Help needed! Please contribute your notes to help us finish this page.
- International Law
- Privacy Protection in the European Union
- Privacy Protection in the United States of America
- Privacy Protection in Australia
- The Privacy Act
- The Australian Privacy Principles
- Government Surveillance
- Regulating Privacy-Enhancing Technologies
- The SPAM Act
- Privacy Protection in China
- Privacy Protection in Hong Kong
- Privacy Protection in India
Rita Matulionyte Explains How Online Technologies Affect Our Privacy
Article 12, 1948 Universal Declaration on Human Rights (UDHR)
‘No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attack.’
The UDHR was adopted in the General Assembly as Resolution 217 on 10 December 1948. Among the 58 members of United Nations, 48 voted in favour, 8 abstained. Honduras and Yemen failed to vote or abstain. The historical vote on adoption does not affect the application of the UDHR on other member states who joined the United Nations later.
The UDHR is not a treaty and therefore does not itself create legal obligations for countries. It is an expression of fundamental values which are shared by all members of the international community, and therefore has arguably become binding as part of customary international law
Article 17, International Covenant on Civil and Political Rights (ICCPR)
‘(1) No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation’
‘(2) Everyone has the right to the protection of the law against such interference or attacks’
Article 16, Convention on the Rights of the Child
‘(1) No Child shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home or correspondence, nor to unlawful attacks on his or her honour and reputation.
‘(2) ‘The Child has the right to the protection of the law against such interference or attacks’
Under Art 1 in the Convention, child is defined as any human being below the age of 18
Article 14 International Convention on the Protection of All Migrant Workers and Members of their families
‘No Migrant worker or member of his or her family shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home, correspondence or other communication, or to unlawful attacks on his or her honour and reputation. Each migrant worker and member of his or her family shall have the right to the protection of the law against such interference or attacks’
Treaty No.108 Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data
This treaty is open for signature by member States of the Council of Europe and for accession by non-member states since 28 January 1981. There are a total of 57 accessions to it. In summary, it provides protection for individual against abuses arising out of collecting and processing of personal data, in order to secure their rights and fundamental freedoms, in particular his right to privacy. It imposes obligation for parties to the agreement to take appropriate security measure to prevent accidental or authorised access to personal data. It also enshrines data subject’s right to know with regards to his own personal data.
OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
Although not binding, this serves as guidelines on all OECD Member countries to uphold human rights and prevent interruptions in international flow of data. It represents a consensus on basic principles that can be included in existing national legislations or serves as basis for legislations in those countries who do not have any yet.
There are 8 principles governing the protection of privacy and transborder flow of personal data. They are: collection limitation principle, data quality principle, purpose specification principle, use limitation principle, security safeguards principle, openness principle, individual participation principle and accountability principle.
Right to privacy is not confined to the physical world. In its sixty-eighth session of General Assembly, the United Nations (UN) adopted Resolution 68/177 regarding the right to privacy in the digital age. It recognized the increasing global trend of Internet usage and the advancement in information and communications technologies, and emphasised that the right to privacy also includes privacy in the digital world.
While gathering of an individual’s sensitive information may be necessary for the purpose of national and public security, it must be done in compliance with the state’s obligations in international human rights laws. Therefore UN called upon on States to review their legislation and practices relating to communication surveillance and collection of personal data so as to protect individual’s right to privacy, which also includes digital communications.
Under UDHR and ICCPR, the content of the right to privacy includes the term ‘interference’. What this essentially means is that the integrity and confidentiality of correspondence should be guaranteed de jure and de facto, without any interception and without being opened or read. Any capture of communication data may potentially fall under the ‘interference’. Therefore, as suggested by the Office of UN High Commissioner for Human Rights, mass surveillance programmes adopted by many states would already be amount to ‘interfering’, and it is on the State to prove that such interception is neither arbitrary nor unlawful.
