A Comparative Analysis of Data Protection Laws in Australia and Germany
Philippa Webb
Yale Law School
philippa.webb@yale.edu
The author would to thank Annette Marfording, Lee A. Bygrave and Tim Dixon for their many valuable suggestions
Abstract
Our control over personal information is changing as information technology allows data of greater amounts and increasing sensitivity to be collected and analysed by both public and private sectors. The challenge of protecting personal data is a global concern as information flows across borders and jurisdictions. Countries have taken different approaches to using the law to shape and limit information flows; Germany has been a pioneer in data protection legislation while Australia has reacted in a slower, ad hoc manner.
This article compares the German and Australia data protection systems, including the impact of cultural, political and economic factors on their legal content and their actual operation. It compares the systems using an ideal as a common basis to analyse their similarities and differences as well as the broader contrasts between their cultures. The article begins by assessing the extent to which privacy is protected under the Australian and German constitutions. It then examines the development and content of the legislative frameworks in each country as well as the oversight and enforcement mechanisms.
The ultimate purpose of this article is to evaluate the possibility of Australia using German concepts, institutions and laws for reform purposes. This requires a critical examination of the civil/common law dichotomy and whether it is more misleading than useful as a tool for comparative analysis. The article seeks to demonstrate that the search for solutions to contemporary challenges must take us beyond our domestic jurisdiction; there is much to be learned from other countries' innovations, especially in an increasingly interdependent world.
Keywords: Data Protection - Privacy - Privacy Legislation - Australian Privacy Law - German Privacy Law - Law Reform - Comparative Law
This is a Refereed article published on 15 December 2003.
Citation: Webb, ' A Comparative Analysis of Data Protection Laws in Australia and Germany ', 2003 (2) The Journal of Information, Law and Technology (JILT). <http://elj.warwick.ac.uk/jilt/03-2/webb.html>. New Citation (as at 1/1/04: <http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/2003_2/webb/>.
1. Introduction
The exponential growth of information technology since the 1960s has changed our lives, including our control over personal information. As part of the modern welfare state, more and more personal information is collected from individuals (Bennett, C; 1992, p. 19). That information is also increasingly sensitive (Simitis, S; 2002, p. 1). At the same time, technology has given us the ability to correlate and manipulate this data through computer matching and profiling (Bennett, C; 1992, p. 19). It is therefore unsurprising that surveys reflect rising levels of public concern about privacy. Public opinion research by the Australian Federal Privacy Commissioner in 2001 suggested that Australians' concerns about privacy issues rank among the highest in the world (<http://www.privacy.gov.au/publications/rcommunity.html>). A 1999 IBM Survey showed 50 per cent of German consumers had refused to give information on websites because of privacy concerns (Dixon, T; 2001a, p. 18).
Although the challenge of protecting personal data is almost universal, countries have developed different legal responses at different rates. Germany has been a pioneer while Australia has lingered behind. In this context, this article compares the German and Australia data protection systems, including the impact of cultural, political and economic factors on their legal content and their actual operation. The ultimate purpose is to evaluate the possibility of Australia using German concepts, institutions and laws for reform purposes.
1.1 Definition and Scope
Privacy is very difficult to define because its meaning varies widely according to context. Westin, a seminal author on privacy, says the concept is 'part philosophy, some semantics and much pure passion' (1967, p. x). This article adopts Gavison's definition because it is straightforward yet captures the multifaceted nature of privacy. According to her, privacy has three elements: secrecy ('the extent to which we are known to others'), solitude ('the extent to which others have physical access to us') and anonymity ('the extent to which we are the subject of others' attention') (1980, p. 428).
Given the breadth of this topic, this article will restrict its focus to a specific aspect of privacy - data protection, also known as information privacy.[1] It will concentrate on the overall mechanisms in place to protect personal information rather than specific sectors such as health care, which have distinctive issues associated with them. Finally, this article will focus on federal data protection laws in Germany and Australia and only refer to noteworthy state or länder provisions.
1.2 Methodology
This article adopts a comparative law approach to take account of the impact of cultural, political and economic factors on law as it actually operates in practice.[2] This approach is necessary because the 'law in action' may be entirely different from the letter of the data protection laws in both countries (Reitz, JC; 1998).[3] This article's methodology is mainly influenced by Reitz who recommends explicit comparison using an ideal as a common basis (1998, p. 622). In comparing Australia and Germany to the ideal, this article analyses their similarities and differences as well as the broader contrasts between their cultures. Instead of presenting objective reports on each country and leaving comparison until the end as advocated by Zweigert and Kötz (1992), the article takes Reitz's approach (1998, p. 634) of breaking the subject into natural units and making every part comparative.
This type of comparative analysis involved going beyond simply examining the data protection laws by undertaking a detailed study of the literature and conducting expert interviews and media research.
