Unclassified                                                                                     DSTI/ICCP/REG(98)12/FINAL

Organization for Economic Co-operation and Development                                                                                                                              Dist. :  19-May-1999

COMMITTEE FOR INFORMATION, COMPUTER AND COMMUNICATIONS POLICY

Working Party on Information Security and Privacy

INVENTORY OF INSTRUMENTS AND MECHANISMS CONTRIBUTING TO THE IMPLEMENTATION AND ENFORCEMENT OF THE OECD PRIVACY GUIDELINES ON GLOBAL NETWORKS

INVENTORY OF INSTRUMENTS AND MECHANISMS CONTRIBUTING TO THE IMPLEMENTATION AND ENFORCEMENT OF THE OECD PRIVACY GUIDELINES ON GLOBAL NETWORKS

The Inventory was prepared by the Secretariat to survey the available instruments and mechanisms (including law, self-regulation, contracts and technology) contributing to the implementation and enforcement of the OECD Privacy Guidelines on global networks. Such a study was intended to serve to identify a range of technological policy and legal tools which may be used as a resource for providing seamless, or at least effective protection.

The Inventory has been compiled by the Secretariat, incorporating contributions from Member countries, International and Regional organizations and the Business and Industry Advisory Committee (BIAC). The OECD Working Party on Information Security and Privacy decided at its meeting on 21-22 October 1998 to finalize the Inventory. At its meeting on 1-2 March 1999 the Working Party approved the finalized Inventory, noting that Section I was current as at March 1999 and Section II as at December 1998. The Working Party recommended that the Inventory be transmitted to the Information, Computer and Communications Policy (ICCP) Committee for declassification. The ICCP Committee subsequently approved the declassification of the Inventory at a meeting on 4-5 March 1999.

The following more recent changes have come to the attention of the Secretariat:

• On 21 April 1999, Poland signed the Council of Europe Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention 108).

INVENTORY OF INSTRUMENTS AND MECHANISMS CONTRIBUTING TO THE IMPLEMENTATION AND ENFORCEMENT OF THE OECD PRIVACY GUIDELINES ON GLOBAL NETWORKS

2)  The report "Implementing the OECD Privacy Guidelines in the Electronic Environment: Focus on the Internet" (DSTI/ICCP/REG(97)6/FINAL) proposed that OECD Member governments:

 4)  With the goal of identifying appropriate practical solutions which could be implemented irrespective of the different cultural approaches, the Workshop sessions addressed the following issues:

6)  The Chair noted widespread consensus that the protection of personal privacy requires: education and transparency; flexible and effective instruments; full exploitation of technologies; and enforceability and redress.

7)  The Chair also highlighted the need to survey the available instruments (including law, self regulation, contracts, and technology) in order to describe their practical application in a networked environment and their ability to further the objectives of the OECD Guidelines (including effectiveness, enforceability, redress and coverage across jurisdictions). Such a study would serve to identify a range of technological policy and legal tools which may be used as a resource for providing seamless, or at least effective privacy protection.

8)  At its May 1998 meeting, the Group of Experts on Information Security and Privacy agreed that an Inventory of Instruments and Mechanisms Contributing to the Implementation and Enforcement of the OECD Privacy Guidelines on Global Networks (Inventory) would be prepared by the Secretariat for consideration, comment and approval at its forthcoming meetings.

9)  The OECD Working Party on Information Security and Privacy decided at its meeting on 21-22 October 1998 to finalize the Inventory. At its meeting on 1-2 March 1999 the Working Party approved the finalized Inventory, noting that Section I was current as at March 1999 and Section II as at December 1998. The Working Party recommended that the Inventory be transmitted to the Information, Computer and Communications Policy (ICCP) Committee for declassification. The ICCP Committee subsequently approved the declassification of the Inventory at a meeting on 4-5 March 1999.
 
 
 

11)  Simply "browsing" on the Web can make a considerable quantity of information available to the sites visited, even if much of this information is needed to enable Internet interaction and much of it is maintained in aggregate form. Whenever a Web page is accessed, certain "header information" is made available by the "client" (the user’s computer) to the "server" (the computer that hosts the Web site being accessed). This information can include:

13)  Personal data is also often disclosed voluntarily. Many commercial sites ask users to complete and submit Web page forms in order to register; subscribe, join a discussion group, enter a contest, make suggestions or complete a transaction. The kind of data which are typically requested may include information such as the user’s name; address, home or work telephone number and e-mail address. Data relating to age; sex, marital status, occupation, income and personal interests is also sometimes collected. In addition, purchasing forms will usually require credit card details, including the card type, number and expiration date. If a visitor is asked to send information to a Web site by e-mail, then the site (like any e-mail recipient) will be able to ascertain the visitor’s e-mail address from the "e-mail header".

14)  "Cookies" are small data packets created by a Web site server and stored on the user’s hard drive. Cookies were developed to assist in client/server interaction and data collection, and may be accessed by the server during current and subsequent visits to the Web site. Cookies may be used to facilitate the collection, aggregation and re-use of header, click-stream and voluntarily disclosed data. This is typically accomplished by assigning a unique code to each visitor and storing this number in a cookie which is retrieved each time the site is visited. Information which is subsequently collected about the user can then be linked to this code number.

15)  Thus, although the development of global networks and digital technology has brought many social and economic benefits, recent technology increases the risk that personal information may be automatically generated; collected, stored, interconnected and put to a variety of uses by online businesses or government bodies, without the data subject’s knowledge or consent.

16)  This Inventory focuses on the various overlapping and complementary instruments, practices, techniques and technologies which are used, or are being developed, to define, implement and enforce privacy principles in networked environments.

17)  The Inventory is divided into two main Sections. Section I, describes the international, regional and national instruments, both legal and self-regulatory, which exist, or are being developed for the protection of personal data and privacy in OECD Member countries. Special attention is paid to instruments which have been specifically developed for the online environment. Section II, discusses the mechanisms which exist, or are being developed, to implement and enforce privacy principles on global networks. In addition, a list of contact details for many of the public, private, national, regional and international privacy organizations mentioned in this Inventory are included in the Appendix.
 
 
 

19)  At the international and regional levels, a number of government and private sector multilateral organizations have produced, are producing, or intend to produce, texts and standards aimed at promoting privacy protection. These organizations are also for ongoing research, policy formulation and dialogue between governments, businesses, academics and public-interest groups. The instruments that have been developed through such organizations have greatly influenced many national laws and self-regulatory instruments on privacy protection.

20)  At the national level, in most countries the protection of privacy and personal data involves a combination of legislative instruments, government agencies and industry-based self-regulation. All OECD Member countries have laws of one sort or another that affect the processing of personal data. A number of countries have enacted "comprehensive" laws which apply personal data protection principles in a general fashion to both the public and private sectors. Other data protection legislation is more sectoral, applying only to a specific sector (such as government agencies) or a particular type of data (such as health data).

21)  Most OECD Member countries have also created central oversight authorities, commonly known as Data Protection Officers or Privacy Commissioners. The roles and powers of these bodies vary from country to country, but generally include advice-giving, the investigation of complaints and enforcement actions.

22)  Self-regulation is seen in some OECD Member countries as a flexible and efficient solution to the protection of online privacy by allowing market forces and industry-led initiatives to provide innovative solutions. Self-regulatory instruments may broadly be defined as rules developed and enforced by the entities to whom they are intended to apply. Independent third parties may play a role in enforcement of self-regulation. However, public authorities may also be involved in the development, implementation and enforcement of industry codes and guidelines. Governments can work with the private sector to develop criteria for effective privacy protection which the private sector can implement through self-regulatory codes. In a number of jurisdictions self-regulatory codes are seen as a way of implementing privacy legislation in the context of a specific industry, or as an aid to interpreting general privacy principles. In some OECD Member countries such as Ireland and New Zealand, industry codes can, on receiving official approval, have the force of law.

A.  International and regional instruments and Organizations

    1)  Intergovernmental legal instruments

        a.  OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data

23)  e Recommendation concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (the OECD Guidelines) was adopted by the Council of the OECD on 23rd September 1980. Council Recommendations are not binding legal instruments but reflect a "political" commitment by Member countries. The Council recommended that "Member countries take into account in their domestic legislation the principles concerning the protection of privacy and individual liberties set forth in the Guidelines", that they "endeavor to remove, or avoid creating, in the name of privacy protection, unjustified obstacles to transborder flows of personal data", and that they "co-operate in the implementation of the Guidelines".

24)  The principles that comprise the OECD Guidelines have been applied in Member countries and other countries through a variety of instruments.

25)  The Guidelines are widely acknowledged as an internationally accepted and technologically neutral set of privacy principles that have stood the test of time. They apply to "any information relating to an identified or identifiable individual", and their scope encompasses public and private sector data, all media for the computerized processing of data on individuals (from local computers to networks with global ramifications) and all types of data processing.

26)  The OECD Privacy Guidelines establish eight basic principles to govern the handling of personal information. These "Privacy Principles" are:

27)  The OECD Guidelines tend to avoid the imposition of unnecessary impediments to transborder data flows. Legitimate restrictions are, however, recognized. For example, a Member country may impose transfer restrictions on "certain categories of personal data for which its domestic privacy legislation includes specific regulations in view of the nature of those data and for which the other Member country provides no equivalent protection".

28)  The OECD Guidelines create a framework for future co-operation. The areas of future co-operation include; ensuring that procedures for transborder flows of personal data and for the protection of privacy are simple and compatible with those of other Member countries, establishing procedures to facilitate information exchange, and developing principles, domestic and international, to identify applicable laws of Member countries in the case of transborder flows of personal data.

30)  The OECD, through the ICCP Committee continues to work in the area of privacy and data protection and provides a forum for discussing new issues, such as the challenges presented by the emergence of global networks.
 

        b.  Council of Europe Convention for the Protection of individuals with regard to automatic processing of personal data

31)  Convention No. 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data of 18 September 1980 (Convention 108) was opened for signature by the Committee of Ministers of the Council of Europe on 28 January 1981. Since then, it has been signed by 23 Countries and ratified by 21. Convention 108 which is open to the accession of any State, and not only to the members of the Council of Europe is a binding instrument in international law.

32)  The terms of the Convention apply to automated personal data files and automatic processing of personal data in the public and private sectors.

33)  The Convention’s basic principles are similar to those in the OECD Guidelines, but include a principle requiring appropriate safeguards for special categories of data (sensitive data) that reveal racial origin, political opinions or religious or other beliefs, that concern health or sexual life, or that relate to criminal convictions.

34)  The principles of the Convention provide for the free flow of personal data between parties to the Convention who provide equivalent protection.

35)  For the purposes of mutual assistance in the implementation of the Convention, each party to the Convention designates an authority to furnish information on its laws and administrative practices in the field of data protection. In addition, Articles 18-20 establish the Consultative Committee which represents Member States and makes proposals as to the application of the Convention.

36)  Each contracting State undertakes to take the necessary measures in its domestic law to give effect to the basic principles of data protection, but the manner of implementation is left for each State to decide. Under Article 10, States undertake to establish "appropriate sanctions and remedies for violations of domestic law giving effect to the basic principles".

37)  Through the Consultative Committee, the Council of Europe continues its work in the area of privacy protection. The Council of Europe’s Project Group on Data Protection has also issued draft Guidelines on "The Protection of Privacy on the Internet" (May 1998).

        c.  United Nations Guidelines for the Regulation of computerized personal data files

38)  The United Nations High Commissioner for Human Rights’ Guidelines for the Regulation of Computerized Personal Data Files (Resolution 45/95 of 14 December 1990) (UN Guidelines) were adopted by the United Nations General Assembly pursuant to Article 10 of the UN Charter. This Article empowers the General Assembly to make recommendations to Members States. Members must take the Guidelines into account when implementing national regulation concerning computerized personal data files, but the procedures for implementing those regulations are left to the initiative of each State.

39)  The UN Guidelines apply to computerized personal data files (both public and private) and may be (optionally) extended to manual files and to files on legal persons. Part A of the Guidelines are intended as the minimum privacy guarantees that should be provided in national legislation. Part B of the Guidelines are intended to apply to personal data kept by governmental international organizations.

40)  The "Principles concerning the minimum guarantees that should be provided in National Legislation" broadly reflect the basic principles in the OECD Guidelines. In addition the UN Guidelines restrict the compilation of "sensitive data" within the "Principle of non-discrimination".

41)  Paragraph 9 of the UN Guidelines provides for free transborder data flows between countries with "comparable safeguards".

42)  Regarding domestic legislation (Part A), Article 8 recommends that each country establish an independent authority to oversee application of the privacy principles set out in the Guidelines. In addition, violations of national implementing law should lead to "criminal or other penalties ... together with the appropriate individual remedies".

43)  With respect to governmental international organization (Part B), the creation of supervisory bodies is also recommended.

44)  A 1997 report of the UN Secretary-General looks at the implementation of the Guidelines within the United Nations system and at the national and regional levels.

45)  Directive 95/46/EC of the European Parliament and of the Council of the European Union of 24 October 1995 on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such Data (EU Directive) is a binding instrument that the 15 EU Member States were required to implement by 24 October 1998.

46)  The Directive applies generally to the processing of personal data by a "controller" in an EU Member State. It applies to data about natural persons, whether held by the public or private sector. Computerized data processing and most categories of manual processing are covered.

47)  The information privacy principles contained in Chapter II of the EU Directive are broader and more detailed than those in the OECD Guidelines. In addition to the OECD principles, the EU Directive contains, inter alia, special provisions for sensitive data, detailed disclosure requirements, registration provisions, "opt-out" rights for data subjects to refuse commercial solicitations and redress rights.

48)  The EU Directive transborder data flows within the EU on the basis of equivalent protection provided in all Member States and allows transfers to third countries which provide adequate protection. Member States are not permitted to inhibit the free movement of personal data within the EU simply for reasons of privacy protection, because of the equivalent and high level of protection ensured by the Directive throughout the Community. A transfer of data outside the EU may take place to third countries which guarantee an "adequate" level of protection. Adequacy is to be assessed "in the light of all the circumstances surrounding a data transfer operation [with] particular consideration ... given to the nature of the data, the purpose and duration of the proposed processing operation ... the country of origin and the country of final destination, the rules of law, both general and sectoral, in force in the third countries in question and the professional rules and security measures which are complied with in that country". Exceptions apply where, for example, the consent of the data subject has been obtained.

49)  The EU Directive defines the role of the supervisory authority or data protection body in each Member State as a key aspect of implementation and enforcement of the domestic law enacting the Directive. These authorities must act with complete independence and should have a wide range of powers that include investigative authority, intervention powers and the ability to engage in legal proceedings.

50)  With respect to enforcement, the EU Directive provides for judicial remedies, liabilities and sanctions. It states that persons shall be entitled to judicial remedies and compensation from data controllers for damage suffered as a result of unlawful processing. Member States have to adopt suitable administrative, civil or criminal sanctions.

51)  Article 28 requires supervisory authorities to co-operate with one another as necessary, and in particular to exchange useful information.

52)  The Directive establishes two bodies, one consultative (Article 29) and one "decision-making" (Article 31), to assist the European Commission with issues related to data processing.

53)  The Article 29 Working Group has already issued a number of reports and recommendations including "Orientations on Transfers of Personal Data to Third Countries - Possible Ways Forward in Assessing Adequacy" and "Judging Self-Regulation".

54)  On 15 December 1997, Directive 97/66/EC was adopted by the European Parliament and the Council. This Directive complements Directive 95/46/EC with respect to the processing of personal data and the protection of privacy in the telecommunications sector. It provides for the harmonization of the provisions of the Member States required to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy, with respect to the processing of personal data in the telecommunications sector and to ensure the free movement of such data and of telecommunications equipment and services in the Community.

        (e) General Agreement on Trade in Services

55)  The General Agreement on Trade in Services (GATS) is a multilateral agreement which aims to promote free trade in services. GATS is administered by the World Trade Organization (WTO). Article XIV recognizes that GATS does not prevent Member States from adopting measures necessary to secure "the protection of the privacy of individuals in relation to the processing and dissemination of personal data and the protection of confidentiality of individual records and accounts". However, Article XIV limits what a country can do with regard to privacy protection by subjecting it to the requirement or safeguard that any such measures must not be applied in a discriminatory manner and must not constitute a disguised restriction on trade in services.