The right to privacy under both UDHR and ICCPR is not an absolute right. It may be restricted or limited as long as it is not ‘unlawful’. This means that member states may implement laws that specifically authorize such derogation. However, member states are not unfettered. The implemented laws must not be in contravention with the provisions in the International Covenant on Civil and Political Rights, and should be ‘reasonable in particular circumstances’.
In determining the reasonableness of such limitation, references may be drawn from Siracusa Principles and case law. In short, they all emphasise the principles of legality, necessity and proportionality. Such a law has to be readily accessible and clear. It must be necessary and should be the least intrusive option to pursue the legitimate aim.
Enshrined under Art 8(1) Charter of Fundamental Rights of the European Union and Art 16(1) Treaty of the Functioning of the European Union, data protection is recognized as a fundamental right in the European Union (EU). To facilitate the increase of trade and digital activities between Member States, the General Data Protection Regulation (GDPR) was enacted in 2016 and came into force in May 2018 to replace the previous Data Protection Directives. This creates a more comprehensive coverage of enhanced rights and protections of individual’s personal data.
The GDPR formalizes 6 legal basis for personal data collection under Art 6(1). This includes:
- Performance of contract
- Compliance with legal obligations
- Protection of vital interests of data subject
- Performance for public interest
- Legitimate interests pursued by the controller or by a third party
Of the 6 legal bases for data collection, consent is the most common one since it can be applied to almost every situation, unlike the other 5 where data processor is required to reach a rigorous situational threshold.
Consent is only valid only if it is freely given, specific, informed and is unambiguous. As to the practical operation of consent required, Art 29 Working Party (WP 29) has provided further clarification on its Guidelines on Consent. While WP 29 was an advisory body replaced by the European Data Protection Board (EDPB) under GDPR, since EDPB so far has not issued anything in replacement, the WP29 document continues to serve as an interpretive guideline for GDPR and EDPB under Art 94(2) GDPR since EDPB has not issued any superseding guidelines. The Guidelines analyzed the requirements under Art 4(11) GPDR, and considered what constitutes valid consent under different situations – such as imbalance of power, bundled consent, performance of a contract etc.
Bundled consent refers to consent that is given via a written declaration that contains multiple data processing purposes. For example, a mobile application asks for consent to collect data for GPS localization in their service agreement, which may also contain a clause stating that the data will be transferred to 3rd parties for advertising purpose. By signing the agreement, the data subject consents to a ‘bundle’ of data processing purposes. Although not explicitly spelt out in the law itself, it entrenched in the ‘freely given’ element and therefore bundled consent is invalid under GDPR.
In order to determine whether the situation render consent not freely given, it is essential to determine the scope of the contract and whether the collection of data is necessary for the performance of the contract. For example, by denying the unnecessary data processing, the data subject will act to their detriment since he will also deny the processing of data for the enforcement of the contract. Thus, such consent is not ‘freely given’.#
A lot of data processing arises out of employment context, no matter whether it is for application for jobs, promotion, removal or monitoring systems in the workplace. Given the imbalance of power, employees are unlikely able to respond to their employer’s request for consent freely, since they are in fear of the detrimental effect for their refusal.
Consent is freely given if three is a real choice, and no risk of deception, intimidation, coercion or significant negative consequences if data subject does not consent. Given the inherent dominance of employer in the employer-employee relationship, it is very unlikely there is no pressure when the employee gives consent. Thus, consent should not be the legal basis for processing personal data in an employment context.
Nevertheless, processing of personal data may still likely to be legitimate under Art6(1)(b) if the employer can show that the processing is necessary for the performance of the employment contract.
Granularity refers to cases where there are multiple purposes for multiple collection of personal data. For example, service application forms may incorporate both terms and conditions of provision of the data user’s services and statements relating to the use of data collected for marketing products or services.
For multiple purpose collection, Art 7(2) and Recital 32 GDPR require consent to be given distinguishably. What this essentially means is that data subject should be given the choice to accept or reject a particular purpose, rather than having to consent to a bundle of processing purposes. A lack of granularity may invalidate consent given since it is not specific, as required under Art 6(1)(a), which is closely linked to the requirement of a freely given consent.