Academic literature on privacy placed the two systems in context by providing information on the legal frameworks, competing interests and policy choices. Given the rapid developments in technology and the evolving legal instruments, this article focuses on material published in the last two years. However, it also refers to two earlier works because of their groundbreaking comparative analysis and important historical insights (Flaherty, D; 1989 and Bennett, C; 1992). In order to understand how personal information is handled in practice, the article looks beyond the black letter law to political science, philosophy and history. It also utilises a variety of types of sources to enable more complex comparison. Sources include speeches, government documents, annual reports, publications by non-government organisations and articles by privacy experts, judges and administrators. Being unable to speak German has unfortunately restricted access to German language materials. Although I obtained translations of the important laws and some articles, this article cannot claim to represent the complexity of the debates about data protection in Germany. Nonetheless, the German words for important terms are included in case there are nuances lost in the translation.
This examination of the available literature was enriched by in-depth interviews with two leading experts involved in policymaking and the practice of privacy law in Australia and Europe: Tim Dixon and Lee Bygrave. The interviews were directed at the gap between the 'law on the books' and the 'law in action'. The interviews were complemented by media research into public opinion and news articles on the latest regulatory developments.
Despite the constraints on the research, the combination of interdisciplinary sources and interviews allows more than a mere juxtaposition of the laws of Germany and Australia; it enables a critical evaluation based on a variety of perspectives.
1.3 The Ideal
By using an ideal, this article explicitly adopts a normative argument about how personal information should be protected. This is appropriate because privacy is a moral issue entangled with 'social and political dilemmas about the role of public and private institutions and the use of various technologies' (Dixon, T; 2001b, p. 1) (<http://www.austlii.edu.au/au/journals/UNSWLJ/2001/1.html>). It is justifiable to apply the ideal to Australia and Germany because the dilemmas posed by technology and information flows transcend national borders.
Reitz (1998) points out the dangerous tendency to use the ideals of one's own system as the normative measure. To avoid this, the ideal is based on the common requirements of the leading international instruments on privacy, Directive 95/46/EC of the European Parliament ('EU Directive') (<http://www.bfd.bund.de/europa/EU_richtl_en.html>) and the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980) ('OECD Guidelines') (<http://www.oecd.org/EN/document/0,,EN-document-43-1-no-24-10255-43,00.html>)[4] and expert interviews. It comprises seven elements:
-
Clarity of interests and values that are to be protected, supported by public awareness and education;
-
Comprehensive laws applying across sectors, individuals and organisations;
-
Systems-active rules that integrate data protection concerns with the development and functionalities of information technology;
-
Purpose limitation and justification through limits on the collection of information to that which is relevant, necessary and justified;
-
Oversight and enforcement by a well-resourced, independent body with adequate jurisdiction;
-
Access to justice for review and redress; and
-
Adaptability to changes in technology and the regulatory environment.
1.4 Outline
The substantive part of this article is divided into three parts corresponding to the main sources of law and the supporting legal infrastructure. The first part compares the extent to which privacy is protected under the Australian and German constitutions and its interpretation in the courts. The second part examines the development and content of the legislative frameworks in each country. The oversight and enforcement of these laws is considered in the third part. The article concludes with an evaluation of each system against the ideal and the implications for the civil/common law dichotomy and law reform.
2. Constitutional Protections and Case Law
2.1 Australia
Even though the Australian legal system recognises and protects human rights in many ways[5], there is no overarching instrument that safeguards such rights, such as Bill of Rights. The absence of a constitutional right to privacy has an insidious effect on data protection. Although it has little significance for the constitutionality of privacy legislation[6], it has led to a highly restrictive mode of judicial review.
Greenleaf (2001, p. 1) argues the absence of a Bill of Rights means Australian courts do not have a 'convenient platform in domestic law from which to develop privacy law as an aspect of human rights'. This was vividly demonstrated in Victorian Park Racing & Recreation Grounds Co Ltd v Taylor where the High Court rejected a general right to privacy.[7] Latham CJ, Dixon and McTiernan JJ held no authority could be found for such a right, however desirable it might be.[8] Kirby J later reflected that this case came at a time when Australia was 'chained to the English law' (2001, p. 2) (<http://www.austlii.edu.au/au/journals/UNSWLJ/2001/2.html>). Nonetheless, even when the High Court was no longer subject to the Privy Council, the ratio remained unquestioned until 2001.[9] In ABC v Lenah Game Meats, the High Court finally suggested that the limited recognition of the right to privacy could change in the future. Gummow and Hayne JJ stated that, 'Victoria Park does not stand in the path of the development of such a cause of action… the decision does not stand for any proposition respecting the existence or otherwise of a tort identified as unjustified invasion of privacy'.[10] However, a close reading of this case suggests that the most that can be expected from any future High Court's consideration of the right to privacy is only a broader application of the right of action arising from a breach of confidence.[11] Therefore, privacy continues to be protected by the courts merely as a 'by-product' of the protection of other interests such as breach of confidence, defamation, nuisance, and trespass (Taylor, G; 2000, p. 247), which is far from a general law of data protection.
2.2 Germany
In contrast to Australia, Germany's Basic Law (Grundgesetz) contains a catalogue of human rights.[12] The ones relevant to data protection are the inviolability of human dignity (article 1(1)), the right to free development of one's personality (article 2(1)) and the privacy of letters, posts and telecommunications (article 10).[13] Articles 1(1) and 2(1) are related to rights of the personality (Persönlichkeitsrechte) and the protection of the private sphere (Privatsphäre) (Riccardi, JL; 1983).
