of Personal Data (28 December 1989), is applicable to both the public and private sectors. The legislation covers computerized and manual personal data of natural and legal persons. The legislation also establishes a central registration system which is overseen by the Icelandic Data Protection Commission. The Commission’s other functions include handling violations of the Act, and authorizing the processing of data abroad.
144) Data subjects have rights of access to personal data, and can demand rectification or deletion. Data subjects can also request that their names be deleted from direct mailing lists. If there is a dispute over a data subject’s rights, the matter can be referred to the Data Protection Commission. The Commission can make orders in cases where the data subject’s rights have been infringed.
145) The 1989 Law contains criminal sanctions for the infringement of certain provisions.
Ireland
146) The Irish Constitution recognizes a right to privacy.
Laws
Comprehensive laws
147) The Data Protection Act 1988 covers computerized personal data of natural persons and establishes a limited registration system applying to certain categories of data controllers including the public sector, holders of sensitive data, financial institutions, and organizations involved in direct marketing, debt collection and credit reference.
148) The Act establishes the government-appointed post of Data Protection Commissioner. The Commissioner enforces the law by investigating complaints, prosecuting offenders, supervising registrations and encouraging the development of sectoral codes of conduct. The Data Protection Commissioner’s decisions may be challenged in the courts.
149) The Act establishes data protection principles which must be observed regardless of registration. The breach of one of these principles does not involve a criminal offense per se; however, if the Commissioner investigates a complaint and issues a Statutory notice, failure to comply without reasonable excuse becomes an offense. The Act provides for specified criminal offenses such as unauthorized disclosure. Civil litigation may be used by data subjects to seek compensation for violations of the Act.
Other laws with privacy provisions
150) Ireland also has specific statistical data laws, as well as regulations made pursuant to the Data Protection Act which relate to privacy and the protection of personal data.
Implementation of the EU Directive
151) A draft Bill to implement the EU Directive has been submitted to the Attorney-General’s office and will go to Parliament before mid July 1999. This follows the "Consultation Paper on Transposition into Irish Law" produced by the Department of Justice, Equality and Law Reform (November 1997).
152) The Irish Direct Marketing Association’s (IDMA’s) Code of Conduct provides guidance on the application of the Data Protection Act to direct marketing. In terms of enforcement, a company official should be appointed to ensure compliance and carry out reviews; complaints may be addressed to the IDMA Board, whose powers include expulsion from the Association.
153) Sectoral codes of conduct may be validated by the Irish Parliament, thereby giving them force of law.
Italy
154) Italy’s Data Protection Act (adopted on 31 December 1996) implements the EU Directive. Following the Directive, the Act covers both computerized and manual personal data of natural and legal persons in the public and private sectors. The supervisory office established to oversee the implementation of the Act is the Guarantor of the Protection of Personal Data. The Guarantor supervises the registration process, investigates complaints and assists in the development of sectoral codes.
155) The Act provides that organizations who cause damage by the unlawful processing of personal data are liable to pay damages pursuant to the Italian Civil Code. Breaches of the Act may be pursued either through the courts or via the Guarantor.
156) The Guarantor may fine organizations for failing to provide information required by the Act. The Act also includes criminal sanctions (imprisonment) for violations such as unlawful processing. As a "collateral punishment", convictions can be published in the press.
Other laws with privacy provisions
157) Laws and regulations with privacy provisions include: legislative decrees pursuant to the Data Protection Act; telecommunications legislation; Labor Decree n. 39/93, which establishes the Authority for Information Technology in the Public Administration to support public agencies in the development and use of information systems; and Law No. 59 of 15 March 1997 (supplemented by Presidential Decree No. 513 of 10 November 1997), which concerns the use of computerized data in the public sector.
158) Legislative decree No. 171 of 13.05.98, published in the Official Journal of 03.06.98, includes provisions for the protection of privacy in the telecommunications sector. It implements EC Directive 97/66 of the European Parliament and the Council and applies to journalistic activities. Security and confidentiality of telecommunications are provided for in Articles 2 and 3, respectively, whereas under Article 4 traffic and billing data mu