Performance of a contact forms a legal basis for processing personal data where it is necessary in the context of a contract or the intention to enter into a contract.
This requirement does not require a specific law for each individual processing. It is sufficient if the data user can demonstrate that the processing is necessary for the performance of a task carried out in the public interest or for official authority to exercise their power.
As suggested in Recital 46, this basis should come last in line and other legal bases under Art 6 should be exhausted first.
Personal data may be disclosed if it is of the legitimate interest of data controller, provided that the interests or fundamental rights and freedoms of the data subject are not overriding. This has to take into account of the reasonable expectations of data subjects based on their relationship with the controller
Australia does not have a clear law protecting personal privacy as such.
Unlike the Constitutions of many other liberal democracies, the Australian Constitution does not contain a right to privacy. Australia does not have a comprehensive Bill of Rights, either as part of the Constitution or as federal legislation. The ACT and Victoria do have legislated bills of rights enforceable against the territory- and state-level public agencies.
At the international level, Australia is a signatory to the International Convention on Civil and Political Rights (ICCPR), which does protect the right to privacy, but the Convention rights are not directly enforceable in domestic Australian law. The Australian Government views the Privacy Act 1988 (Cth) as implementing the ICCPR’s right to privacy. However, this implementation does not include a strong human right to privacy which can invalidate conflicting legislation, as is the case in many other jurisdictions which recognise the right to privacy in their Constitutions or Bills of Rights.
Various areas of law have evolved to protect aspects of an individual’s space and reputation, including copyright, defamation, trespass, nuisance and confidentiality.
Until about 100 years ago, there was no formal legal notion of privacy in common law countries. But in 1890, a seminal US article from Warren and Brandeis called for a ‘right to privacy’, conceptualised as a ‘right to be left alone’ to be established in law.
In Australia, there is speculation as to whether whether a right to privacy or a tort of invasion of privacy exists in common law.
An early case, Victoria Park Racing, seemed to suggest that there was no such common law right in Australia.
But in the 2000s, there was significant development of English common law on privacy, as a result of the UK Human Rights Act (1998) coming into force which gave rise to some enforceability in domestic law of European Convention on Human Rights (ECHR) rights, including privacy and free expression. In England there is no separate tort of invasion of privacy, but the courts during this period have ‘stretched’ the tort of breach of confidence to cover privacy breaches. Furthermore, in 2004, a common law tort of invasion of privacy was found to exist in New Zealand.
A more recent Australian case, Lenah Game Meats, suggested that there could be a common law tort of invasion of privacy in Australian law. The High Court did not need to rule on that specific point given the facts of the case, but refused to rule out a more ‘suitable’ future case finding the existence of a privacy tort. The High Court suggested that a more ‘suitable’ scenario would involve a natural person rather than a legal person trying to establish the privacy tort.
So far, no such case has come up to the Australian High Court but there have been various decisions in lower courts on this issue.
Rita Matulionyte Explains the Legal Protections for Privacy in Australia
The Privacy Act 1988 (Cth) protects information privacy - that is, it prescribes what ‘personal information’ organisations and federal government agencies can collect about Australians, how that information can be collected and how it must be stored, the circumstances in which the information can be used and disclosed, and what Australian citizens must be told about the information collected about them. Personal information includes things like name, address, phone number, occupation, and sensitive information like health information. Other, state-level information privacy legislation also exists, which usually applies to state government agencies e.g. Information Privacy Act 2009 (QLD).
Personal privacy in Australia is protected in a de facto way, through a myriad of laws that are not designed specifically to protect privacy but which may have that effect. For example, a person may be able to preserve the privacy of their home through trespass laws. Privacy of movement may be asserted against another individual who offends against stalking laws. Laws designed to protect reputation, such as defamation laws and passing off laws, may be used to protect a person’s privacy in some cases. Finally, there are laws which protect privacy in communications, such as breach of confidence laws and the Telecommunications (Interception and Access) Act 1979 (Cth).
The Privacy Act 1988 (Cth) contains 13 Australian Privacy Principles (APPs) in Schedule 1. These principles apply to “APP entities”.