The impact of the rights contained in the Basic Law was significantly increased by the Lüth case.[14] The Federal Constitutional Court ('FCC') held that individual rights are not just defensive rights of the individual against the state, but the Basic Law actually 'erects an objective system of values'. Consequently, basic rights 'must apply as a constitutional axiom throughout the whole legal system'. Limbach (2000, p. 429), former President of the FCC, sees Lüth as leading to the 'omnipresence of rights in the process of interpreting and applying ordinary statute law'. This encouraged a mode of judicial review that was more willing to develop affirmative duties.
Lüth lay the foundation for the landmark Census Case in 1983 where the FCC struck down parts of the federal Census Act for lack of data protection guarantees for questions about rent and housing.[15] In the process, the FCC found a 'right to informational self-determination' (informationelle Selbstbestimmung) derived from articles 1(1) and 2(1) of the Basic Law.[16] The justices held the fundamental right of the free development of personality 'guarantees the individual the authority to decide for himself [sic] about the disclosure and use of his personal data' (translated in Reidenburg, JR and Schwartz, PM; 2002, p. 14) (<http://europa.eu.int/comm/internal_market/en/dataprot/studies/regul.pdf>). Moreover, the state has an obligation to create legislation that authorises and regulates data collection and processing of personal data.[17]
2.3 Evaluation
Bennett (1992, pp. 195-200) argues that the constitution of a country is a minor factor in explaining the content and form of data protection compared to external forces such as elite networking. This may be true of the sample of countries he compares (US, UK, Britain and West Germany), but I believe that the constitutional differences between Australia and Germany have a powerful explanatory force. Taylor (2000, p. 272) also comes to this conclusion after discussing privacy in the context of defamation law; he says:
'In… Germany, constitutional provisions played an important part in the creation by courts of right of privacy in private law… In contrast to this, there is just no foothold whatsoever for a right of privacy in the Australian Constitution.
The strong constitutional commitment to human rights underpins the German judiciary's willingness to make law to protect privacy. Contrary to Merryman's (1995) 'slot-machine operator' view of the German judge, the FCC has engaged in more norm-making and innovations than the High Court in the area of privacy. Former Australian Chief Justice Mason (1998) rightly suggests there are grounds for believing that Australia is 'not as deeply committed to judicial protection of human rights' as other nations which possess a Bill of Rights.
The different cultures of Germany and Australia, especially historical factors, have also shaped attitudes to data protection. The German experiences in the 1930s and 40s under the Nazi regime and the horrors of the Gestapo and Stasi created an awareness of the vulnerability of ordinary people to invasions of privacy and, as a result, a strong belief in the need to protect privacy rights. There is still an historical fear that 'public officials [cannot] be trusted with personally related data or with the sole control over new technologies' (Bennett, C; 1992, p. 234). The complete disregard for personality rights and human dignity under the Third Reich prompted the focus on such rights in the Basic Law (Taylor, G; 2000, p. 249). Moreover, in the 1970s, there was a rising consciousness of post-materialist issues such as the environment and nuclear power. Data protection resonated with this political culture and achieved a high priority on the government's agenda.[18] Bygrave's (Interview, 18 October 2002) impression is that:
Germans generally take data protection very seriously and this is reflected partly in the extensive amount of… policy documentation (government-commissioned reports), case law, and public discussion… and multiple academic journals, reporters, newsletters devoted specifically to privacy.
Further evidence is the response to a recent survey of citizens on their experiences with implementation of the EU Directive. Of 9156 replies from 16 European countries, 3425 (37 per cent) were from Germans, more than France, UK, Denmark and Sweden combined (<http://europa.eu.int/comm/internal_market/en/dataprot/lawreport/consultation_en.htm>)
Australians express concern about privacy when questioned in polls, but have a fairly passive attitude in practice. They have not experienced first-hand the events that could raise privacy issues in public consciousness, such as a revolution or dictatorship, and their British heritage puts trust in parliamentary sovereignty to protect individual rights.[19] The Constitution was drafted in a time of peace through a series of conferences. The main concerns were procedural issues, such as balancing state and federal rights, rather than protecting human rights. As Bygrave (Interview, 18 October 2002) puts it:[20]
I firmly believe that much of the Australian reluctance to introduce stringent privacy rules is due to the fact that (white) Australia has never experienced Fascism at first hand, whereas Germany has.
This diffident attitude towards privacy issues could also be related to how privacy rights are presented in public discourse; Dixon (Interview, 23 October 2002) observes:
I have been doing interviews on privacy issues for 10 years. In the early days I quickly realised that the idea of 'citizens' rights' did not resonate with Australians. However, once I started talking about 'consumer rights', I got a reaction. That is what most people will respond to, and it reflects how they see themselves.