2. International Conferences and Discussion Forums Concerning Privacy Protection

56)  International conferences and discussion forums play an important role in contributing to information exchange, education and the development of instruments on privacy protection.

        (a) Annual International Conferences of data protection commissioners

57)  From 1979 International Data Protection Commissioners’ Conferences have been held annually. The Conferences have no particular legal status and do not vote on resolutions. Rather, they are a forum of information exchange. The 20th International Conference of Data Protection Authorities took place in Santiago de Compostela, Spain.

        (b) Conferences of the EU data protection commissioners

58)  The annual Conferences of the EU Data Protection Commissioners provide an opportunity to develop common approaches to privacy protection and to address topical issues such as, telecommunications and police files.

        (c) International Working Group on Data Protection in Telecommunications

59)  The International Working Group on Data Protection in Telecommunications, led by the Data Protection Commissioner of Berlin, was initiated by the data protection commissioners from a number of countries to improve privacy and data protection in telecommunications and media. The "Budapest-Berlin Memorandum" on data protection on the Internet discusses the issues surrounding legal and technical protection of Internet user privacy.

        (d) International Organization for Standardization

60)  The International Organization for Standardization (ISO) is a world-wide federation of national standards bodies from around 130 different countries. The ISO’s work results in international agreements which are published as International Standards. In May 1996, the Consumer Policy Advisory Committee of ISO passed a unanimous resolution in favor of a proposal to develop an international standard on privacy based on the Canadian Standard Association Model Code for the Protection of Personal Information. An Ad Hoc Advisory Group on Privacy undertook a study on behalf of the ISO to examine whether there is a need, under the pressure of the technological advances in the global information structures, for an international standard to address information privacy, measure privacy protection and ensure global harmonization. The Advisory Group concluded in June 1998 that it was premature to reach a determination on the desirability and practicality of ISO undertaking the development of international standards relevant to the protection of personal privacy.

        (e) International Chamber of Commerce

61)  The International Chamber of Commerce (ICC) represents international businesses all over the world and has produced a number of documents and industry codes relating to the protection of personal privacy and information flows. These have included a range of marketing codes and guidelines, including guidelines for Internet advertising, with privacy provisions. The ICC has also published a proposed model contract for transborder flows of personal data which builds on the 1992 ICC/Council of Europe/European Commission model contract.

        (f) International Federation of Direct Marketing Associations

62)  The International Federation of Direct Marketing Associations (IFDMA) is a collaboration of national and regional direct marketing associations. Its aims include fostering industry programs of self-regulation and consumer education. The data protection "Online Principles" formulated by the IFDMA encourage direct marketers to post their privacy policies online in a manner that is easy to find, read and understand. The principles include special provisions with respect to children’s on-line activities.

        (g) Electronic Commerce Europe

63)  Electronic Commerce Europe (ECE) is a group of European electronic commerce businesses and associations who are working on drafting a Code of Conduct for Electronic Commerce.

        (h) Online initiatives for privacy information exchange

64)  A number of privacy orientated non-governmental organizations have created Web sites to provide information on online privacy issues. These organizations include, inter alia:

• the Electronic Privacy Information Center (EPIC), a public interest research center established to focus public attention on emerging online civil liberties issues and to protect privacy;
• The Center For Democracy and Technology (CDT), a public interest organization working for public policies that advance civil liberties and democratic values in new computer and communications technologies;
• Privacy International, a human rights group formed to act as a watchdog on surveillance by governments and corporations; and
• PrivacyExchange.Org, a group intended to provide timely information on national data protection laws and practices, and distribute model policies, agreements and codes of conduct.

Australia

Laws

Commonwealth / Federal Laws

65)  The Privacy Act 1988 provides privacy protection with respect to federal government agencies in Australia. The Act establishes the office of the Privacy Commissioner and sets out eleven Information Privacy Principles (IPPs) based upon the OECD Guidelines. The Commissioner can receive complaints, conduct investigations and make determinations (including compensation orders) that are enforceable in the Federal Court of Australia.

66)  The Privacy Act has a limited application to the private sector. In particular, it allows the Privacy Commissioner to issue guidelines in relation to tax file numbers. The Act also regulates the information handling practices of the consumer credit reporting industry.

67)  On 16 December 1998 the Government announced that it would develop a light-touch legislative scheme to support and strengthen self-regulatory privacy protection in the private sector. The legislative scheme will support the existing self-regulatory approach by recognizing codes developed by business and providing a legislative framework to apply where such codes are not in place. The legislative framework will be based on the National Principles for the Fair Handling of Personal Information (the National Principles) issued by the Privacy Commissioner. The National Principles set out privacy standards that are based on the OECD privacy guidelines.

68)  Consultation on the development of legislation to establish this scheme is underway.

Other federal laws with privacy provisions

69)  Other Commonwealth legislation provides privacy protection for specific types of information, such as "spent" criminal convictions (Part VIIC, Crimes Act 1914 protects a person against the unauthorized use of certain criminal convictions after ten years) and taxation information (Taxation Administration Act 1953), and for specific procedures, such as the interception of telecommunications and the disclosure of personal information by telecommunications companies (Telecommunications Act 1997). The Data-matching Program (Assistance and Tax) Act 1990 provides privacy protections in relation to the matching of personal information relating to tax and social welfare benefits by Commonwealth Government Departments.

State and Territory laws

70)  There are many State and Territory laws which provide some form of privacy protection. In the Australian Capital Territory, for example, there is legislation dealing with privacy and the confidentiality of personal health information. In late 1998 New South Wales enacted the Privacy and Personal Information Protection Act 1998 (NSW) which provides protection with respect to the NSW public sector. In South Australia a Cabinet Administrative Instruction (No. 1 of 1989) implements guidelines (based on the federal IPP’s) for State government agencies. Finally, a Data Protection Bill has been proposed by the Victorian Government which would have the effect of applying the National Principles in both the private and public sectors.

Self-Regulatory Instruments

71)  Since the release of the National Principles some key industry bodies have developed codes of conduct based on the National Principles. For example, in February 1999, the Internet Industry Association released their Internet Industry Code of Practice for adoption. It is anticipated that codes based on the National Principles will be able to be given effect as part of the proposed legislative scheme discussed above.

72)  In February1999, the Australian Internet Industry Association released Internet Code of Practice. In the first instance, it is intended that complaints will be dealt with between the user and the Code Subscriber within a time frame specified by the Code. If this is not successful, however, the Code sets out other procedures including the appointment of a mediator and orders by the Code’s Administrative Council directing the subscriber to comply with the Code or to provide corrective advertising and/or the payment of compensation. The Council may also withdraw permission for a site to use its Code Compliance Symbol.

Austria

Laws

Federal comprehensive laws

. 73
The Federal Data Protection Act of 1978 (Datenschutzgesetz. BGBl. Nr. 565/1978) regulates the use of computerized data in the public and private sectors, creates a central registration system and provides civil remedies and criminal sanctions. A new law is being prepared to implement the EU Data Protection Directive.

. 74
An independent Commission (the Datenschutzkommission), is responsible for enforcing the law, administering the registration system and authorizing transborder data flows. The Commission acts on specific complaints against public data controllers, and can impose sanctions for certain actions, such as breaches of transborder data flow authorizations. A Council for Data Protection also exists and may be referred to by the Commission for advice on certain matters. Complaints against private data controllers must be brought before the courts.

. 75
The Chamber of Commerce and the Federal Chancellery run a court of arbitration, the Schlichtungsstelle-Datenschutz, which hears complaints against businesses who have not complied with a request by a data subject to access, correct or delete personal information.

Other federal laws with privacy provisions

. 76
There are many federal laws in Austria which relate to personal privacy. For example, the Austrian Telecommunications Act (1997) imposes confidentiality and data protection obligations on suppliers of public telecommunication services. The use of personal information by direct marketing businesses is governed by Section 268 of the Industrial Code (1994). Finally, the Genetic Engineering Act 1994 contains data protection provisions relating to genetic data.

Implementation of the EU Directive

. 77
A first draft of the Datenschutzgesetz was submitted to Parliament recently..

Laender (State) laws

. 78
The role which individual Land will play in data protection is presently being considered in the context of implementing the EU Directive.

Self-regulatory instruments

. 79
Whilst there are no codes of conduct in Austria which deal exclusively with privacy, members of the banking sector have codes in place containing general privacy clauses.

Belgium

Constitution

. 80
Privacy rights are contained in Articles 22 and 32 of the Belgian Constitution.

Laws

Comprehensive laws

. 81
The Law on the Protection of Privacy Regarding the Processing of Personal Data (1992) applies to both the public and private sectors in Belgium. The Law is supplemented by Royal Decrees with respect to, for example, sensitive data and information regarding criminal convictions. The law is supervised by an independent Commission within the Ministry of Justice, the Commission Consultative de la Protection de la Vie Privee. The Commission handles data processing registrations and may also advise the government on privacy matters.

. 82
In terms of recourse for individuals, applications may be made to the Tribunal de Première Instance for rulings on the rights arising under the Law. The Law also includes criminal sanctions for breach of privacy obligations.

Other laws with privacy provisions

. 83
The Law of 30 June 1994 provides for privacy protection in the context of wire-tapping and the recording of private telecommunications.

Implementation of the EU Directive

. 84
A draft law designed to implement the Directive and based on the structure of the 1992 Law, is now before the Belgian Parliament.

Self-regulatory instruments

. 85
The Internet Service Providers Association of Belgium has a Code of Conduct, approved by the Plenary Assembly, which encourages its members to comply with privacy protection law in their use of clients’ personal data.

Canada

Laws

Federal laws

. 86
The Privacy Act (1983) applies to virtually all federal public sector institutions in Canada. The Act regulates the confidentiality, collection, correction, disclosure, retention and use of personal information, and gives data subjects the right to examine information held about them and to request that errors be corrected. The Act reflects the principles of the OECD Guidelines.

. 87
The Privacy Commissioner is appointed by Parliament to investigate complaints and audit compliance with the Act by federal agencies. The Commissioner has the authority to conduct investigations, attempt to resolve disputes, and issue recommendations. Disputes about the right of access to personal information that are not resolved in this manner can be taken to the Federal Court for review.

Federal approach to privacy in the private sector

. 88
The Canadian federal government introduced privacy legislation to protect personal information in the private sector on October 1, 1998 Bill C-54. The Personal Information Protection and Electronic Documents Act, has received its second reading and is currently being studied by the Standing Committee on Industry, which will report back to Parliament in the Spring of 1999. The legislation will initially extend privacy protection to the federally-regulated private sector as well as inter-provincial and international trade in personal information. Three years later the legislation will apply to the remaining private sector organizations which fall under provincial jurisdiction. If a province enacts substantially similar legislation, the commercial organizations operating under its jurisdiction will be subject to the provincial law. At this time, only the province of Quebec has such legislation. The obligations and rights set out in the bill are those of the Canadian Standard Association’s Model Code for the Protection of Personal Information which is a recognised national privacy standard that is modeled on the OECD Guidelines. Individuals have access and redress rights and the federal Privacy Commissioner will exercise oversight by investigating and reporting on complaints. The Commissioner has ombudsman powers but complainants may bring unresolved matters to the Federal Court, as may the Commissioner, and the Court has the power to issue binding orders and award damages.

Provincial laws

. 89
Most Canadian Provinces have passed privacy legislation governing the public sector and the majority of this legislation reflects the principles included in the OECD Guidelines. Various sectoral statutes provide privacy protection in areas such as personal health information.

. 90
Quebec is the only province where general legislation, the Act Respecting the Protection of Personal Information in the Private Sector (1993), regulates the handling of personal information by private sector organizations, including corporations, sole proprietorships, partnerships, organizations and associations. The Act governs the collection and use of personal information and provides individuals with a right of access and correction, disputes are resolved before the Commission d'accès à l'information, the agency which is responsible for oversight and redress for public sector information access and privacy rights in the province. It is noteworthy that the law has special provisions which apply to lists of names used for marketing purposes and to transfers of information about Quebec residents to third parties outside of the province.

Self-regulatory instruments

The CSA model code

. 91
Canada has a widely accepted model code of conduct with respect to privacy. The Model Code for the Protection of Personal Information was developed by the Technical Committee on Privacy of the Canadian Standards Association (CSA) and was adopted as a National Standard by the Standards Council of Canada in 1996. The Code reflects the OECD Guidelines, but also requires companies to identify an officer accountable for compliance to whom complaints may be addressed.

. 92
The CSA has prepared a workbook, "Making the CSA Privacy Code work for You", to assist in the development of compliant codes (which may be certified by the Quality Management Institute, a division of the CSA). In terms of ensuring ongoing compliance with a code, the workbook highlights the importance of independent audits by duly certified auditors. Private sector codes may be certified as complying with the CSA standard by a quality registrar and a company may cite the standard in an ISO 9000 registration. There are a variety of ways in which a company may demonstrate compliance, e.g. the Canadian Bankers’ Association Privacy Model Code was verified by Price Waterhouse.

Other initiatives

. 93
A number of companies and associations have or are in the process of developing CSA based privacy codes, including Stentor (the alliance of telecommunications providers), the Canadian Marketing Association, the Canadian Bankers Association, the Insurance Bureau of Canada, the Canadian Television Standards Association and the Canadian Medical Association.

Instruments relating to online privacy

. 94
The Canadian Association of Internet Providers’ (CAIP’s) voluntary Code of Conduct requires CAIP members "to respect and protect the privacy of their users" and comply with all applicable laws. Enforcement is by a complaint-driven process to be established by each member.

Czech Republic

Laws

Comprehensive laws

. 95
The Protection of Personal Data in Information Systems Act became effective on 1 June 1992. The Act covers computerized data on natural persons and applies to both the public and private sectors.

. 96
This Act broadly conforms with the principles of the OECD Guidelines and sets down specific provisions for sensitive data. It contains civil remedies for breaches that are administered through the courts. There is no data protection commissioner in the Czech Republic at this time.

. 97
In anticipation of the Czech Republic joining the EU, the Government has appointed the Office for the State Information System (OSIS) to prepare the legislation that will be compatible with the EU Data Protection Directive. The new legislation will establish the framework for an independent supervisory body. It is not expected that the legislation will receive Parliamentary approval before the middle of 1999.

Other laws with privacy provisions

. 98
A Bill is being prepared by the Czech Telecommunication Office in co-operation with OSIS which will implement the terms of EU Directive 97/66/EC on the protection of privacy in the telecommunications sector. A proposal for the Digital Signature Law is also being prepared by the Office for the State Information System (OSIS) which will implement the terms of the EU Directive on a common framework for electronic signatures.

Denmark

Constitution

. 99
According to section 72 of the Constitution, regarding the sanctity of the home, it is forbidden, without a prior court order, to search an individual’s house, open their letters or tap their telephone. It is generally accepted in Danish judicial theory that this section can be interpreted to also apply to data stored electronically and any form of telecommunication. The authorities may not, for example, open and examine one’s e-mail without prior consent. They may intercept and open the message via the telecommunications networks only if they have a court order which allows them to. The main rule being that a search requires a prior court order, a search without a prior warrant may therefore only take place in exceptional cases where it is deemed absolutely necessary. A general permission is granted in accordance with the Law on Civil and Criminal Proceedings. Outside the scope of criminal proceedings, permission to perform administrative searches is granted under numerous laws, for example, to carry out an inspection by the Data Surveillance Authority of the locations of public filing systems.

Laws

. 100
The Law on Public Access ensures (§ 4 section 1) that any citizen may have access to documents which form part of public authority decisions. The wide access to documents is, however, limited by section 3 of § 4, which requires that the person seeking access is able to identify the case which he is applying for access to.

. 101
The following documents are exempt from access; records of criminal proceedings, application and procedures regarding the employment of civil servants and documents intended for internal use only. These exemptions may be divided into two categories 1) personal data concerning individual citizens in accordance with § 12. 2) types of data to which access is denied for reasons of public policy, in accordance with §13. An example of the first category of data would be the political affiliation of a person. An example of a public policy interest that may outweigh access in the second category of data would be national security.