An “APP entity” is defined in section 6 to mean a Commonwealth government agency or an organisation. Organisation, in turn, is defined in s. 6C to include individuals, but not small business operators. Small business operators are those businesses with an annual turnover of $3 million or less and which meet the other requirements set out in section 6D.
When considering the APPs, it is important to first identify whether you are dealing with personal information or sensitive information (or both). Sensitive information is defined in section 6 and includes health information.
If a person thinks that their privacy has been breached under the Act, they may complain to the Office of the Australian Information Commissioner (OAIC) under section 36. Section 40 gives the Commissioner the power to investigate the complaint, and under section 52, the Commissioner may make a determination that an APP entity has breached the privacy principles in the Act. The Commissioner may also order that the entity take steps to ensure that the breach is not repeated and to provide redress to the complainant. If an entity does not comply with the Commissioner’s declaration, then either the individual complainant or the Commissioner can apply to the Federal Court to have the declaration enforced under s.55A.
Sections 65 and 66 of the Privacy Act provide that entities must cooperate with a Commissioner’s investigation, and there are financial penalties imposed for the failure to do so.
Rita Matulionyte Explains the APPs
Requires APP entities to give individuals the option of not identifying themselves, or of using a pseudonym. Limited exceptions apply.
Outlines when an APP entity can collect personal information that is solicited. It applies higher standards to the collection of ‘sensitive’ information.
Outlines how APP entities must deal with unsolicited personal information.
Outlines when and in what circumstances an APP entity that collects personal information must notify an individual of certain matters.
Outlines the circumstances in which an APP entity may use or disclose personal information that it holds.
An organisation may only use or disclose personal information for direct marketing purposes if certain conditions are met.
Outlines the steps an APP entity must take to protect personal information before it is disclosed overseas.
Video Overview of APP 8
Outlines the limited circumstances when an organisation may adopt a government related identifier of an individual as its own identifier, or use or disclose a government related identifier of an individual.
An APP entity must take reasonable steps to ensure the personal information it collects is accurate, up to date and complete. An entity must also take reasonable steps to ensure the personal information it uses or discloses is accurate, up to date, complete and relevant, having regard to the purpose of the use or disclosure.
An APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access,modification or disclosure. An entity has obligations to destroy or de-identify personal information in certain circumstances.
Outlines an APP entity’s obligations when an individual requests to be given access to personal information held about them by the entity. This includes a requirement to provide access unless a specific exception applies.
Video Overview of APP 12
Outlines an APP entity’s obligations in relation to correcting the personal information it holds about individuals.
There has been very little case law on the application of the Privacy Act and APPs. One recent exception is the Privacy Commissioner v Telstra case involving technology journalist Ben Grubb’s metadata. Unfortunately, it is unclear in the aftermath of the case whether dynamic IP addresses constitute ‘personal information’ for the purposes of Australian privacy law. (NB It would constitute ‘personal data’ in EU data protection law.)
Mandatory data breach requirements were introduced in early 2017 as an amendment to the Privacy Act.
The amendments contain a notification scheme for certain types of data breaches involving unauthorised access/disclosure of personal information likely to lead to serious harm to individuals
The requirements are binding on APP entities, credit reporting bodies, credit providers, tax file number recipients and Internet Service Providers.
If an entity becomes aware of data breach, it must inform the federal Privacy Commissioner and inform individuals whose data is affected; if this is not practicable, the entity can publish a statement on own website.
The data breach notification scheme commences on 22 February 2018
Surveillance is the monitoring of behaviour, activities, or other changing information, usually of people for the purposes of influencing/managing/directing/protecting them (Lyon 2007). For a glossary of commonly-used terms in surveillance studies, have a look at this open access book edited by Guy McHendry.
Surveillance is by governments for intelligence gathering, prevention of crime, protection of process/group/person/object or for investigation of crime.