This observation is supported by the major event in the history of Australian privacy - the defeat of the Australia Card in 1987. This proposal for a national identification scheme was something 'tangible' that Australians could engage with; it had a definite physical token that would need to be carried by Australians and presented as evidence of who they were, and it therefore had concrete implications for their status as consumers (Dixon, T; Interview, 23 October 2002). The ensuing protests led to the establishment of the Australian Privacy Foundation and generated a fever of controversy on talkback radio and hundreds of letters to editor: 'there has never been a debate like it on the letters page; there has never been such a cry of opposition from the nation over one topic' (Clarke, R; 1998, p. 1) (<http://www.anu.edu.au/people/Roger.Clarke/DV/OzCard.html>). However, while this activism defeated the specific scheme, it did not prompt debate about constitutional protection for privacy rights. It seems that privacy, like freedom of expression, is an ethereal concept for many Australians and the interests and values that it protects are not strongly articulated or protected by the Constitution or the courts. It was therefore left to statute to protect personal information.
3. Statute
3.1 Australia
3.1.1 Development
The development of Australia's privacy legislation has been a slow, reactive process. Australia passed the Privacy Act 1988 (Cth) ('Privacy Act') at a time when many other industrialised countries were already implementing second or third generation privacy laws (Dixon, T; 2001a, p. 3). It was a delayed response to the recommendations of the Australian Law Reform Commission ('ALRC') in its report on privacy in 1983. Although the ALRC noted that there is a tendency for large institutions to use new technology without paying appropriate attention to the private interests of individuals, it was reluctant to 'create an entirely new and separate body of jurisprudence about privacy' (1983, para 731). Consequently, the report recommended only modest statutory protections and rejected public listing of record systems storing personal information, licensing of record systems, and providing criminal remedies or damages for breach of privacy standards (Bygrave, LA; 1990, p. 135). It was a report marked by caution, complacency and a desire to avoid legislative measures that would burden government (Bygrave, LA; 1990, p. 137).
When the Government finally came to draft the Privacy Bill three years after the ALRC Report, it expressed even less enthusiasm for implementing privacy measures. The 1986 Privacy Bill was significantly weaker than the ALRC's Draft Privacy Bill (1983). In the end, the Government was forced to amend the Bill when the opposition parties in the Senate refused to pass the Government's Tax File Number legislation without a strengthened Privacy Bill being tabled (Bygrave, LA; 1990, p. 138). The delay between the ALRC report and the Bill as well as the context of political legislative bargaining suggest that the Privacy Act was introduced reluctantly and largely functioned as 'symbolic' legislation (Bygrave, LA; 1990, p 153).
In 2000, the Privacy Amendment (Private Sector) Act 2000 (Cth) ('Private Sector Act') extended regulation to the private sector. This legislation was driven by the strong business orientation of the Federal Government, and only came about after two policy reversals in 1997 and 1998. Dixon (2001a, p. 5) points to three main influences: first, the Victorian Government was threatening to go ahead with its own private sector legislation; second, the EU Directive imposed complex legal requirements on trade in personal information with countries without 'adequate' protections; third, there was pressure from information industry groups because research indicated privacy protection was vital to consumer confidence in new technologies. Through this combination of economic and political forces, Australia had a data protection framework in operation by December 2001.[21]
3.1.2 Content
Privacy Act 1988 (Cth)
The Privacy Act (ss. 14-16) creates a set of eleven Information Privacy Principles ('IPPs'), based on the OECD Guidelines, covering the activities of Federal agencies. It also sets out rules on consumer credit information and guidelines on tax file numbers that apply to public and private sectors. IPPs can be waived through a 'Public Interest Determination'. However, since this involves a complex consultation process and is subject to disallowance (ss. 71-80), only a handful of Determinations have actually been made (Waters, N; 2001, p 4) (<http://www.austlii.edu.au/au/journals/PLPR/2000/6.html>). A definitional problem is that IPPs apply to 'records' not the information itself, and 'record' excludes 'generally available publications' (s. 41(4)). In practice, this means the Act cannot address the secondary use of public registers. Further problems are that only citizens and permanent residents have the right to seek rectification of personal information (s. 41(4))[22] and there are no special provisions for 'sensitive data', which includes data on people's racial origin, political opinions, religious beliefs, health and sexual orientation.
Privacy Act Amendment (Private Sector) Act 2000 (Cth)
The heavy influence of economic interests is seen in the Private Sector Act. It establishes a co-regulatory scheme that allows organisations to choose between abiding by National Privacy Principles ('NPPs') (Schedule 3) or developing their own 'equivalent' Code of Practice (Pt IIIAA). The Federal Privacy Commissioner has already approved the two such codes (<http://www.privacy.gov.au/news/media/02_4.html> and <http://www.privacy.gov.au/news/media/02_17.html>). Dixon says that the input of business into the design of the Private Sector Act is 'very measurable': on the committee that developed the NPPs business representatives outnumbered consumer and public interest representatives by more than three to one (Interview, 23 October 2002).