. 102
The Danish laws on public and private filing systems have been in effect since 1979. The laws provide privacy protection with respect to both governmental agencies and to filing systems kept by private entities.

. 103
The Law on Public Filing Systems is applicable to computerized filing systems held by public authorities containing personal information in accordance with § 1, section 1. The law applies only to the administration.

. 104
One of the purposes of the Law on Private Filing Systems is to ensure that economic and personal data about private citizens, institutions, societies, and companies are only recorded by private persons to the extent that they serve fair interests and that the recorded data are processed in a satisfactory way. The law contains a general ban on private parties systematically processing personal data, but does, however, contain certain exceptions to this rule. The law applies to any systematic processing (gathering, recording and passing on) of personal and economic data, carried out by private parties (persons or companies) by electronic data processing (EDP)) or, in some instances, manual processing.

. 105
The Danish Media law regulates the liability of the mass media (traditional news and IT related news). The media law is closely related to the Penal Code, because several of the punishable media offenses relate to the rules on privacy in the Penal Code.

. 106
The Danish Penal Code, § 152, contains a prohibition for civil servants to illegally process or use confidential information, obtained through their work. The section contains the legal basis on which employees who abuse their duty of confidentiality may be fined. The Article states that the mere obtaining of information is permitted, but it is illegal to process or abuse that personal data. However, the obtaining of the information may be subject to ordinary disciplinary sanctions. § 152a-d states that the duty of confidentiality (and the sanctions affiliated to this) extends to include persons who are not civil servants, but who in some way perform duties for the public administration.

. 107
§ 263 of the Penal Code, subsection one, deals with the situation where someone opens another person’s mail, searches their private premises or listens in on their conversations. These rules can easily be interpreted to cover the situation in which someone gains unauthorized access to another person’s e-mail messages or intercepts their messages via telecommunications networks. Subsection 2 covers the situation in which someone gains unauthorized access to programs or personal information destined to be used in a computer system. Intercepting data transmissions is also included in this subsection.

. 108
Under section § 264 d, it is a crime to pass on information or pictures concerning the personal affairs of other individuals. New network capabilities facilitate the circulation of such information to a much wider range of persons than was previously possible.

. 109
The Data Surveillance Authority monitors both public and private filing systems. It is organized under the competence of the Ministry of Justice, but complaints etc., about the authority cannot be brought before the Minister of Justice and he has no authority to instruct the Data Surveillance Authority, in other words the Authority is independent. This is known as functional independence, and is an important element of securing the integrity of the data subject.

Implementation of the EU Directive

. 110
A proposal to implement the EU Directive was introduced to the Danish Parliament (the Folketinget) on 30 April 1998 but has not yet been adopted.

Self-regulatory instruments

. 111
The Ombudsman for consumer issues is preparing a set of ethical rules aimed at use of the Internet, at this time there is no information on when the work will be completed.

. 112
Other self regulatory initiatives include:

• Fabel, an organization to promote the responsible use of e-mail;
• FIB, an organization for Internet users, with the purpose of trying to secure rights for Internet users; and
• FIL, an organization consisting of Internet service providers. The organization has worked to provide a set of rules protecting users.

Constitution

. 113
Section 8 of the Finnish Constitution provides that each individual’s privacy, honor and domicilary peace shall be protected and that the use of personal data shall be prescribed by law.

Laws

Comprehensive laws

. 114
The Personal Data Act (1999) covers computerized and manual records of natural persons in both the public and private sectors. There are two overseeing bodies, the Data Protection Ombudsman who has investigative and advisory powers, and the Data Protection Board who hears cases pursuant to the Act and has the power to authorize the export of sensitive data to other countries. If recommendations made by the Ombudsman are not observed, the Ombudsman may refer the case to the Data Protection Board. The decisions of the Data Protection Ombudsman and the Data Protection Board are subject to appeal in accordance with the provisions of the Administrative Judicial Procedure Act. .

. 115
The Personal Data Act includes civil remedies (for example, data controllers must compensate data subjects for unlawful data use) and criminal sanctions for violations.

Other laws with privacy provisions

. 116
Sectoral legislation, such as the Statistics Act, the Act on the Medical Research Development Center and the Act on the Protection of Privacy and Data Security in Telecommunications, contain privacy protection provisions.

Implementation of the EU Directive

. 117
The Personal Data Act conforms with the EU Directive. It extends the rights of data subjects and the powers of the data protection authorities. It also includes a provision for the approval of sectoral codes of conduct by the authorities. Work on implementing the Directive in specialized legislation is also underway. A Government proposal for an Act on the Protection of Privacy in Working Life was put before Parliament in 1998 but it was returned to the Ministry of Labor for further preparations.

Self-regulatory instruments

. 118
The Finnish Rules for Electronic Consumer Trade were prepared jointly by the Finnish Direct Marketing Association and the Federation of Commerce and Trade. The introduction notes that an electronic vendor should follow the Personal Data Act and other data protection laws. The Rules include provisions regarding; data security, the recording of personal data about consumers (making reference to the EU Data Protection Directive) and the right to opt-out.

France

Laws

Comprehensive laws

. 119
Law No. 78/17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties covers computerized and manual records on natural persons and applies to the public and private sectors. Law 78/17 was modified by Law No. 94-548 which introduced a special regime for the processing of personal health data for research purposes. Law 78/17 is supplemented by the Penal Code.

. 120
Law 78/17 establishes a central registration system which is administered by an independent data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL). The data protection authority’s role includes informing and advising the public on rights and obligations under the law, examining data processing proposals in the public sector prior to their implementation, and proposing changes in the law in line with technological developments. The authority acts on its own initiative or on complaints and queries, it carries out investigations and ensures that data subjects may exercise rights of access.

. 121
Unlawful processing or transfer of named data is punishable under Law 78/17 by fines and/or imprisonment. A criminal prosecution for breach of the Act may be brought by an individual data subject or a prosecuting authority.

Other laws with privacy provisions

. 122
Sectoral laws with privacy provisions include, inter alia, the Labor Code and the Law on Video Surveillance (1995).

Implementation of the EU Directive

. 123
A report on implementing the EU Directive was issued on 3 March 1998, and a Bill is being prepared by the Ministry of Justice. The Bill will be discussed at ministerial level before submission to the French Parliament. The National Commission for Human Rights and the CNIL will be consulted on the draft law.

Self-regulatory instruments

Instruments relating to online privacy

. 124
The "Charte de l’Internet" (Internet Charter) is a self-regulatory initiative established on the ground of national legislation. This Charter, aimed at Internet actors, creates an independent supervisory body, the "Conseil de l’Internet" (Internet Council), with advisory and mediation powers. The Charter stipulates that users should have the right to use services anonymously, and imposes an obligation on Internet actors to inform users of the data being collected.

Other initiatives

. 125
SEVPCD, a professional association for distance marketers, has developed a code of conduct designed to accord with the Law 78/17. Only members who comply with these rules are entitled to display the Association’s emblem, and violations may result in disciplinary proceedings before the Association’s Supervisory Committee.

Germany

Laws

Federal comprehensive laws

. 126
Germany’s Federal Data Protection Act (1990) is applicable to computerized and manual records of natural persons. The Act distinguishes between public and private data controllers. Public sector name-linked files must be registered with the independent Federal Data Protection Commissioner who is elected by Parliament. The supervisory authorities for the private sector are designated by the laws of each German State (Land). Private organizations are required, under certain circumstances, to appoint data protection supervisors to see that the law is observed.

. 127
Anyone may lodge a complaint with the Federal Data Protection Commissioner if they believe that their rights have been infringed through the collection, processing or use of personal data by a Federal authority. Complaints against private sector organizations may similarly be made to the Laender supervisory authorities. In terms of sanctions, the Act creates administrative penalties and criminal offenses.

Other Federal laws with privacy provisions

. 128
The German Federal Government has enacted a significant number of specific issue laws and regulations dealing with privacy, including legislation on; national registers and archives, federal statistics; population registers, the storage and transfer of personal data concerning foreigners in Germany (the Central Register of Foreigners Act (1994)), and telecommunications (the Federal Telecommunications Act (1996) and the Telecommunications Carriers Data Protection Ordinance).

. 129
Article 2 of the Federal Information and Communication Services Act (1997) governs the processing of personal data in the networked environment. The Act refers to the anonymous use of teleservices, technical devices to minimize the amount of personal data collected and procedures for obtaining electronic consent.

Laender (State) laws

. 130
Each Land has its own data protection law covering its public sector, as well as its own data protection authority. The Data Protection Commissioners of the Federation and the Laender hold regular conferences.

Implementation of the EU Directive

. 131
The Federal Government and Laender are currently working on new legislation to implement the EU Directive. Some of the Laender Commissioners have issued draft implementation proposals and have published Guidelines on transborder flows of data to countries without adequate protection provisions.

Self-regulatory instruments

. 132
The approach to privacy protection in Germany is currently based on laws rather than self-regulatory mechanisms.

GREECE

Constitution

. 133
The Greek Constitution contains rights to personal and family privacy (Article 9) and secrecy (Article 19).

Laws

Comprehensive laws

. 134
The Law No. 2472/97regardingthe Protection of the Individual Against Processing of Personal Data was approved on 26 March 1997 and implements the EU Directive. The Law covers computerized and manual personal data on natural persons, and applies to the public and private sectors. The Law also establishes an independent Data Protection Authority to oversee the registration system, enforce the Law, promote the adoption of sectoral voluntary codes and impose sanctions for violations.

. 135
The Law gives data subjects the right to be informed of, and have access to, their personal data and to apply to Court for the suspension of certain processing operations. The Law provides civil damages for losses caused in contravention of the law, administrative sanctions (such as fines and the cancellation of data processing licenses) and criminal sanctions.

Other laws with privacy provisions

. 136
Law No. 2225/94 protects freedom of correspondence and communication.

Self-regulatory instruments

. 137
There are no specific privacy codes of conduct in Greece, however the Codes of Conduct of the Journalists Association and the Greek Banks Association both refer to the protection of privacy.

HUNGARY

Constitution

. 138
The Hungarian Constitution includes a right to the protection of personal data (Article 59).

Laws

Comprehensive laws

. 139
The law on the Protection of Personal Data and Disclosure of Data of Public Interest (1992) covers both computerized and manual data regarding natural persons, applies to both the public and private sectors and includes a limited registration system. An independent Parliamentary Commissioner for Data Protection and Freedom of Information was elected pursuant to the Act in 1995. The Commissioner is responsible for observing the implementation of the Act, investigating complaints and maintaining the Data Protection Register.

. 140
The Act, which includes the basic principles in the OECD Guidelines, gives data subjects a number of rights over their personal data (including correction/deletion of data). The Act also provides for remedies (including compensation) for breaches. Remedies may either be pursued through application to the Commissioner or by initiating court proceedings.

Other laws with privacy provisions

. 141
There are a number of specific-issue laws with provisions relating to data protection. These include Acts concerning the national registry; the handling of research and direct marketing information, the handling of medical data, education, archives, the police, banking and national security.

Self-regulatory instruments

. 142
Examples of self-regulatory initiatives can be found in the co-operation between direct marketing companies and in the rules adopted by, for example, Hungary’s National Association of Journalists. The Office of the Data Protection Commissioner offers professional consultation to those in charge of drafting ethics regulations.

Iceland

Laws

Comprehensive laws

. 143
Iceland’s data protection legislation, Act Nr. 121 Concerning the Registration and Handling of Personal Data (28 December 1989), is applicable to both the public and private sectors. The legislation covers computerized and manual personal data of natural and legal persons. The legislation also establishes a central registration system which is overseen by the Icelandic Data Protection Commission. The Commission’s other functions include handling violations of the Act, and authorizing the processing of data abroad.

. 144
Data subjects have rights of access to personal data, and can demand rectification or deletion. Data subjects can also request that their names be deleted from direct mailing lists. If there is a dispute over a data subject’s rights, the matter can be referred to the Data Protection Commission. The Commission can make orders in cases where the data subject’s rights have been infringed.

. 145
The 1989 Law contains criminal sanctions for the infringement of certain provisions.

Ireland

Constitution

. 146
The Irish Constitution recognizes a right to privacy.

Laws

Comprehensive laws

. 147
The Data Protection Act 1988 covers computerized personal data of natural persons and establishes a limited registration system applying to certain categories of data controllers including the public sector, holders of sensitive data, financial institutions, and organizations involved in direct marketing, debt collection and credit reference.

. 148
The Act establishes the government-appointed post of Data Protection Commissioner. The Commissioner enforces the law by investigating complaints, prosecuting offenders, supervising registrations and encouraging the development of sectoral codes of conduct. The Data Protection Commissioner’s decisions may be challenged in the courts.

. 149
The Act establishes data protection principles which must be observed regardless of registration. The breach of one of these principles does not involve a criminal offense per se, however, if the Commissioner investigates a complaint and issues a Statutory notice, failure to comply without reasonable excuse becomes an offense. The Act provides for specified criminal offenses such as unauthorized disclosure. Civil litigation may be used by data subjects to seek compensation for violations of the Act.

Other laws with privacy provisions

. 150
Ireland also has specific statistical data laws, as well as regulations made pursuant to the Data Protection Act which relate to privacy and the protection of personal data.

Implementation of the EU Directive

. 151
A draft Bill to implement the EU Directive has been submitted to the Attorney-General’s office and will go to Parliament before mid July 1999. This follows the "Consultation Paper on Transposition into Irish Law" produced by the Department of Justice Equality and Law Reform (November 1997).

Self-regulatory instruments

. 152
The Irish Direct Marketing Association’s (IDMA’s) Code of Conduct provides guidance on the application of the Data Protection Act to direct marketing. In terms of enforcement, a company official should be appointed to ensure compliance and carry out reviews, complaints may be addressed to the IDMA Board whose powers include expulsion from the Association.

. 153
Sectoral codes of conduct may be validated by the Irish Parliament, thereby giving them force of law.

Italy

Laws

Comprehensive laws

. 154
Italy’s Data Protection Act (adopted on 31 December 1996) implements the EU Directive. Following the Directive, the Act covers both computerized and manual personal data of natural and legal persons in the public and private sectors. The supervisory office established to oversee the implementation of the Act is the Guarantor of the Protection of Personal Data. The Guarantor supervises the registration process, investigates complaints and assists in the development of sectoral codes.

. 155
The Act provides that organizations who cause damage by the unlawful processing of personal data are liable to pay damages pursuant to the Italian Civil Code. Breaches of the Act may be pursued either through the courts or via the Guarantor.

. 156
The Guarantor may fine organizations for failing to provide information required by the Act. The Act also includes criminal sanctions (imprisonment) for violations such as unlawful processing. As a "collateral punishment" convictions can be published in the press.

Other laws with privacy provisions

. 157
Laws and regulations with privacy provisions include; legislative decrees pursuant to the Data Protection Act; telecommunications legislation; Labor Decree n. 39/93 which establishes the Authority for Information Technology in the Public Administration to support public agencies in the development and use of information systems; and Law No. 59 of 15 March 1997 (supplemented by Presidential Decree No. 513 of 10 November 1997) which concerns the use of computerized data in the public sector.

. 158
The Legislative decree No. 171 of 13.05.98 published in the Official Journal of 03.06.98, includes provisions for the protection of privacy in the telecommunications sector. It implements the EC Directive 97/66, of the European Parliament and the Council and applies to journalistic activities. Security and confidentiality of telecommunications are provided for in Articles 2 and 3, respectively, whereas under Article 4 traffic and billing data must be canceled or made anonymous upon termination of a call, except as laid down in the selfsame article.

. 159
A draft legislative decree was recently approved by the Council of Ministers which includes technical rules for the creation, transmission, keeping, duplication, reproduction and validation of documents created by computer-based means. This decree was referred to in Article 3 of legislative decree No 513 (see above) with regard to the public sector, as yet it has not been published in the Official Journal.

Self-regulatory instruments

. 160
A voluntary Code of Conduct which addresses privacy on the Internet was approved by the Associazone Italiana Internet Providers (AIIP) in early 1998. The AIIP is also working in conjunction with the Italian Supreme Court and the Milan Chamber of Commerce, to establish regulatory and dispute settlement bodies, and create an online arbitration forum.

