OECD

Unclassified                                                                                     DSTI/ICCP/REG(98)12/FINAL

OLIS :  11-May-1999
Dist. :  19-May-1999
Or. Eng.

Organisation de Coopération et de Développement Économiques
Organization for Economic Co-operation and Development
DIRECTORATE FOR SCIENCE, TECHNOLOGY AND INDUSTRY

COMMITTEE FOR INFORMATION, COMPUTER AND COMMUNICATIONS POLICY

Working Party on Information Security and Privacy

INVENTORY OF INSTRUMENTS AND MECHANISMS CONTRIBUTING TO THE IMPLEMENTATION AND ENFORCEMENT OF THE OECD PRIVACY GUIDELINES ON GLOBAL NETWORKS


The Inventory was prepared by the Secretariat to survey the available instruments and mechanisms (including law, self-regulation, contracts and technology) contributing to the implementation and enforcement of the OECD Privacy Guidelines on global networks. Such a study was intended to identify a range of technological, policy and legal tools which may be used as a resource for providing seamless, or at least effective, protection.

The Inventory has been compiled by the Secretariat, incorporating contributions from Member countries, International and Regional organizations and the Business and Industry Advisory Committee (BIAC). The OECD Working Party on Information Security and Privacy decided at its meeting on 21-22 October 1998 to finalize the Inventory. At its meeting on 1-2 March 1999 the Working Party approved the finalized Inventory, noting that Section I was current as at March 1999 and Section II as at December 1998. The Working Party recommended that the Inventory be transmitted to the Information, Computer and Communications Policy (ICCP) Committee for declassification. The ICCP Committee subsequently approved the declassification of the Inventory at a meeting on 4-5 March 1999.

The following more recent changes have come to the attention of the Secretariat:

(ii) On 26 April 1999 50 Internet service providers signed up to use Freedom Network, an international collection of independent server operators providing technology to support privacy for Web users. The 50 participating providers and networks are located in the United States, the United Kingdom, the Netherlands, Japan, Canada, Austria and Australia.

Copyright OECD, 1999

Applications for permission to reproduce or translate all or part of this material should be made to:
Head of Publications Services, OECD, 2 rue André-Pascal, 75775 Paris Cedex 16, France.
 
 

Table of Contents

INVENTORY OF INSTRUMENTS AND MECHANISMS CONTRIBUTING TO THE IMPLEMENTATION AND ENFORCEMENT OF THE OECD PRIVACY GUIDELINES ON GLOBAL NETWORKS

PREFACE

INTRODUCTION

I. LEGAL AND SELF-REGULATORY INSTRUMENTS

    A. International and Regional Instruments and Organizations

        1)  Intergovernmental Legal Instruments
            a.  OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
            b.  Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data
            c.  United Nations Guidelines for the Regulation of Computerized Personal Data Files
            d.  European Union Directive 95/46/EC on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such Data
            e.  General Agreement on Trade in Services

        2)  International and Regional Conferences and Discussion Forums Concerning Privacy Protection
            a.  Annual International Conferences of the Data Protection Commissioners
            b.  Conferences of the EU Data Protection Commissioners
            c.  International Working Group on Data Protection in Telecommunications
            d.  International Organization for Standardization
            e.  International Chamber of Commerce
            f.  International Federation of Direct Marketing Associations
            g.  Electronic Commerce Europe
            h.  Online Initiatives for Privacy Information Exchange

    B. National Instruments
 
 
AUSTRALIA
AUSTRIA
BELGIUM
CANADA
CZECH REPUBLIC
DENMARK
FINLAND
FRANCE
GERMANY
GREECE
HUNGARY
ICELAND
IRELAND
ITALY
JAPAN
KOREA
LUXEMBOURG
MEXICO
THE NETHERLANDS
NEW ZEALAND
NORWAY
POLAND
PORTUGAL
SPAIN
SWEDEN
SWITZERLAND
TURKEY
UNITED KINGDOM
UNITED STATES
TABLE OF NATIONAL INSTRUMENTS

II. MECHANISMS TO IMPLEMENT AND ENFORCE PRIVACY PRINCIPLES ON GLOBAL NETWORKS

    A. Minimizing the Disclosure and Collection of Personal Data

        1)  Restricting or Eliminating the Automatic Disclosure and Collection of Personal Data
            a.  Restricting the Creation of Cookies
            b.  Blocking the Transfer and Collection of Automatically Generated Data

        2)  Reducing or Avoiding the Need for Personal Data Disclosure
            a.  Anonymous Payment Systems
            b.  Digital Certificates
            c.  Anonymous Profiles

    B. Informing Users about Online Privacy Policies
        1.  Posted Privacy Policies
        2.  Terms and Conditions
        3.  Digital Labels

    C. Providing Users with Options for Personal Data Disclosure and Use
        1.  Optional Data Fields and Click-Box Choices
        2.  Online Negotiation of Privacy Standards through Digital Labels
        3.  "Opting-Out"

    D. Providing Access to Personal Data

    E. Protecting Privacy through Transborder Data Flow Contracts

    F. Enforcing Privacy Principles

        1)  Ensuring Compliance with Privacy Standards
            a.  Internal Data Protection Officers
            b.  Third Party Compliance Reviews and Web site Certification
            c.  Membership-Based Industry Bodies
            d.  Central Oversight Authorities

        2)  Complaint Resolution Procedures for Breaches of Privacy Standards
            a.  Complaint Resolution between the Data Subject and the Data Controller
            b.  Enforcement through Private Sector Certification Schemes and Industry Bodies
            c.  Enforcement through Administrative, Civil and Criminal Proceedings

    G. Educating Users and the Private Sector

APPENDIX -- CONTACT DETAILS FOR INTERNATIONAL AND REGIONAL ORGANIZATIONS, NATIONAL SUPERVISORY AUTHORITIES AND NON-GOVERNMENTAL PRIVACY ORGANIZATIONS
 
 
 
PREFACE

1)  In order to contribute towards building a trustworthy environment for the development of electronic commerce and given its ongoing work in the area of the global information infrastructure and the global information society, its history in developing the OECD Privacy Guidelines and its continuing experience in issues related to privacy protection, the OECD decided in October 1997 to examine the various solutions which would facilitate the implementation of the privacy principles in the context of international networks.

2)  The report "Implementing the OECD Privacy Guidelines in the Electronic Environment: Focus on the Internet" (DSTI/ICCP/REG(97)6/FINAL) proposed that OECD Member governments:

3)  In that context, a Workshop entitled "Privacy Protection in a Global Networked Society" was organized with the support of the Business and Industry Advisory Committee (BIAC) on 16-17 February 1998. The Workshop was intended to examine how the OECD Guidelines may be implemented in the context of global networks. The OECD sought to build on the various approaches adopted by its Member countries and to help identify mechanisms and technological tools that could provide effective bridges between the different approaches to privacy protection developed by Member countries. Furthermore an important focus was put on encouraging the private sector to provide meaningful protection for personal data on global networks by effective self-regulation.

4)  With the goal of identifying appropriate practical solutions which could be implemented irrespective of the different cultural approaches, the Workshop sessions addressed the following issues:

5)  At the end of the Workshop, participants recognized that increasing confidence in online privacy protection is an essential element for the growth of business-to-business electronic commerce, and that the OECD Guidelines continue to provide a common set of fundamental principles for guiding efforts in this area. They affirmed the commitment to protect individual privacy in the increasingly networked environment, both to uphold important rights and to prevent interruptions in transborder data flows.

6)  The Chair noted widespread consensus that the protection of personal privacy requires: education and transparency; flexible and effective instruments; full exploitation of technologies; and enforceability and redress.

7)  The Chair also highlighted the need to survey the available instruments (including law, self-regulation, contracts and technology) in order to describe their practical application in a networked environment and their ability to further the objectives of the OECD Guidelines (including effectiveness, enforceability, redress and coverage across jurisdictions). Such a study would serve to identify a range of technological, policy and legal tools which may be used as a resource for providing seamless, or at least effective, privacy protection.

8)  At its May 1998 meeting, the Group of Experts on Information Security and Privacy agreed that an Inventory of Instruments and Mechanisms Contributing to the Implementation and Enforcement of the OECD Privacy Guidelines on Global Networks (Inventory) would be prepared by the Secretariat for consideration, comment and approval at its forthcoming meetings.

9)  The OECD Working Party on Information Security and Privacy decided at its meeting on 21-22 October 1998 to finalize the Inventory. At its meeting on 1-2 March 1999 the Working Party approved the finalized Inventory, noting that Section I was current as at March 1999 and Section II as at December 1998. The Working Party recommended that the Inventory be transmitted to the Information, Computer and Communications Policy (ICCP) Committee for declassification. The ICCP Committee subsequently approved the declassification of the Inventory at a meeting on 4-5 March 1999.
 
 
 

INTRODUCTION
10)  The development of digital computer and network technologies, and in particular the Internet, has brought with it a migration of social, commercial and political activities from the physical world into the electronic environment. The integration of global networks into everyday life raises concerns over the protection of personal privacy. In the world of digital technology and global networks, users often leave behind long-lasting "electronic footprints", that is, digital records of where they have been, what they spent time looking at, the thoughts they aired, the messages they sent, and the goods and services they purchased. Furthermore, these data tend to be detailed, individualized and computer-processable.

11)  Simply "browsing" on the Web can make a considerable quantity of information available to the sites visited, even if much of this information is needed to enable Internet interaction and much of it is maintained in aggregate form. Whenever a Web page is accessed, certain "header information" is made available by the "client" (the user’s computer) to the "server" (the computer that hosts the Web site being accessed). This information can include:

  • the client’s Internet Protocol (IP) address, from which the domain name and the name and location of the organization that registered this domain name can be determined through the Domain Name System;
  • basic information about the browser, operating system and hardware platform used by the client;
  • the time and date of the visit;
  • the Uniform Resource Locator (URL) of the Web page which was viewed immediately prior to accessing the current page;
  • if a search engine was used to find the site, the entire query may be passed on to the server; and
  • depending on the browser, the user’s e-mail address (if this has been set in the browser’s preference configuration screen).

12)  In addition, when a user browses through a Web site, he or she can generate "click-stream data" such as the pages visited, the time spent on each page and information sent and received.

    13)  Personal data is also often disclosed voluntarily. Many commercial sites ask users to complete and submit Web page forms in order to register, subscribe, join a discussion group, enter a contest, make suggestions or complete a transaction. The kind of data which are typically requested may include information such as the user’s name, address, home or work telephone number and e-mail address. Data relating to age, sex, marital status, occupation, income and personal interests is also sometimes collected. In addition, purchasing forms will usually require credit card details, including the card type, number and expiration date. If a visitor is asked to send information to a Web site by e-mail, then the site (like any e-mail recipient) will be able to ascertain the visitor’s e-mail address from the "e-mail header".

    14)  "Cookies" are small data packets created by a Web site server and stored on the user’s hard drive. Cookies were developed to assist in client/server interaction and data collection, and may be accessed by the server during current and subsequent visits to the Web site. Cookies may be used to facilitate the collection, aggregation and re-use of header, click-stream and voluntarily disclosed data. This is typically accomplished by assigning a unique code to each visitor and storing this number in a cookie which is retrieved each time the site is visited. Information which is subsequently collected about the user can then be linked to this code number.
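The following is an added example, not part of the OECD Inventory and not code from any organization it describes. It models paragraphs 11 to 14 in Python from the server's side: a parser for the request headers a browser sends, the "disclosed data" a site can record per page view, a tracker that assigns each new visitor a code in a cookie and links later requests to the same click-stream, and the client-side countermeasure of stripping the identifying headers. The requests and IP addresses are constructed sample input; the header names are standard HTTP ones, while the search parameter name `q`, the cookie name `visitor_id` and the sequential visitor codes are assumptions for illustration.

```python
"""Added example: what a Web server learns from one request, and how a
cookie-borne visitor code links requests into a click-stream."""
from urllib.parse import urlparse, parse_qs


def parse_request(raw):
    """Split a raw HTTP request into (method, path, headers); header names
    are lower-cased so lookups are case-insensitive.  Body is ignored."""
    head, _, _body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")   # first ':' separates the name
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def disclosed_data(client_ip, raw):
    """Return the items paragraph 11 lists, as the server sees them.
    The DNS lookup of the IP is deliberately not done (runs offline)."""
    _method, path, headers = parse_request(raw)
    referer = headers.get("referer")
    query = None
    if referer:
        # Assumption: the search engine put the user's query in a 'q' parameter.
        query = " ".join(parse_qs(urlparse(referer).query).get("q", [])) or None
    return {
        "ip": client_ip,                       # from the TCP connection
        "browser": headers.get("user-agent"),  # browser / OS / platform
        "page": path,                          # click-stream entry
        "referer": referer,                    # page viewed just before
        "search_query": query,
        "email": headers.get("from"),          # only if set in the browser
    }


class VisitorTracker:
    """Server-side model of paragraph 14: a new visitor gets a sequential
    code in a cookie; later requests carrying it join the same record."""
    COOKIE = "visitor_id"                      # assumed cookie name

    def __init__(self):
        self._next = 1
        self.clickstream = {}                  # code -> list of page views

    def _cookie_value(self, headers):
        for part in headers.get("cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == self.COOKIE:
                return value
        return None

    def handle(self, client_ip, raw):
        """Return (visitor_code, Set-Cookie header or None)."""
        _m, _p, headers = parse_request(raw)
        code, set_cookie = self._cookie_value(headers), None
        if code is None:
            code = "v%04d" % self._next
            self._next += 1
            set_cookie = "%s=%s; path=/" % (self.COOKIE, code)
        self.clickstream.setdefault(code, []).append(disclosed_data(client_ip, raw))
        return code, set_cookie


def strip_identifying_headers(raw, names=("cookie", "referer", "from")):
    """Client-side countermeasure: drop the headers carrying the visitor
    code, the previous URL and the e-mail address before sending."""
    head, sep, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    kept = [lines[0]] + [h for h in lines[1:]
                         if h.split(":", 1)[0].strip().lower() not in names]
    return "\r\n".join(kept) + sep + body


# Constructed sample traffic (RFC 5737 documentation addresses, fictitious user).
REQ_FIRST = ("GET /index.html HTTP/1.0\r\n"
             "Host: www.example.com\r\n"
             "User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)\r\n"
             "Referer: http://search.example.net/find?q=travel+insurance\r\n"
             "From: alice@example.org\r\n\r\n")
REQ_SECOND = ("GET /products.html HTTP/1.0\r\n"     # browser replays the cookie
              "Host: www.example.com\r\n"
              "User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)\r\n"
              "Referer: http://www.example.com/index.html\r\n"
              "Cookie: visitor_id=v0001\r\n\r\n")


def demo():
    """Feed the sample traffic to a tracker as sent and with identifying
    headers stripped; return both click-stream tables for comparison."""
    tracked = VisitorTracker()
    tracked.handle("192.0.2.10", REQ_FIRST)        # assigns v0001
    tracked.handle("198.51.100.7", REQ_SECOND)     # different IP, same cookie
    filtered = VisitorTracker()
    filtered.handle("192.0.2.10", strip_identifying_headers(REQ_FIRST))
    filtered.handle("198.51.100.7", strip_identifying_headers(REQ_SECOND))
    return tracked.clickstream, filtered.clickstream


if __name__ == "__main__":
    tracked, filtered = demo()
    print("linked visitors:", list(tracked), "| after stripping:", list(filtered))
```

With the cookie honoured, both page views (from two different IP addresses) land under one visitor code, together with the search query and e-mail address taken from the first request; with the cookie, Referer and From headers removed at the client, the same two requests appear as two unrelated visitors with neither item recorded.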

    15)  Thus, although the development of global networks and digital technology has brought many social and economic benefits, recent technology increases the risk that personal information may be automatically generated, collected, stored, interconnected and put to a variety of uses by online businesses or government bodies, without the data subject’s knowledge or consent.

    16)  This Inventory focuses on the various overlapping and complementary instruments, practices, techniques and technologies which are used, or are being developed, to define, implement and enforce privacy principles in networked environments.

    17)  The Inventory is divided into two main Sections. Section I describes the international, regional and national instruments, both legal and self-regulatory, which exist, or are being developed, for the protection of personal data and privacy in OECD Member countries. Special attention is paid to instruments which have been specifically developed for the online environment. Section II discusses the mechanisms which exist, or are being developed, to implement and enforce privacy principles on global networks. In addition, a list of contact details for many of the public, private, national, regional and international privacy organizations mentioned in this Inventory is included in the Appendix.
     
     
     

    I. LEGAL AND SELF-REGULATORY INSTRUMENTS
    18)  This Section of the Inventory discusses international, regional and national guidance instruments and related institutions for the protection of personal data and privacy.

    19)  At the international and regional levels, a number of government and private sector multilateral organizations have produced, are producing, or intend to produce, texts and standards aimed at promoting privacy protection. These organizations are also forums for ongoing research, policy formulation and dialogue between governments, businesses, academics and public-interest groups. The instruments that have been developed through such organizations have greatly influenced many national laws and self-regulatory instruments on privacy protection.

    20)  At the national level, in most countries the protection of privacy and personal data involves a combination of legislative instruments, government agencies and industry-based self-regulation. All OECD Member countries have laws of one sort or another that affect the processing of personal data. A number of countries have enacted "comprehensive" laws which apply personal data protection principles in a general fashion to both the public and private sectors. Other data protection legislation is more sectoral, applying only to a specific sector (such as government agencies) or a particular type of data (such as health data).

    21)  Most OECD Member countries have also created central oversight authorities, commonly known as Data Protection Officers or Privacy Commissioners. The roles and powers of these bodies vary from country to country, but generally include advice-giving, the investigation of complaints and enforcement actions.

    22)  Self-regulation is seen in some OECD Member countries as a flexible and efficient solution to the protection of online privacy by allowing market forces and industry-led initiatives to provide innovative solutions. Self-regulatory instruments may broadly be defined as rules developed and enforced by the entities to whom they are intended to apply. Independent third parties may play a role in enforcement of self-regulation. However, public authorities may also be involved in the development, implementation and enforcement of industry codes and guidelines. Governments can work with the private sector to develop criteria for effective privacy protection which the private sector can implement through self-regulatory codes. In a number of jurisdictions self-regulatory codes are seen as a way of implementing privacy legislation in the context of a specific industry, or as an aid to interpreting general privacy principles. In some OECD Member countries such as Ireland and New Zealand, industry codes can, on receiving official approval, have the force of law.

    A.  International and Regional Instruments and Organizations

        1)  Intergovernmental legal instruments

            a.  OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data

    Status

    23)  The Recommendation concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (the OECD Guidelines) was adopted by the Council of the OECD on 23rd September 1980. Council Recommendations are not binding legal instruments but reflect a "political" commitment by Member countries. The Council recommended that "Member countries take into account in their domestic legislation the principles concerning the protection of privacy and individual liberties set forth in the Guidelines", that they "endeavor to remove, or avoid creating, in the name of privacy protection, unjustified obstacles to transborder flows of personal data", and that they "co-operate in the implementation of the Guidelines".

    24)  The principles that comprise the OECD Guidelines have been applied in Member countries and other countries through a variety of instruments.

    Scope

    25)  The Guidelines are widely acknowledged as an internationally accepted and technologically neutral set of privacy principles that have stood the test of time. They apply to "any information relating to an identified or identifiable individual", and their scope encompasses public and private sector data, all media for the computerized processing of data on individuals (from local computers to networks with global ramifications) and all types of data processing.

    Basic principles

    26)  The OECD Privacy Guidelines establish eight basic principles to govern the handling of personal information. These "Privacy Principles" are:

  • Collection Limitation:  there should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject;
  • Data Quality: personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date;
  • Purpose Specification: the purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose;
  • Use Limitation: personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with the "purpose specification" except: (a) with the consent of the data subject; or (b) by the authority of law;
  • Security Safeguards: personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data;
  • Openness: there should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, the main purposes of their use, as well as the identity and usual residence of the data controller;
  • Individual Participation: an individual should have the right: (a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; (b) to have communicated to him, data relating to him: within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and, in a form that is readily intelligible to him; (c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and, (d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended;
  • Accountability: a data controller should be accountable for complying with measures which give effect to the principles stated above.

    Provisions on data flows

    27)  The OECD Guidelines tend to avoid the imposition of unnecessary impediments to transborder data flows. Legitimate restrictions are, however, recognized. For example, a Member country may impose transfer restrictions on "certain categories of personal data for which its domestic privacy legislation includes specific regulations in view of the nature of those data and for which the other Member country provides no equivalent protection".

    Provisions on further co-operation

    28)  The OECD Guidelines create a framework for future co-operation. The areas of future co-operation include: ensuring that procedures for transborder flows of personal data and for the protection of privacy are simple and compatible with those of other Member countries, establishing procedures to facilitate information exchange, and developing principles, domestic and international, to identify applicable laws of Member countries in the case of transborder flows of personal data.

    Provisions on implementation and enforcement

    29)  The Guidelines call upon Member countries to implement these principles domestically by establishing legal, administrative or other procedures or institutions for the protection of privacy and personal data. The means by which this can be accomplished include: adopting appropriate domestic legislation, encouraging and supporting self-regulation, providing reasonable means for individuals to exercise their rights, providing adequate sanctions and remedies in case of failures to comply with measures which implement the principles, and ensuring that there is no unfair discrimination against data subjects.

    Ongoing work

    30)  The OECD, through the ICCP Committee continues to work in the area of privacy and data protection and provides a forum for discussing new issues, such as the challenges presented by the emergence of global networks.
     

            b.  Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data

    Status

    31)  Convention No. 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data of 18 September 1980 (Convention 108) was opened for signature by the Committee of Ministers of the Council of Europe on 28 January 1981. Since then, it has been signed by 23 countries and ratified by 21. Convention 108, which is open to the accession of any State and not only to the members of the Council of Europe, is a binding instrument in international law.

    Scope

    32)  The terms of the Convention apply to automated personal data files and automatic processing of personal data in the public and private sectors.

    Basic principles

    33)  The Convention’s basic principles are similar to those in the OECD Guidelines, but include a principle requiring appropriate safeguards for special categories of data (sensitive data) that reveal racial origin, political opinions or religious or other beliefs, that concern health or sexual life, or that relate to criminal convictions.

    Provisions on data flows

    34)  The principles of the Convention provide for the free flow of personal data between parties to the Convention who provide equivalent protection.

    Provisions on further co-operation

    35)  For the purposes of mutual assistance in the implementation of the Convention, each party to the Convention designates an authority to furnish information on its laws and administrative practices in the field of data protection. In addition, Articles 18-20 establish the Consultative Committee which represents Member States and makes proposals as to the application of the Convention.

    Provisions on implementation and enforcement

    36)  Each contracting State undertakes to take the necessary measures in its domestic law to give effect to the basic principles of data protection, but the manner of implementation is left for each State to decide. Under Article 10, States undertake to establish "appropriate sanctions and remedies for violations of domestic law giving effect to the basic principles".

    Ongoing work

    37)  Through the Consultative Committee, the Council of Europe continues its work in the area of privacy protection. The Council of Europe’s Project Group on Data Protection has also issued draft Guidelines on "The Protection of Privacy on the Internet" (May 1998).

            c.  United Nations Guidelines for the Regulation of Computerized Personal Data Files

    Status

    38)  The United Nations High Commissioner for Human Rights’ Guidelines for the Regulation of Computerized Personal Data Files (Resolution 45/95 of 14 December 1990) (UN Guidelines) were adopted by the United Nations General Assembly pursuant to Article 10 of the UN Charter. This Article empowers the General Assembly to make recommendations to Member States. Members must take the Guidelines into account when implementing national regulation concerning computerized personal data files, but the procedures for implementing those regulations are left to the initiative of each State.

    Scope

    39)  The UN Guidelines apply to computerized personal data files (both public and private) and may be (optionally) extended to manual files and to files on legal persons. Part A of the Guidelines is intended as the minimum privacy guarantees that should be provided in national legislation. Part B of the Guidelines is intended to apply to personal data kept by governmental international organizations.

    Basic principles

    40)  The "Principles concerning the minimum guarantees that should be provided in National Legislation" broadly reflect the basic principles in the OECD Guidelines. In addition the UN Guidelines restrict the compilation of "sensitive data" within the "Principle of non-discrimination".

    Provisions on transborder data flows

    41)  Paragraph 9 of the UN Guidelines provides for free transborder data flows between countries with "comparable safeguards".

    Provisions on implementation and enforcement

    42)  Regarding domestic legislation (Part A), Article 8 recommends that each country establish an independent authority to oversee application of the privacy principles set out in the Guidelines. In addition, violations of national implementing law should lead to "criminal or other penalties ... together with the appropriate individual remedies".

    43)  With respect to governmental international organizations (Part B), the creation of supervisory bodies is also recommended.

    Ongoing work

    44)  A 1997 report of the UN Secretary-General looks at the implementation of the Guidelines within the United Nations system and at the national and regional levels.

            d.  European Union Directive 95/46/EC on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such Data

    Status

    45)  Directive 95/46/EC of the European Parliament and of the Council of the European Union of 24 October 1995 on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such Data (EU Directive) is a binding instrument that the 15 EU Member States were required to implement by 24 October 1998.

    Scope

    46)  The Directive applies generally to the processing of personal data by a "controller" in an EU Member State. It applies to data about natural persons, whether held by the public or private sector. Computerized data processing and most categories of manual processing are covered.

    Basic principles

    47)  The information privacy principles contained in Chapter II of the EU Directive are broader and more detailed than those in the OECD Guidelines. In addition to the OECD principles, the EU Directive contains, inter alia, special provisions for sensitive data, detailed disclosure requirements, registration provisions, "opt-out" rights for data subjects to refuse commercial solicitations and redress rights.

    Provisions on transborder data flows

    48)  The EU Directive provides for free transborder data flows within the EU on the basis of equivalent protection provided in all Member States and allows transfers to third countries which provide adequate protection. Member States are not permitted to inhibit the free movement of personal data within the EU simply for reasons of privacy protection, because of the equivalent and high level of protection ensured by the Directive throughout the Community. A transfer of data outside the EU may take place to third countries which guarantee an "adequate" level of protection. Adequacy is to be assessed "in the light of all the circumstances surrounding a data transfer operation [with] particular consideration ... given to the nature of the data, the purpose and duration of the proposed processing operation ... the country of origin and the country of final destination, the rules of law, both general and sectoral, in force in the third countries in question and the professional rules and security measures which are complied with in that country". Exceptions apply where, for example, the consent of the data subject has been obtained.

    Provisions on implementation and enforcement

    49)  The EU Directive defines the role of the supervisory authority or data protection body in each Member State as a key aspect of implementation and enforcement of the domestic law enacting the Directive. These authorities must act with complete independence and should have a wide range of powers that include investigative authority, intervention powers and the ability to engage in legal proceedings.

    50)  With respect to enforcement, the EU Directive provides for judicial remedies, liabilities and sanctions. It states that persons shall be entitled to judicial remedies and compensation from data controllers for damage suffered as a result of unlawful processing. Member States have to adopt suitable administrative, civil or criminal sanctions.

    Provisions on further co-operation

    51)  Article 28 requires supervisory authorities to co-operate with one another as necessary, and in particular to exchange useful information.

    52)  The Directive establishes two bodies, one consultative (Article 29) and one "decision-making" (Article 31), to assist the European Commission with issues related to data processing.

    Ongoing work

    53)  The Article 29 Working Group has already issued a number of reports and recommendations including "Orientations on Transfers of Personal Data to Third Countries - Possible Ways Forward in Assessing Adequacy" and "Judging Self-Regulation".

    Other developments

    54)  On 15 December 1997, Directive 97/66/EC was adopted by the European Parliament and the Council. This Directive complements Directive 95/46/EC with respect to the processing of personal data and the protection of privacy in the telecommunications sector. It provides for the harmonization of the provisions of the Member States required to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy, with respect to the processing of personal data in the telecommunications sector and to ensure the free movement of such data and of telecommunications equipment and services in the Community.

            (e) General Agreement on Trade in Services

    55)  The General Agreement on Trade in Services (GATS) is a multilateral agreement which aims to promote free trade in services. GATS is administered by the World Trade Organization (WTO). Article XIV recognizes that GATS does not prevent Member States from adopting measures necessary to secure "the protection of the privacy of individuals in relation to the processing and dissemination of personal data and the protection of confidentiality of individual records and accounts". However, Article XIV limits what a country can do with regard to privacy protection by subjecting it to the requirement or safeguard that any such measures must not be applied in a discriminatory manner and must not constitute a disguised restriction on trade in services.

    2. International Conferences and Discussion Forums Concerning Privacy Protection

    56)  International conferences and discussion forums play an important role in contributing to information exchange, education and the development of instruments on privacy protection.

            (a) Annual International Conferences of data protection commissioners

    57)  From 1979 International Data Protection Commissioners’ Conferences have been held annually. The Conferences have no particular legal status and do not vote on resolutions. Rather, they are a forum of information exchange. The 20th International Conference of Data Protection Authorities took place in Santiago de Compostela, Spain.

            (b) Conferences of the EU data protection commissioners

    58)  The annual Conferences of the EU Data Protection Commissioners provide an opportunity to develop common approaches to privacy protection and to address topical issues such as telecommunications and police files.

            (c) International Working Group on Data Protection in Telecommunications

    59)  The International Working Group on Data Protection in Telecommunications, led by the Data Protection Commissioner of Berlin, was initiated by the data protection commissioners from a number of countries to improve privacy and data protection in telecommunications and media. The "Budapest-Berlin Memorandum" on data protection on the Internet discusses the issues surrounding legal and technical protection of Internet user privacy.

            (d) International Organization for Standardization

    60)  The International Organization for Standardization (ISO) is a world-wide federation of national standards bodies from around 130 different countries. The ISO’s work results in international agreements which are published as International Standards. In May 1996, the Consumer Policy Advisory Committee of ISO passed a unanimous resolution in favor of a proposal to develop an international standard on privacy based on the Canadian Standard Association Model Code for the Protection of Personal Information. An Ad Hoc Advisory Group on Privacy undertook a study on behalf of the ISO to examine whether there is a need, under the pressure of the technological advances in the global information structures, for an international standard to address information privacy, measure privacy protection and ensure global harmonization. The Advisory Group concluded in June 1998 that it was premature to reach a determination on the desirability and practicality of ISO undertaking the development of international standards relevant to the protection of personal privacy.

            (e) International Chamber of Commerce

    61)  The International Chamber of Commerce (ICC) represents international businesses all over the world and has produced a number of documents and industry codes relating to the protection of personal privacy and information flows. These have included a range of marketing codes and guidelines, including guidelines for Internet advertising, with privacy provisions. The ICC has also published a proposed model contract for transborder flows of personal data which builds on the 1992 ICC/Council of Europe/European Commission model contract.

            (f) International Federation of Direct Marketing Associations

    62)  The International Federation of Direct Marketing Associations (IFDMA) is a collaboration of national and regional direct marketing associations. Its aims include fostering industry programs of self-regulation and consumer education. The data protection "Online Principles" formulated by the IFDMA encourage direct marketers to post their privacy policies online in a manner that is easy to find, read and understand. The principles include special provisions with respect to children’s on-line activities.

            (g) Electronic Commerce Europe

    63)  Electronic Commerce Europe (ECE) is a group of European electronic commerce businesses and associations who are working on drafting a Code of Conduct for Electronic Commerce.

            (h) Online initiatives for privacy information exchange

    64)  A number of privacy orientated non-governmental organizations have created Web sites to provide information on online privacy issues. These organizations include, inter alia:

    B.  National Instruments

    Australia

    Laws

    Commonwealth / Federal Laws

    65)  The Privacy Act 1988 provides privacy protection with respect to federal government agencies in Australia. The Act establishes the office of the Privacy Commissioner and sets out eleven Information Privacy Principles (IPPs) based upon the OECD Guidelines. The Commissioner can receive complaints, conduct investigations and make determinations (including compensation orders) that are enforceable in the Federal Court of Australia.

    66)  The Privacy Act has a limited application to the private sector. In particular, it allows the Privacy Commissioner to issue guidelines in relation to tax file numbers. The Act also regulates the information handling practices of the consumer credit reporting industry.

    67)  On 16 December 1998 the Government announced that it would develop a light-touch legislative scheme to support and strengthen self-regulatory privacy protection in the private sector. The legislative scheme will support the existing self-regulatory approach by recognizing codes developed by business and providing a legislative framework to apply where such codes are not in place. The legislative framework will be based on the National Principles for the Fair Handling of Personal Information (the National Principles) issued by the Privacy Commissioner. The National Principles set out privacy standards that are based on the OECD privacy guidelines.

    68)  Consultation on the development of legislation to establish this scheme is underway.

    Other federal laws with privacy provisions

    69)  Other Commonwealth legislation provides privacy protection for specific types of information, such as "spent" criminal convictions (Part VIIC, Crimes Act 1914 protects a person against the unauthorized use of certain criminal convictions after ten years) and taxation information (Taxation Administration Act 1953), and for specific procedures, such as the interception of telecommunications and the disclosure of personal information by telecommunications companies (Telecommunications Act 1997). The Data-matching Program (Assistance and Tax) Act 1990 provides privacy protections in relation to the matching of personal information relating to tax and social welfare benefits by Commonwealth Government Departments.

    State and Territory laws

    70)  There are many State and Territory laws which provide some form of privacy protection. In the Australian Capital Territory, for example, there is legislation dealing with privacy and the confidentiality of personal health information. In late 1998 New South Wales enacted the Privacy and Personal Information Protection Act 1998 (NSW) which provides protection with respect to the NSW public sector. In South Australia a Cabinet Administrative Instruction (No. 1 of 1989) implements guidelines (based on the federal IPPs) for State government agencies. Finally, a Data Protection Bill has been proposed by the Victorian Government which would have the effect of applying the National Principles in both the private and public sectors.

    Self-Regulatory Instruments

    71)  Since the release of the National Principles some key industry bodies have developed codes of conduct based on the National Principles. For example, in February 1999, the Internet Industry Association released their Internet Industry Code of Practice for adoption. It is anticipated that codes based on the National Principles will be able to be given effect as part of the proposed legislative scheme discussed above.

    72)  In February 1999, the Australian Internet Industry Association released its Internet Code of Practice. In the first instance, it is intended that complaints will be dealt with between the user and the Code Subscriber within a time frame specified by the Code. If this is not successful, however, the Code sets out other procedures, including the appointment of a mediator and orders by the Code’s Administrative Council directing the subscriber to comply with the Code or to provide corrective advertising and/or the payment of compensation. The Council may also withdraw permission for a site to use its Code Compliance Symbol.

    Austria

    Laws

    Federal comprehensive laws

    73)  The Federal Data Protection Act of 1978 (Datenschutzgesetz, BGBl. Nr. 565/1978) regulates the use of computerized data in the public and private sectors, creates a central registration system and provides civil remedies and criminal sanctions. A new law is being prepared to implement the EU Data Protection Directive.

    74)  An independent Commission (the Datenschutzkommission) is responsible for enforcing the law, administering the registration system and authorizing transborder data flows. The Commission acts on specific complaints against public data controllers, and can impose sanctions for certain actions, such as breaches of transborder data flow authorizations. A Council for Data Protection also exists and may be referred to by the Commission for advice on certain matters. Complaints against private data controllers must be brought before the courts.

    75)  The Chamber of Commerce and the Federal Chancellery run a court of arbitration, the Schlichtungsstelle-Datenschutz, which hears complaints against businesses who have not complied with a request by a data subject to access, correct or delete personal information.

    Other federal laws with privacy provisions

    76)  There are many federal laws in Austria which relate to personal privacy. For example, the Austrian Telecommunications Act (1997) imposes confidentiality and data protection obligations on suppliers of public telecommunication services. The use of personal information by direct marketing businesses is governed by Section 268 of the Industrial Code (1994). Finally, the Genetic Engineering Act 1994 contains data protection provisions relating to genetic data.

    Implementation of the EU Directive

    77)  A first draft of the Datenschutzgesetz was submitted to Parliament recently.

    Laender (State) laws

    78)  The role which each individual Land will play in data protection is presently being considered in the context of implementing the EU Directive.

    Self-regulatory instruments

    79)  Whilst there are no codes of conduct in Austria which deal exclusively with privacy, members of the banking sector have codes in place containing general privacy clauses.

    Belgium

    Constitution

    80)  Privacy rights are contained in Articles 22 and 32 of the Belgian Constitution.

    Laws

    Comprehensive laws

    81)  The Law on the Protection of Privacy Regarding the Processing of Personal Data (1992) applies to both the public and private sectors in Belgium. The Law is supplemented by Royal Decrees with respect to, for example, sensitive data and information regarding criminal convictions. The law is supervised by an independent Commission within the Ministry of Justice, the Commission Consultative de la Protection de la Vie Privee. The Commission handles data processing registrations and may also advise the government on privacy matters.

    82)  In terms of recourse for individuals, applications may be made to the Tribunal de Première Instance for rulings on the rights arising under the Law. The Law also includes criminal sanctions for breach of privacy obligations.

    Other laws with privacy provisions

    83)  The Law of 30 June 1994 provides for privacy protection in the context of wire-tapping and the recording of private telecommunications.

    Implementation of the EU Directive

    84)  A draft law designed to implement the Directive, and based on the structure of the 1992 Law, is now before the Belgian Parliament.

    Self-regulatory instruments

    85)  The Internet Service Providers Association of Belgium has a Code of Conduct, approved by the Plenary Assembly, which encourages its members to comply with privacy protection law in their use of clients’ personal data.

    Canada

    Laws

    Federal laws

    86)  The Privacy Act (1983) applies to virtually all federal public sector institutions in Canada. The Act regulates the confidentiality, collection, correction, disclosure, retention and use of personal information, and gives data subjects the right to examine information held about them and to request that errors be corrected. The Act reflects the principles of the OECD Guidelines.

    87)  The Privacy Commissioner is appointed by Parliament to investigate complaints and audit compliance with the Act by federal agencies. The Commissioner has the authority to conduct investigations, attempt to resolve disputes, and issue recommendations. Disputes about the right of access to personal information that are not resolved in this manner can be taken to the Federal Court for review.

    Federal approach to privacy in the private sector

    88)  On October 1, 1998, the Canadian federal government introduced Bill C-54, the Personal Information Protection and Electronic Documents Act, to protect personal information in the private sector. The Bill has received its second reading and is currently being studied by the Standing Committee on Industry, which will report back to Parliament in the Spring of 1999. The legislation will initially extend privacy protection to the federally-regulated private sector as well as inter-provincial and international trade in personal information. Three years later the legislation will apply to the remaining private sector organizations which fall under provincial jurisdiction. If a province enacts substantially similar legislation, the commercial organizations operating under its jurisdiction will be subject to the provincial law. At this time, only the province of Quebec has such legislation. The obligations and rights set out in the bill are those of the Canadian Standard Association’s Model Code for the Protection of Personal Information, which is a recognised national privacy standard that is modeled on the OECD Guidelines. Individuals have access and redress rights and the federal Privacy Commissioner will exercise oversight by investigating and reporting on complaints. The Commissioner has ombudsman powers but complainants may bring unresolved matters to the Federal Court, as may the Commissioner, and the Court has the power to issue binding orders and award damages.

    Provincial laws

    89)  Most Canadian Provinces have passed privacy legislation governing the public sector and the majority of this legislation reflects the principles included in the OECD Guidelines. Various sectoral statutes provide privacy protection in areas such as personal health information.

    90)  Quebec is the only province where general legislation, the Act Respecting the Protection of Personal Information in the Private Sector (1993), regulates the handling of personal information by private sector organizations, including corporations, sole proprietorships, partnerships, organizations and associations. The Act governs the collection and use of personal information and provides individuals with a right of access and correction; disputes are resolved before the Commission d'accès à l'information, the agency which is responsible for oversight and redress for public sector information access and privacy rights in the province. It is noteworthy that the law has special provisions which apply to lists of names used for marketing purposes and to transfers of information about Quebec residents to third parties outside of the province.

    Self-regulatory instruments

    The CSA model code

    91)  Canada has a widely accepted model code of conduct with respect to privacy. The Model Code for the Protection of Personal Information was developed by the Technical Committee on Privacy of the Canadian Standards Association (CSA) and was adopted as a National Standard by the Standards Council of Canada in 1996. The Code reflects the OECD Guidelines, but also requires companies to identify an officer accountable for compliance to whom complaints may be addressed.

    92)  The CSA has prepared a workbook, "Making the CSA Privacy Code work for You", to assist in the development of compliant codes (which may be certified by the Quality Management Institute, a division of the CSA). In terms of ensuring ongoing compliance with a code, the workbook highlights the importance of independent audits by duly certified auditors. Private sector codes may be certified as complying with the CSA standard by a quality registrar and a company may cite the standard in an ISO 9000 registration. There are a variety of ways in which a company may demonstrate compliance, e.g. the Canadian Bankers’ Association Privacy Model Code was verified by Price Waterhouse.

    Other initiatives

    93)  A number of companies and associations have developed or are in the process of developing CSA-based privacy codes, including Stentor (the alliance of telecommunications providers), the Canadian Marketing Association, the Canadian Bankers Association, the Insurance Bureau of Canada, the Canadian Television Standards Association and the Canadian Medical Association.

    Instruments relating to online privacy

    94)  The Canadian Association of Internet Providers’ (CAIP’s) voluntary Code of Conduct requires CAIP members "to respect and protect the privacy of their users" and comply with all applicable laws. Enforcement is by a complaint-driven process to be established by each member.

    Czech Republic

    Laws

    Comprehensive laws

    95)  The Protection of Personal Data in Information Systems Act became effective on 1 June 1992. The Act covers computerized data on natural persons and applies to both the public and private sectors.

    96)  This Act broadly conforms with the principles of the OECD Guidelines and sets down specific provisions for sensitive data. It contains civil remedies for breaches that are administered through the courts. There is no data protection commissioner in the Czech Republic at this time.

    97)  In anticipation of the Czech Republic joining the EU, the Government has appointed the Office for the State Information System (OSIS) to prepare the legislation that will be compatible with the EU Data Protection Directive. The new legislation will establish the framework for an independent supervisory body. It is not expected that the legislation will receive Parliamentary approval before the middle of 1999.

    Other laws with privacy provisions

    98)  A Bill is being prepared by the Czech Telecommunication Office in co-operation with OSIS which will implement the terms of EU Directive 97/66/EC on the protection of privacy in the telecommunications sector. A proposal for the Digital Signature Law is also being prepared by the Office for the State Information System (OSIS) which will implement the terms of the EU Directive on a common framework for electronic signatures.

    Denmark

    Constitution

    99)  According to section 72 of the Constitution, regarding the sanctity of the home, it is forbidden, without a prior court order, to search an individual’s house, open their letters or tap their telephone. It is generally accepted in Danish judicial theory that this section can be interpreted to also apply to data stored electronically and any form of telecommunication. The authorities may not, for example, open and examine one’s e-mail without prior consent. They may intercept and open the message via the telecommunications networks only if they have a court order which allows them to. The main rule is that a search requires a prior court order; a search without a prior warrant may therefore only take place in exceptional cases where it is deemed absolutely necessary. A general permission is granted in accordance with the Law on Civil and Criminal Proceedings. Outside the scope of criminal proceedings, permission to perform administrative searches is granted under numerous laws, for example, to carry out an inspection by the Data Surveillance Authority of the locations of public filing systems.

    Laws

    100)  The Law on Public Access ensures (§ 4 section 1) that any citizen may have access to documents which form part of public authority decisions. The wide access to documents is, however, limited by section 3 of § 4, which requires that the person seeking access is able to identify the case which he is applying for access to.

    101)  The following documents are exempt from access: records of criminal proceedings, applications and procedures regarding the employment of civil servants, and documents intended for internal use only. These exemptions may be divided into two categories: 1) personal data concerning individual citizens, in accordance with § 12; 2) types of data to which access is denied for reasons of public policy, in accordance with § 13. An example of the first category of data would be the political affiliation of a person. An example of a public policy interest that may outweigh access in the second category of data would be national security.

    102)  The Danish laws on public and private filing systems have been in effect since 1979. The laws provide privacy protection with respect to both governmental agencies and to filing systems kept by private entities.

    103)  The Law on Public Filing Systems is applicable to computerized filing systems held by public authorities containing personal information in accordance with § 1, section 1. The law applies only to the administration.

    104)  One of the purposes of the Law on Private Filing Systems is to ensure that economic and personal data about private citizens, institutions, societies, and companies are only recorded by private persons to the extent that they serve fair interests and that the recorded data are processed in a satisfactory way. The law contains a general ban on private parties systematically processing personal data, but does, however, contain certain exceptions to this rule. The law applies to any systematic processing (gathering, recording and passing on) of personal and economic data, carried out by private parties (persons or companies) by electronic data processing (EDP) or, in some instances, manual processing.

    105)  The Danish Media law regulates the liability of the mass media (traditional news and IT related news). The media law is closely related to the Penal Code, because several of the punishable media offenses relate to the rules on privacy in the Penal Code.

    106)  The Danish Penal Code, § 152, contains a prohibition for civil servants to illegally process or use confidential information, obtained through their work. The section contains the legal basis on which employees who abuse their duty of confidentiality may be fined. The Article states that the mere obtaining of information is permitted, but it is illegal to process or abuse that personal data. However, the obtaining of the information may be subject to ordinary disciplinary sanctions. § 152a-d states that the duty of confidentiality (and the sanctions affiliated to this) extends to include persons who are not civil servants, but who in some way perform duties for the public administration.

    107)  § 263 of the Penal Code, subsection one, deals with the situation where someone opens another person’s mail, searches their private premises or listens in on their conversations. These rules can easily be interpreted to cover the situation in which someone gains unauthorized access to another person’s e-mail messages or intercepts their messages via telecommunications networks. Subsection 2 covers the situation in which someone gains unauthorized access to programs or personal information destined to be used in a computer system. Intercepting data transmissions is also included in this subsection.

    108)  Under section § 264 d, it is a crime to pass on information or pictures concerning the personal affairs of other individuals. New network capabilities facilitate the circulation of such information to a much wider range of persons than was previously possible.

    109)  The Data Surveillance Authority monitors both public and private filing systems. It is organized under the competence of the Ministry of Justice, but complaints, etc., about the Authority cannot be brought before the Minister of Justice and the Minister has no authority to instruct the Data Surveillance Authority; in other words, the Authority is independent. This is known as functional independence, and is an important element of securing the integrity of the data subject.

    Implementation of the EU Directive

    110)  A proposal to implement the EU Directive was introduced to the Danish Parliament (the Folketinget) on 30 April 1998 but has not yet been adopted.

    Self-regulatory instruments

    111)  The Ombudsman for consumer issues is preparing a set of ethical rules aimed at use of the Internet; at this time there is no information on when the work will be completed.

    112)  Other self-regulatory initiatives include:

    Finland

    Constitution

    113)  Section 8 of the Finnish Constitution provides that each individual’s privacy, honor and domiciliary peace shall be protected and that the use of personal data shall be prescribed by law.

    Laws

    Comprehensive laws

    114)  The Personal Data Act (1999) covers computerized and manual records of natural persons in both the public and private sectors. There are two overseeing bodies, the Data Protection Ombudsman, who has investigative and advisory powers, and the Data Protection Board, which hears cases pursuant to the Act and has the power to authorize the export of sensitive data to other countries. If recommendations made by the Ombudsman are not observed, the Ombudsman may refer the case to the Data Protection Board. The decisions of the Data Protection Ombudsman and the Data Protection Board are subject to appeal in accordance with the provisions of the Administrative Judicial Procedure Act.

    115)  The Personal Data Act includes civil remedies (for example, data controllers must compensate data subjects for unlawful data use) and criminal sanctions for violations.

    Other laws with privacy provisions

    116)  Sectoral legislation, such as the Statistics Act, the Act on the Medical Research Development Center and the Act on the Protection of Privacy and Data Security in Telecommunications, contains privacy protection provisions.

    Implementation of the EU Directive

    117)  The Personal Data Act conforms with the EU Directive. It extends the rights of data subjects and the powers of the data protection authorities. It also includes a provision for the approval of sectoral codes of conduct by the authorities. Work on implementing the Directive in specialized legislation is also underway. A Government proposal for an Act on the Protection of Privacy in Working Life was put before Parliament in 1998 but it was returned to the Ministry of Labor for further preparations.

    Self-regulatory instruments

    118)  The Finnish Rules for Electronic Consumer Trade were prepared jointly by the Finnish Direct Marketing Association and the Federation of Commerce and Trade. The introduction notes that an electronic vendor should follow the Personal Data Act and other data protection laws. The Rules include provisions regarding data security, the recording of personal data about consumers (making reference to the EU Data Protection Directive) and the right to opt out.

    France

    Laws

    Comprehensive laws

    119)  Law No. 78/17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties covers computerized and manual records on natural persons and applies to the public and private sectors. Law 78/17 was modified by Law No. 94-548 which introduced a special regime for the processing of personal health data for research purposes. Law 78/17 is supplemented by the Penal Code.

    120)  Law 78/17 establishes a central registration system which is administered by an independent data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL). The data protection authority’s role includes informing and advising the public on rights and obligations under the law, examining data processing proposals in the public sector prior to their implementation, and proposing changes in the law in line with technological developments. The authority acts on its own initiative or on complaints and queries; it carries out investigations and ensures that data subjects may exercise rights of access.

    121)  Unlawful processing or transfer of named data is punishable under Law 78/17 by fines and/or imprisonment. A criminal prosecution for breach of the Act may be brought by an individual data subject or a prosecuting authority.

    Other laws with privacy provisions

    122)  Sectoral laws with privacy provisions include, inter alia, the Labor Code and the Law on Video Surveillance (1995).

    Implementation of the EU Directive

    123)  A report on implementing the EU Directive was issued on 3 March 1998, and a Bill is being prepared by the Ministry of Justice. The Bill will be discussed at ministerial level before submission to the French Parliament. The National Commission for Human Rights and the CNIL will be consulted on the draft law.

    Self-regulatory instruments

    Instruments relating to online privacy

    124)  The "Charte de l’Internet" (Internet Charter) is a self-regulatory initiative established on the ground of national legislation. This Charter, aimed at Internet actors, creates an independent supervisory body, the "Conseil de l’Internet" (Internet Council), with advisory and mediation powers. The Charter stipulates that users should have the right to use services anonymously, and imposes an obligation on Internet actors to inform users of the data being collected.

    Other initiatives

    . 125
    SEVPCD, a professional association for distance marketers, has developed a code of conduct designed to accord with Law 78/17. Only members who comply with these rules are entitled to display the Association’s emblem, and violations may result in disciplinary proceedings before the Association’s Supervisory Committee.

    Germany

    Laws

    Federal comprehensive laws

    . 126
    Germany’s Federal Data Protection Act (1990) is applicable to computerized and manual records of natural persons. The Act distinguishes between public and private data controllers. Public sector name-linked files must be registered with the independent Federal Data Protection Commissioner who is elected by Parliament. The supervisory authorities for the private sector are designated by the laws of each German State (Land). Private organizations are required, under certain circumstances, to appoint data protection supervisors to see that the law is observed.

    . 127
    Anyone may lodge a complaint with the Federal Data Protection Commissioner if they believe that their rights have been infringed through the collection, processing or use of personal data by a Federal authority. Complaints against private sector organizations may similarly be made to the Laender supervisory authorities. In terms of sanctions, the Act creates administrative penalties and criminal offenses.

    Other Federal laws with privacy provisions

    . 128
    The German Federal Government has enacted a significant number of specific-issue laws and regulations dealing with privacy, including legislation on national registers and archives, federal statistics, population registers, the storage and transfer of personal data concerning foreigners in Germany (the Central Register of Foreigners Act (1994)), and telecommunications (the Federal Telecommunications Act (1996) and the Telecommunications Carriers Data Protection Ordinance).

    . 129
    Article 2 of the Federal Information and Communication Services Act (1997) governs the processing of personal data in the networked environment. The Act refers to the anonymous use of teleservices, technical devices to minimize the amount of personal data collected and procedures for obtaining electronic consent.

    Laender (State) laws

    . 130
    Each Land has its own data protection law covering its public sector, as well as its own data protection authority. The Data Protection Commissioners of the Federation and the Laender hold regular conferences.

    Implementation of the EU Directive

    . 131
    The Federal Government and Laender are currently working on new legislation to implement the EU Directive. Some of the Laender Commissioners have issued draft implementation proposals and have published Guidelines on transborder flows of data to countries without adequate protection provisions.

    Self-regulatory instruments

    . 132
    The approach to privacy protection in Germany is currently based on laws rather than self-regulatory mechanisms.

    Greece

    Constitution

    . 133
    The Greek Constitution contains rights to personal and family privacy (Article 9) and secrecy (Article 19).

    Laws

    Comprehensive laws

    . 134
    Law No. 2472/97 regarding the Protection of the Individual Against Processing of Personal Data was approved on 26 March 1997 and implements the EU Directive. The Law covers computerized and manual personal data on natural persons, and applies to the public and private sectors. The Law also establishes an independent Data Protection Authority to oversee the registration system, enforce the Law, promote the adoption of sectoral voluntary codes and impose sanctions for violations.

    . 135
    The Law gives data subjects the right to be informed of, and have access to, their personal data and to apply to Court for the suspension of certain processing operations. The Law provides civil damages for losses caused in contravention of the law, administrative sanctions (such as fines and the cancellation of data processing licenses) and criminal sanctions.

    Other laws with privacy provisions

    . 136
    Law No. 2225/94 protects freedom of correspondence and communication.

    Self-regulatory instruments

    . 137
    There are no specific privacy codes of conduct in Greece; however, the Codes of Conduct of the Journalists Association and the Greek Banks Association both refer to the protection of privacy.

    Hungary

    Constitution

    . 138
    The Hungarian Constitution includes a right to the protection of personal data (Article 59).

    Laws

    Comprehensive laws

    . 139
    The law on the Protection of Personal Data and Disclosure of Data of Public Interest (1992) covers both computerized and manual data regarding natural persons, applies to both the public and private sectors and includes a limited registration system. An independent Parliamentary Commissioner for Data Protection and Freedom of Information was elected pursuant to the Act in 1995. The Commissioner is responsible for observing the implementation of the Act, investigating complaints and maintaining the Data Protection Register.

    . 140
    The Act, which includes the basic principles in the OECD Guidelines, gives data subjects a number of rights over their personal data (including correction/deletion of data). The Act also provides for remedies (including compensation) for breaches. Remedies may either be pursued through application to the Commissioner or by initiating court proceedings.

    Other laws with privacy provisions

    . 141
    There are a number of specific-issue laws with provisions relating to data protection. These include Acts concerning the national registry, the handling of research and direct marketing information, the handling of medical data, education, archives, the police, banking and national security.

    Self-regulatory instruments

    . 142
    Examples of self-regulatory initiatives can be found in the co-operation between direct marketing companies and in the rules adopted by, for example, Hungary’s National Association of Journalists. The Office of the Data Protection Commissioner offers professional consultation to those in charge of drafting ethics regulations.

    Iceland

    Laws

    Comprehensive laws

    . 143
    Iceland’s data protection legislation, Act Nr. 121 Concerning the Registration and Handling of Personal Data (28 December 1989), is applicable to both the public and private sectors. The legislation covers computerized and manual personal data of natural and legal persons. The legislation also establishes a central registration system which is overseen by the Icelandic Data Protection Commission. The Commission’s other functions include handling violations of the Act, and authorizing the processing of data abroad.

    . 144
    Data subjects have rights of access to personal data, and can demand rectification or deletion. Data subjects can also request that their names be deleted from direct mailing lists. If there is a dispute over a data subject’s rights, the matter can be referred to the Data Protection Commission. The Commission can make orders in cases where the data subject’s rights have been infringed.

    . 145
    The 1989 Law contains criminal sanctions for the infringement of certain provisions.

    Ireland

    Constitution

    . 146
    The Irish Constitution recognizes a right to privacy.

    Laws

    Comprehensive laws

    . 147
    The Data Protection Act 1988 covers computerized personal data of natural persons and establishes a limited registration system applying to certain categories of data controllers including the public sector, holders of sensitive data, financial institutions, and organizations involved in direct marketing, debt collection and credit reference.

    . 148
    The Act establishes the government-appointed post of Data Protection Commissioner. The Commissioner enforces the law by investigating complaints, prosecuting offenders, supervising registrations and encouraging the development of sectoral codes of conduct. The Data Protection Commissioner’s decisions may be challenged in the courts.

    . 149
    The Act establishes data protection principles which must be observed regardless of registration. The breach of one of these principles does not involve a criminal offense per se; however, if the Commissioner investigates a complaint and issues a statutory notice, failure to comply without reasonable excuse becomes an offense. The Act provides for specified criminal offenses such as unauthorized disclosure. Civil litigation may be used by data subjects to seek compensation for violations of the Act.

    Other laws with privacy provisions

    . 150
    Ireland also has specific statistical data laws, as well as regulations made pursuant to the Data Protection Act which relate to privacy and the protection of personal data.

    Implementation of the EU Directive

    . 151
    A draft Bill to implement the EU Directive has been submitted to the Attorney-General’s office and will go to Parliament before mid July 1999. This follows the "Consultation Paper on Transposition into Irish Law" produced by the Department of Justice Equality and Law Reform (November 1997).

    Self-regulatory instruments

    . 152
    The Irish Direct Marketing Association’s (IDMA’s) Code of Conduct provides guidance on the application of the Data Protection Act to direct marketing. In terms of enforcement, a company official should be appointed to ensure compliance and carry out reviews; complaints may be addressed to the IDMA Board, whose powers include expulsion from the Association.

    . 153
    Sectoral codes of conduct may be validated by the Irish Parliament, thereby giving them force of law.

    Italy

    Laws

    Comprehensive laws

    . 154
    Italy’s Data Protection Act (adopted on 31 December 1996) implements the EU Directive. Following the Directive, the Act covers both computerized and manual personal data of natural and legal persons in the public and private sectors. The supervisory office established to oversee the implementation of the Act is the Guarantor of the Protection of Personal Data. The Guarantor supervises the registration process, investigates complaints and assists in the development of sectoral codes.

    . 155
    The Act provides that organizations that cause damage by the unlawful processing of personal data are liable to pay damages pursuant to the Italian Civil Code. Breaches of the Act may be pursued either through the courts or via the Guarantor.

    . 156
    The Guarantor may fine organizations for failing to provide information required by the Act. The Act also includes criminal sanctions (imprisonment) for violations such as unlawful processing. As a "collateral punishment" convictions can be published in the press.

    Other laws with privacy provisions

    . 157
    Laws and regulations with privacy provisions include legislative decrees pursuant to the Data Protection Act; telecommunications legislation; Labor Decree n. 39/93, which establishes the Authority for Information Technology in the Public Administration to support public agencies in the development and use of information systems; and Law No. 59 of 15 March 1997 (supplemented by Presidential Decree No. 513 of 10 November 1997), which concerns the use of computerized data in the public sector.

    . 158
    Legislative Decree No. 171 of 13 May 1998, published in the Official Journal of 3 June 1998, includes provisions for the protection of privacy in the telecommunications sector. It implements Directive 97/66/EC of the European Parliament and the Council and applies to journalistic activities. Security and confidentiality of telecommunications are provided for in Articles 2 and 3, respectively, whereas under Article 4 traffic and billing data must be erased or made anonymous upon termination of a call, except as laid down in that article.

    . 159
    A draft legislative decree was recently approved by the Council of Ministers which includes technical rules for the creation, transmission, keeping, duplication, reproduction and validation of documents created by computer-based means. This decree was referred to in Article 3 of Presidential Decree No. 513 (see above) with regard to the public sector; as yet it has not been published in the Official Journal.

    Self-regulatory instruments

    . 160
    A voluntary Code of Conduct which addresses privacy on the Internet was approved by the Associazione Italiana Internet Providers (AIIP) in early 1998. The AIIP is also working in conjunction with the Italian Supreme Court and the Milan Chamber of Commerce to establish regulatory and dispute settlement bodies and to create an online arbitration forum.

    Japan

    Laws

    Public sector laws

    . 161
    The Act on Protection of Computer Processed Personal Data held by Administrative Organs (1988) controls computer-processed personal data held by national agencies in Japan. The Act generally conforms to the OECD Guidelines. The legislation is co-ordinated by the Management and Co-ordination Agency (MCA) within the Prime Minister’s Office. Data users are accountable to the MCA, which also provides advice on the implementation of the Act.

    . 162
    Under the Act, data subjects have a right of access to their personal data, and can complain to the "head" of the data user about difficulties in exercising this right.

    Approach to privacy regulation in the private sector

    . 163
    The Basic Guidelines on the Promotion of an Advanced Information and Telecommunications Society (Prime Minister’s Office, 1998) give the following direction on the issue of privacy: (1) the private sector should take the initiative to formulate guidelines, registration systems and mark-granting systems specific to each area of industry and business; (2) on the other hand, governmental regulation of entities dealing with highly confidential information, such as personal credit data and medical data which could be damaging if leaked, should be taken into account. In short, the Government is required to promote independent efforts in the private sector, and is also expected to review the situation, taking legal regulation into consideration. The Government must also make the necessary efforts to encourage business to disclose to consumers the manner in which they protect personal data.

    . 164
    The report of "A Consultation Meeting for Protection and Utilisation of Personal Credit Data" (the Ministry of International Trade and Industry, the Ministry of Finance, 1998) indicated the need for legal regulation for protecting personal credit data. The report of the "Study Group on Privacy Protection in Telecommunications Services" (the Ministry of Posts and Telecommunications (MPT), 26 October 1998) also indicated the need for a legal background to make "Guidelines on the Protection of Personal Data in Telecommunications Business" effective. The Japanese Government has also actively encouraged the adoption of codes of conduct by the private sector (see below).

    Local authority laws

    . 165
    There are a large number of Ordinances enacted by local authorities in Japan that provide privacy protection for manual and/or computerized data. While most Ordinances are only applicable to local government bodies, some extend to the private sector.

    Self-regulatory instruments

    . 166
    In March 1997, the Ministry of International Trade and Industry (MITI) published "Guidelines Concerning the Protection of Computer Processed Personal Data in the Private Sector". The MITI Guidelines apply to electronically processed personal data and are intended to serve as a model for industry codes. They take into account both the OECD Guidelines and the EU Directive. According to the MITI Guidelines, a manager should be appointed in each organization to implement the Guidelines. In April 1998 the Japan Information Processing Development Center established a "System of Granting Privacy Marks", which certifies enterprises that abide by industry codes (based on the MITI Guidelines) requiring the maintenance of appropriate levels of privacy protection. This system also ensures that consumers can easily distinguish between the different levels of personal-data protection offered by enterprises.

    . 167
    The Electronic Network Consortium (ENC) has produced "Guidelines for Protecting Personal Data" (December 1997) which reflect the OECD Guidelines. They apply to anyone handling personal data in electronic networks and are intended to encourage service providers to take a uniform approach to the management and protection of personal data.

    . 168
    Electronic commerce business associations have also produced privacy codes of conduct. The Cyber Business Association, in consultation with the MPT, has produced voluntary "Guidelines for Protecting Personal Information in Cyber Business" (December 1997). Guidelines have also been produced by the Electronic Commerce Promotion Council (ECOM). The ECOM Privacy Issues Working Group has issued "Guidelines Concerning the Protection of Personal Data in Electronic Commerce in the Private Sector" (March 1998) which are based on the MITI Guidelines, and contain special provisions for children by requiring the consent of parents or guardians. They are intended as a model for individual companies.

    . 169
    In terms of self-regulation by Internet Service Providers (ISPs), the Telecom Services Association (TELESA) has also developed a model Code of Conduct which includes provisions on privacy and the protection of personal data.

    . 170
    In April 1998, Japan’s Data Communications Association launched a Mark Granting System to certify telecommunications carriers and service providers which provide appropriate privacy protection in their handling of personal information.

    . 171
    MPT established "Guidelines on the Protection of Personal Data in Telecommunications Business" in 1991, which were revised in 1998. The Guidelines stipulate five basic principles which telecommunications carriers and ISPs should observe: collection limitation, use and disclosure limitation, security safeguards, individual participation and accountability. Six extra clauses were included which focus on issues peculiar to the telecommunications sector, such as traffic data, itemised billing and calling line identification. Also in 1998, the Telecommunications Business Law was amended and a Petition System was established. Users can file complaints and petitions with MPT about telecommunications service charges, other conditions and the manner of operation of services, including the handling of users’ personal data. This is expected to work as a proper mechanism for individuals to obtain redress for privacy infringement. MPT has established other Guidelines, including "Guidelines for the Protection of Personal Caller Information in the Use of Caller Identification Services" (1996) and "Guidelines on Protection of Subscriber’s Personal Information in Broadcasting" (1996).

    . 172
    Other self-regulatory privacy initiatives include the Center for Financial Industry Information Systems which produced "Guidelines on the Protection of Personal Data for Financial Institutions" based on the OECD Guidelines.

    . 173
    In March 1999, the Ministry of International Trade and Industry established a Japanese Industrial Standard (JIS) entitled "Requirement for Compliance Program on Personal Information Protection" to standardise the level of protection of personal data in enterprises.

    Korea

    Constitution

    . 174
    The Constitution of Korea stipulates that no citizen’s right to confidentiality and freedom of privacy (Article 17) or freedom of communication (Article 18) shall be infringed.

    Laws

    Public sector laws

    . 175
    The Protection of Personal Information by Public Organizations Act governs the protection of personal information in the public sector. The Act reflects the principles in the OECD Guidelines and obliges public organizations to act carefully and promote confidentiality in dealing with personal data. Citizens are given the right to access their own personal data and the opportunity to have corrections made.

    Other laws with privacy provisions

    . 176
    The Use and Protection of Credit Information Act focuses on the protection of personal data in financial transactions. For example, the Act prohibits a financial institution from revealing or sharing personal/financial data without the data subject’s written consent. Korea also has an Act on the Protection of Confidentiality in Communications.

    Approach to privacy in the private sector

    . 177
    The Telecommunications Network Use Proliferation Act was amended in January 1999 to institutionalise the protection of personal data in the private sector, reflecting the principles in the OECD Guidelines. The revised Act, which will be in effect as of January 2000, authorizes the Government to place specified restrictions on information and telecommunications service providers in case they abuse or misuse an individual’s personal data.

    Self-regulatory instruments

    . 178
    There are no private sector self-regulatory initiatives in Korea at the present time, although discussions are expected.

    Luxembourg

    Laws

    Comprehensive laws

    . 179
    The Nominal Data (Automatic Processing) Act (1979) covers computerized and manual personal data of physical and legal persons held in both the public and private sectors. The Data Protection Consultative Commission (the Commission consultative à la protection des données) works under the auspices of the Minister responsible for data banks and performs an advisory function. The Minister is also assisted by an oversight authority, the autorité de contrôle. Breaches of the privacy legislation can be referred to a prosecuting authority by the Minister.

    . 180
    The 1979 Act provides criminal sanctions (imprisonment or fines) for breaches of its provisions.

    Other laws with privacy provisions

    . 181
    A number of sectoral regulations have been passed pursuant to the Act. For example, regulations have been passed with respect to police and medical data files.

    Implementation of the EU Directive

    . 182
    A parliamentary Bill has been drafted to implement the EU Directive. It was introduced to the Chamber of Deputies on 8 October 1997.

    Mexico

    Constitution

    . 183
    Articles 6 and 7 of the Mexican Constitution provide for the right to information. Article 16 states that private communications are inviolable and the law will provide criminal sanctions for acts which violate the freedom and privacy of such communications.

    Laws

    Federal laws

    . 184
    The Federal District Penal Code provides sanctions for breaches of privacy rights by public servants with respect to personal information collected and maintained by public authorities.

    The Netherlands

    Constitution

    . 185
    A constitutional right to privacy is contained in Article 10 of the Constitution of The Netherlands.

    Laws

    Comprehensive laws

    . 186
    The Data Protection Act (1988) (as supplemented by a Royal Decree of 1993 with respect to sensitive data) applies to both the public and private sectors, and covers computerized and manual records. The Act’s registration requirements are administered by the independent Registration Chamber (the Registratiekamer). The Registration Chamber has the power to investigate breaches of the law and to enforce its provisions. It can conduct an inquiry on its own initiative.

    Other laws with privacy provisions

    . 187
    There has been specific legislation in The Netherlands regarding police files (Police Registration Act (1991)) and medical data (Medical Treatment Information Act (1995)). There is also a regulation of 14 May 1994 concerning personal data about foreigners.

    Implementation of the EU Directive

    . 188
    The Data Protection Act of 1988 will be replaced by the new Personal Data Protection Act. This law aims to implement EU Directive 95/46/EC, and it elaborates on some issues which the Directive defines only vaguely. It applies to both the public and private sectors and covers computerized and manual records, and it differs in some ways from the preceding Data Protection Act. The law contains regulations on the following issues: conditions for the lawful processing of personal data, codes of conduct of organizations, the supply of information to and options for data subjects, and publicity of data processing to supervisory organizations and a broader public. The law also includes provisions on legal protection, the liability of the responsible data controller, international data transfers and the relationship with other laws. The role of the Registration Chamber remains the same. The Personal Data Protection Act will be in force not earlier than May 1999. The implementation has been delayed due to heavy resistance from both private sector lobby organizations and the national consumer protection agency, which made a proposal for the private sector’s own codes of conduct.

    . 189
    If a request for the provision of information or the rectification of personal data is refused by a data controller, then the data subjects may apply to the District Court for review. The Personal Data Protection Act also provides criminal sanctions for violations.

    . 190
    The implementation of the EU Directive 97/66/EC is in its final stage. The Telecommunications Act of which Chapter 11 is concerned with privacy issues, has been in force since 15 December 1998. Three specific arrangements in the form of Governmental Decrees must still be prepared. They concern Article 11.4 (specified bills), 11.5 (anonymising) and 11.7 (automatic call systems). These are expected to be finalized in 1999.

    Self-regulatory instruments

    . 191
    The law in The Netherlands encourages individual business and professional sectors to develop their own codes of conduct. The Registration Chamber is responsible for approving such codes which do not become legally binding, but are intended to give guidance in interpreting the law. Some 12 codes of conduct have been approved (examples include the Association of Commercial Information Bureaus, the Banking Association and the National Chipcard Platform). In December 1998 the Dutch private sector lobby organization made a proposal to implement 10 codes of conduct as a minimum level of privacy protection throughout all sectors. The further development of this proposal and the consequences for the implementation of the Personal Data Protection Act are not known yet.

    New Zealand

    Laws

    Comprehensive laws

    . 192
    The Privacy Act 1993 applies to computerized and manual "personal information" held by almost all public and private sector organizations in New Zealand. The core of the Act is a set of 12 Information Privacy Principles (IPPs) which are based on the OECD Guidelines. The Act also includes rules on data matching between government agencies.

    . 193
    The Act establishes the position of a Privacy Commissioner (an independent officer of the Crown) who has the power to investigate and mediate complaints. The Commissioner may issue sectoral Codes of Practice which are enforceable in the same way as the IPPs.

    . 194
    Neither the IPPs nor specific Codes of Practice create directly enforceable legal rights. Rather, an alleged breach may form the basis of a complaint to the Commissioner, who has broad powers of investigation and conciliation. Complaints which cannot be settled by consent are referred to a Complaints Review Tribunal which has broad relief-granting powers.

    Other laws with privacy provisions

    . 195
    Issue specific laws with privacy provisions include the Official Information Act 1982, the Local Government Official Information and Meetings Act 1987, the Electoral Act 1993 and the Domestic Violence Act 1995.

    Self-regulatory instruments

    . 196
    In terms of the Internet industry, the Internet Society of New Zealand has developed an "Internet Service Provider Code of Practice".

    . 197
    The Privacy Act also provides for the development of Codes of Practice which have the force of law. A Code may determine compliance and complaints procedures and may be more or less stringent than the IPPs but, once approved by the Privacy Commissioner, it replaces those principles for that specific agency, type of information, activity or industry group. Examples of Codes that have been developed pursuant to the Act are the Health Information Privacy Code 1994 and the Justice Sector Unique Identifier Code 1998.

    Norway

    Laws

    Comprehensive laws

    . 198
    Norway’s 1978 legislation for the protection of personal data covers both the public and private sectors and applies to manual and computerized records on natural and legal persons. Subsequent amendments to the Act cover direct postings, telemarketing and consumer credit information.

    . 199
    The Act introduces a central registration system which is administered by an independent Data Inspectorate (the Datatilsynet). The Data Inspectorate enforces the Act and conducts inspections of data practices. The Ministry of Justice is the appeal body for decisions made by the Inspectorate.

    . 200
    Under the Act, individuals have the right to inspect personal data, to request that corrections be made and to prevent their names from being used in the distribution of advertising. There is also special protection for sensitive data. Willful or negligent violations of the conditions of a license, or of the terms of the Act, are punishable by fines or imprisonment. Persons suffering as a result of a breach are entitled to compensation from the violator.

    Other laws with privacy provisions

    . 201
    There are many provisions in Norwegian legislation which relate to the protection of privacy. These include the Telecommunication Act, which concerns the protection of privacy in the telecommunication sector, and the rules of professional secrecy in the Public Administration Act and the National Register Act, which both limit government use of personal data.

    . 202
    The Ministry of Health and Social Affairs has drafted a proposal for an Act relating to health records and the electronic processing of such records. The proposal will probably be introduced to the Norwegian Parliament in Spring 1999.

    Other instruments to protect personal data

    . 203
    The Basic Agreement between the Norwegian Confederation of Trade Unions (LO) and the Confederation of Norwegian Business and Industry (NHO) contains provisions on the protection of personal data. The Agreement has special provisions regarding the storage and use of personal data in private enterprises.

    Implementation of the EU Directive

    . 204
    Following the adoption of the EU Directive, and in the light of technological developments in data collection, a government committee was appointed to consider legislative changes. The Norwegian Parliament will consider the committee’s proposals for revised legislation before the end of 1999.

    Self-regulatory instruments

    . 205
    The government committee, charged with revising the Personal Data Registers Act, proposed that individual businesses and professional sectors should develop their own codes of conduct concerning personal data. In this regard the Committee made reference to Article 27 of the EU Directive on data protection, and the 1980 OECD Guidelines.

    Poland

    Constitution

    . 206
    Article 51 of the Polish Constitution confers rights of protection for personal data.

    Laws

    Comprehensive laws

    . 207
    The Act on the Protection of Personal Data (1997) applies to manual and electronic data files and conforms with Convention 108 and the EU Directive. The data protection authority established under the Act is the General Inspector for Personal Data Protection. The Act contains a number of criminal sanctions (fines or imprisonment).

    Other laws with privacy provisions

    . 208
    An Order of the Ministry of Health in 1993 includes clauses protecting medical data.

    Portugal

    Constitution

    . 209
    Article 35 of the Portuguese Constitution confers constitutional rights to privacy.

    Laws

    Comprehensive laws

    . 210
    The Protection of Personal Data Act (1991) covers computerized data of natural persons, is applicable to both the public and private sectors and provides for a central registration system. The Act also creates a National Commission for the Protection of Automated Personal Data (the Comissao Nacional de Proteccao de Dados Pessoais Informatizados). The Commission is responsible for administering the registration system, hearing complaints and enforcing privacy rights under the Act and the Constitution. The Commission also oversees the matching of computerized personal files and its authorization is required for transborder flows.

    . 211
    The Act creates a right of access for data subjects along with a right of correction/erasure. Violations of the Act, as well as the Constitution, are criminal offenses.

    Other laws with privacy provisions

    . 212
    There are a number of laws and regulations containing data protection provisions in Portugal. These include the Law on Computer Crime (1991), regulations establishing institutions such as the Registry of Non-Donors of Human Organs and the Identity Card Center, and regulations controlling the databases operated by the Gendarmerie, the Border and Foreign Services and the Criminal Police.

    Implementation of the EU Directive

    . 213
    In September 1997 a number of changes were proposed to Article 35 of the Constitution to conform with the principles of the EU Directive. In addition, a new data protection law has been approved by the Government and is currently before the Portuguese Parliament.

    Spain

    Constitution

    . 214
    Article 18.4 of the Spanish Constitution states that "the law shall limit the use of data processing in order to guarantee the honor of personal and family privacy of citizens and the full exercise of their rights".

    Laws

    Comprehensive laws

    . 215
    The Law on the Regulation of the Automated Processing of Personal Data (1992) covers computerized records in the public and private sectors. Its implementation is overseen by an independent public authority, the Data Protection Agency. The Agency provides prior authorizations for the creation of databases, receives complaints and may make orders regarding public sector violations of the Law. It recently produced "Recommendations for Internet Users" which warn of the privacy risks associated with the Internet.

    . 216
    The Law provides that sanctions should be determined according to the nature and size of the violation.

    Other laws with privacy provisions

    . 217
    There is a Spanish Law on public statistics which contains privacy provisions.

    Implementation of the EU Directive

    . 218
    Work on revising the privacy legislation to meet the requirement of the EU Directive is underway.

    Self-regulatory instruments

    . 219
    The Spanish Association of Electronic Commerce (which is part of the Spanish Direct Marketing Association) has a Code of Conduct on Internet privacy. The Code advises its members of the privacy implications of operating on the Internet, specifying that users should be informed of their rights of access, rectification and deletion.

    Sweden

    Constitution

    . 220
    The Swedish Constitution (The Freedom of the Press Act) guarantees the right of individuals to have access to documents and data held by public authorities. Furthermore, the Instrument of Government provides that citizens shall be protected to the extent determined in detail by law against any infringement of their personal integrity resulting from the registration of information about them by means of electronic data processing.

    Laws

    Comprehensive laws

    . 221
    In April 1998, the Personal Data Act was adopted by Parliament. The Act, which entered into force on 24 October 1998, implements the EU Data Protection Directive in Sweden. The Act represents a legal framework for all processing of personal data and is supplemented by regulations of the Government and the Data Inspection Board. However, the provisions of the Act do not apply, inter alia, to the extent that they would contravene the provisions concerning the freedom of the press and freedom of expression contained in the Freedom of the Press Act and the Fundamental Law on Freedom of Expression.

    . 222
    The Act confers on the Data Inspection Board a supervisory and advisory role.

    . 223
    The penalties for violating the Personal Data Act primarily comprise damages in favor of the data subject suffering loss.

    Other laws with privacy provisions

    . 224
    Swedish laws containing privacy provisions include the Credit Information Act, the Debt Recovery Act and the Official Statistics Act.

    Self-regulatory instruments

    . 225
    The Swedish Direct Marketing Association is engaged in self-regulatory activities.

    Switzerland

    Laws

    Federal laws

    . 226
    The Federal Law on Data Protection (1992) (FLDP) covers both computerized and manual data concerning natural and legal persons in the federal public sector and the private sector. The Federal Data Protection Commissioner (appointed by the Federal Council) oversees the application of the law by federal authorities, and acts as an ombudsman for the handling of personal data in the private sector. All federal data registers must be registered with the Commissioner, but private organizations are only required to register data collections in limited circumstances. The Commissioner’s duties include assisting Federal and Cantonal privacy bodies and examining the extent to which foreign data protection regimes provide comparable protection. The Commissioner can also conduct investigations (on its own initiative or at the request of a third party) and issue recommendations. The Commissioner has a mainly consultative function in the private sector. It may also act as an arbitration and appeal body.

    . 227
    The FLDP reflects the basic principles of the OECD Guidelines. Sensitive data receives special protection. Transborder data transfers are prohibited under the FLDP unless adequate data protection can be assured, and the prior notification of transfers (to the Commissioner) is required in some circumstances.

    . 228
    Data subjects may seek the usual remedies of the Swiss Civil Code, such as injunctions and compensation orders, for violations of the FLDP. Violations are also punishable by fine or detention.

    Other federal laws with privacy provisions

    . 229
    A number of Swiss laws include privacy protection clauses, in particular: the Telecommunications Law; the law on Employment Contract Provisions; the law on Federal Statistics; and the Swiss Criminal Code. There is also a 1993 Ordinance regarding Professional Secrecy in Medical Research.

    Cantonal (State) law

    . 230
    The activities of Cantonal authorities are governed by Cantonal law. Most of the Swiss Cantons have introduced data protection laws which apply to these agencies. The applicable rules are generally similar to those at the Federal level and include the establishment of data protection bodies.

    Self-regulatory instruments

    Instruments relating to online privacy

    . 231
    A working group of the Office Fédéral de la Justice has formulated recommendations for Internet access providers called the Internet Charter. The Charter includes recommendations on legal issues such as service provider liability and the disclosure of data to third parties.

    Other initiatives

    . 232
    Industry codes of practice provide additional guidance in specific sectors, such as the medical profession, direct marketing and market research. There are also well-known confidentiality obligations in the fields of banking, insurance and pensions.

    Turkey

    Laws

    . 233
    Turkey has a draft law on Data Protection which applies to both public and private sector data processing entities. It has yet to be approved by the Turkish Parliament. The draft law incorporates the basic principles of the OECD Guidelines and Convention 108, and establishes an autonomous Authority for Data Protection. The Authority is responsible for supervising the application of the law.

    . 234
    Under the draft law, individuals will have rights to receive information whenever their data are collected, to have access to data of which they are the subject, to correct inaccurate data and to object to certain types of data processing.

    . 235
    Work on electronic commerce was initiated in Turkey in February 1998, following a decision taken by the Science and Technology High Board (STHB). Three working groups under the Electronic Commerce Co-ordination Committee have handled the studies. An initial Report prepared by these groups was submitted to the STHB in June 1998. The Report covers the existing barriers to e-commerce in Turkey and makes recommendations, which include the development of authentication and certification processes to eliminate these obstacles properly. The next step will be the development of an action plan for submission to STHB. This Study will consider the issue of jobs, timing and entities to be assigned to improve the legal, technical and financial infrastructure which e-commerce needs to develop.

    United Kingdom

    Laws

    Comprehensive laws

    . 236
    The United Kingdom’s Data Protection Act 1984 applies to automatically processed personal data relating to living individuals in both the public and private sectors. The Act gives rights to individuals, about whom data are recorded, including a right of access to their personal data and a right to have any inaccurate data corrected or deleted. If an individual suffers damage caused by the loss, unauthorized destruction or unauthorized disclosure of information about themselves, or through that information being inaccurate, they can seek compensation through the courts.

    . 237
    The Act established an independent supervisory authority known as the Data Protection Registrar. The Registrar’s functions include establishing and maintaining a register of those who process personal information. Failure by a data user to register can give rise to criminal liability.

    . 238
    The Act sets out eight Principles of fair information practice. The Registrar considers complaints made about breaches of the Act and can serve notices on registered persons requiring them to take specified steps to comply with the Act. Failure to comply with such a notice is an offense.

    . 239
    The Registrar is also charged with promoting data protection compliance, including encouraging the development of industry-based codes of practice. These codes aid the interpretation of the law. The Registrar also issues guidance notes, including the recently published "Data Protection and the Internet".

    Other laws with privacy provisions

    . 240
    A number of statutes in the UK have implications for data protection; these include the Financial Services Act 1986, the Human Fertilization and Embryology Act 1990, the Charities Act 1993 and the Criminal Justice and Public Order Act 1994. The Government has proposed a Freedom of Information Bill which, if enacted, would extend rights of access to information, and also contain exemptions on privacy and other grounds.

    . 241
    The European Convention of Human Rights (ECHR) has recently been embodied in national legislation in the form of the Human Rights Act 1998. The Act received Royal Assent on 9 November 1998 but is not expected to come into force before 2000. The Act adopts Article 8 of the ECHR providing a "right to respect for private and family life".

    Implementation of the EU Directive

    . 242
    The Data Protection Act 1998 which received Royal Assent on the 16 July 1998 was enacted to implement the EU Directive on data protection. Much of the detail of the new law will be contained in secondary legislation. The new law will be brought into force at the end of June 1999, or as soon thereafter as the Government finds it possible to do so.

    . 243
    The Act broadens the scope of current legislation by bringing personal data contained within structured manual filing systems within its scope. The definitions of "processing" and other terms have been amended to reflect the definitions found in the EU Directive. The 1998 Act also provides new rights for data subjects, in particular to prevent their data being used for direct marketing and to object to important decisions concerning them being taken by automatic means, and more generally a right to compensation for damage arising from any breach of the new law. When the Act comes into force, the Data Protection Registrar will be known as the Data Protection Commissioner.

    . 244
    The British Standards Institute is working with the Data Protection Registrar to prepare a data protection compliance program in preparation for the implementation of the EU Directive.

    Self-regulatory instruments

    Instruments relating to online privacy

    . 245
    The Internet Service Providers Association (UK) has developed a Code of Conduct, which is voluntary for the first 12 months and thereafter becomes obligatory for all Members. The Code provides guidance on registering with the Data Protection Registrar. It also encourages Members to notify users of the purposes for which personal information is collected and to give the user an opportunity to prevent such usage.

    Other initiatives

    . 246
    A number of other industry associations have produced codes of conduct that include data protection provisions.

    United States

    Constitution

    . 247
    The US Constitution does not explicitly mention a right of privacy. However, case law has recognised that the Constitution confers such a right with respect to government restrictions on certain activities or invasions of physical privacy.

    Laws

    Federal sectoral laws

    . 248
    The use of personal information held by federal government agencies is regulated by the Privacy Act (1974) which establishes fair information principles for handling personal data. The Office of Management and Budget is responsible for overseeing the Act. The Privacy Act provides data subjects with a civil right of action which may result in monetary damages and/or injunctive relief. The Act also provides criminal penalties for knowing violations of the Act.

    . 249
    Federal Acts with privacy implications for specific kinds of information include:

    State laws

    . 250
    A number of State Constitutions include a right to privacy. States generally follow the federal sectoral model and enact privacy enhancing statutes on a sectoral (industry by industry) basis. The level of protection varies from one State to another.

    Approach to privacy regulation in the private sector

    . 251
    The US Government believes that private sector-developed and enforced codes of conduct are an effective way to protect privacy online without creating a bureaucracy which could stifle the growth of electronic commerce. Reports by government bodies and statements by officials include:

    Self-regulatory instruments

    Instruments relating to online privacy

    . 252
    A number of industry-based organizations have developed guidelines and codes of conduct for their members. These include:

    Other initiatives

    . 253
    Other self-regulatory initiatives include:

    TABLE OF NATIONAL INSTRUMENTS

    Country name       Ratification of    Omnibus legislation dealing with privacy and data
                       Convention 108     protection and applying to the:
                                          Public sector        Private sector
    Australia                             ✓
    Austria *          ✓                  ✓                    ✓
    Belgium *          ✓                  ✓                    ✓
    Canada                                ✓                    Quebec
    Czech Republic                        ✓                    ✓
    Denmark *          ✓                  ✓                    ✓
    Finland *          ✓                  ✓                    ✓
    France *           ✓                  ✓                    ✓
    Germany *          ✓                  ✓                    ✓
    Greece *           ✓                  ✓                    ✓
    Hungary            ✓                  ✓                    ✓
    Iceland            ✓                  ✓                    ✓
    Ireland *          ✓                  ✓                    ✓
    Italy *            ✓                  ✓                    ✓
    Japan                                 ✓
    Korea                                 ✓
    Luxembourg *       ✓                  ✓                    ✓
    Mexico                                ✓
    Netherlands *      ✓                  ✓                    ✓
    New Zealand                           ✓                    ✓
    Norway             ✓                  ✓                    ✓
    Poland                                ✓                    ✓
    Portugal *         ✓                  ✓                    ✓
    Spain *            ✓                  ✓                    ✓
    Sweden *           ✓                  ✓                    ✓
    Switzerland        ✓                  ✓                    ✓
    Turkey
    United Kingdom *   ✓                  ✓                    ✓
    United States                         ✓

    ✓ Denotes ratification or legislation in place
    * Denotes membership of European Union

    II. MECHANISMS TO IMPLEMENT AND ENFORCE PRIVACY PRINCIPLES ON GLOBAL NETWORKS

    . 254
    There are various practices, techniques and technologies which are used, or are being developed, to implement and enforce privacy principles in networked environments. These different mechanisms are highly interrelated, many are based on recent technological developments, and some blur the traditional distinctions between setting, implementing and enforcing privacy guidelines. Some allow users to take charge of their own personal data protection and privacy (for example, by blocking the transfer and collection of header information and click-stream data), others are implemented by data controllers (for example, by digitally labelling a Website’s privacy practices), and others may be facilitated by governments and/or private sector organizations (for example, by creating model clauses for transborder data flow contracts).

    . 255
    This part of the Inventory categorises the various mechanisms for the protection of privacy on global networks according to whether their purpose is:

    A. MINIMISING THE DISCLOSURE AND COLLECTION OF PERSONAL DATA

    . 256
    Users of global networks can act with relative anonymity by minimising the amount of personal data they disclose and/or allow to be collected. This is an important means of protecting privacy. To help preserve online anonymity, mechanisms are available which: (i) empower users to restrict the automatic disclosure and collection of Web-browsing data; and (ii) reduce the need for personal data to be disclosed voluntarily.

    1. Restricting or eliminating the automatic disclosure and collection of personal data

    . 257
    As discussed in the general introduction, header information and click-stream data may be disclosed whenever a Web site is visited and cookies are often used to facilitate the collection of such data. In general, a user’s level of anonymity may be increased by restricting the creation of cookies, or by blocking the transfer, and collection, of automatically generated data (header information, e-mail headers and click-stream data) from the user’s computer. Both these techniques empower users to take control over their own privacy.

    (a) Management of cookies

    . 258
    Since cookies can be used to associate a unique code with a particular user, one approach to preserving anonymity while using the Web is to allow individuals to limit or prevent the creation of cookies. Methods which may be used include the following:

    . 259
    These technologies require a considerable degree of user sophistication and they generally do not prevent the server from retrieving basic header information from the user’s browser. However, further development of the technologies may make their use more streamlined and effective.

    (b) Blocking the transfer and collection of automatically generated data

    . 260
    Mechanisms are available to block the transfer and/or collection of automatically generated data, such as e-mail headers, header information and click-stream data.

    . 261
    "Anonymous re-mailers" allow e-mail messages to be sent without revealing the identity of the sender. Some, such as Hotmail and the Freedom Remailer, run by the Global Internet Liberty Campaign, operate through Web pages where an e-mail is created and sent without any information identifying the sender. Other re-mailers are designed to receive an e-mail message from one party, re-address it and send it to a second party. In the process, header information that would identify the sender is removed. Examples include the re-mailers at Replay and Nymserver. Such re-mailers offer varying degrees of protection against an eavesdropper identifying the sender of an anonymous e-mail by observing the messages received and sent via the re-mailer and matching them on, for example, length and timing. Many anonymous re-mailers have been forced to close down because of abuses, such as offensive messages and mass mailings.

    . 262
    An "anonymising intermediary" may be used to prevent a Web site automatically collecting header information about the user, associating click-stream data with a particular user or setting cookies on the user’s computer. The intermediary is a Web server which operates between the user and the rest of the Web. When the user wishes to view a Web page he or she requests the page from the intermediary. The intermediary retrieves the page and passes it back to the user. Since the user is never directly connected to the site being browsed, no header information about the user is passed on, nor is the Web site able to set a cookie on the user’s computer. An example of such a service is the Anonymizer.
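    The following Python code is an added illustration, not part of the Inventory or of any product it names. For one constructed page visit it models what the origin Web site obtains (i) with no protection, (ii) with cookie restriction applied in the browser, as discussed in paragraphs 258 and 259, and (iii) through an anonymising intermediary, as described in paragraph 262. The host names (shop.example, ads.example), the request headers and the cookies are constructed for the example, and the first-party test is a deliberate simplification.

```python
"""Added illustration: what the origin Web site learns from one page visit
under three configurations -- no protection, a user-side cookie policy in the
browser, and an anonymising intermediary.  All requests, responses and names
(shop.example, ads.example, ExampleBrowser) are constructed for this example."""
from urllib.parse import urlsplit

# Request headers that identify the user or her software.  An anonymising
# intermediary requests the page on the user's behalf and forwards none of
# them; the origin site also sees the intermediary's address, not the user's.
IDENTIFYING_REQUEST_HEADERS = {"user-agent", "referer", "cookie", "from",
                               "accept-language", "x-forwarded-for"}


def registrable_domain(host):
    """Crude first-party test: the last two labels of the host name.
    (Simplification for this example; browsers use the public suffix list.)"""
    return ".".join(host.lower().split(".")[-2:])


def cookie_name(set_cookie):
    return set_cookie.split(";", 1)[0].split("=", 1)[0].strip()


def is_persistent(set_cookie):
    """A cookie carrying Expires or Max-Age survives the browsing session."""
    attrs = {p.strip().split("=", 1)[0].lower() for p in set_cookie.split(";")[1:]}
    return bool(attrs & {"expires", "max-age"})


def apply_cookie_policy(page_url, responses, block_third_party, session_only):
    """User-side cookie restriction.  responses: list of (resource_url,
    [Set-Cookie header values]) received while rendering page_url.
    Returns the names of the cookies the browser keeps."""
    page_domain = registrable_domain(urlsplit(page_url).hostname)
    kept = []
    for resource_url, set_cookies in responses:
        third_party = registrable_domain(urlsplit(resource_url).hostname) != page_domain
        for sc in set_cookies:
            if block_third_party and third_party:
                continue                    # cookie set by a tracker on another domain
            if session_only and is_persistent(sc):
                continue                    # refuse cookies that outlive the session
            kept.append(cookie_name(sc))
    return kept


def headers_seen_by_site(request_headers, via_intermediary):
    """Header information the origin site receives for this request."""
    if not via_intermediary:
        return dict(request_headers)
    return {k: v for k, v in request_headers.items()
            if k.lower() not in IDENTIFYING_REQUEST_HEADERS}


def intermediary_relay(responses):
    """The intermediary passes the page back but drops every Set-Cookie
    header, so no site can place a cookie on the user's computer."""
    return [(url, []) for url, _ in responses]


# --- constructed sample visit -------------------------------------------
PAGE_URL = "https://shop.example/catalogue"
BROWSER_REQUEST = {
    "Host": "shop.example",
    "User-Agent": "ExampleBrowser/1.0 (ExampleOS)",
    "Referer": "https://search.example/?q=shoes",
    "Accept-Language": "en-GB",
    "Cookie": "session=abc123",
}
RESPONSES = [
    ("https://shop.example/catalogue", ["session=abc123; Path=/"]),
    ("https://ads.example/pixel.gif",
     ["uid=9f8e7d; Domain=ads.example; Expires=Wed, 01 Jan 2020 00:00:00 GMT"]),
]


def compare_configurations():
    """Returns {configuration: (headers the site sees, cookie names stored)}."""
    return {
        "no protection": (headers_seen_by_site(BROWSER_REQUEST, False),
                          apply_cookie_policy(PAGE_URL, RESPONSES, False, False)),
        # cookie restriction alone: the tracker's cookie is refused, but the
        # site still receives User-Agent, Referer and the rest (paragraph 259)
        "cookie policy": (headers_seen_by_site(BROWSER_REQUEST, False),
                          apply_cookie_policy(PAGE_URL, RESPONSES, True, True)),
        "intermediary": (headers_seen_by_site(BROWSER_REQUEST, True),
                         apply_cookie_policy(PAGE_URL, intermediary_relay(RESPONSES),
                                             False, False)),
    }


if __name__ == "__main__":
    for name, (headers, cookies) in compare_configurations().items():
        print(f"{name:14s} headers={sorted(headers)} cookies={cookies}")
```

    Running the comparison shows the point made in paragraph 259: a cookie policy alone refuses the tracker's persistent cookie but leaves User-Agent, Referer and Accept-Language visible to the site, whereas the intermediary leaves the site with nothing but the host it was asked for.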

    . 263
    Issues which have been raised about the use of anonymising intermediaries include the need for the intermediaries to follow good data practices, and the risk of abuses of anonymity.

    2. Reducing or avoiding the need for personal data disclosure

    . 264
    One of the reasons that personal data are requested on global networks is to prove that a user is eligible for a certain transaction or that payment details are genuine. Mechanisms are being developed which, if adopted by users and online businesses, will allow for the verification of such details without requiring the disclosure of personal information.

    (a) Anonymous payment systems

    . 265
    Some payment mechanisms cause more data to be revealed than others. In the off-line world the most anonymous means of payment is cash. Since the value of cash is inherent and irrefutable, recipients do not require additional assurances of authenticity. In contrast, other payment mechanisms, such as credit cards, often require the disclosure of personal data (such as the name and billing address of the payor) as a means of authenticating the payment. The facility to engage in cash-like transactions in the online world increases user anonymity, and limits the ability for header information and click-stream data to be linked to a real world identity.

    . 266
    A number of companies are developing cash-like payment mechanisms for use on global networks. Two examples are Ecash and Mondex. Ecash provides cash-like anonymity through an encrypted payment system. Essentially, money from an account held with a participating bank can be converted into "digital coins" which can be transferred into an "electronic purse" on the user’s computer. From there the coins can be transferred to other individuals or merchants doing business online. Each coin has a unique serial number and is validated by a "digital signature", which allows transactions to be verified and prevents the same coin from being spent more than once. To protect user anonymity, the user’s computer (rather than the bank) may randomly assign a serial number to a coin which can be sent to the bank in a special digital envelope. The bank adds a "blind digital signature" to the envelope, debits the user’s account and returns the coin without ever knowing the serial number. The user can then spend the coin, and payment will be honoured by the bank even though it cannot trace the identity of the payor.
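    As an added illustration of the withdrawal and spending steps just described (constructed for this Inventory, not Ecash's own code), the following Python program carries out an RSA blind signature: the user's computer chooses the serial number, the bank signs it inside the "digital envelope" without learning it, and at spending time the bank verifies the coin and refuses a second presentation of the same serial number. The key parameters are fixed toy values chosen so that the program runs offline.

```python
"""Added illustration of the blind-signature withdrawal described above:
the user chooses a coin's serial number, the bank signs it inside a 'digital
envelope' without seeing it, and later verifies the coin and refuses a second
spend.  Toy fixed RSA parameters; constructed example, not Ecash's own code."""
import hashlib
import secrets
from math import gcd

# Bank's RSA key.  Two fixed Mersenne primes keep the example self-contained;
# a real system generates fresh primes of 1024 bits or more.
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def coin_digest(serial):
    """Map a serial number (bytes) to an integer smaller than N."""
    return int.from_bytes(hashlib.sha256(serial).digest()[:24], "big")


class User:
    def __init__(self):
        # the serial number is chosen by the user's computer, not the bank
        self.serial = secrets.token_bytes(16)
        while True:                         # blinding factor r, invertible mod N
            self.r = secrets.randbelow(N - 2) + 2
            if gcd(self.r, N) == 1:
                break

    def blind(self):
        """The digital envelope: m * r^e mod N reveals nothing about m."""
        return coin_digest(self.serial) * pow(self.r, E, N) % N

    def unblind(self, blinded_sig):
        """Strip r to obtain the bank's ordinary signature on the serial."""
        return self.serial, blinded_sig * pow(self.r, -1, N) % N


class Bank:
    def __init__(self):
        self.withdrawal_log = []   # everything the bank sees at withdrawal time
        self.spent = set()         # serial numbers already redeemed

    def sign_blinded(self, envelope):
        self.withdrawal_log.append(envelope)   # account debit omitted here
        return pow(envelope, D, N)

    def redeem(self, serial, signature):
        if pow(signature, E, N) != coin_digest(serial):
            return "forged"                     # not a signature from this bank
        if serial in self.spent:
            return "double-spend"               # same coin presented twice
        self.spent.add(serial)
        return "accepted"


def run_protocol():
    bank, user = Bank(), User()
    serial, sig = user.unblind(bank.sign_blinded(user.blind()))
    return {
        "first_spend": bank.redeem(serial, sig),
        "second_spend": bank.redeem(serial, sig),
        "tampered": bank.redeem(serial, (sig + 1) % N),
        # unlinkability: the withdrawal log never contained the coin's digest,
        # so the bank cannot tie the spent coin back to the withdrawing account
        "bank_saw_serial": coin_digest(serial) in bank.withdrawal_log,
    }


if __name__ == "__main__":
    for step, outcome in run_protocol().items():
        print(f"{step}: {outcome}")
```

    The double-spend check is what the paragraph means by the signature preventing a coin from being spent twice: the signature proves the coin is genuine, but only the bank's record of redeemed serial numbers tells it that this genuine coin has already been used.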

    . 267
    Mondex is another electronic payment mechanism. Here funds are stored in a "smart card" and transactions are carried out directly between the parties without the transaction being reported to a central computer. For security and practical reasons, rolling audit trails are held on each individual card and with retailers. These trails can be revealed to resolve disputes, to correct failed transactions or if required by legal authorities. In normal transactions, however, an individual’s privacy is protected because the retailer does not have access to the bank information which links an individual’s name to their Mondex card reference number.

    . 268
    As with payment systems in the off-line world, electronic payment mechanisms do have limitations. First, they are subject to network externalities and will only be practicable when they are accepted by a critical mass of merchants. Second, personal identity information may still be revealed if, for example, a name and address are supplied so a product can be shipped to the purchaser or if the merchant is able to automatically collect identity revealing information such as the user’s e-mail address. Finally, some commentators fear that anonymous payment mechanisms may be used to facilitate money laundering, fraud and tax evasion. However, these payment systems constitute an important tool for protecting privacy, especially when used in conjunction with other technologies and privacy policies.

    (b) Digital certificates

    . 269
    Another potential means of facilitating "faceless" anonymous transactions across global networks is the use of "digital certificates" based on public key cryptography techniques to establish personal attributes without revealing the party’s true name or other identification information.

    . 270
    Digital certificates issued by a trusted source, such as a "certification authority", can provide independent verification of information such as identity and transaction details. In the context of minimising the disclosure of personal data and preserving anonymity on global networks, digital certificates can be issued to establish personal attributes such as age, residence, citizenship, registration to use a service or membership in an organisation without revealing the transacting party’s identity. Such certificates may reduce, or avoid, the need for personal data to be disclosed where the important issue is not who a party is, but whether he or she possesses a certain characteristic. For example, a merchant selling age-sensitive products in the electronic environment may be satisfied by a digital certificate which states that a particular consumer is not underage without needing to know the consumer’s actual identity.
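    The following Python code is an added illustration (not taken from the Inventory or from any certification authority's software) of the age example in the paragraph above: a certificate that establishes the attribute "over 18" for a limited period without naming its holder, and the checks a merchant would make before relying on it, including the points raised in the next paragraph about attributes that change over time and about tampering. The issuer name "ExampleCA", the field names, the dates and the toy fixed RSA key are all constructed for the example.

```python
"""Added illustration: a digital certificate that establishes an attribute
('over 18') without naming its holder, and the checks a merchant would make
before relying on it.  Toy RSA signature with fixed primes; 'ExampleCA',
the field names and the dates are all constructed for this example."""
import hashlib
import json

# Certification authority's toy RSA key (fixed Mersenne primes; example only).
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

# Fields a minimal-disclosure certificate must not carry: the merchant needs
# to know that the holder is over 18, not who the holder is.
IDENTITY_FIELDS = {"name", "address", "email", "date_of_birth", "id_number"}


def digest(body):
    """Hash a canonical serialisation of the certificate body to an int < N."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(canonical).digest()[:24], "big")


def ca_issue(attributes, not_before, not_after):
    """The CA vouches for the attributes, for a limited period, and nothing else."""
    body = {"issuer": "ExampleCA", "attributes": attributes,
            "not_before": not_before, "not_after": not_after}
    return {"body": body, "sig": pow(digest(body), D, N)}


def merchant_check(cert, required, today):
    """Decide whether the certificate establishes the required attributes.
    Dates are ISO strings, so string comparison orders them correctly."""
    body = cert["body"]
    if pow(cert["sig"], E, N) != digest(body):
        return "bad signature"                  # tampered or not from ExampleCA
    if not body["not_before"] <= today <= body["not_after"]:
        return "outside validity period"        # attributes change over time
    if IDENTITY_FIELDS & set(body["attributes"]):
        return "over-disclosure"                # more personal data than needed
    for key, value in required.items():
        if body["attributes"].get(key) != value:
            return "attribute not established"
    return "accepted"


def demo():
    """Constructed certificates exercising each branch of merchant_check."""
    good = ca_issue({"over_18": True, "country_of_residence": "NO"},
                    "1999-01-01", "1999-12-31")
    chatty = ca_issue({"over_18": True, "date_of_birth": "1970-05-02"},
                      "1999-01-01", "1999-12-31")
    altered = {"body": dict(good["body"],
                            attributes={"over_18": True, "country_of_residence": "SE"}),
               "sig": good["sig"]}               # body changed, signature reused
    need = {"over_18": True}
    return {
        "valid": merchant_check(good, need, "1999-06-15"),
        "lapsed": merchant_check(good, need, "2000-03-01"),
        "chatty": merchant_check(chatty, need, "1999-06-15"),
        "altered": merchant_check(altered, need, "1999-06-15"),
        "wrong_attr": merchant_check(good, {"over_18": True, "student": True},
                                     "1999-06-15"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

    The "chatty" case shows the data-minimisation point: a certificate carrying a date of birth would let the merchant infer age, but it discloses far more than the transaction requires, so a merchant committed to good practice should refuse it rather than store it.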

    . 271
    The use of digital certificates for establishing personal attributes raises a number of issues which may require further consideration, such as the problem of attributes which change over time, fraud, and the importance of certification authorities, which may hold large amounts of personal data, following good privacy practices.

    (c) Anonymous profiles

    . 272
    One of the reasons why Websites collect data about users and their browsing habits is to develop profiles which can be used to facilitate the targeting of advertising, editorial and commercial content to individual visitors. However, this may be accomplished by using "anonymous profiles" which reveal the desired information about browsing habits, but do not contain any personally identifying information. For example, Engage Technologies has created a database of 16 million Web-user profiles by using cookies to assign a unique numerical identifier to each visitor of an "Engage-Enabled" Web site. Other companies which run similar systems include DoubleClick and Clickstream.

    . 273
    A number of privacy concerns have been voiced about such systems on the basis that, although the profiles are in a sense anonymous, a large quantity of data is nonetheless collected which can be sold on a commercial basis, affect future browsing sessions and, potentially, be linked to the user’s real identity at a later date.

    B. INFORMING USERS ABOUT ONLINE PRIVACY POLICIES

    . 274
    There is a balance to be struck between the benefits of anonymity and the disclosure of personal information needed to participate fully in the wide range of interactions, relationships and communications available on international networks. Also, many users will not have the knowledge, or be prepared to make the effort, to keep their personal data private.

    . 275
    The percentage of Websites which currently include statements about their privacy and personal data practices is still growing. Various privacy bodies (such as TRUSTe and BBBOnLine) and trade associations (such as the Online Privacy Alliance and the American Electronics Association) promote appropriate disclosure practices and common standards for privacy protection. For example, in the TRUSTe licensing programme participating sites must, at a minimum, declare their policies with respect to what information is gathered, what is done with that information, with whom it is shared, and the site’s "opt-out" policy. One important factor in determining whether or not users trust Websites to follow their announced privacy policies is the mechanisms available for ensuring compliance with these policies and providing redress if they are breached. These mechanisms are discussed below.

    . 276
    The ways in which a Web site can inform its visitors about what (if any) personal data is being collected and how it will be used include: (i) posted privacy policies; (ii) the terms and conditions of online agreements; and (iii) digital labelling.

    1. Posted privacy policies

    . 277
    The simplest way for an organisation engaged in online activities to declare its privacy policy is via a specific page on its Web site. The information contained in Web site privacy policies should reflect the OECD Guidelines and could include: who the organisation collecting the data is and how it may be contacted; what information is being collected and how; how the collected data will be used; what choices the user has regarding the collection, use and distribution of the data; what security safeguards are used; how data subjects can access their information and have corrections made; what redress is available for violations of the policy; whether there are any applicable privacy laws or codes of conduct; whether any auditing or certification procedures are in place; and whether any technologies are used to enhance privacy protection. Privacy policies are also sometimes found within the Frequently Asked Questions (FAQ) or "Help" sections of a Web site.

    . 278
    To supplement the information provided in such a statement some Websites offer hypertext links to direct visitors to information about privacy issues, privacy organizations and technical issues such as cookies. Access to a privacy policy may also be facilitated by providing hypertext links from convenient locations, such as the site’s homepage and any pages from which personal data are requested, and by including "privacy" in the keyword index if the site has an internal search engine. The development of well-recognised "privacy icons", with hypertext links to Web site privacy policies, can also improve the accessibility of these policies. Such icons may serve additional functions, such as signalling that a site’s privacy policy and information practices meet the requirements of a third party certifier.

    2. Terms and conditions

    . 279
    A Web site may include its privacy policy as a part of the terms and conditions which apply between the site and its visitors. For example, where a Web site requires the user to accept some form of registration agreement to gain access to non-public portions of the site, a privacy clause is often included. Like the other means of notification, privacy clauses in online terms and conditions vary widely as to their scope and the amount of privacy protection afforded to the user.

    3. Digital labels

    . 280
    "Digital labelling" of privacy practices can provide an alternative or complementary means of notification. The basic idea is that a uniform "vocabulary" for Web site information practices, developed by a particular online community or organisation, would be used to describe the practices of individual sites. The description would take the form of a label included in the header of a Web page and readable by the user’s browser software.

    . 281
    The Platform for Privacy Preferences project (P3P) takes this approach. P3P is being developed by the World Wide Web Consortium (W3C) and is based on their Platform for Internet Content Selection (PICS) framework for labelling Websites. The goal of P3P is to allow Websites to simply express their privacy practices over the collection and use of personal data and to enable users to specify their own preferences. The privacy vocabulary being developed currently includes a list of data categories and data practices relating to, for example, the purposes for which data are used and disclosed, the ability of an individual to access and correct stored data and the identity of the person to whom problems should be addressed.

    . 282
    The interaction between the privacy preferences of the site and the user is mediated by P3P. Sites with practices which fall within a user’s preference set will be accessed "seamlessly". Otherwise, users will be notified of a site’s practices and have the opportunity to agree to those terms, to be offered new terms, or to discontinue browsing that site.
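A toy model of the mediation described in paragraph 282, added here as an illustration and not part of the Inventory or of the W3C's P3P work: the site publishes a machine-readable label, the browser compares it with the user's preference set, and the outcome is either "seamless" access or a notification listing the practices that fall outside the preferences. The vocabulary, header name and label syntax are constructed for this example and are not the real P3P or PICS syntax; the example also shows the failure modes a browser should handle, namely a missing or malformed label being treated as a mismatch rather than as silent acceptance.

```python
from dataclasses import dataclass

# Constructed vocabulary for this example; not the W3C P3P vocabulary.
DATA_CATEGORIES = frozenset({"contact", "demographic", "clickstream", "financial"})
PURPOSES = frozenset({"transaction", "site-admin", "marketing", "third-party-sharing"})
ACCESS_LEVELS = ("none", "contact-only", "all")  # weakest to strongest
LABEL_HEADER = "X-Privacy-Label"  # constructed header name, not a real standard


@dataclass(frozen=True)
class SiteLabel:
    collected: frozenset     # data categories the site collects
    purposes: frozenset      # what the data is used or disclosed for
    access: str              # what the individual can access and correct
    contact: str             # whom problems should be addressed to ("" if absent)


@dataclass(frozen=True)
class UserPreferences:
    allow_categories: frozenset
    allow_purposes: frozenset
    min_access: str
    require_contact: bool = True


def parse_label(header_value: str) -> SiteLabel:
    """Parse the constructed label syntax, e.g.
    'collected=contact,clickstream; purposes=transaction; access=all; contact=privacy@shop.invalid'.
    Tokens outside the vocabulary raise ValueError so that a malformed label is
    never mistaken for either a permissive or a restrictive one."""
    fields = {"collected": "", "purposes": "", "access": "", "contact": ""}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        key = key.strip().lower()
        if not sep or key not in fields:
            raise ValueError(f"unknown or malformed field: {part!r}")
        fields[key] = value.strip()
    collected = frozenset(t.strip() for t in fields["collected"].split(",") if t.strip())
    purposes = frozenset(t.strip() for t in fields["purposes"].split(",") if t.strip())
    if not collected <= DATA_CATEGORIES:
        raise ValueError(f"unknown data categories: {sorted(collected - DATA_CATEGORIES)}")
    if not purposes <= PURPOSES:
        raise ValueError(f"unknown purposes: {sorted(purposes - PURPOSES)}")
    if fields["access"] not in ACCESS_LEVELS:
        raise ValueError(f"unknown access level: {fields['access']!r}")
    return SiteLabel(collected, purposes, fields["access"], fields["contact"])


def mediate(label: SiteLabel, prefs: UserPreferences) -> dict:
    """Compare a site's label with the user's preference set.
    Returns {'decision': 'seamless' | 'notify', 'conflicts': [...]}; the decision is
    'seamless' only when every declared practice falls within the preferences."""
    conflicts = []
    extra_data = label.collected - prefs.allow_categories
    if extra_data:
        conflicts.append(f"collects {sorted(extra_data)}, which you do not allow")
    extra_purposes = label.purposes - prefs.allow_purposes
    if extra_purposes:
        conflicts.append(f"uses data for {sorted(extra_purposes)}, which you do not allow")
    if ACCESS_LEVELS.index(label.access) < ACCESS_LEVELS.index(prefs.min_access):
        conflicts.append(f"access is {label.access!r}; you require at least {prefs.min_access!r}")
    if prefs.require_contact and not label.contact:
        conflicts.append("no contact point for problems is given")
    return {"decision": "seamless" if not conflicts else "notify", "conflicts": conflicts}


def mediate_response(headers: dict, prefs: UserPreferences) -> dict:
    """Browser-side entry point. A missing or unreadable label is reported to the
    user like a mismatch; it is never treated as acceptance of the site's terms."""
    raw = headers.get(LABEL_HEADER)
    if raw is None:
        return {"decision": "notify", "conflicts": ["site publishes no privacy label"]}
    try:
        label = parse_label(raw)
    except ValueError as exc:
        return {"decision": "notify", "conflicts": [f"unreadable privacy label: {exc}"]}
    return mediate(label, prefs)


# Constructed user preference set: transactional use only, full access required.
PREFS = UserPreferences(
    allow_categories=frozenset({"contact", "financial"}),
    allow_purposes=frozenset({"transaction", "site-admin"}),
    min_access="all",
)

# Constructed sample response headers (not captured from any real site).
SHOP_HEADERS = {LABEL_HEADER: "collected=contact,financial; purposes=transaction; access=all; contact=privacy@shop.invalid"}
AD_HEADERS = {LABEL_HEADER: "collected=contact,clickstream; purposes=transaction,marketing,third-party-sharing; access=none"}
BAD_HEADERS = {LABEL_HEADER: "collected=dna; purposes=transaction; access=all"}

if __name__ == "__main__":
    for name, hdrs in [("shop", SHOP_HEADERS), ("ad network", AD_HEADERS),
                       ("malformed", BAD_HEADERS), ("no label", {})]:
        print(name, mediate_response(hdrs, PREFS))
```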

    C. PROVIDING USERS WITH OPTIONS FOR PERSONAL DATA DISCLOSURE AND USE

    . 283
    The interactive nature of global networks may be used to provide users with options regarding what information they are prepared to disclose and how it will be used.

    1. Optional data fields and click-box choices

    . 284
    Some Websites offer choice by collecting data through online forms which distinguish between obligatory and optional data fields, and which display "click boxes" giving visitors options as to how information supplied may be used. For example, obligatory data might include identification and payment information required for a transaction between the parties, while optional data might correspond to the user’s age, sex, occupation and various personal preferences. In terms of use options, visitors may be given boxes to click on which will determine whether their data may be used for marketing purposes and/or passed to third parties.

    . 285
    A similar approach to allowing individual control over personal data disclosures has been developed by companies in the business of providing personal profiles to other Websites. Firefly is an example of such a system. A Firefly user creates a "passport" which contains the information that he or she is willing to divulge on the Web. The passport, which is in effect a personal profile of likes and dislikes, is then instantaneously made available to participating sites that the user visits. MatchLogic operates a similar system. A unique random number is assigned, using a cookie, to each user visiting one of its sites. This number is used to track click-stream data relating to, for example, the kinds of advertisements viewed.

    2. Online negotiation of privacy standards through digital labels

    . 286
    Digital labelling and automated filtering, which were discussed above, may also be used to give a user new options when a Website’s standard privacy practices are not consistent with the privacy preferences that are set on his or her browser software. This would constitute a simple form of online negotiation.

    3. "Opting-out"

    Controlling the use of personal data after collection

    . 287
    To allow users to express a change of mind over how their data may be used, some Websites allow a control decision to be conveyed by e-mail, regular mail or telephone.

    Preventing the receipt of unsolicited e-mail advertising

    . 288
    Various technologies and practices are also available to prevent the receipt of unsolicited e-mail advertising. One mechanism is for users to adopt filtering tools to block e-mail messages originating from known bulk e-mail distributors. Another practice is to allow the recipient of an unsolicited bulk e-mail to reply to the sender and request that no more e-mails be sent to that address. A broader proposal is to develop an "E-mail Preference Service" (an e-MPS) or "E-mail Robinson List". An e-MPS would allow consumers who do not wish to receive marketing e-mails to add their address to a common register which participating marketers would use to remove people from their own lists. The US Direct Marketing Association is developing such a programme and intends to make its use a condition of membership from July 1999. Another proposal, which comes from the UK Data Protection Registrar, is to use a universally agreed upon character in e-mail addresses to indicate that the user does not want to receive any marketing solicitations.

    Opting-out of anonymous profiling

    . 289
    Different approaches currently exist with respect to data which have been automatically collected from header information and click-streams. In the anonymous profile systems operated by Engage Technologies and MatchLogic, click-stream data which are collected automatically are not treated as "personal data" over which the user is entitled to exercise control. By contrast, the DoubleClick system, which also uses cookies to assign unique identification numbers and collect click-stream data, offers users an "opt-out" option. If selected, the unique identification number is erased and click-stream data are no longer recorded.

    D. PROVIDING ACCESS TO PERSONAL DATA

    . 290
    Access to one’s data can be provided using either traditional off-line mechanisms (such as mail or telephone) or interactive online procedures where the request and the response are executed in real time during a connection between the Web site and the data subject.

    E. PROTECTING PRIVACY THROUGH TRANSBORDER DATA FLOW CONTRACTS

    . 291
    Transborder data flow contracts are an important means of implementing Privacy Principles in the context of a transfer of personal data between a data controller in one country and a data controller in another. Such contracts provide a mechanism for safeguarding personal data transferred between jurisdictions which may have different legal regimes with respect to privacy protection.

    . 292
    Many international documents require special treatment for transborder data flows. For example, Part Three of the OECD Guidelines states that Member countries may restrict flows of certain categories of personal data specifically controlled by domestic legislation to Member countries which have no "equivalent" protection. A similar provision is contained in Article 12 of the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108). This issue is particularly topical because Article 25(1) of the European Union Data Protection Directive provides that data transfers from a Member country to a third country can only take place where that country ensures an "adequate level of protection". Transborder data flow contracts may provide a bridge between different systems of privacy protection where the data importer is not otherwise regarded as providing adequate protection.

    The Council of Europe Model Contract, 1992

    . 293
    The Council of Europe Model Contract to Ensure Equivalent Data Protection in the Context of Transborder Data Flows (Model Contract) was the result of a joint study by the Council of Europe, the Commission of the European Communities and the International Chamber of Commerce (ICC). The contract is a collection of model clauses designed to ensure "equivalent protection" in the context of transborder data flows based on the guarantees in Convention 108. As well as being applicable to the equivalent protection clause in the OECD Guidelines, the Council of Europe Model Contract provides a useful reference in determining what may amount to "adequate protection" under the EU Directive.

    . 294
    Under the Model Contract the party sending the data warrants that data have been obtained and handled in accordance with the domestic privacy laws of the country in which it operates. In particular reference is made to fair and lawful data collection, the purpose for which the data has been stored, the adequacy and relevance of the data, the accuracy of the data and the period for which data storage has been authorised.

    . 295
    The party receiving the data undertakes to abide by the same principles that apply to the data sender in its home country. To supplement this undertaking, the data receiver also agrees to use the data only for the purposes set out in the contract, to protect sensitive data in the manner required by the domestic law of the data sender, not to communicate the data to a third party unless specifically authorised in the contract and to rectify, delete and update the data as required by the data sender.

    . 296
    The remaining clauses deal with liability for the misuse of the data by the data receiver, rights of data subjects, dispute settlement and termination of the contract. The applicable law is left open as a matter for the parties to determine.

    The Revised ICC Model Contract

    . 297
    The 1992 model contract clauses have been revised by the International Chamber of Commerce in light of the EU Directive’s requirement of "adequate protection" in data exchanges to third countries. The revision takes into account comments of the European Commission’s Working Party set up pursuant to Article 29 of the EU Directive.

    An illustrative agreement: German railways (Deutsche Bahn AG) and Citibank

    . 298
    In 1994, German Railways (Deutsche Bahn AG) arranged with the German subsidiary of Citibank for the production of Railway Cards (offering discounts for frequent travellers) which also functioned as VISA cards. Because the cards were produced by a Citibank subsidiary in the United States, the agreement gave rise to substantial transborder data flows. In response to German data protection concerns, an Agreement on Inter-territorial Data Protection was entered into to give German citizens the same level of privacy protection which they would have had if the cards had been produced in Germany. In particular, the contract provided for the application of German law, limited the transfer of the data to third parties, allowed for on-site audits by the German data protection authorities at Citibank’s subsidiaries in the United States, and held German Railways and the German Citibank subsidiary liable to German data subjects for any violations of the agreement by their American counterparts.

    F. ENFORCING PRIVACY PRINCIPLES

    . 299
    The mechanisms used to enforce privacy guidelines vary from country to country. In particular, different balances have been struck between relying on laws and self-regulation. Additionally, the privacy concerns created by global networks have led to the development of novel technological, institutional and contractual solutions which are in the process of gaining acceptance in different parts of the world. For example, trusted third parties who certify that a Web site complies with its posted privacy policies are emerging as a new private sector mechanism for enforcing privacy principles.

    . 300
    Irrespective of the regime in question, effective enforcement has two aspects. The first side to enforcement is comprised of those mechanisms designed to ensure ex ante that privacy guidelines are followed in practice. The second aspect of enforcement is concerned with what happens if privacy guidelines are breached. In particular, who can a data subject complain to, what remedies are available to injured parties and how can infringing data controllers be forced to comply with the applicable privacy guidelines? This distinction between proactive "compliance" and ex post "complaint resolution" procedures is adopted in the following discussion of the mechanisms which are available to enforce privacy guidelines.

    1. Ensuring compliance with privacy standards

    . 301
    There are many ex ante means of monitoring compliance with privacy guidelines regardless of whether those principles originate from legislation, codes of conduct or agreements between businesses and consumers. The following section distinguishes between four main means of ensuring compliance: appointment of an internal data protection officer, third party certification as to compliance, membership of industry bodies which impose privacy standards and investigations by central oversight authorities.

    (a) Internal data protection officers

    . 302
    Privacy laws and self-regulatory codes may require the appointment of an internal data protection officer by data controllers, or the designation of a particular person within an organisation who is responsible for ensuring that the organisation complies with the applicable privacy practices. As well as being answerable within the company for its compliance record, appropriate laws may make the internal data protection officer externally accountable to, for example, central oversight authorities.

    (b) Third party compliance reviews and Web site certification

    . 303
    Compliance reviews undertaken by third parties help ensure that Websites follow their privacy statements. Ongoing compliance reviews typically involve periodic information practice "audits" and "seeding" (personal information is submitted to the site and its use is compared with the site’s stated policy). Sites which continue to satisfy these reviews display a certification mark, such as a digital label or a well-recognised icon, as a public confirmation that they comply with their privacy statements.

    . 304
    There are different reasons why a Web site may seek third party compliance reviews and certification. Sites may voluntarily submit to compliance reviews. For example, a Web site may want to demonstrate its commitment to privacy and ease consumer fears that their personal information could be misused. The risk of having its certification withdrawn, and the publicity which would accompany it, may provide a sufficient incentive for Websites to comply with their privacy statements. In addition, privacy laws, self-regulatory codes of conduct and/or industry organizations, may require an online business to seek third party certification.

    . 305
    The following are examples of businesses and professional organisations that offer certification schemes with respect to privacy practices; other schemes, such as BBB Online, are being developed.

    TRUSTe

    . 306
    TRUSTe is an independent, non-profit making organisation that certifies Websites which meet the requirements of the TRUSTe programme. In particular, a Web site must: disclose its information management practices in an online privacy statement; adhere to these stated practices and co-operate with all reviews conducted by TRUSTe. The substance of the site’s privacy policy is determined by the site itself, but, at a minimum, its privacy statement must disclose:

    . 307
    TRUSTe has also recently announced (June 1998) that its licensees will be required to provide consumers with the opportunity to exercise control over how their personal information may be used, including transfers to third parties.

    . 308
    Once a company has agreed to the terms of the TRUSTe programme and satisfied an initial review by TRUSTe, it is permitted to use the TRUSTe "trustmark". To ensure that the Web site continues to adhere to its published privacy statement the TRUSTe programme is backed by an on-going "assurance" process. In particular, TRUSTe monitors a Website’s compliance with its stated privacy practices by:

    Standards authorities

    . 309
    Standards authorities are another type of organisation which may act as third party certifiers by developing privacy standards and offering formal certification to compliant Websites. An example is the Canadian Standards Association (CSA), which has developed a Model Code for the Protection of Personal Information. The CSA emphasises the importance of conducting independent audits by auditors certified in privacy auditing to verify ongoing compliance.

    Accounting firms

    . 310
    Privacy audits are one of the services now being carried out by large accounting firms. Such audits may be part of a compliance programme run through an organisation such as TRUSTe or the CSA, or they may be organised directly by an accounting firm. The WebTrust programme provides a framework for individual accounting firms to provide certification services. Developed by the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants, the WebTrust Seal is designed to assure online consumers that a participating Web site complies with the WebTrust principles, which include information protection. To monitor and ensure ongoing compliance with the WebTrust principles, assurance examinations are conducted by specially licensed accountants on a regular basis. The US Individual Services Reference Group principles provide for annual audits by a third party accounting firm.

    (c) Membership-based industry bodies

    . 311
    Industry bodies which specify certain privacy practices as a pre-requisite for membership can play a role in ensuring that privacy practices are complied with on global networks. Examples include: the Online Alliance (formed in June 1998 in response to the call for the creation of third party verification mechanisms, it is a cross-industry coalition designed to address online privacy issues whose members have agreed to adopt, implement and disclose privacy policies); the Australian Internet Industry Association (which has proposed an Industry Code of Practice utilising a code compliance icon); and the US Direct Marketing Association (an industry-based association, whose members engage in database marketing, which encourages its members to post privacy policies on their Websites). Also BBBOnLINE, a membership-based certification programme for online businesses, is considering adopting a privacy standard amongst its qualifying criteria, possibly by means of a separate privacy charter represented by its own seal or icon.

    . 312
    How satisfactory an industry body is likely to be in ensuring compliance with privacy standards depends on a number of factors. These include: how the applicable privacy code is publicised to members; how the organisation checks that the code is being followed, and how often; how the organisation deals with consumer complaints; and, when a member is shown to have breached the code, how it is sanctioned.

    (d) Central oversight authorities

    . 313
    Most jurisdictions with laws for the protection of personal privacy also establish a central oversight authority, such as a data protection office or a privacy commissioner, that may be empowered to perform proactive audits on its own initiative.

    . 314
    The "supervisory authorities" referred to in the EU Directive, for example, are intended to play this role. In particular, these authorities are endowed with investigative powers (such as the right to access data) and powers of intervention (such as the right to ban a particular method of data processing). In the EU, for example, these powers are subject to a right of judicial appeal.

    . 315
    Other legal requirements may be imposed to facilitate the compliance monitoring role of central oversight authorities. For example, a system of compulsory registration increases the information available to such authorities and initial audits can be required to ensure adherence to the law before data processing commences.

    2. Complaint resolution procedures for breaches of privacy standards

    . 316
    When a data subject believes that the privacy guidelines which apply to his or her relationship with a particular data controller have been breached, he or she should have access to redress or remedy. The privacy complaint resolution procedures which can be found in different OECD Member countries vary in many ways.

    . 317
    There are different ways in which privacy complaints may be addressed according to whether (1) the complaint is resolved directly between the data subject and the data controller; (2) the complaint is brought to the notice of a third party certification agency or industry body; or (3) administrative, civil or criminal proceedings are pursued.

    . 318
    The kinds of questions which can be asked in comparing each of these categories are:

    (a) Complaint resolution between the data subject and the data controller

    . 319
    A data subject’s initial complaint is likely to be made to the alleged infringer. Companies that collect and use personally identifiable information may be able to resolve many privacy disputes by providing mechanisms to receive and address consumer complaints. Obtaining redress directly from the data controller is likely to be the quickest, cheapest and least complicated means of complaint resolution.

    . 320
    Good reasons exist for online businesses to attempt to amicably resolve the privacy complaints of their customers. These incentives include protecting their reputations, fostering good customer relations and avoiding the threat of more formal complaint procedures being initiated.

    . 321
    Some online businesses offer clearly defined complaint procedures to facilitate the amicable resolution of privacy complaints. These provisions may address issues such as the method by which an organisation may be contacted, the remedies available (for example, liquidated damages, that is, a set amount of money to be paid for breaches of privacy) and procedures for bringing a claim to arbitration.

    . 322
    Some legislation and self-regulatory codes require data controllers to appoint internal data protection officers to facilitate the resolution of complaints by providing a clear point of contact with an individual who has well defined responsibilities.

    (b) Enforcement through private sector certification schemes and industry bodies

    . 323
    Certification schemes and industry bodies may offer avenues of redress for data subjects alleging privacy breaches by a member Web site. Such organizations are useful in two ways. First, the privacy criteria set by the certification scheme or industry body provide a benchmark against which the data controller’s practices may be judged. Second, the third party certifier or industry body has a reputational interest in ensuring that members comply with its privacy rules and is also likely to have a large degree of bargaining power relative to its members. These factors give the third party certifier or industry body both the incentive and capability to assist the data subject in resolving his or her complaint.

    . 324
    Third party certifiers and industry bodies may take a variety of roles in the resolution of a privacy dispute, ranging from investigation to mediation to adjudication. The redress available might include compliance with applicable privacy principles and compensation for any losses.

    Sanctions that may be assessed may include:

    - the publication of the business’ name on a "bad actor" list;

    - the revocation of the Website’s compliance certification icon;

    - removal from an industry body; and/or

    - administrative or judicial proceedings against the Web site (for example, for breach of contract or misuse of trademarks).

    . 325
    The following are examples of certification businesses and industry bodies who may play a role in resolving user complaints over a Web site’s privacy practices.

    TRUSTe

    . 326
    When TRUSTe receives a complaint it first sends a formal notice and gives the alleged infringer a chance to respond. If this proves unsatisfactory, TRUSTe conducts an escalating investigation. Depending on the severity of the breach, the investigation could result in penalties, an on-site conformance review or revocation of the participant’s trustmark. Serious cases may be referred to the FTC for enforcement action under the Federal Trade Commission Act or TRUSTe may conduct breach of contract or trademark infringement litigation against the site.

    The Australian Internet Industry Association

    . 327
    In February 1998, the Australian Internet Industry Association released a draft Industry Code of Practice. In the first instance, it is intended that complaints will be dealt with between the user and the Code Subscriber within a time frame specified by the Code. If this is not successful, however, the Code sets out other procedures including the appointment of a mediator, or the making of orders by the Code’s Administrative Council directing the subscriber to comply with the Code or to provide corrective advertising and/or the payment of compensation. The Council may also withdraw permission for a site to use its Code Compliance Symbol.

    (c) Enforcement through administrative, civil and criminal proceedings

    . 328
    State organs may provide redress either in the form of an administrative remedy through a central oversight authority or a judicial remedy through the court system. Judicial remedies may be either civil (where compensation and/or orders for compliance are typically provided for the breaches of privacy principles) or criminal (where sanctions are typically imposed on offending data controllers).

    Administrative proceedings

    Central oversight agencies

    . 329
    Privacy regimes often create central oversight agencies, such as a Data Protection Authority or a Privacy Commissioner. Such agencies will typically provide an administrative mechanism for resolving privacy complaints.

    . 330
    One reason for involving a central oversight authority is that individual data subjects may not have the expertise or investigative powers to determine exactly when or by whom their privacy was violated. A Data Protection Authority or Privacy Commissioner will also bring its experience and institutional authority to bear in attempting to resolve a privacy complaint.

    . 331
    The grounds upon which a complaint may be brought to a central oversight agency will depend on the terms of its empowering legislation, but typical reasons include breaches of privacy laws and, possibly, self-regulatory codes of conduct or privacy statements.

    . 332
    The powers of a specific central oversight agency, and the kinds of redress available to the data subject, will also depend on its empowering legislation, but typically such bodies are empowered to:

    . 333
    Decisions of central oversight agencies are often subject to review in the court system or through a specialist tribunal (such as the Data Protection Tribunal in the United Kingdom with respect to enforcement notices).

    Other administrative agencies

    . 334
    Other administrative agencies may become involved in resolving privacy complaints. Where the conduct complained of involves not only a breach of privacy principles but also of fair trading standards by, for example, violating the terms of a privacy statement, then complaints may be made to the administrative bodies charged with enforcing those standards. For example, in the US the Federal Trade Commission (FTC), in its role as an independent law enforcement authority, has broad powers to investigate and adjudicate complaints that businesses are engaging in unfair and deceptive conduct. The FTC has recently conducted an investigation against a company (it may not be appropriate to single out a company) for misleading its customers as to how their personal information was being used, which has resulted in a consent order being issued.

    Civil proceedings

    Breaches of privacy legislation

    . 335
    Privacy legislation may provide data subjects with the right to a judicial remedy for breach of privacy principles established by the legislation. Procedurally, such complaints are usually brought to court by the injured data subject. In addition, in some common law countries, actions may also be brought based on a tort of invasion of privacy.

    . 336
    A court may be given a wide variety of powers to provide suitable redress in a given case. The range of remedies which may be provided for include the power to:

    Violations of privacy statements, online agreements and transborder data flow contracts

    . 337
    The range of civil remedies available to a data subject is not limited to those found in privacy legislation. The general laws relating to breach of contract, fraud and fair trading may also apply where the data controller has violated the terms of a privacy statement, online agreement (such as the terms and conditions associated with a registration form) or a transborder data flow contract.

    . 338
    The breach of a privacy statement or online agreement may give rise to a number of possible civil remedies. Essentially, by providing notification of its privacy practices a Web site offers a commitment that it will follow these practices. Depending on the nature of the breach, most jurisdictions provide remedies for wrongful misrepresentations and/or fraudulent conduct if that commitment is broken.

    . 339
    A contractual remedy may also be available to Web site visitors. A contract is most likely to exist between the parties where they have entered an online agreement by, for example, explicitly agreeing to terms and conditions referred to in a registration form. However, the distinction between a posted privacy policy and an online registration agreement is often one of degree. For example, the Web site may include a "Terms and Conditions" section which is expressed like a contract but which, unlike a registration form, does not require the user to explicitly acknowledge their consent. In general, however, the more a privacy policy looks like a term of an agreement between the parties, the more likely it is to be given contractual effect and be capable of giving rise to a legal remedy for breach of contract. The contractual effect of a privacy clause will depend on the other terms of the contract (relating to, for example, jurisdiction and arbitration of disputes) and the laws of the jurisdiction in which it is being considered.

    . 340
    The breach of a transborder data flow contract by a data controller may also provide the basis for a judicial remedy for an affected data subject. Since the data subject will not usually be a party to this agreement, enforcement difficulties will exist in jurisdictions which do not permit claims by third party beneficiaries to a contract. The solution adopted in the German Railways - Citibank contract was to hold German Railways and the German Citibank subsidiary liable to German data subjects for any violations of the agreement by their American counterparts. Similarly, the Council of Europe Model Contract provides that damage caused to data subjects, through the use of the transferred data or upon termination of the contract, should be repaired by the party sending the data under domestic law or international private law.

    Alternative dispute resolution

    . 341
    Civil remedies need not be pursued exclusively through a court system. Alternative dispute resolution procedures may be followed by the parties where, for example, a contract provides for arbitration hearings. Both the Council of Europe Model Contract to Ensure Equivalent Data Protection in the Context of Transborder Data Flows and the Revised ICC Model Contract (May 1998 Draft) contain clauses which provide for the arbitration of disputes between the sending and receiving data controllers.

    Criminal proceedings

    Proceedings under privacy legislation

    . 342
    Privacy legislation may provide for criminal sanctions to be imposed in cases where there have been serious breaches of the legislation. One reason for such sanctions is to provide companies with a greater incentive to follow good privacy practices than would be provided merely by forcing the payment of compensatory damages when breaches have been proved. The range of entities who can bring criminal proceedings (for example, individual data subjects, data protection authorities and public prosecutors) and the range of available sanctions (for example, fines and prison sentences) will depend on the implementing legislation.

    Other criminal proceedings

    . 343
    In addition to criminal prosecutions based on privacy legislation, where a data controller falsely asserts that it is following a particular privacy policy, prosecutions may be possible under fair trading legislation.

    G. EDUCATING USERS AND THE PRIVATE SECTOR

    . 344
    The nature of the global information network makes educating users and commercial entities about privacy issues an important step for the protection of personal privacy. Education supplements all of the other guidance instruments and mechanisms referred to in this Inventory.

    . 345
    Global networks turn businesses into data controllers. The ease with which data are collected and transferred electronically means that online merchants find themselves dealing with far more personal data, far more often, than if they had remained off-line. More and more entities find themselves acting as data controllers and subject to data protection laws, codes of conduct and self-regulatory industry codes. The better educated these ISPs, online merchants, content providers, browser designers and bulletin board operators are in privacy matters, the more likely it is that good privacy practices will actually be implemented.

    . 346
    Global networks also raise new privacy issues for users. The emerging trend for privacy rights to be protected through technological tools and by exercising choice as to privacy options means that users will only be fully protected if they are knowledgeable enough to look after themselves. Unlike the off-line world, where individuals rarely have to consciously consider the privacy implications of their actions, the online public must be educated as to the consequences of where they go, what they say and what they do when on the Internet. For example, users should be aware of the information they reveal simply by browsing the Web, sending an email or posting a message to a newsgroup. They should also be alert to the consequences of agreeing to particular privacy practices, how to use privacy enhancing technologies and how to set appropriate browser settings for their desired level of privacy.

    . 347
    In addition to traditional methods of public education in schools, the workplace and the media, various Websites offer online advice on personal privacy protection on global networks. These sites are run by (1) international organizations, such as the Council of Europe; (2) government bodies, such as the FTC in the U.S. and many central oversight authorities in other parts of the world; and (3) private sector organizations, such as Project OPEN (the Online Public Education Network), the US Direct Marketing Association, the Center For Democracy and Technology, the Electronic Privacy Information Center, "Call for Action" and TRUSTe. Hyper-text links can be used to provide access to these sources of privacy information from Websites which collect personal information.

    APPENDIX

    CONTACT DETAILS FOR INTERNATIONAL AND REGIONAL ORGANISATIONS, NATIONAL SUPERVISORY AUTHORITIES AND NON-GOVERNMENTAL PRIVACY ORGANISATIONS

    A. International Governmental Organizations

    Council of Europe

    Data Protection Section
    Public Law Division
    Directorate of Legal Affairs
    Secretariat General
    PO Box 431 R6
    67006 Strasbourg
    FRANCE
    Telephone : (33) 88 41 2445
    Fax : (33) 88 41 2764
    Web : http://www.coe.int/T/E/Legal_affairs/Legal_co-operation/Data_protection/

    European Commission

    European Commission Legal Advisory Board
    European Commission DG XIII/E/2
    EUFO 1166
    Rue Alcide de Gasperi
    L – 2920 LUXEMBOURG
    Telephone : 35 24 301 32400
    Fax : 35 24 301 33190

    Directorate General XV-E1 (Free Movement of Information and Data Protection)
    Rue de la loi 200 (C 107)
    B 1049 Brussels
    BELGIUM
    Telephone : (32.2)2962264
    Fax : (32.2)2968010
    Web : http://www.europa.eu.int/index_en.htm

    Organization for Economic Co-operation and Development

    Information, Computer and Communications Policy Committee
    2 rue André-Pascal
    75775 Paris Cedex 16
    FRANCE
    Telephone : (33) 1 45 24 82 00
    Fax : (33) 1 45 24 93 32
    Web : http://www.sourceoecd.org/content/html/index.htm

    United Nations

    United Nations Centre for Human Rights
    8-14 Avenue de la Paix
    1211 Geneva 10
    SWITZERLAND
    Telephone : 41 22 917 3924
    Fax : 41 22 917 0213
    Web : http://www.unhchr.ch/hchr_un.htm

    World Trade Organization

    World Trade Organization
    154 Rue de Lausanne
    1211 Geneva 21
    SWITZERLAND
    Email:  enquiries@wto.org

    B. Data Protection Authorities

    Australia

    Australian Privacy Commissioner's Office
    GPO Box 5218
    Sydney NSW 1042
    AUSTRALIA
    Telephone : 61 2 9284 9610
    Fax : (02) 9284 9666
    E-mail : privacy@privacy.gov.au
    Web : http://www.privacy.gov.au/

    Austria

    Datenschutzkommission
    Ballhausplatz 1
    Vienna
    1014
    AUSTRIA
    Telephone : (43) 1 531 15 2528
    Fax : (43) 1 531 15 2690
    E-Mail : v3post@bka.gv.at

    Belgium

    Commission Consultative de la Protection de la Vie Privée
    Boulevard de Waterloo 115
    Rue de la Regence 61
    Bruxelles 1000
    BELGIUM
    Telephone : (32) 2 542 7200
    Fax : (32) 2 542 7212
    E-mail : privacy@euronet.be
    Web : http://www.privacy.fgov.be/

    Canada

    Privacy Commissioner of Canada
    112 Kent Street, 3rd floor
    Ottawa, Ontario
    K1A 1H3
    CANADA
    Telephone : 001 613 995-2410
    Fax : 001 613 995-1501
    Web : http://www.privcom.gc.ca/

    The Office of the Information and Privacy Commissioner of Ontario
    80 Bloor Street West
    Suite 1700
    Toronto, Ontario
    M5S 2V1
    CANADA
    Telephone : (416) 326-3333
    Fax : (416) 325-9195

    Information & Privacy Commissioner of British Columbia
    756 Fort Street, 3rd Floor
    Victoria, British Columbia
    V8W 9A4
    CANADA
    Telephone : (250) 387-5629
    Fax : (250) 387-1696
    E-mail : OIPC@gems5.gov.bc.ca
    Web : http://www.oipc.bc.ca/

    Information & Privacy Commissioner of Alberta
    410, 9925-109 Street
    Edmonton, Alberta
    T5K 2J8
    CANADA
    Telephone : (403) 422-6860
    Fax : (403) 422-5682
    E-mail : ipcab@planet.eon.net

    Ombudsman of Manitoba
    500 Portage Avenue, Suite 750
    Winnipeg, Manitoba
    R3C 3X1
    CANADA
    Telephone : (204) 786-6483
    Fax : (204) 942-7803

    Ombudsman of New Brunswick
    703 Brunswick Street
    P.O. Box 6000
    Fredericton, New Brunswick
    3B 5H1
    CANADA
    Telephone : (506) 453-2789
    Fax : (506) 457-7896

    Department of Justice of Newfoundland
    Confederation Building
    P.O. Box 8700
    St. John's, Newfoundland
    A1B 4J6
    CANADA
    Telephone : (709) 729-5942
    Fax : (709) 576-2129

    Information and Privacy Commissioner of the Northwest Territories
    P.O. Box 262
    Yellowknife, Northwest Territories
    X1A 2N2
    CANADA
    Telephone : (403) 873-8631
    Fax : (403) 920-2511

    Review Officer of Nova Scotia
    3-1601 Lower Water Street
    P.O. Box 1692, Postal Unit M
    Halifax, Nova Scotia
    B3J 3S3
    CANADA
    Telephone : (902) 424-4448
    Fax : (902) 424-3919

    Commission d'accès à l'information- Quebec
    900 René-Lévesque Boulevard East, Suite 315
    Quebec City, Quebec
    G1R 2B5
    CANADA
    Telephone : (418) 528-7741
    Fax : (418) 529-3102
    E-mail : Cai.Communications@cai.gouv.qc.ca
    Web : http://www.cai.gouv.qc.ca

    Information & Privacy Commissioner of Saskatchewan
    2220-12 Avenue, Suite 500
    P.O. Box 1037
    Regina, Saskatchewan
    S4P 3B2
    CANADA
    Telephone : (306) 787-8350
    Fax : (306) 757-4858

    Ombudsman and Information & Privacy Commissioner of the Yukon
    P.O. Box 2703
    Whitehorse, Yukon Territory
    Y1A 2C6
    CANADA
    Telephone : (403) 667-8468
    Fax : (403) 667-8469

    Denmark

    Registertilsynet
    Christians Brygge 28, 4 Fl
    DK-1559
    Copenhagen V
    DENMARK
    Telephone : (45) 33 14 38 44
    Fax : (45) 33 13 38 43
    Web :  http://www.datatilsynet.dk/

    Finland

    Finnish Data Protection Ombudsman
    Albertinkatu 25, 3.krs
    PO Box 315
    SF-00181 Helsinki
    FINLAND
    Telephone : (358) 9 182 57830
    Fax : (358) 9 1825 7835
    Web : http://www.tietosuoja.fi

    France

    Commission Nationale de l'Informatique et des Libertés
    21 Rue Saint-Guillaume
    75007 Paris
    FRANCE
    Telephone : (33) 1 4544 4065
    Fax : (33) 1 4549 0455
    E-mail : CNIL@world-net.sct.fr
    Web : http://www.cnil.fr

    Germany

    Der Bundesbeauftragte für den Datenschutz
    Riemenschneider Str. 11,
    53175 BONN
    GERMANY
    Telephone : (49) 228 819 95 10
    Fax : (49)228 819 95 50
    E-Mail : poststelle@bfd.bund400.de
    For the addresses of the Laender data protection authorities see: http://www.datenschutz-berlin.de/sonstige/behoerde/aufsicht.htm

    Greece

    Greek Data Protection Authority
    12, Vlaoritou Street
    EL-10671 ATHENS
    GREECE
    Telephone : (30) 1 361 31 17
    Fax : (30) 1 362 90 47

    Hungary

    Parliamentary Commissioner for Data Protection and Freedom of Information
    1054 Budapest
    Tüköry u. 3.
    HUNGARY
    Telephone : (36) 1 269 3537
    Fax : (36) 1 269 3529

    Iceland

    Icelandic Data Protection Commission
    Arnarhvoll
    150 Reykjavik
    ICELAND
    Telephone : (354) 1 609010
    Fax : (354) 1 27340

    Ireland

    Irish Data Protection Commissioner
    Mr. Fergus Glavey
    Block 4, Irish Life Centre
    Talbot Street
    Dublin 1
    IRELAND
    Telephone : 353 1 874 8544
    Fax : 353 1 874 5405
    E-Mail : fergus_glavey@dataprivacy.irlgov.ie

    Italy

    Italian Guarantor of the Protection of Personal Data: Garante per la protezione dei dati personali
    Largo del Teatro Valle, 6
    00186 Rome
    ITALY
    Telephone : 00 39 6 681861
    Fax : 00 39 6 6818669
    E-Mail : mc7796@mclink.it
    Web : http://www.privacy.it/

    Luxembourg

    Commission consultative à la protection des données
    Ministère de la Justice
    16 boulevard Royal
    2934 LUXEMBOURG
    Telephone : (352) 478 4546
    Fax : (352) 227 661

    The Netherlands

    Registratiekamer
    Prins Clauslaan 20
    P O Box 93374
    2509 AJ Den Haag
    NETHERLANDS
    Telephone : (31) 70 3811300
    Fax : (31) 70 3811301
    E-Mail : mail@registratiekamer.nl

    New Zealand

    Office of the Privacy Commissioner of New Zealand
    PO Box 466
    Auckland
    NEW ZEALAND
    Telephone : (64) 9 302 2160
    Fax : (64) 9 302 2305
    E-mail : privacy@iprolink.co.nz

    Norway

    Norwegian Data Inspectorate: Datatilsynet
    Postboks 8177 Dep
    0034 OSLO
    NORWAY
    Telephone : 47 22 42 19 10
    Fax : 47 22 42 23 50
    E-Mail : postkasse@datatilsynet.no
    Web : http://www.datatilsynet.no

    Poland

    Generalny Inspektor Danych Osobowych
    Sejm RP ul. Wiejska 4/6/8
    PL 00-950 Warszawa
    POLAND

    Portugal

    Comissão Nacional de Protecção de Dados Pessoais Informatizados
    Rua de Sao Bento 148
    1200 Lisboa
    PORTUGAL
    Telephone : (351) 1 396 6190
    Fax : (351) 1 397 6832
    E-Mail : cndpi@mail.telepac.pt

    Spain

    Spanish Data Protection Agency: Agencia de Protección de Datos
    Paseo de la Castellana 41,
    28046 Madrid
    SPAIN
    Telephone : (34) 1 308 4017
    Fax : (34) 1 308 4692

    Sweden

    Datainspektionen
    Box 8114
    S-104 20 Stockholm
    SWEDEN
    Telephone : (46) 8 657 6100
    Fax : (46) 8 652 8652
    Email : datainspektionen@din.se

    Switzerland

    Eidgenössischer Datenschutzbeauftragter
    Federal Data Protection Commissioner
    CH - 3003 Berne
    SWITZERLAND
    Telephone : 41 31 322 4395
    Fax : 41 31 3259996
    Web : http://www.edsb.ch

    United Kingdom

    UK Data Protection Registrar
    Wycliffe House
    Water Lane
    Wilmslow
    Cheshire SK9 5AF
    ENGLAND
    Telephone : 44 1625 545700
    Fax : 44 1625 24510
    E-Mail : data@wycliffe.demon.co.uk
    Web:  http://www.ukonline.gov.uk

    United States

    Federal Trade Commission
    6th & Pennsylvania Avenue, N.W.
    Washington, D.C. 20580
    Telephone : (202) FTC-HELP (382-4357)
    Fax : (202) 326-2012 attn: CRC
    Web : http://www.ftc.gov/index.html

    Department of Commerce
    14th & Constitution Avenue, N.W.
    Washington, D.C. 20230
    Telephone : (202) 482-3845
    Fax : (202) 501-2548
    E-mail : ecommerce@itc.doc.gov
    Web : http://www.commerce.gov/

    Office of Management and Budget
    Executive Office of the President
    New Executive Office Building, Room 9026
    725 17th Street, NW
    Washington, D.C. 20503
    Web :  http://w3.access.gpo.gov/usbudget/index.html

    Federal Communications Commission
    445 12TH Street, S.W.
    Washington, D.C. 20554
    Telephone : 202 418 0200
    Fax : 202 418 0232

    Department of the Treasury
    1500 Pennsylvania Avenue, NW
    Washington, D.C. 20220
    Telephone : 202 622 2000
    Fax : 200 622 6415
    Web : http://www.ustreas.gov/

    United States Department of Health and Human Services
    200 Independence Avenue, SW
    Washington DC 20201
    Telephone : 202 619 0257
    E-mail : hhsmail@os.dhhs.gov
    Web : http://www.os.dhhs.gov/

    C. Non-Governmental Organizations

    Asia-Pacific Smart Card Forum
    G.P.O. Box 1966
    Canberra ACT 2601
    AUSTRALIA
    Telephone : 612 6247 4655
    E-mail : info@interact98.com.au

    Center For Democracy and Technology
    1634 Eye Street NW
    Suite 1100
    Washington DC 20006
    Telephone : 1 202 637 9800
    Fax : 1 202 637 0968
    Web : http://www.cdt.org/

    Electronic Privacy Information Center
    66 Pennsylvania Avenue
    SE Suite 301
    Washington DC 20003
    Telephone : 1 202 544 9240
    Fax : 1 202 547 5482
    E-mail : info@epic.org
    Web : http://www.epic.org/

    Privacy International
    666 Pennsylvania Avenue
    SE Suite 301
    Washington DC 20003
    Telephone : 1 202 544 9240
    Fax : 1 202 547 5482
    E-mail : pi@mail.privacy.org
    Web : http://www.privacyinternational.org/

    PrivacyExchange.Org
    c/o Centre for Social and Legal Research
    Hackensack
    New Jersey
    Telephone : 201 996 1154
    Fax : 201 996 1183
    Web : http://www.PrivacyExchange.org/