Clarke has called the Private Sector Act 'the world's worst privacy legislation' (quoted in EPIC; 2002, p. 104). This is an extreme view, but it makes the point that the Act is riddled with exemptions that favour business and government. A significant exemption is for 'employee records' (s. 7B(3)), which leaves information on health, contact details, salary and performance unprotected. Media organisations and political parties are also given comprehensive exemptions from data protection requirements (ss. 7B(4), 7C).
The most significant exemption is for small businesses with annual turnovers under $A3m and that do not disclose personal information for a benefit (ss. 6C(1), 6D)[23]. This exempts about 94 per cent of Australian businesses (House of Representatives Legal & Constitutional Affairs Committee; 2000, p. 11) (<http://www.aph.gov.au/house/committee/laca/Privacybill/contents.htm>). Moreover, Waters (2001, p. 18) observes if organisations combine the 'small business' exemption with the special rules for 'related bodies corporate' (Privacy Act, s. 13B), they could transfer personal information between entities without the normal application of the notice, use and disclosure requirements. This could severely weaken the effectiveness of Australia's data protection regime.
These problems with the Private Sector Act have attracted the attention of the European Commission, which is progressively reviewing the data protection frameworks of its trading partners.[24] The Working Party set up under Article 29 of the EU Directive expressed eight reservations about the Act and recommended additional safeguards (Hughes, A; 2001, p. 1) (<http://www.austlii.edu.au/au/journals/UNSWLJ/2001/5.html>).[25] The Attorney-General said the reservations 'display an ignorance about Australia's law and practice' (Quoted in EPIC; 2002, p 105). He admitted that Australia and the European Commission would 'obviously' continue to negotiate, but 'Australia will only look at options that do not impose unnecessary burdens on business'. This interchange demonstrates the tension between the Government's desire to minimise the regulatory burdens on domestic business and its commercial interest in transborder data flows.
Freedom of Information
The Freedom of Information Act 1982 (Cth) ('FOI Act') establishes a legal right of access to official Federal Government documents, including personal files (ss. 11, 50). However, the right of correction only applies to Australian citizens and permanent residents (ss. 11, 19(1)(b), 48) and there are multiple exemptions (ss. 33, 33A, 36, 45).[26] Moreover, in terms of the 'law in action', budget cuts have severely restricted the capacity of the Attorney-General and Ombudsman to support and monitor the FOI Act (EPIC; 2002, p. 112).
3.2 Germany
3.2.1 Development
The Länd of Hesse passed the world's first data protection act in 1970 (Bennett; 1992, p. 77). From this auspicious beginning, the Federal Data Protection Act 1977 (Bundesdatenschutzgesetz) ('BDSG') had a difficult birth. Its genesis was in elite networks including the National Conference of Lawyers (Deutsche Juristentag), which promulgated a series of principles in 1972, as well as a 'policy community' of international experts who exchanged information on data protection practices in their jurisdictions (Bennett, C; 1992, pp. 78, 151). The legislation was driven by the evolving Länder regulations as well as public concern over rapid developments in information technology (Bennett, C; 1992, pp. 78, 120).
The Bill took over seven years of debate; few German laws have had such a 'complicated legislative history' (Simitis, S quoted in Bennett, C; 1992, p. 81). Bureaucrats resisted scrutiny by the proposed oversight body and the Länder fought to organise and control their public agencies. Consequently, the Bundesrat refused to approve the Bill and a Joint Conference Committee was convened. The Bundestag, supported by public opinion in favour of privacy rights, pushed through a compromise (Bennett, C; 1992, p. 212). The law was reviewed in 1990 and amended in 1994, 1997 and 2001. While the BDSG covered both public and private sectors from the outset, it did differentiate between the two. However, this differentiation has decreased, particularly after the 2001 amendments.
In 1997, the Government passed the Teleservices Data Protection Act ('Teleservices Act'), the first data protection legislation specifically addressing the online environment (Bygrave, LA; 2002, p 379) (<http://www.austlii.edu.au/au/journals/UNSWLJ/2001/6.html>).
3.2.2 Content
The BDSG covers the collection, processing and use of personal data by public federal and länd authorities (if not covered by länd law) and private companies which process and use data commercially (EPIC; 2002, p. 183). The BDSG requires that automated files are registered with the Federal Data Protection Commissioner and that information about their systems be published in the official bulletin (s. 39(1)). The police, military and tax authorities are exempt from the publishing requirement (s. 39(1)).
The EU Directive had a significant impact on the BDSG. According to the Directive, Germany should have harmonised its laws by October 1998 (EPIC; 2002, p. 183). After a threat of court action, German passed an amending bill which came into effect in May 2001. Although its response was delayed, Germany made substantial revisions including regulations on transmitting personal data overseas, anonymisation, and sensitive data. Moreover, companies that handle personal data must appoint an internal data protection officer to monitor data processing, familiarise employees with the BDSG and advise on the selection of persons to be employed in processing personal data. [27]
In addition to the BDSG, nearly all German statutes dealing directly or indirectly with the handling of personal information contain references to the relevant data protection law or carry special sections that reflect the right to privacy (EPIC; 2002, p. 186). In this way, data protection is infused throughout the legal system. However, there are two problematic aspects of the German regime. First, there is no general Freedom of Information act. The rights of access and correction in the BDSG are limited and many agencies are exempt (ss 13(3)(1), (2) and (3)). In June 2001, the Government presented the design for a Freedom of Information act, but the Bundenstag elected not to enact it in 2002.[28] Second, as discussed below, the Federal Data Commissioner still functions essentially as a mere ombudsman.