Japan

Laws

Public sector laws

. 161
The Act on Protection of Computer Processed Personal Data held by Administrative Organs (1988) controls computer-processed personal data held by national agencies in Japan. The Act generally conforms to the OECD Guidelines. The legislation is co-ordinated by the Management and Co-ordination Agency (MCA) within the Prime Minister’s Office. Data users are accountable to the MCA, who also provides advice on the implementation of the Act.

. 162
Under the Act, data subjects have a right of access to their personal data, and can complain to the "head" of the data user about difficulties in exercising this right.

Approach to privacy regulation in the private sector

. 163
Basic Guidelines on the Promotion of an Advanced Information and Telecommunications Society (the Prime Minister’s Office 1998) have been produced which include the following direction on the issue of privacy (1) the private sector should take the initiative to formulate guidelines, registration systems and mark granting systems specific to each area of industry and business, (2) on the other hand, governmental regulations concerning entities dealing with highly confidential information, such as personal credit data and medical data which could be damaging if leaked, should be taken into account. In short, the Government will be required to promote independent efforts in the private sector, as well as be expected to review the situation, taking into consideration legal regulations. The Government must also make the necessary efforts to encourage business to disclose to consumers the manner in which they protect personal data.

. 164
The report of "A Consultation Meeting for Protection and Utilisation of Personal Credit Data" (the Ministry of International Trade and Industry, the Ministry of Finance, 1998) indicated the need for legal regulation for protecting personal credit data. The report of the "Study Group on Privacy Protection in Telecommunications Services" (the Ministry of Posts and Telecommunications (MPT), 26 October 1998) also indicated the need for a legal background to make "Guidelines on the Protection of Personal Data in Telecommunications Business" effective. The Japanese Government has also actively encouraged the adoption of codes of conduct by the private sector (see below).

Local authority laws

. 165
There are a large number of Ordinances enacted by local authorities in Japan that provide privacy protection for manual and/or computerized data. While most Ordinances are only applicable to local government bodies, some extend to the private sector.

Self-regulatory instruments

. 166
In March 1997, the Ministry of International Trade and Industry (MITI) published "Guidelines Concerning the Protection of Computer Processed Personal Data in the Private Sector". The MITI Guidelines apply to electronically processed personal data and are intended to serve as a model for industry codes. They take into account both the OECD Guidelines and the EU Directive. According to the MITI Guidelines, a manager should be appointed in each organization to implement the Guidelines. A "System of Granting Privacy Marks" that certifies enterprises abiding by industry codes (based on the MITI Guidelines) which required the maintenance of appropriate levels of privacy protection was established by the Japan Information Processing Development Center in April 1998. This system also ensures that consumers can easily distinguish between the different levels of personal-data protection offered by enterprises.

. 167
The Electronic Network Consortium (ENC) has produced "Guidelines for Protecting Personal Data" (December 1997) which reflect the OECD Guidelines. They apply to anyone handling personal data in electronic networks and are intended to encourage service providers to take a uniform approach to the management and protection of personal data.

. 168
Electronic commerce business associations have also produced privacy codes of conduct. The Cyber Business Association, in consultation with the MPT, has produced voluntary "Guidelines for Protecting Personal Information in Cyber Business" (December 1997). Guidelines have also been produced by the Electronic Commerce Promotion Council (ECOM). The ECOM Privacy Issues Working Group has issued "Guidelines Concerning the Protection of Personal Data in Electronic Commerce in the Private Sector" (March 1998) which are based on the MITI Guidelines, and contain special provisions for children by requiring the consent of parents or guardians. They are intended as a model for individual companies.

. 169
In terms of self-regulation by Internet Service Providers (ISPs), the Telecom Services Association (TELESA) has also developed a model Code of Conduct which includes provisions on privacy and the protection of personal data.

. 170
In April 1998, Japan’s Data Communications Association launched a Mark Granting System to certify telecommunications carriers and service providers which provide appropriate privacy protection in their handling of personal information.

. 171
MPT established "Guidelines on the Protection of Personal Data in Telecommunications Business" in 1991 which were revised in 1998. The Guideline stipulates five basic principles which telecommunications carriers and ISPs should observe; collection limitation, use and disclosure limitation, security safeguards and individual participation and accountability. Six extra clauses were included which focus on issues peculiar to the telecommunications sector; traffic data, itemised billing and calling line identification, etc. Also in 1998, the Telecommunications Business Law was amended and a Petition System was established. Users can file complaints and petitions with MPT about telecommunications services charges, other conditions and their manner of operations, including handling of users’ personal data. This is expected to work as a proper mechanism for individuals to redress privacy infringement. MPT established some other Guidelines including; "Guidelines for the Protection of Personal Caller Information in the Use of Caller Identification Services" (1996) and "Guidelines on Protection of Subscriber’s Personal Information in Broadcasting" (1996).

. 172
Other self-regulatory privacy initiatives include the Center for Financial Industry Information Systems which produced "Guidelines on the Protection of Personal Data for Financial Institutions" based on the OECD Guidelines.

. 173
In March 1999, the Ministry of International Trade and Industry established a Japanese Industrial Standard (JIS) entitled "Requirement for Compliance Program on Personal Information Protection" to standardise the level of protection of personal data in enterprises.

Korea

Constitution

. 174
The Constitution of Korea stipulates that every citizen shall not have their right to confidentiality and freedom of privacy (Article 17), and freedom of communication (Article 18) infringed.

Laws

Public sector laws

. 175
The Protection of Personal Information by Public Organizations Act governs the protection of personal information in the public sector. The Act reflects the principles in the OECD Guidelines and obliges public organizations to act carefully and promote confidentiality in dealing with personal data. Citizens are given the right to access their own personal data and the opportunity to have corrections made.

Other laws with privacy provisions

. 176
The Use and Protection of Credit Information Act focuses on the protection of personal data in financial transactions. For example, the Act prohibits a financial institution from revealing or sharing personal/financial data without the data subject’s written consent. Korea also has an Act on the Protection of Confidentiality in Communications.

Approach to privacy in the private sector

. 177
The Telecommunications Network Use Proliferation Act was amended in January 1999 to institutionalise the protection of personal data in the private sector, reflecting the principles in the OECD Guidelines. The revised Act, which will be in effect as of January 2000, authorizes the Government to place specified restrictions on information and telecommunications service providers in case they abuse or misuse an individual’s personal data.

Self-regulatory instruments

. 178
There are no private sector self-regulatory initiatives in Korea at the present time, although discussions are expected.

LUXEMBOURG

Laws

Comprehensive laws

. 179
The Nominal Data (Automatic Processing) Act (1979) covers computerized and manual personal data of physical and legal persons held in both the public and private sectors. The Data Protection Consultative Commission (the Commission consultative à la protection des données) works under the auspices of the Minister responsible for data banks, it performs an advisory function. The Minister is also assisted by an oversight authority, the autorité de contrôle. Breaches of the privacy legislation can be referred to a prosecuting authority by the Minister.

. 180
The 1979 Act provides criminal sanctions (imprisonment or fines) for breaches of its provisions.

Other laws with privacy provisions

. 181
A number of sectoral regulations have been passed pursuant to the Act. For example, regulations have been passed with respect to police and medical data files.

Implementation of the EU Directive

. 182
A parliamentary Bill has been drafted to implement the EU Directive. It was introduced to the Chamber of Deputies on 8 October 1997.

Mexico

Constitution

. 183
Articles 6 and 7 of the Mexican Constitution provide for the right to information. Article 16 states that private communications are inviolable and the law will provide criminal sanctions for acts which violate the freedom and privacy of such communications.

Laws

Federal laws

. 184
The Federal District Penal Code provides sanctions for breaches of privacy rights by public servants with respect to personal information collected and maintained by public authorities.

The Netherlands

Constitution

. 185
A constitutional right to privacy is contained in Article 10 of the Constitution of The Netherlands.

Laws

Comprehensive laws

. 186
The Data Protection Act (1988) (as supplemented by a Royal Decree of 1993 with respect to sensitive data) applies to both the public and private sectors, and covers computerized and manual records. The Act’s registration requirements are administered by the independent Registration Chamber (the Registratiekamer). The Registration Chamber has the power to investigate breaches of the law and to enforce its provisions. It can conduct an inquiry on its own initiative.

Other laws with privacy provisions

. 187
There has been specific legislation in The Netherlands regarding police files (Police Registration Act (1991)) and medical data (Medical Treatment Information Act (1995)). There is also a regulation of 14 May 1994 concerning personal data about foreigners.

Implementation of the EU Directive

. 188
The Data Protection Act of 1988 will be replaced by the new Personal Data Protection Act. This law aims to implement the EU Directive 95/46/EC, it elaborates on some issues in the Directive which have been vaguely defined. It applies to both the public and private sectors and covers computerized and manual records. It differs in some ways to the preceding Data Protection Act. It applies to the processing of personal data by automatic and manual means. The law contains regulations on the following issues; conditions for lawful processing of personal data, codes of conduct of organizations, supply of information to and options for the data subjects, and publicity of data processing to controlling organizations and a broader public. The law also includes legal protection governing, liability of the data controller responsible, international data transfers and the relationships with other laws. The role of the Registration Chamber remains the same. The Personal Data Protection Act will be in force not earlier than May 1999. The implementation has been delayed due to heavy resistance from both private sector lobby organizations and the national consumer protection agency that made a proposal for private sector own codes of conduct.

. 189
If a request for the provision of information or the rectification of personal data is refused by a data controller, then the data subjects may apply to the District Court for review. The Personal Data Protection Act also provides criminal sanctions for violations.

. 190
The implementation of the EU Directive 97/66/EC is in its final stage. The Telecommunications Act of which Chapter 11 is concerned with privacy issues, has been in force since 15 December 1998. Three specific arrangements in the form of Governmental Decrees must still be prepared. They concern Article 11.4 (specified bills), 11.5 (anonymising) and 11.7 (automatic call systems). These are expected to be finalized in 1999.

Self-regulatory instruments

. 191
The law in The Netherlands encourages individual business and professional sectors to develop their own codes of conduct. The Registration Chamber is responsible for approving such codes which do not become legally binding, but are intended to give guidance in interpreting the law. Some 12 codes of conduct have been approved (examples include the Association of Commercial Information Bureaus, the Banking Association and the National Chipcard Platform). In December 1998 the Dutch private sector lobby organization made a proposal to implement 10 codes of conduct as a minimum level of privacy protection throughout all sectors. The further development of this proposal and the consequences for the implementation of the Personal Data Protection Act are not known yet.

New Zealand

Laws

Comprehensive laws

. 192
The Privacy Act 1993 applies to computerized and manual "personal information" held by almost all public and private sector organizations in New Zealand. The core of the Act is a set of 12 Information Privacy Principles (IPP’s) which are based on the OECD Guidelines. The Act also includes rules on data matching between government agencies.

. 193
The Act establishes the position of a Privacy Commissioner (an independent officer of the Crown) who has the power to investigate and mediate complaints. The Commissioner may issue sectoral Codes of Practice which are enforceable in the same way as the IPP’s.

. 194
Neither the IPP's nor specific Codes of Practice create directly enforceable legal rights. Rather an alleged breach may form the basis of a complaint to the Commissioner who has broad powers of investigation and conciliation. Complaints which cannot be settled by consent are referred to a Complaints Review Tribunal which has broad relief-granting powers.

Other laws with privacy provisions

. 195
Issue specific laws with privacy provisions include the Official Information Act 1982, the Local Government Official Information and Meetings Act 1987, the Electoral Act 1993 and the Domestic Violence Act 1995.

Self-regulatory instruments

. 196
In terms of the Internet industry, the Internet Society of New Zealand has developed an "Internet Service Provider Code of Practice".

. 197
The Privacy Act also provides for the development of Codes of Practice which have the force of law. A Code may determine compliance and complaints procedures and may be more or less stringent than the IPP’s but, once approved by the Privacy Commissioner, it replaces those principles for that specific agency, type of information, activity or industry group. Examples of Codes that have been developed pursuant to the Act are the Health Information Privacy Code 1994 and the Justice Sector Unique Identifier Code 1998.

Norway

Laws

Comprehensive laws

. 198
Norway’s 1978 legislation for the protection of personal data covers both the public and private sectors and applies to manual and computerized records on natural and legal persons. Subsequent amendments to the Act cover direct postings, telemarketing and consumer credit information.

. 199
The Act introduces a central registration system which is administered by an independent Data Inspectorate (the Datatilsynet). The Data Inspectorate enforces the Act and conducts inspections of data practices. The Ministry of Justice is the appeal body for decisions made by the Inspectorate.

. 200
Under the Act, individuals have the right to inspect personal data, to request that corrections be made and to prevent their names from being used in the distribution of advertising. There is also special protection for sensitive data. willful or negligent violations of the conditions of a license, or the terms of the Act, are punishable by fines or imprisonment. Persons suffering as a result of breach are entitled to compensation from the violator.

Other laws with privacy provisions

. 201
There are many provisions in Norwegian legislation which relate to protection of privacy. These include; the Telecommunication Act which concerns the protection of privacy in the telecommunication sector, and Rules of professional secrecy in the Public Administration Act and the National Register Act, which both limit government use of personal data.

. 202
The Ministry of Health and Social Affairs has drafted a proposal for an Act relating to health records and the electronic processing of such records. The proposal will probably be introduced to the Norwegian Parliament in Spring 1999.

Other instruments to protect personal data

. 203
The Basic Agreement between the Norwegian Confederation of Trade Unions (LO) and the Confederation of Norwegian Business and Industry (NHO) contains provisions of protection of personal data. The Agreement has special provisions regarding storing and use of personal data in private enterprises.

Implementation of the EU Directive

. 204
Following the adoption of the EU Directive, and in the light of technological developments in data collection, a government committee was appointed to consider legislative changes. The Norwegian Parliament will consider the committee’s proposals for revised legislation before the end of 1999.

Self-regulatory instruments

. 205
The government committee, charged with revising the Personal Data Registers Act, proposed that individual businesses and professional sectors should develop their own codes of conduct concerning personal data. In this regard the Committee made reference to Article 27 of the EU Directive on data protection, and the 1980 OECD Guidelines.

Poland

Constitution

. 206
Article 51 of the Polish Constitution confers rights of protection for personal data.

Laws

Comprehensive laws

. 207
The Act on the Protection of Personal Data (1997) applies to manual and electronic data files and conforms with Convention 108 and the EU Directive. The data protection authority established under the Act is the General Inspector for Personal Data Protection. The Act contains a number of criminal sanctions (fines or imprisonment).

Other laws with privacy provisions

. 208
An Order of the Ministry of Health in 1993 includes clauses protecting medical data.

Portugal

Constitution

. 209
Article 35 of the Portuguese Constitution confers constitutional rights to privacy.

Laws

Comprehensive laws

. 210
The Protection of Personal Data Act (1991) covers computerized data of natural persons, is applicable to both the public and private sectors and provides for a central registration system. The Act also creates a National Commission for the Protection of Automated Personal Data (the Comissao Nacional de Proteccao de Dados Pessoais Informatizados). The Commission is responsible for administering the registration system, hearing complaints and enforcing privacy rights under the Act and the Constitution. The Commission also oversees the matching of computerized personal files and its authorization is required for transborder flows.

. 211
The Act creates a right of access for data subjects along with a right of correction/erasure. Violations of the Act, as well as the Constitution, are criminal offenses.

Other laws with privacy provisions

. 212
There are a number of laws and regulations containing data protection provisions in Portugal. These include the Law on Computer Crime (1991), regulations establishing institutions such as the Registry of Non-Donors of Human Organs and the Identity Card Center, and regulations controlling the databases operated by the Gendarmerie, the Border and Foreign Services and the Criminal Police.

Implementation of the EU Directive

. 213
In September 1997 a number of changes were proposed to Article 35 of the Constitution to conform with the principles of the EU Directive. In addition, a new data protection law has been approved by the Government and is currently before the Portuguese Parliament.

Spain

Constitution

. 214
Article 18.4 of the Spanish Constitution states that "the law shall limit the use of data processing in order to guarantee the honor of personal and family privacy of citizens and the full exercise of their rights".