The extent of government surveillance powers go to heart of issues about appropriate role of the state in our lives, including:
- Rule of law
- Liberal democratic
- Public safety and security
- Civil liberties and human rights (especially privacy)
Since 9/11, the War on Terror in Western countries has seen expansion of anti-terrorism and law enforcement surveillance powers in many countries.
- Makes it an offence to intercept (listen to or record) a communication passing over a ‘telecommunications system’ without the knowledge of the person making the communication
- Also an offence to publish or retain a record of information gained in this way
- Allows access to communications content for law enforcement and national security purposes after obtaining a judicial warrant.
This Act imposes obligations on telecoms providers inc to provide assistance to law enforcement agencies for:
- enforcing the criminal law and laws imposing pecuniary penalties
- assisting the enforcement of the criminal laws in force in a foreign country
- protecting revenue
- safeguarding national security.
Most Australian government agencies are covered by the Privacy Act including AFP, Border and Crim Trac But some are not covered:
- Office of National Assessments
- Defence Intelligence Organisation
- Australian Geospatial Intelligence Org Instead, the Inspector General of Intelligence and Security provides oversight of these agencies’ activities & reviews activities for legality and propriety
Law passed in 2015 to implement data retention scheme: Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (Cth).
Telecommunications companies must retain and secure for 2 years a set of information:
- source and destination of a communication
- date, time and duration of a communication
- communication type
- location of communications equipment.
22 law enforcement agencies are able to access this information without a needing a court warrant (except if it is a journalist’s data)
Video Overview of the SPAM Act by Anna Hall
The SPAM Act 2003 (Cth) prohibits the sending of unsolicited commercial electronic messages with an Australian link. A message has an Australian link if it originates or was commissioned in Australia, or originates overseas but was sent to an address accessed in Australia.
Electronic messages include Email, SMS and instant messaging. An electronic message is commercial if it offers, advertises or promotes the supply of goods, services, land or business or investment opportunities, or if it advertises or promotes the supplier of any of these things.
Messages are SPAM if they are sent without the prior consent of the recipient. A single message may be SPAM; messages do not have to be sent in bulk.
To avoid contravening the SPAM Act, electronic messages should only be sent with the consent of the recipient, must contain clear and accurate identification of the sender and how they can be contacted, and should include an unsubscribe facility.
The financial penalties for breaching the SPAM Act are steep and indexed to the Commonwealth penalty unit ($210 from July 1, 2017). A single day’s contravention may result in a penalty of up to $420,000 (2,000x), and repeated breaches of the Act may give rise to penalties of up to $2.1 million (10,000x). [Refer - Crimes Act 1914(Cth) s 4AA(1); Spam Act 2003(Cth) s 25]
Art 21 Constitution of India ‘No person shall be deprived of his life or personal liberty except according to procedure established by law.’
There is no express provision for the right to privacy in the Constitution of India. Over the past 60 years, there was a divergence of opinion as to whether the right to privacy is a fundamental right in India, resulting in inconsistent judgments being laid down.
In 2017, it was unanimously held in Justice KS Puttaswamy (Retd) v Union of India & Ors that the right to privacy is protected as a fundamental constitutional right under the right to life or personal liberty in Art 21 of the Constitution of India. This case serves as a landmark judgment and it explicitly overrules previous judgments where it was held that there is no fundamental right to privacy.
The right to privacy under the Indian Constitution is not an absolute right. An invasion of personal liberty must pass through the 3 fold test of legality, necessity, and proportionality.
Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011
The Rules is a subordinate legislation which regulates the collection and disclosure of information by any bodies corporate. It provides for a consent requirement where businesses must obtain consent in writing through letter or fax or email from the provider of sensitive personal data or information before any collection of such information. Businesses must take reasonable steps to ensure that the person has sufficient knowledge regarding the collection.
The rules also control the disclosure and transfer of information. They are permissible in cases where prior permission is obtained from the provider or when it is necessary for the performance of the lawful contract between the business and the provider of information.
Although the implementation of security practices and standards are not mandatory under the Rules, in the event of an information security breach, businesses are required to demonstrate that they have implemented security control measures.