3.2.3 Recent Developments
Recent events have raised concerns that Germany's privacy protection is decreasing. After September 11, the Interior Ministry announced plans for encrypted biometric identification cards for all citizens (EPIC; 2002, p. 190). Germany also has draft legislation requiring emails and website address records to be retained by Internet Service Providers and the Office for the Protection of the Constitution has been given direct access to information held by banks, the postal service and airlines (Economist; 2002, p. 22). In the judicial sphere, in 2003 the FCC ruled on two cases involving another aspect of privacy: the limits of police investigatory powers and the freedom of the press. The Court found surveillance of journalists' mobile phone communication to be justified and proportional in some circumstances such as cases involving grave offences. These decisions have understandably been denounced by journalists, but have also attracted criticism for the uncertainty created about information collected on uninvolved or innocent persons and the weighing of the freedom of the press against the gravity of the offences (Albers, M and Witzke, S; 2003, pp. 655, 660).
3.3 Evaluation
Both Australia and Germany drafted data protection laws in the context of internal and external pressures, federal-state friction, political bargains, commercial interests and social concerns. Germany emerged with a fairly comprehensive BDSG covering the public and private sectors and with provisions for data protection in all relevant statutes. On the other hand, Australia's Privacy Act addressed the public and private sectors 13 years apart, mixes sectoral and co-regulatory approaches, and includes wide exemptions. As Dixon (Interview, 23 October 2003) puts it:
From a distance, Australia's privacy legislation looks like Hadrian's wall when it was first built - it went for miles, it was 16 feet high, it was big and grand and kept the barbarians out. But the reality is a lot more like Hadrian's wall today - people find their way over it, they find the weak points and enlarge them, and they start to get around it. Then, you look back and realise the wall is only 3 feet high and everyone is hopping over it.
These disparate outcomes can partly be explained by the starting points for each law. The BDSG was drafted in the wake of Hesse's pioneering legislation with inputs from domestic and international experts. Australia's Privacy Act came eleven years later in reaction to economic and political pressures. Interestingly, both laws state their purpose in human rights terms: the BDSG aims to protect the individual against violations of their right of personality (s. 1), while the Privacy Act intends to give effect to the right of privacy under article 17 of the International Covenant on Civil and Political Rights (Privacy Act, Preamble). However, the scope of Australia's law is restricted, and it contains discriminatory provisions against foreigners (e.g. s. 41(4)). Since economic factors had a large impact on its drafting, its exemptions favour commercial interests such as small businesses. In contrast, Germany's exemptions tend to be for the police or the military.[29] The focus of Australia is the 'protection of mere data' rather than the 'protection of people's privacy' (Clarke, R; 2001, p. 4) (<http://www.austlii.edu.au/au/journals/UNSWLJ/2001/8.html>), while Germany's law protects individual rights subject to state security.
Each government's position on data protection has also shaped how the statutes work in practice. In Germany, the Government's overall approach has been respectful of privacy rights, although this must be qualified by the recent counter-terrorism measures and the failure to pass FOI legislation. In Australia, the Government has given the private sector generous exemptions and autonomy to develop their own rules. Its approach is pragmatic rather than being oriented towards the protection of human rights. Dixon (Interview, 23 October 2002), who was involved in drafting committees for the Private Sector Act, observes:
The policymaking process does not convince me that the policymakers are all that committed to a particular set of outcomes - the attitude was 'well, if we put in a general framework, the political problem will go away'.
This reluctance to do more than is necessary is also evidenced by the resistance of the Federal Parliament to the suggestion of the Privacy Commissioner that its Members be subject to a code of conduct incorporating the IPPs (Waters, N; 2000, p. 6) (<http://www.austlii.edu.au/au/journals/PLPR/2000/6.html>).
The Australian and German Governments have also responded to international privacy instruments differently. To some extent this reflects a wider political debate in Australia about whether Australian society should follow the pro-business, anti-regulation model of American society, or the more process-oriented social democratic model of European states.[30] The current Australian Government leans strongly towards the former model, and this is reflected in the repeated references to 'light-handed' regulation in relation to the Privacy Act's coverage of business (Attorney-General; 2000) (<http://www.ag.gov.au/privacy>). Although Australia was critical of the European Commission's concerns and has not made the requested amendments, Germany responded with substantial, albeit delayed, improvements. While Germany's responsiveness can be partly explained by its membership of the EU, non-EU jurisdictions such as Canada, New Zealand and Hong Kong have amended their laws to meet EU standards. Australia is obviously conscious of the international dimension of data protection,[31] but its policies appear to be driven by the influence of domestic political factors and a resistance to European-style regulation.