Laws

Comprehensive laws

. 215
The Law on the Regulation of the Automated Processing of Personal Data (1992) covers computerized records in the public and private sectors. Its implementation is overseen by an independent public authority, the Data Protection Agency. The Agency provides prior authorizations for the creation of databases, receives complaints and may make orders regarding public sector violations of the Law. It recently produced "Recommendations for Internet Users" which warn of the privacy risks associated with the Internet.

. 216
The Law provides that sanctions should be determined according to the nature and size of the violation.

Other laws with privacy provisions

. 217
There is a Spanish Law on public statistics which contains privacy provisions.

Implementation of the EU Directive

. 218
Work on revising the privacy legislation to meet the requirement of the EU Directive is underway.

Self-regulatory instruments

. 219
The Spanish Association of Electronic Commerce (which is part of the Spanish Direct Marketing Association) has a Code of Conduct on Internet privacy. The Code advises its members of the privacy implications of operating on the Internet, specifying that users should be informed of their rights of access, rectification and deletion.

Sweden

Constitution

. 220
The Swedish Constitution (The Freedom of the Press Act) guarantees the right of individuals to have access to documents and data held by public authorities. Furthermore, the Instrument of Government provides that citizens shall be protected to the extent determined in detail by law against any infringement of their personal integrity resulting from the registration of information about them by means of electronic data processing.

Laws

Comprehensive laws

. 221
In April 1998, the Personal Data Act was adopted by Parliament. The Act, which entered into force on 24 October 1998, implements the EU Data Protection Directive in Sweden. The Act represents a legal framework for all processing of personal data and is supplemented by regulations of the Government and the Data Inspection Board. However, the provisions of the Act do not apply, inter alia, to the extent that they would contravene the provisions concerning the freedom of the press and freedom of expression contained in the Freedom of the Press Act and the Fundamental Law on Freedom of Expression.

. 222
The Act confers on the Data Inspection Board a supervisory and advisory role.

. 223
The penalties for violating the Personal Data Act primarily comprise damages in favor of the data subject suffering loss.

Other laws with privacy provisions

. 224
Swedish laws containing privacy provisions include the Credit Information Act, the Debt Recovery Act and the Official Statistics Act.

Self-regulatory instruments

. 225
The Swedish Direct Marketing Association is engaged in self-regulatory activities.

Switzerland

Laws

Federal laws

. 226
The Federal Law on Data Protection (1992) (FLDP) covers both computerized and manual data concerning natural and legal persons in the federal public sector and the private sector. The Federal Data Protection Commissioner (appointed by the Federal Council) oversees the application of the law by federal authorities, and acts as an ombudsman for the handling of personal data in the private sector. All federal data registers must be registered with the Commissioner, but private organizations are only required to register data collections in limited circumstances. The Commissioner’s duties include assisting Federal and Cantonal privacy bodies and examining the extent to which foreign data protection regimes provide comparable protection. The Commissioner can also conduct investigations (on its own initiative or at the request of a third party) and issue recommendations. The Commissioner has a mainly consultative function in the private sector. It may also act as an arbitration and appeal body.

. 227
The FLDP reflects the basic principles of the OECD Guidelines. Sensitive data receives special protection. Transborder data transfers are prohibited under the FDLP unless adequate data protection can be assured, and the prior notification of transfers (to the Commissioner) is required in some circumstances.

. 228
Data subjects may seek the usual remedies of the Swiss Civil Code, such as injunctions and compensation orders, for violations of the FLDP. Violations are also punishable by fine or detention.

Other federal laws with privacy provisions

. 229
A number of Swiss laws include privacy protection clauses, in particular: the Telecommunications Law; the law on Employment Contract Provisions; the law on Federal Statistics; and the Swiss Criminal Code. There is also a 1993 Ordinance regarding Professional Secrecy in Medical Research.

Cantonal (State) law

. 230
The activities of Cantonal authorities are governed by Cantonal law. Most of the Swiss Cantons have introduced data protection laws which apply to these agencies. The applicable rules are generally similar to those at the Federal level and include the establishment of data protection bodies.

Self-regulatory instruments

Instruments relating to online privacy

. 231
A working group of the Office Fédéral de la Justice has formulated recommendations for Internet access providers called the Internet Charter. The Charter includes recommendations on legal issues such as service provider liability and the disclosure of data to third parties.

Other initiatives

. 232
Industry codes of practice provide additional guidance in specific sectors, such as the medical profession, direct marketing and market research. There are well-known confidentiality obligations in the fields of banking, insurance and pensions privacy.

Turkey

Laws

. 233
Turkey has a draft law on Data Protection which applies to both public and private sector data processing entities. It has yet to be approved by the Turkish Parliament. The draft law incorporates the basic principles of the OECD Guidelines and Convention 108, and establishes an autonomous Authority for Data Protection. The Authority is responsible for supervising the application of the law.

. 234
Under the draft law, individuals will have rights to receive information whenever their data are collected, to have access to data of which they are the subject, to correct inaccurate data and to object to certain types of data processing.

. 235
Work on electronic commerce was initiated in Turkey in February 1998, following a decision taken by the Science and Technology High Board (STHB). Three working groups under the Electronic Commerce Co-ordination Committee have handled the studies. An initial Report prepared by these groups was submitted to the STHB in June 1998. The Report covers the existing barriers to e-commerce in Turkey and makes recommendations, which include the development of authentication and certification processes to eliminate these obstacles properly. The next step will be the development of an action plan for submission to STHB. This Study will consider the issue of jobs, timing and entities to be assigned to improve the legal, technical and financial infrastructure which e-commerce needs to develop.

United Kingdom

Laws

Comprehensive laws

. 236
The United Kingdom’s Data Protection Act 1984 applies to automatically processed personal data relating to living individuals in both the public and private sectors. The Act gives rights to individuals, about whom data are recorded, including a right of access to their personal data and a right to have any inaccurate data corrected or deleted. If an individual suffers damage caused by the loss, unauthorized destruction or unauthorized disclosure of information about themselves, or through that information being inaccurate, they can seek compensation through the courts.

. 237
The Act established an independent supervisory authority known as the Data Protection Registrar. The Registrar’s functions include establishing and maintaining a register of those who process personal information. Failure by a data user to register can give rise to criminal liability.

. 238
The Act sets out eight Principles of fair information practice. The Registrar considers complaints made about breaches of the Act and can serve notices on registered persons requiring them to take specified steps to comply with the Act. Failure to comply with such a notice is an offense.

. 239
The Registrar is also charged with promoting data protection compliance, including encouraging the development of industry-based codes of practice. These codes aid the interpretation of the law. The Registrar also issues guidance notes; including on the recently published "Data Protection and the Internet".

Other laws with privacy provisions

. 240
A number of statutes in the UK have implications for data protection, these include; the Financial Services Act 1986, the Human Fertilization and Embryology Act 1990, the Charities Act 1993 and the Criminal Justice and Public Order Act 1994. The Government has proposed a Freedom of Information Bill which, if enacted, would extend rights of access to information, and also contain exemptions on privacy and other grounds.

. 241
The European Convention of Human Rights (ECHR) has recently been embodied in national legislation in the form of the Human Rights Act 1998. The Act received Royal Assent on 9 November 1998 but is not expected to come into force before 2000. The Act adopts Article 8 of the ECHR providing a "right to respect for private and family life".

Implementation of the EU Directive

. 242
The Data Protection Act 1998 which received Royal Assent on the 16 July 1998 was enacted to implement the EU Directive on data protection. Much of the detail of the new law will be contained in secondary legislation. The new law will be brought into force at the end of June 1999, or as soon thereafter as the Government finds it possible to do so.

. 243
The Act broadens the scope of current legislation by bringing personal data contained within structured manual filing systems within the scope of the Act. The definitions of "processing" and other terms have been amended to reflect the definitions found in the EU Directive. The 1998 Act also provides new rights for data subjects, in particular, to prevent their data being used for direct marketing and to object to important decisions concerning them being taken by automatic means but more generally to provide a right to compensation for damages arising from any breach of the new law. When the Act comes into force the Data Protection Registrar will in future be known as the Data Protection Commissioner.

. 244
The British Standards Institute is working with the Data Protection Registrar to prepare a data protection compliance program in preparation for the implementation of the EU Directive.

Self-regulatory instruments

Instruments relating to online privacy

. 245
The Internet Service Providers Association (UK) has developed a Code of Conduct, which is voluntary for the first 12 months, and thereafter becomes obligatory for all Members. The Code provides guidance on registering with the Data Protection Registrar. It also encourages Members to notify users as to the purposes for which personal information are collected and to give the user an opportunity to prevent such usage.

Other initiatives

. 246
A number of other industry associations have produced codes of conduct that include data protection provisions.

United States

Constitution

. 247
The US Constitution does not explicitly mention a right of privacy. However, case law has recognised that the Constitution confers such a right with respect to government restrictions on certain activities or invasions of physical privacy.

Laws

Federal sectoral laws

. 248
The use of personal information held by federal government agencies is regulated by the Privacy Act (1974) which establishes fair information principles for handling personal data. The Office of Management and Budget is responsible for overseeing the Act. The Privacy Act provides data subjects with a civil right of action which may result in monetary damages and/or injunctive relief. The Act also provides criminal penalties for knowing violations of the Act.

. 249
Federal Acts with privacy implications for specific kinds of information include:

• the Federal Trade Commission Act (1914) which prohibits unfair or deceptive trade practices, and thus, holds companies responsible for their representations of their privacy practices;
• the Fair Credit Reporting Act (1970) which regulates the use of information collected by consumer reporting agencies such as credit bureau, medical information companies and tenant screening services. It is administered by the Federal Trade Commission (FTC) and it provides a private cause of action, actual and punitive damages, as well as attorneys fees, and it imposes duties on furnishers of information to credit bureau and users of credit reports in addition to duties imposed on credit bureau;
• the Cable Communications Policy Act (1984) which regulates the use of cable television subscriber records under a regime of notice and consent;
• the Electronic Communications Privacy Act (1986) which regulates the use of information communicated electronically. Violations of these provisions can result in imprisonment, substantial fines and/or civil liability for damages suffered or profits made as a result;
• the Computer Matching and Privacy Protection Act (1988), the Tax Reform Act of 1976, and the Right to Financial Privacy Act of 1978 which prescribe limits on data matching and the use of information collected pursuant to statutory duties;
• the Video Privacy Protection Act (1988) which controls the use of video rental or sale records;
• the Telephone Consumer Protection Act (1991) which regulates unsolicited telephone calls; and

• the "Children's Online Privacy Protection Act" (1998) which regulates the collection of information from children by Web sites and online services by generally requiring prior parental permission. The Federal Trade Commission both issues regulations to implement this new law and enforces those regulations once adopted. The law allows for firms to operate under FTC-approved safe harbors."

. 250
A number of State Constitutions include a right to privacy. States generally follow the federal sectoral model and enact privacy enhancing statutes on a sectoral (industry by industry) basis. The level of protection varies from one State to another.

Approach to privacy regulation in the private sector

. 251
The US Government believes that private sector-developed and enforced codes of conduct are an effective way to protect privacy online without creating a bureaucracy which could stifle the growth of electronic commerce. Reports by government bodies and statements by officials include:

• "Privacy and the National Information Infrastructure: Principles for Providing and Using Personal Information" (June 1995) by the Information Infrastructure Task Force (IITF)which outlined a set of Privacy Principles based upon the OECD Guidelines;
• "Privacy and the National Information Infrastructure: Safeguarding Telecommunications-Related Personal Information" (October 1995) by the National Telecommunications and Information Administration (NTIA) (part of the Department of Commerce) which recommended that telecommunications and information service providers put into practice privacy policies that notify users of their information practices and obtain user consent for the use of personal information;
• "Options for Promoting Privacy on the National Information Infrastructure" (April 1997) by the Information Policy Committee of the IITF which sets out options for the implementation of online privacy protection including the creation of a federal privacy entity;
• "A Framework for Global Electronic Commerce" (July 1997) by the Clinton Administration which suggests that the government will play a more direct role if industry did not address privacy concerns through self-regulation and technology;
• "Individual Reference Services: A Report to Congress" (December 1997) by the FTC which discussed the benefits and risks of look-up service databases used to locate, identify, or verify the identity of individuals. The report also discussed the self-regulatory principles adopted by industry members;
• "Elements of Effective Self-Regulation for Protection of Privacy" (January 1998) by NTIA (US Department of Commerce) which outlines actions which the private sector can take in order to meet an acceptable level of privacy protection;
• " Privacy Online: a report to Congress" (June 1998) by the FTC which emphasizes the importance of notice, choice, security and access to privacy protection, suggests that incentives are needed to spur self-regulation and ensure widespread implementation of basic privacy principles, and recommends the enactment of legislation to protect children’s online privacy. In testimony before the Subcommittee on Telecommunications, Trade and Consumer Protection in July 1998, the Chairman of the FTC recommended that unless effective and broad-based self-regulation is in place by the end of 1998, legislation establishing statutory standards should be enacted authorizing enforcement by a government agency;
• a press release by Vice President Gore (31 July 1998) which calls for an Electronic Bill of Rights as well as legislation to protect sensitive personal information and children’s privacy online. It also gives the Office of Management and Budget responsibility for co-ordination of privacy issues, drawing on expertise and resources of other governmental agencies; and

• "US Government Working Group on Electronic Commerce: First Annual Report" which describes progress made toward the establishment of self-regulation for privacy, and suggests an appropriate government role in protecting privacy."

Instruments relating to online privacy

. 252
A number of industry-based organizations have developed guidelines and codes of conduct for their members. These include:

• the Information Technology Industry Council which has adopted principles for the protection of personal data in electronic commerce which serve as a foundation upon which member companies can build their own privacy policies;
• the Interactive Services Association which has published voluntary "Principles on Notice and Choice Procedures for Online Information Collection and Distribution by Online Operators" (June 1997) based on a regime of notice and opt-out;
• the Online Privacy Alliance (formed in June 1998 by 50 American Internet-related companies and associations) which has produced Guidelines for Online Privacy (which urge Alliance members to have regard to the OECD Guidelines and use third party privacy seal programs such as TRUSTe and BBBOnLine), and a set of guidelines for safeguarding children’s privacy; and
• the American Electronics Association which has announced (June 1998) self-regulation plans including the adoption of a set of privacy protection elements for implementation by member companies.

. 253
Other self-regulatory initiatives include:

• The establishment by the Direct Marketing Association of voluntary guidelines and the development of Online Guidelines based on the principles of disclosure and opting-out.
• The publication by the Children’s Advertising Review Unit of the Council of Better Business Bureau of "Self-Regulatory Guidelines for Advertising to Children". The Guidelines require "reasonable efforts" be made to provide notice and choice to parents when information is collected from children online.
• The development by the Coalition for Advertising Supported Information and Entertainment of a statement of Goals for Privacy for Marketing in Interactive Media.
• The agreement between the Individual Reference Services Group (IRSG) and the FTC in December 1997 to abide by a set of IRSG Principles which address the availability of information obtained through computerised database services which may be used to locate, identify or verify the identity of individuals. Firms must submit to an annual third party audit with the results made public.

* Denotes membership of European Union
 
 

II. MECHANISMS TO IMPLEMENT AND ENFORCE PRIVACY PRINCIPLES ON GLOBAL NETWORKS

. 254
There are various practices, techniques and technologies which are used, or are being developed, to implement and enforce privacy principles in networked environments. These different mechanisms are highly interrelated, many are based on recent technological developments, and some blur the traditional distinctions between setting, implementing and enforcing privacy guidelines. Some allow users to take charge of their own personal data protection and privacy (for example, by blocking the transfer and collection of header information and click-stream data), others are implemented by data controllers (for example, by digitally labelling a Website’s privacy practices), and others may be facilitated by governments and/or private sector organizations (for example, by creating model clauses for transborder data flow contracts).

. 255
This part of the Inventory categorises the various mechanisms for the protection of privacy on global networks according to whether their purpose is:

• minimising the disclosure and collection of personal data;
• informing users about online privacy policies;
• providing users with options for personal data disclosure and use;
• providing access to personal data;
• protecting privacy through transborder data flow contracts;
• enforcing privacy principles; or
• educating users and the private sector.