An overall difference between the two legislative frameworks is the extent to which the laws are 'systems-active'.[32] Do they directly address the quality of the information systems supporting data protection? While some of Australia's NPPs and IPPs may imply that systems must be configured to ensure compliance, the structure and design of these systems is taken for granted. On the other hand, German legislation is characterised by 'systemic data protection' (systemdatenchutz) which integrates data protection concerns with the development and functionalities of information technology (Bygrave, LA; 2002, p. 378). Bygrave (Interview, 18 October 2002) calls this the 'greatest strength' of the German legislation. For example, the BDSG's provision for transactional anonymity positively requires the reconfiguration of information systems to ensure a high degree of compliance (s. 3a; see also Teleservices Act, s. 4(6)). Moreover, the Ministry of Economy and Technology recently presented a software prototype that would let consumers make anonymous internet purchases; this is part of a Government-sponsored project called 'Data Protection in Teleservices' (DASIT) (EPIC; 2002, p. 187) . In contrast, the Australian Privacy Act's requirement for anonymity simply states 'wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation' (NPP 8). This exemplifies the tendency for Australian data protection law to be 'systems-passive' (Bygrave, LA; 2002, p. 366); this passivity is consistent with the reactive origins of the law and the Government's emphasis on appearance rather than substance. It is also exacerbated by the mechanisms for oversight and enforcement discussed below.
4. Oversight, Enforcement and Access to Justice
4.1 Australia
The Privacy Act is enforced by the Office of the Federal Privacy Commissioner (<http://www.privacy.gov.au>). Its functions include handling complaints, auditing compliance, promoting community awareness and advising the Government on privacy matters (Privacy Act, s. 28). Only New South Wales and Victoria have State Privacy Commissioners (<http://www.lawlink.nsw.gov.au/pc.nsf/pages/index> and <http://www.privacy.vic.gov.au/>). Under the co-regulatory scheme, private organisations can have a Code Adjudicator to fulfil some of the Commissioner's functions (Privacy Act, Pt IIIA). Although the Office has theoretically been independent since July 2000, it has been subject to a range of budgetary pressures especially in the 1990s (Waters, N; 2001, p. 10). Dixon says that the Attorney-General's office has regularly called the Commissioner's office when it was dissatisfied with a comment or decision, and that the Commissioner is very conscious of the six-monthly Senates Estimates Hearings which examine his budget, advice and cases (Interview, 23 October 2002). While accountability for resources is important, the intense and often politicised scrutiny tends to make the Commissioner risk-averse.
During 2000-2001, the Office received 8500 enquiries of which nearly 50 per cent fell outside jurisdiction (Federal Privacy Commissioner; 2001, pp. 36, 46) (<http://privacy.gov.au/publications/01annrep.pdf>). The complaints outside jurisdiction were mainly about private sector records, public registers and exempt government agencies. Even though jurisdiction was extended to the private sector in December 2001, the exemptions for small businesses and employee records meant 45 per cent of complaints still fell outside jurisdiction in the first half of 2002 (Pridmore, B; 2002, p. 2). This large proportion of out-of-jurisdiction complaints suggests the legislation's limited scope renders it irrelevant in many cases.
The Commissioner has legally binding powers (Privacy Act, Pt V), but these are rarely exercised in practice. Instead, the Office states 'cooperation and education is [its] first preference' (Pridmore, B; 2002, p. 6). In fact, in the history of the Privacy Act, the Commissioner has only made two section 52 determinations (Greenleaf, G; 2001, p. 4) even though this is arguably the greatest power because it can be enforced by the Federal Court (Privacy Act, s. 55A). Another potentially significant provision is the injunctive power under section 98, but it has never been used (Greenleaf, G; 2001, p. 5). This tentativeness may be exacerbated by the high turnover of staff in the Commissioner's office. Few staff stay longer than two or three years (Dixon, T; Interview, 23 October 2002), which could prevent a deep level of experience and the confidence to use legally binding powers. Another deterrent against strict enforcement could be section 29(a) of the Privacy Act, which instructs the Commissioner to have regard to, inter alia, 'the right of government and business to achieve their objectives in an efficient way'.
A further weakness is the limited right of appeal. The Commissioner and Code Adjudicators can have determinations enforced by the Federal Court after a de novo hearing, and are subject to judicial review on points of law (Privacy Act, ss. 55A, 61). However, there is no provision for complainants to appeal against an adverse decision by the Commissioner. This means that while a respondent organisation has a right of appeal on the merits of a complaint (by refusing to comply with a determination or having their case re-heard in court), a complainant can only appeal against a procedural defect (Waters, N; 2001, p. 23).[33] This creates the unusual situation where a complainant has 'no redress against a questionable but reasonable application of the law to the facts' (Greenleaf, G; 2001, p. 3). A pragmatic, economic reason for this limit on the access to justice is that the Commissioner's Office has no separate budget allocation for legal representation (Dixon, T; Interview, 23 October 2003). This scarcity of resources could make the Commissioner reluctant to amend the law to allow for more potential legal challenges.