. 256
Users of global networks can act with relative anonymity by minimising the amount of personal data they disclose and/or allow to be collected. This is an important means of protecting privacy. To help preserve online anonymity, mechanisms are available which: (i) empower users to restrict the automatic disclosure and collection of Web-browsing data; and (ii) reduce the need for personal data to be disclosed voluntarily.

1. Restricting or eliminating the automatic disclosure and collection of personal data

. 257
As discussed in the general introduction, header information and click-stream data may be disclosed whenever a Web site is visited and cookies are often used to facilitate the collection of such data. In general, a user’s level of anonymity may be increased by restricting the creation of cookies, or by blocking the transfer, and collection, of automatically generated data (header information, e-mail headers and click-stream data) from the user’s computer. Both these techniques empower users to take control over their own privacy.

(a) Management of cookies

. 258
Since cookies can be used to associate a unique code with a particular user, one approach to preserving anonymity while using the Web is to allow individuals to limit or prevent the creation of cookies. Methods which may be used include the following:

• the most recent versions of Microsoft Explorer and Netscape Communicator allow users to set their preferences to be warned when a server tries to set a cookie and be given the opportunity to refuse its creation; and
• software applications have been developed to automatically delete unauthorised cookies (some of these applications can also control the header information which is transferred from the client to the Web site). Examples include the Internet Junkbuster Proxy and the Cookie Crusher.

(b) Blocking the transfer and collection of automatically generated data

. 260
Mechanisms are available to block the transfer and/or collection of automatically generated data, such as e-mail headers, header information and click-stream data.

. 261
"Anonymous re-mailers" allow e-mail messages to be sent without revealing the identity of the sender. Some, such as Hotmail and the Freedom Remailer,run by the Global Internet Liberty Campaign, operate through Web pages where an e-mail is created and sent without any information identifying the sender. Other re-mailers are designed to receive an e-mail message from one party, re-address it and send it to a second party. In the process, header information that would identify the sender is removed. Examples include the re-mailers at Replay and Nymserver. Such re-mailers offer varying degrees of protection to prevent the identity of the sender of an anonymous e-mail being determined by eavesdropping on the messages being received and sent via the re-mailer and making matches based on, for example, their length and timing information. Many anonymous re-mailers have been forced to close down because of abuses, such as offensive messages and mass mailings.

. 262
An "anonymising intermediary" may be used to prevent a Web site automatically collecting header information about the user, associating click-stream data with a particular user or setting cookies on the user’s computer. The intermediary is a Web server which operates between the user and the rest of the Web. When the user wishes to view a Web page he or she requests the page from the intermediary. The intermediary retrieves the page and passes it back to the user. Since the user is never directly connected to the site being browsed, no header information about the user is passed on, nor is the Web site able to set a cookie on the user’s computer. An example of such a service is the Anonymizer.

. 263
Issues which have been raised about the use of anonymising intermediaries include the need for the intermediaries to follow good data practices, and the risk of abuses of anonymity.

2. Reducing or avoiding the need for personal data disclosure

. 264
One of the reasons that personal data are requested on global networks is to prove that a user is eligible for a certain transaction or that payment details are genuine. Mechanisms are being developed which, if adopted by users and online businesses, will allow for the verification of such details without requiring the disclosure of personal information.

(a) Anonymous payment systems

. 265
Some payment mechanisms cause more data to be revealed than others. In the off-line world the most anonymous means of payment is cash. Since the value of cash is inherent and irrefutable, recipients do not require additional assurances of authenticity. In contrast, other payment mechanisms, such as credit cards, often require the disclosure of personal data (such as the name and billing address of the payor) as a means of authenticating the payment. The facility to engage in cash-like transactions in the online world increases user anonymity, and limits the ability for header information and click-stream data to be linked to a real world identity.

. 266
A number of companies are developing cash-like payment mechanisms for use on global networks. Two examples are Ecash, and Mondex. Ecash provides cash-like anonymity through an encrypted payment system. Essentially, money from an account held with a participating bank can be converted into "digital coins" which can be transferred into an "electronic purse" on the user’s computer. From there the coins can be transferred to other individuals or merchants doing business online. Each coin has a unique serial number and is validated by a "digital signature", which allow transactions to be verified and prevents the same coin from being spent more than once. To protect user anonymity, the user’s computer (rather than the bank) may randomly assign a serial number to a coin which can be sent to the bank in a special digital envelope. The bank adds a "blind digital signature" to the envelope, debits the user’s account and returns the coin without ever knowing the serial number. The user can then spend the coin, and payment will be honoured by the bank even though it cannot trace the identity of the payor.

. 267
Mondex is another electronic payment mechanism. Here funds are stored in a "smart card" and transactions are carried out directly between the parties without the transaction being reported to a central computer. For security and practical reasons, rolling audit trails are held on each individual card and with retailers. These trails can be revealed to resolve disputes, to correct failed transaction or if required by legal authorities. In normal transactions, however, an individual’s privacy is protected because the retailer does not have access to the bank information which links an individual’s name to their Mondex card reference number.

. 268
As with payment systems in the off-line world, electronic payment mechanisms do have limitations. First, they are subject to network externalities and will only be practicable when they are accepted by a critical mass of merchants. Second, personal identity information may still be revealed if, for example, a name and address are supplied so a product can be shipped to the purchaser or if the merchant is able to automatically collect identity revealing information such as the user’s e-mail address. Finally, some commentators fear that anonymous payment mechanisms may be used to facilitate money laundering, fraud and tax evasion. However, these payment systems constitute an important tool for protecting privacy, especially when used in conjunction with other technologies and privacy policies.

(b) Digital certificates

. 269
Another potential means of facilitating "faceless" anonymous transactions across global networks is the use of "digital certificates" based on public key cryptography techniques to establish personal attributes without revealing the party’s true name or other identification information.

. 270
Digital certificates issued by a trusted source, such as a "certification authority", can provide independent verification of information such as identity and transaction details. In the context of minimising the disclosure of personal data and preserving anonymity on global networks, digital certificates can be issued to establish personal attributes such as age, residence, citizenship, registration to use a service or membership in an organisation without revealing the transacting party’s identity. Such certificates may reduce, or avoid, the need for personal data to be disclosed where the important issue is not who a party is, but whether he or she possesses a certain characteristic. For example, a merchant selling age-sensitive products in the electronic environment may be satisfied by a digital certificate which states that a particular consumer is not underage without needing to know the consumer’s actual identity.

. 271
The use of digital certificates for establishing personal attributes raises a number of issues which may require further consideration, such as the problem of attributes which change over time, fraud, and the importance of certification authorities, which may hold large amounts of personal data, following good privacy practices.

(c) Anonymous profiles

. 272
One of the reasons why Websites collect data about users and their browsing habits is to develop profiles which can be used to facilitate the targeting of advertising, editorial and commercial content to individual visitors. However, this may be accomplished by using "anonymous profiles" which reveal the desired information about browsing habits, but do not contain any personally identifying information. For example, Engage Technologies has created a database of 16 million Web-user profiles by using cookies to assign a unique numerical identifier to each visitor of an "Engage-Enabled" Web site. Other companies which run similar systems include DoubleClick and Clickstream.

. 273
A number of privacy concerns have been voiced about such systems on the basis that, although the profiles are in a sense anonymous, a large quantity of data is nonetheless collected which can be sold on a commercial basis, affect future browsing sessions and, potentially, be linked to the user’s real identity at a later date.

B. INFORMING USERS ABOUT ONLINE PRIVACY POLICIES

. 274
There is a balance between benefit from anonymity and the disclosure of personal information in order to participate fully in the wide range of interactions, relationships, and communications available on international networks. Also, many users will not have the knowledge, or be prepared to make the effort to keep their personal data private.

. 275
The percentage of Websites which currently include statements about their privacy and personal data practices is still growing. Various privacy bodies (such as, TRUSTe and BBBOnLine) and trade associations (such as, the Online Privacy Alliance and the American Electronics Association) promote appropriate disclosure practices and common standards for privacy protection. For example, in the TRUSTe licensing programme participating sites must, at a minimum, declare their policies with respect to what information is gathered, what is done with that information, with whom is it shared, and the site’s "opt-out" policy. One important factor in determining whether or not users trust Websites to follow their announced privacy policies is the mechanisms available for ensuring compliance with these policies and providing redress if they are breached. These mechanism are discussed below.

. 276
The ways in which a Web site can inform its visitors about what (if any) personal data is being collected and how it will be used include: (i) posted privacy policies; (ii) the terms and conditions of online agreements; and (iii) digital labelling.

1. Posted privacy policies

. 277
The simplest way for an organisation engaged in online activities to declare its privacy policy is via a specific page on their Web site. The information contained in Web site privacy policies should reflect the OECD Guidelines and could include: who the organisation collecting the data is and how they may be contacted; what information is being collected and how; how the collected data will be used; what choices the user has regarding the collection, use and distribution of the data; what security safeguards are used; how data subjects can access their information and have corrections made; what redress is available for violations of the policy; whether there any applicable privacy laws or codes of conduct; whether any auditing or certification procedures are in place; and whether any technologies are used to enhance privacy protection. Privacy policies are also sometimes found within the Frequently Asked Questions (the FAQ’s) or "Help" sections of a Web site.

. 278
To supplement the information provided in such a statement some Websites offer hypertext links to direct visitors to information about privacy issues, privacy organizations and technical issues such as cookies. Access to a privacy policy may also be facilitated by providing hypertext links from convenient locations, such as the site’s homepage and any pages from which personal data are requested, and by including "privacy" in the keyword index if the site has an internal search engine. The development of well-recognised "privacy icons", with hypertext links to Web site privacy policies, can also improve the accessibility of these policies. Such icons may serve additional functions, such as signalling that a site’s privacy policy and information practices meet the requirements of a third party certifier.

2. Terms and conditions

. 279
A Web site may include its privacy policy as a part of the terms and conditions which apply between the site and its visitors. For example, where a Web site requires the user to accept some form of registration agreement to gain access to non-public portions of the site, a privacy clause is often included. Like the other means of notification, privacy clauses in online terms and conditions vary widely as to their scope and the amount of privacy protection afforded to the user.

3. Digital labels

. 280
"Digital labelling" of privacy practices can provide an alternative or complementary means of notification. The basic idea is that a uniform "vocabulary" for Web site information practices, developed by a particular online community or organisation, would be used to describe the practices of individual sites. The description would take the form of a label included in the header of a Web page and readable by the user’s browser software.

. 281
The Platform for Privacy Preferences project (P3P) takes this approach. P3P is being developed by the World Wide Web Consortium (W3C) and is based on their Platform for Internet Content Selection (PICS) framework for labelling Websites. The goal of P3P is to allow Websites to simply express their privacy practices over the collection and use of personal data and to enable users to specify their own preferences. The privacy vocabulary being developed currently includes a list of data categories and data practices relating to, for example, the purposes for which data are used and disclosed, the ability of an individual to access and correct stored data and the identity of the person to whom problems should be addressed.

. 282
The interaction between the privacy preferences of the site and the user is mediated by P3P. Sites with practices which fall within a user’s preference set will be accessed "seamlessly". Otherwise, users will be notified of a site’s practices and have the opportunity to agree to those terms, to be offered new terms, or to discontinue browsing that site.

1. Optional data fields and click-box choices

. 284
Some Websites offer choice by collecting data through online forms which distinguish between obligatory and optional data fields, and which display "click boxes" giving visitors options as to how information supplied may be used. For example, obligatory data might include identification and payment information required for a transaction between the parties, while optional data might correspond to the user’s age, sex, occupation and various personal preferences. In terms of use options, visitors may be given boxes to click on which will determine whether their data may be used for marketing purposes and/or passed to third parties.

. 285
A similar approach to allowing individual control over personal data disclosures has been developed by companies in the business of providing personal profiles to other Websites. Firefly is an example of such a system. A Firefly user creates a "passport" which contains the information that he or she is willing to divulge on the Web. The passport, which is in effect a personal profile of likes and dislikes, is then instantaneously made available to participating sites that the user visits. MatchLogic operate a similar system. A unique random number is assigned, using a cookie, to each user visiting one of its sites. This number is used to track click-stream data relating to, for example, the kinds of advertisements viewed.

2. Online negotiation of privacy standards through digital labels

. 286
Digital labelling and automated filtering, which were discussed above, may also be used to give a user new options when a Website’s standard privacy practices are not consistent with the privacy preferences that are set on his or her browser software. This would constitute a simple form of online negotiation.

3. "Opting-out"

Controlling the use of personal data after collection

. 287
To allow users to express a change of mind over how their data may be used, some Websites allow a control decision to be conveyed by e-mail, regular mail or telephone.

Preventing the receipt of unsolicited e-mail advertising

. 288
Various technologies and practices are also available to prevent the receipt of unsolicited e-mail advertising. One mechanism is for user’s to adopt filtering tools to block e-mail messages originating from known bulk e-mail distributors. Another practice is to allow the recipient of an unsolicited bulk e-mail to reply to the sender and request that no more e-mails are sent to that address. A broader proposal is to develop an "E-mail Preference Service" (an e-MPS) or "E-mail Robinson List". An e-MPS would allow consumers who do not wish to receive marketing e-mails to add their address to a common register which participating marketers would use to remove people from their own lists. The US Direct Marketing Association is developing such a programme and intend to make its use a condition of membership from July 1999. Another proposal, which comes from the UK Data Protection Registrar, is to use a universally agreed upon character in e-mail addresses to indicate that the user does not want to receive any marketing solicitations.

Opting-out of anonymous profiling

. 289
Different approaches currently exist with respect to data which has been automatically collected from header information and click-streams. In the anonymous profile systems operated by Engage Technologiesand MatchLogic, click-stream data which are collected automatically are not treated as "personal data" over which the user is entitled to exercise control. For example, the DoubleClick system, which also uses cookies to assign unique identification numbers and collect click-stream data, offers users an "opt-out" option. If selected, the unique identification number is erased and click-stream data are no longer recorded.

D. PROVIDING ACCESS TO PERSONAL DATA

. 290
Access to one’s data can be provided using either traditional off-line mechanisms (such as mail or telephone) or interactive online procedures where the request and the response are executed in real time during a connection between the Web site and the data subject.

E. PROTECTING PRIVACY THROUGH TRANSBORDER DATA FLOW CONTRACTS

. 291
Transborder data flow contracts are an important means of implementing Privacy Principles in the context of a transfer of personal data between a data controller in one country and a data controller in another. Such contracts provide a mechanism for safeguarding personal data transferred between jurisdictions which may have different legal regimes, with respect to privacy protection.

. 292
Many international documents require special treatment for transborder data flows. For example, Part Three of the OECD Guidelines state that Member countries may restrict flows of certain categories of personal data specifically controlled by domestic legislation to Member countries which have no "equivalent" protection. A similar provision is contained in Article 12 of the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108). This issue is particularly topical because of Article 25(1) of the European Union Data Protection Directive provides that data transfers from a Member country to a third country can only take place where that country ensures an "adequate level of protection". Transborder data flow contracts may provide a bridge between different systems of privacy protection where the data importer is not otherwise regarded as providing adequate protection.

The Council of Europe Model Contract, 1992

. 293
The Council of Europe Model Contract to Ensure Equivalent Data Protection in the Context of Transborder Data Flows (Model Contract) was the result of a joint study by the Council of Europe, the Commission of the European Communities and the International Chamber of Commerce (ICC). The contract is a collection of model clauses designed to ensure "equivalent protection" in the context of transborder data flows based on the guarantees in Convention 108. As well as being applicable to the equivalent protection clause in the OECD Guidelines, the Council of Europe Model Contract provides a useful reference in determining what may amount to "adequate protection" under the EU Directive.

. 294
Under the Model Contract the party sending the data warrants that data have been obtained and handled in accordance with the domestic privacy laws of the country in which it operates. In particular reference is made to fair and lawful data collection, the purpose for which the data has been stored, the adequacy and relevance of the data, the accuracy of the data and the period for which data storage has been authorised.

. 295
The party receiving the data undertakes to abide by the same principles that apply to the data sender in its home country. To supplement this undertaking, the data receiver also agrees to use the data only for the purposes set out in the contract, to protect sensitive data in the manner required by the domestic law of the data sender, not to communicate the data to a third party unless specifically authorised in the contract and to rectify, delete and update the data as required by the data sender.

. 296
The remaining clauses deal with liability for the misuse of the data by the data receiver, rights of data subjects, dispute settlement and termination of the contract. The applicable law is left open as a matter for the parties to determine.

The Revised ICC Model Contract

. 297
The 1992 model contract clauses have been revised by the International Chamber of Commerce in light of the EU Directive’s requirement of "adequate protection" in data exchanges to third countries. The revision takes into account comments of the European Commission’s Working Party set up pursuant to Article 29 of the EU Directive.

An illustrative agreement: German railways (Deutsche Bahn AG) and Citibank

. 298
In 1994, German Railways (Deutsche Bahn AG) arranged with the German subsidiary of Citibank for the production of Railway Cards (offering discounts for frequent travellers) which also functioned as VISA cards. Because the cards were produced by a Citibank subsidiary in the United States, the agreement gave rise to substantial transborder data flows. In response to German data protection concerns, an Agreement on Inter-territorial Data Protection was entered into to give German citizens the same level of privacy protection which they would have had if the cards had been produced in Germany. In particular, the contract provided for the application of German law, limited the transfer of the data to third parties, allowed for on-site audits by the German data protection authorities at Citibank’s subsidiaries in the United States, and held German Railways and the German Citibank subsidiary liable to German data subjects for any violations of the agreement by their American counterparts.

F. ENFORCING PRIVACY PRINCIPLES

. 299
The mechanisms used to enforce privacy guidelines vary from country to country. In particular, different balances have been struck between relying on laws and self-regulation. Additionally, the privacy concerns created by global networks have led to the development of novel technological, institutional and contractual solutions which are in the process of gaining acceptance in different parts of the world. For example, trusted third parties who certify that a Web site complies with its posted privacy policies are emerging as a new private sector mechanism for enforcing privacy principles.

. 300
Irrespective of the regime in question, effective enforcement has two aspects. The first side to enforcement is comprised of those mechanisms designed to ensure ex ante that privacy guidelines are followed in practice. The second aspect of enforcement is concerned with what happens if privacy guidelines are breached. In particular, who can a data subject complain to, what remedies are available to injured parties and how can infringing data controllers be forced to comply with the applicable privacy guidelines? This distinction between proactive "compliance" and ex post "complaint resolution" procedures is adopted in the following discussion of the mechanisms which are available to enforce privacy guidelines.

1. Ensuring compliance with privacy standards

. 301
There are many ex ante means of monitoring compliance with privacy guidelines regardless of whether those principles originate from legislation, codes of conduct or agreements between businesses and consumers. The following section distinguishes between four main means of ensuring compliance; appointment of an internal data protection officer, third party certification as to compliance, membership of industry bodies which impose privacy standards and investigations by central oversight authorities.

(a) Internal data protection officers

. 302
Privacy laws and self-regulatory codes may require the appointment of an internal data protection officer by data controllers or designating a particular person within an organisation who is responsible for ensuring that the organisation complies with the applicable privacy practices. As well as being answerable within the company for its compliance record, appropriate laws may make the internal data protection officer externally accountable to, for example, central oversight authorities.

(b) Third party compliance reviews and Web site certification

. 303
Compliance reviews undertaken by third parties help ensure that Websites follow their privacy statements. Ongoing compliance reviews typically involve periodic information practice "audits" and "seeding" (personal information is submitted to the site and its use is compared with the site’s stated policy). Sites which continue to satisfy these reviews display a certification mark, such as a digital label or a well-recognised icon, as a public confirmation that they comply with their privacy statements.

. 304
There are different reasons why a Web site may seek third party compliance reviews and certification. Sites may voluntarily submit to compliance reviews. For example, a Web site may want to demonstrate its commitment to privacy and ease consumer fears that their personal information could be misused. The risk of having its certification withdrawn, and the publicity which would accompany it, may provide a sufficient incentive for Websites to comply with their privacy statements. In addition, privacy laws, self-regulatory codes of conduct and/or industry organizations, may require an online business to seek third party certification.

. 305
The following are examples of businesses and professional organizations who offer certification schemes with respect to privacy practices and others, such as BBB Online, are being developed.

TRUSTe

. 306
TRUSTe is an independent, non-profit making organisation that certifies Websites which meet the requirements of the TRUSTe programme. In particular, a Web site must: disclose its information management practices in an online privacy statement; adhere to these stated practices and co-operate with all reviews conducted by TRUSTe. The substance of the site’s privacy policy is determined by the site itself, but, at a minimum, its privacy statement must disclose:

• what type of information the site gathers;
• how the information will be used; and
• who the information will be shared with (if anyone).

. 308
Once a company has agreed to the terms of the TRUSTe programme and satisfied an initial review by TRUSTe, it is permitted to use the TRUSTe "trustmark". To ensure that the Web site continues to adhere to its published privacy statement the TRUSTe programme is backed by an on-going "assurance" process. In particular, TRUSTe monitors a Website’s compliance with its stated privacy practices by:

• conducting periodic reviews of participating sites;
• regularly "seeding" sites by submitting personal user information and checking that it is not used in a way that violates the site’s stated privacy policies; and
• organising onsite conformance "audits" conducted by outside accounting firms.

. 309
Standards authorities are another type of organisation which may act as third party certifiers by developing privacy standards and offering formal certification to compliant Websites. An example, is the Canadian Standards Association (CSA) which has developed a Model Code for the Protection of Personal Information. The CSA emphasises the importance of conducting independent audits by auditors certified in privacy auditing to verify ongoing compliance.

Accounting firms

. 310
Privacy audits are one of the services now being carried out by large accounting firms. Such audits may be part of a compliance programme run through an organisation such as TRUSTe or the CSA, or it may be organised directly by an accounting firm. The WebTrust programme provides a framework for individual accounting firms to provide certification services. Developed by the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants, the WebTrust Seal is designed to assure online consumers that a participating Web site complies with the WebTrust principles which include information protection. To monitor and ensure ongoing compliance with the WebTrust principles, assurance examinations are conducted by specially licensed accountants on a regular basis. The US Individual Services Reference Group principles provide for annual audits by a third party accounting firm.

(c) Membership-based industry bodies

. 311
Industry bodies which specify certain privacy practices as a pre-requisite for membership can play a role in ensuring that privacy practices are complied with on global networks. Examples include: the Online Alliance which was formed in June 1998 in response to the call for the creation of third party verification mechanisms, it is a cross-industry coalition designed to address online privacy issues whose members have agreed to adopt, implement and disclose privacy policies); the Australian Internet Industry Association (which has proposed an Industry Code of Practice utilising a code compliance icon); and the US Direct Marketing Association (an industry based-association, whose members engage in database marketing, which encourages its members to post privacy policies on their Websites). Also BBBOnLINE, a membership-based certification programme for online businesses, is considering adopting a privacy standard amongst its qualifying criteria, possibly by means of a separate privacy charter represented by its own seal or icon.

. 312
How satisfactory an industry body is likely to be in ensuring compliance with privacy standards depends on a number of factors. These include: how the applicable privacy code is publicised to members; how the organisation checks that the code is being followed and how often; how does the organisation deal with consumer complaints, and, when a member is shown to have breached the code, how it is sanctioned.

(d) Central oversight authorities

. 313
Most jurisdictions with laws for the protection of personal privacy also establish a central oversight authority such as a data protection office or a privacy commissioner that may be empowered to perform proactive audits on their own initiative.

. 314
The "supervisory authorities" referred to in the EU Directive, for example, are intended to play this role. In particular, these authorities are endowed with investigative powers (such as the right to access data) and powers of intervention (such as the right to ban a particular method of data processing. In the EU, for example, these powers are subject to a right of judicial appeal.

. 315
Other legal requirements may be imposed to facilitate the compliance monitoring role of central oversight authorities. For example, a system of compulsory registration increases the information available to such authorities and initial audits can be required to ensure adherence to the law before data processing commences.

2. Complaint resolution procedures for breaches of privacy standards

. 316
When a data subject believes that the privacy guidelines which apply to his or her relationship with a particular data controller have been breached, he or she should have access to redress or remedy. The privacy complaint resolution procedures which can be found in different OECD Member countries vary in many ways.

. 317
There are different ways in which privacy complaints may be addressed according to whether (1) the complaint is resolved directly between the data subject and the data controller; (2) the complaint is brought to the notice of a third party certification agency or industry body; or (3) administrative, civil or criminal proceedings are pursued.

. 318
The kinds of questions which can be asked in comparing each of these categories are:

• what kinds of redress are available to the data subject? The redress being sought may vary from securing compliance with the applicable privacy principles (for example, by allowing access to, or correcting, the personal data in question or by entering the user on a "opt-out" list so that the personal data will not be used by advertisers in the future), to obtaining orders for compensation.
• what are the ultimate sanctions available to force compliance by the data controller? Ultimate sanctions may include orders by central oversight authorities, civil court remedies, criminal sanctions (which may be pursued by the data subject, a central oversight authority or some other prosecuting body), removal of a certification seal or expulsion from an industry body.
• how formal and complicated is the procedure? The resolution of a privacy complaint may involve different levels of formality, from direct and informal communications between the data subject and controller, to mediation by a central oversight authority, to formal judicial proceedings.

. 319
A data subject’s initial complaint is likely to be made to the alleged infringer. Companies that collect and use personally identifiable information may be able to resolve many privacy disputes by providing mechanisms to receive and address consumer complaints. Obtaining redress directly from the data controller is likely to be the quickest, cheapest and least complicated means of complaint resolution.

. 320
Good reasons exist for online businesses to attempt to amicably resolve the privacy complaints of their customers. These incentives include protecting their reputations, fostering good customer relations and avoiding the threat of more formal complaint procedures being initiated.

. 321
Some online businesses offer clearly defined complaint procedures to facilitate the amicable resolution of privacy complaints. These provisions may address issues such as the method by which an organisation may be contacted, the remedies available (for example, liquidated damages, that is, a set amount of money to be paid for breaches of privacy) and procedures for bringing a claim to arbitration.

. 322
Some Legislation and self-regulatory codes require data controllers to appoint internal data protection officers to facilitate the resolution of complaints by providing a clear point of contact with an individual who has well defined responsibilities.

(b) Enforcement through private sector certification schemes and industry bodies

. 323
Certification schemes and industry bodies may offer avenues of redress for data subjects alleging privacy breaches by a member Web site. Such organizations are useful in two ways. First, the privacy criteria set by the certification scheme or industry body provide a benchmark against which the data controller’s practices may be judged. Second, the third party certifier or industry body has a reputational interest in ensuring that members comply with its privacy rules and is also likely to have a large degree of bargaining power relative to its members. These factors give the third party certifier or industry body both the incentive and capability to assist the data subject in resolving his or her complaint.

. 324
Third party certifiers and industry bodies may take a variety of roles in the resolution of a privacy dispute, ranging from investigation to mediation to adjudication. The redress available might include compliance with applicable privacy principles and compensation for any losses.

Sanctions that may be assessed may include:

- the publication of the business’ name on a "bad actor" list;

- the revocation of the Website’s compliance certification icon;

- removal from an industry body; and/or

- administrative or judicial proceedings against the Web site (for example, for breach of contract or misuse of trademarks).

. 325
The following are examples of certification businesses and industry bodies who may play a role in resolving user complaints over a Websites privacy practices.

TRUSTe

. 326
When TRUSTe receives a complaint it first sends a formal notice and gives the alleged infringer a chance to respond. If this proves unsatisfactory, TRUSTe conducts an escalating investigation. Depending on the severity of the breach, the investigation could result in penalties, an on-site conformance review or revocation of the participant’s trustmark. Serious cases may be referred to the FTC for enforcement action under the Federal Trade Commission Act or TRUSTe may conduct breach of contract or trademark infringement litigation against the site.

The Australian Internet Industry Association

. 327
In February 1998, the Australian Internet Industry Association released a draft Industry Code of Practice. In the first instance, it is intended that complaints will be dealt with between the user and the Code Subscriber within a time frame specified by the Code. If this is not successful, however, the Code sets out other procedures including the appointment of a mediator, or the making of orders by the Code’s Administrative Council directing the subscriber to comply with the Code or to provide corrective advertising and/or the payment of compensation. The Council may also withdraw permission for a site to use its Code Compliance Symbol.

(c) Enforcement through administrative, civil and criminal proceedings

. 328
State organs may provide redress either in the form of an administrative remedy through a central oversight authority or a judicial remedy through the court system. Judicial remedies may be either civil (where compensation and/or orders for compliance are typically provided for the breaches of privacy principles) or criminal (where sanctions are typically imposed on offending data controllers).

Administrative proceedings

Central oversight agencies

. 329
Privacy regimes often create central oversight agencies, such as a Data Protection Authority or a Privacy Commissioner. Such agencies will typically provide an administrative mechanism for resolving privacy complaints.

. 330
One reason for involving a central oversight authority is because individual data subjects may not have the expertise or investigative powers to determine exactly when or by whom his or her privacy was violated. A Data Protection Authority or Privacy Commissioner will also bring its experience and institutional authority to bear in attempting to resolve a privacy complaint.

. 331
The grounds upon which a complaint may be brought to a central oversight agency will depend on the terms of its empowering legislation, but typical reasons include breaches of privacy laws and, possible, self-regulatory codes of conduct or privacy statements.

. 332
The powers of a specific central oversight agency, and the kinds of redress available to the data subject, will also depend on its empowering legislation, but typically such bodies are empowered to:

• investigate complaints;
• conduct or demand audits;
• attempt conciliation between the parties;
• examine witnesses;
• issue recommendations;
• act as specialist tribunals and impose quasi-judicial orders involving, for example, compensation and sanctions; and/or
• either refer complaints to, or prosecute complaints in, a judicial forum.

Other administrative agencies

. 334
Other administrative agencies may become involved in resolving privacy complaints. Where the conduct complained of involves not only a breach of privacy principles but also fair trading standards by, for example, violating the terms of a privacy statement, then administrative bodies charged with enforcing these practices may be complained to. For example, in the US the Federal Trade Commission (FTC), in its role as an independent law enforcement authority, has broad powers to investigate and adjudicate complaints of businesses engaging in unfair and deceptive conduct. The FTC has recently conducted an investigation against a company (it may not be appropriate to single out a company) for misleading its customers as to how their personal information were being used which has resulted in a consent order being issued.

Civil proceedings

Breaches of privacy legislation

. 335
Privacy legislation may provide data subjects with the right to a judicial remedy for breach of privacy principles established by the legislation. Procedurally, such complaints are usually brought to court by the injured data subject. In addition, in some common law countries, actions may also be brought based on a tort of invasion of privacy.

. 336
A court may be given a wide variety of powers to provide suitable redress in a given case. The range of remedies which may be provided for include the power to:

• order payment for compensation or restitution;
• impose a monetary fine;
• make corrective orders (for example, by allowing access to, or correcting, the personal data in question);
• mandate or prohibit certain data processing practices; and
• require periodic reviews to ensure compliance.

. 337
The range of civil remedies available to a data subject is not limited to those found in privacy legislation. The general laws relating to breach of contract, fraud and fair trading may also apply where the data controller has violated the terms of a privacy statement, online agreement (such as the terms and conditions associated with a registration form) or a transborder data flow contract.

. 338
The breach of a privacy statement or online agreement may give rise to a number of possible civil remedies. Essentially, by providing notification of its privacy practices a Web site offers a commitment that it will follow these practices. Depending of the nature of the breach, most jurisdictions provide remedies for wrongful misrepresentations and/or fraudulent conduct if that commitment is broken.

. 339
A contractual remedy may also be available to Web site visitors. A contract is most likely to exist between the parties where they have entered an online agreement by, for example, explicitly agreeing to terms and conditions referred to in a registration form. However, the distinction between a posted privacy policy and an online registration agreement is often one of degree. For example, the Web site may include a "Terms and Conditions" section which is expressed like a contract but which, unlike a registration form, does not require the user to explicitly acknowledge their consent. In general, however, the more a privacy policy looks like a term of an agreement between the parties, the more likely it is to be given contractual effect and be capable of giving rise to a legal remedy for breach of contract. The contractual effect of a privacy clause will depend on the other terms of the contract (relating to, for example, jurisdiction and arbitration of disputes) and the laws of the jurisdiction in which it is being considered.

. 340
The breach of a transborder data flow contract by a data controller may also provide the basis for a judicial remedy for an effected data subject. Since the data subject will not usually be a party to this agreement, enforcement difficulties will exist in jurisdictions which do not permit claims by third party beneficiaries to a contract. The solution adopted in the German Railways - Citibank contract was to hold the German Railway and the German Citibank subsidiary liable to German data subjects for any violations of the agreement by their American counterparts. Similarly, the Council of Europe Model Contract provides that damage caused to data subjects, through the use of the transferred data or upon termination of the contract, should be repaired by the party sending the data under domestic law or international private law.

Alternative dispute resolution

. 341
Civil remedies need not be pursued exclusively through a court system. Alternative dispute resolution procedures may be followed by the parties where, for example, a contract provides for arbitration hearings. Both the Council of Europe Model Contract to Ensure Equivalent Data Protection in the Context of Transborder Data Flows and the Revised ICC Model Contract (May 1998 Draft) contain clauses which provide for the arbitration of disputes between the sending and receiving data controllers.

Criminal proceedings

Proceedings under privacy legislation

. 342
Privacy legislation may provide for criminal sanctions to be imposed in cases where there have been serious breaches of the legislation. One reason for such sanctions is to provide companies with a greater incentive to follow good privacy practices than would be provided merely by forcing the payment of compensatory damages when breaches have been proved. The range of entities who can bring criminal proceedings (for example, individual data subjects, data protection authorities and public prosecutors) and the range of available sanctions (for example, fines and prison sentences) will depend on the implementing legislation.

Other criminal proceedings

. 343
In addition to criminal prosecutions based on privacy legislation, where a data controller falsely asserts that it is following a particular privacy policy prosecutions may be possible under fair trading legislation.

G. EDUCATING USERS AND THE PRIVATE SECTOR

. 344
The nature of the global information network makes educating users and commercial entities about privacy issues an important step for the protection of personal privacy. Education supplements all of the other guidance instruments and mechanisms referred to in this Inventory.

. 345
Global networks turn businesses into data controllers. The ease with which data are collected and transferred electronically means that online merchants find themselves dealing with far more personal data, far more often, than if they had remained off-line. More and more entities find themselves acting as data controllers and subject to data protection laws, codes of conduct and self-regulatory industry codes. The better educated these ISPs, online merchants, content providers, browser designers and bulletin board operators are in privacy matters, the more likely it is that practices will be effectively implemented in practice.

. 346
Global networks also raise new privacy issues for users. The emerging trend for privacy rights to be protected through technological tools and by exercising choice as to privacy options means that users will only be fully protected if they are knowledgeable enough to look after themselves. Unlike the off-line world where individuals rarely have to consciously consider the privacy implications of their actions, the online public must be educated as to the consequences of where they go, what they say and what they do when on the Internet. For example, users should be aware of the information they reveal simply by browsing the Web; sending an email or posting a message to a newsgroup. They should also be alert to the consequences of agreeing to particular privacy practices, how to use privacy enhancing technologies and how to set appropriate browser settings for their desired level of privacy.

. 347
In addition to traditional methods of public education in schools, the workplace and the media, various Websites offer online advice on personal privacy protection on global networks. These sites are run by (1) international organizations, such as the Council of Europe; (2) government bodies, such as the FTC in the U.S. and many central oversight authorities in other parts of the World; and (3) private sector organizations, such as Project OPEN (the Online Public Education Network), the US Direct Marketing Association, the Center For Democracy and Technology, the Electronic Privacy Information Center, "Call for Action" and TRUSTe. Hyper-text links can be used to provide access to these sources of privacy information from Websites which collect personal information.

A. International Governmental Organizations                                                                  Back to Privacy Statement

Council of Europe

Data Protection Section
Public Law Division
Directorate of Legal Affairs
Secretariat General
PO Box 431 R6
67006 Strasbourg
FRANCE
Telephone : (33) 88 41 2445
Fax : (33) 88 41 2764
Web : http://www.coe.int/T/E/Legal_affairs/Legal_co-operation/Data_protection/

European Commission

European Commission Legal Advisory Board
European Commission DG XIII/E/2
EUFO 1166
Rue Alcide de Gasperi
L – 2920 LUXEMBOURG
Telephone : 35 24 301 32400
Fax : 35 24 301 33190

Directorate General XV-E1 (Free Movement of Information and Data Protection)
Rue de la loi 200 (C 107)
B 1049 Brussels
BELGIUM
Telephone : (32.2)2962264
Fax : (32.2)2968010
Web : http://www.europa.eu.int/index_en.htm

Organization for Economic Co-operation and Development

Information, Computer and Communications Policy Committee
2 rue André-Pascal
75775 Paris Cedex 16
FRANCE
Telephone : (33) 1 45 24 82 00
Fax : (33) 1 45 24 93 32
Web : http://www.sourceoecd.org/content/html/index.htm

United Nations

United Nations Centre for Human Rights
8-14 Avenue de la Paix
1211 Geneva 10
SWITZERLAND
Telephone : 41 22 917 3924
Fax : 41 22 917 0213
Web : http://www.unhchr.ch/hchr_un.htm

World Trade Organization

World Trade Organization
154 Rue de Lausanne
1211 Geneva 21
SWITZERLAND
Email:  enquiries@wto.org
 

B. Data Protection Authorities                                                                                          Back to Privacy Statement

Australia

Australian Privacy Commissioner's Office
GPO Box 5218
Sydney NSW 1042
AUSTRALIA
Telephone : 61 2 9284 9610
Fax : (02) 9284 9666
E-mail : privacy@privacy.gov.au
Web : http://www.privacy.gov.au/

Austria

Datenschutzkommission
Ballhausplatz 1
Vienna
1014
AUSTRIA
Telephone : (43) 1 531 15 2528
Fax : (43) 1 531 15 2690
E-Mail : v3post@bka.gv.at

Belgium

Commission Consultative de la Protection de la Vie Privée
Boulevard de Waterloo 115
Rue de la Regence 61
Bruxelles 1000
BELGIUM
Telephone : (32) 2 542 7200
Fax : (32) 2 542 7212
E-mail : privacy@euronet.be
Web : http://www.privacy.fgov.be/

Canada

Privacy Commissioner of Canada
112 Kent Street, 3rd floor
Ottawa, Ontario
K1A 1H3
CANADA
Telephone : 001 613 995-2410
Fax : 001 613 995-1501
Web : http://www.privcom.gc.ca/

The Office of the Information and Privacy Commissioner of Ontario
80 Bloor Street West
Suite 1700
Toronto, Ontario
M5S 2V1
CANADA
Telephone : (416) 326-3333
Fax : (416) 325-9195

Information & Privacy Commissioner of British Columbia
756 Fort Street, 3rd Floor
Victoria, British Columbia
V8W 9A4
CANADA
Telephone : (250) 387-5629
Fax : (250) 387-1696
E-mail : OIPC@gems5.gov.bc.ca
Web : http://www.oipc.bc.ca/

Information & Privacy Commissioner of Alberta
410, 9925-109 Street
Edmonton, Alberta
T5K 2J8
CANADA
Telephone : (403) 422-6860
Fax : (403) 422-5682
E-mail : ipcab@planet.eon.net

Ombudsman of Manitoba
500 Portage Avenue, Suite 750
Winnipeg, Manitoba
R3C 3X1
CANADA
Telephone : (204) 786-6483
Fax : (204) 942-7803

Ombudsman of New Brunswick
703 Brunswick Street
P.O. Box 6000
Fredericton, New Brunswick
3B 5H1
CANADA
Telephone : (506) 453-2789
Fax : (506) 457-7896

Department of Justice of Newfoundland
Confederation Building
P.O. Box 8700
St. John's, Newfoundland
A1B 4J6
CANADA
Telephone : (709) 729-5942
Fax : (709) 576-2129

Information and Privacy Commissioner of the Northwest Territories
P.O. Box 262
Yellowknife, Northwest Territories
X1A 2N2
CANADA
Telephone : (403) 873-8631
Fax : (403) 920-2511

Review Officer of Nova Scotia
3-1601 Lower Water Street
P.O. Box 1692, Postal Unit M
Halifax, Nova Scotia
B3J 3S3
CANADA
Telephone : (902) 424-4448
Fax : (902) 424-3919

Commission d'accès à l'information- Quebec
900 René-Lévesque Boulevard East, Suite 315
Quebec City, Quebec
G1R 2B5
CANADA
Telephone : (418) 528-7741
Fax : (418) 529-3102
E-mail : Cai.Communications@cai.gouv.qc.ca
Web : http://www.cai.gouv.qc.ca.

Information & Privacy Commissioner of Saskatchewan
2220-12 Avenue, Suite 500
P.O. Box 1037
Regina, Saskatchewan
S4P 3B2
CANADA
Telephone : (306) 787-8350
Fax : (306) 757-4858

Ombudsman and Information & Privacy Commissioner of the Yukon
P.O. Box 2703
Whitehorse, Yukon Territory
Y1A 2C6
CANADA
Telephone : (403) 667-8468
Fax : (403) 667-8469

Denmark

Registertilsynet
Christians Brygge 28, 4 Fl
DK-1559
Copenhagen V
DENMARK
Telephone : (45) 33 14 38 44
Fax : (45) 33 13 38 43
Web :  http://www.datatilsynet.dk/

Finland

Finnish Data Protection Ombudsman
Albertinkatu 25, 3.krs
PO Box 315
SF-00181 Helsinki
FINLAND
Telephone : (358) 9 182 57830
Fax : (358) 9 1825 7835
Web : http://www.tietosuoja.fi

France

Commission Nationale de l'Informatique et des Libertés
21 Rue Saint-Guillaume
75007 Paris
FRANCE
Telephone : (33) 1 4544 4065
Fax : (33) 1 4549 0455
E-mail : CNIL@world-net.sct.fr
Web : http://www.cnil.fr

Germany

Der Bundesbeauftragte fur den Datenschutz
Riemenschneider Str. 11,
53175 BONN
GERMANY
Telephone : (49) 228 819 95 10
Fax : (49)228 819 95 50
E-Mail : poststelle@bfd.bund400.de
For the addresses of the Laender data protection authorities see: http://www.datenschutz-berlin.de/sonstige/behoerde/aufsicht.htm

Greece

Greek Data Protection Authority
12, Vlaoritou Street
EL-10671 ATHENS
GREECE
Telephone : (30) 1 361 31 17
Fax : (30) 1 362 90 47

Hungary

Parliamentary Commissioner for Data Protection and Freedom of Information
1054 Budapest
Tüköry u. 3.
HUNGARY
Telephone : (36) 1 269 3537
Fax : (36) 1 269 3529

Iceland

Icelandic Data Protection Commission
Arnarhvoll
150 Reykjavik
ICELAND
Telephone : (354) 1 609010
Fax : (354) 1 27340

Ireland

Irish Data Protection Commissioner
Mr. Fergus Glavey
Block 4, Irish Life Centre
Talbot Street
Dublin 1
IRELAND
Telephone : 353 1 874 8544
Fax : 353 1 874 5405
E-Mail : fergus_glavey@dataprivacy.irlgov.ie

Italy

Italian Guarantor of the Protection of Personal Data: Garante per la protezionc dei dati personali
Largo del Teatro Vallc, 6
00186 Rome
ITALY
Telephone : 00 39 6 681861
Fax : 00 39 6 6818669
E-Mail : mc7796@mclink.it
Web : http://www.privacy.it/

Luxembourg

Commission consultative à la protection des données
Ministère de la Justice
16 boulevard Royal
2934 LUXEMBOURG
Telephone : (352) 478 4546
Fax : (352) 227 661

The Netherlands

Registratiekamer
Prins Clauslaan 20
P O Box 93374
2509 AJ Den Haag
NETHERLANDS
Telephone : (31) 70 3811300
Fax : (31) 70 3811301
E-Mail : mail@registratiekamer.nl

New Zealand

Office of the Privacy Commissioner of New Zealand
PO Box 466
Auckland
NEW ZEALAND
Telephone : (64) 9 302 2160
Fax : (64) 9 302 2305
E-mail : privacy@iprolink.co.nz

Norway

Norwegian Data Inspectorate: Datatilsynet
Postboks 8177 Dep
0034 OSLO
NORWAY
Telephone : 47 22 42 19 10
Fax : 47 22 42 23 50
E-Mail : postkasse@datatilsynet.no
Web : http://www.datatilsynet.no

Poland

Generalny Inspektor Danych Osobowych
Sejm RP ul. Wiejska 4/6/8
PL 00-950 Warszawa
POLAND

Portugal

Comissao Nacional de Porteccao de Dados Pessoais Informatizados
Rua de Sao Bento 148
1200 Lisboa
PORTUGAL
Telephone : (351) 1 396 6190
Fax : (351) 1 397 6832
E-Mail : cndpi@mail.telepac.pt

Spain

Spanish Data Protection Agency: Agencia de Protection de Datos
Paseo de la Castellana 41,
28046 Madrid
SPAIN
Telephone : (34) 1 308 4017
Fax : (34) 1 308 4692

Sweden

Datainspektionen
Box 8114
S-104 20 Stockholm
SWEDEN
Telephone : (46) 8 657 6100
Fax : (46) 8 652 8652
Email : datainspektionen@din.se

Switzerland

Eidgenössischer Datenschutzbeauftragter
Federal Data Protection Commissioner
CH - 3003 Berne
SWITZERLAND
Telephone : 41 31 322 4395
Fax : 41 31 3259996
Web : http://www.edsb.ch

United Kingdom

UK Data Protection Registrar
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
ENGLAND
Telephone : 44 1625 545700
Fax : 44 1625 24510
E-Mail : data@wycliffe.demon.co.uk
Web:  http://www.ukonline.gov.uk

United States                                                                                                                      Back to Privacy Statement

Federal Trade Commission
6^th & Pennsylvania Avenue, N.W.
Washington, D.C. 20580
Telephone : (202) FTC-HELP (382-4357)
Fax : (202) 326-2012 attn: CRC
Web : http://www.ftc.gov/index.html

Department of Commerce
14^th & Constitution Avenue, N.W.
Washington, D.C. 20230
Telephone : (202) 482-3845
Fax : (202) 501-2548
E-mail : ecommerce@itc.doc.gov
Web : http://www.commerce.gov/

Office of Management and Budget
Executive Office of the President
New Executive Office Building, Room 9026
725 17th Street, NW
Washington, D.C. 20503
Web :  http://w3.access.gpo.gov/usbudget/index.html

Federal Communications Commission
445 12^TH Street, S.W.
Washington, D.C. 20554
Telephone : 202 418 0200
Fax : 202 418 0232

Department of the Treasury
1500 Pennsylvania Avenue, NW
Washington, D.C. 20220
Telephone : 202 622 2000
Fax : 200 622 6415
Web : http://www.ustreas.gov/

United States Department of Health and Human Services
200 Independence Avenue, SW
Washington DC 20201
Telephone : 202 619 0257
E-mail : hhsmail@os.dhhs.gov
Web : http://www.os.dhhs.gov/

C. Non-Governmental Organizations                                                                                 Back to Privacy Statement

Asia-Pacific Smart Card Forum
G.P.O. Box 1966
Canberra ACT 2601
AUSTRALIA
Telephone : 612 6247 4655
E-mail : info@interact98.com.au

Center For Democracy and Technology
1634 Eye Street NW
Suite 1100
Washington DC 20006
Telephone : 1 202 637 9800
Fax : 1 202 637 0968
Web : http://www.cdt.org/

Electronic Privacy Information Center
66 Pennsylvania Avenue
SE Suite 301
Washington DC 20003
Telephone : 1 202 544 9240
Fax : 1 202 547 5482
E-mail : info@epic.org
Web : http://www.epic.org/

Privacy International
66 6 Pennsylvania Avenue
SE Suite 301
Washington DC 20003
Telephone : 1 202 544 9240
Fax : 1 202 547 5482
E-mail : pi@mail.privacy.org
Web : http://www.privacyinternational.org/

PrivacyExchange.Org
c/o Centre for Social and Legal Research
Hackensack
New Jersey
Telephone : 201 996 1154
Fax : 201 996 1183
Web : http://www.PrivacyExchange.org/