4.2 Germany
The Federal Data Protection Commission (Bundesbeauftragte für den Datenschutz) ('BFD') supervises the BDSG (<http://www.bfd.bund.de>). Each länd has a commission to enforce the länd data protection laws. The BFD is complemented by internal data protection officers in agencies and companies. Like the Australian Commissioner, the BFD's independence is compromised by having to negotiate with the Ministry of the Interior for its budget and staff even though BFD's Commissioner is expected to be 'independent in the performance of his or her duties and subject to the law only' (BDSG, s. 22).
BFD staff are organised into divisions dealing with specific aspects of data protection such as health care or statistics. Many employees have a legal background as well as training in computer science and information processing, and the BFD 'takes pride' in the considerable expertise of its staff (Bennett, C; 1992, p. 182).
The BFD monitors compliance through supervision, investigation and auditing based on a systematic annual plan and individual complaints. The BFD has virtually unlimited monitoring rights, but its powers of enforcement are weak. Unlike the Australian Commissioner, the BFD cannot issue legally binding orders (BDSG, ss. 24-26). If it discovers a violation, it can only submit a complaint to the relevant authority and hope that political, public and media pressure will force agencies to correct the irregularities (BDSG, s. 25). The BFD therefore emphasises its educative and advisory functions. For example, it makes recommendations on the improvement of data protection to the Federal Government and advises on the implications of legislative proposals (BDSG, s. 26). This work has been very influential on the 1990 amendment to the BDSG and the implementation of the EU Directive into German law (<http://www.bfd.bund.de/information/dataprotec_en.html>).
Access to justice for individuals is less relevant because the BFD only issues recommendations not legally binding orders. Nonetheless, if an individual wants to use the courts, Germany has a principle of compulsory representation supported by generous legal advice, legal aid provisions and legal expenses insurance (Foster, N; 1996, pp. 110, 113, 115).
4.3 Evaluation
The difference in how the Australian and German Commissioners exercise their powers is illustrative of the gap between text and practice. The BFD's advisory role is enshrined in the BDSG and reflected in the 'law in action'. The fact that the 2001 amendments did not give the BFD binding powers, also suggests it is working well as it is.[34] Bygrave (Interview, 18 October 2002) believes:
The effectiveness of the([BFD) seems to be the result of a combination of factors, most notably the seriousness with which Germans generally take data protection, the relatively conformist political and bureaucratic culture, and the strong personalities of the men who have been appointed Commissioner.
These factors, in addition to the well-qualified staff, provide a supportive basis for the BFD's activities. On the other hand, the Australian Commissioner works under close Government scrutiny with relatively inexperienced personnel. This instability is expressed through contradictory actions. The Commissioner refrains from exercising his binding powers, yet does not have a systematic method of informal enforcement. The text of the Privacy Act suggests the Commissioner is mainly engaged in investigations (ss. 36-51), determinations (ss. 52-53B) and enforcement (ss. 54-62), but the latest annual report reveals that a lot of time was spent on ad hoc public relations activities such as presentations and networking with organisations (Federal Privacy Commissioner; 2001, pp. 33-35). There seems to be a closer relationship between text and practice in the activities of the German Commissioner.
The differences between the Australian and German oversight and enforcement schemes can also be traced back to the political commitment to privacy as a human right. The historical experiences of each country are once again informative, as is the underlying constitutional framework. Hans Peter Bull, the first German Federal Data Protection Commissioner says the BDSG was 'not a law to protect data, but to protect the citizen' (Quoted in Flaherty, D; 1989, p. 34). In contrast, Australia's Office of the Federal Privacy Commissioner emphasises 'giv[ing] organisations a fair chance to get it right'(Pridmore, B; 2002, p. 6). Australian Commissioners have not seen themselves as privacy advocates; they have 'preferred backroom negotiations with government agencies and networking with business, rather than being the champion of individuals' privacy rights' (Dixon, T; Interview, 18 October 2002). Consequently, oversight and enforcement of the Act is guided by a pragmatic assessment of how to achieve specific results, rather than a more comprehensive vision of strengthening privacy rights.
5. Conclusions
5.1 Measuring Up Against the Ideal
The strengths and weaknesses of the Australian and German data protection systems have been evaluated throughout this article. This section will now summarise how each system measures up against the ideal established in the introduction.
In terms of clarity of interests and values, German law reflects a strong sense of the human rights dimension of privacy, expressed through the right of informational self-determination. Australian law is more ambivalent about the interests to be protected; although the legislation mentions human rights, the content mainly reflects economic factors. There is no explicit right to privacy in the Constitution and the courts have been reluctant to imply one.
Germany's data protection legislation is more comprehensive than Australia. It applies across sectors and has only a few exemptions based on the democratic state or national security. Australia's law is more ad hoc; it addresses different sectors, contains broad exemptions, and gives private organisations the option of developing their own codes. Australia's law is also more 'systems-passive' than Germany and fails to integrate regulatory requirements with information systems. Germany's detailed regulations are better at limiting the collection of information to that which is relevant, necessary and justified. The Australian system has poor control over sensitive data, which is exacerbated by the limited jurisdiction of the Commissioner and the disjunction between legal powers and the reliance on soft measures. Although Germany's BFD also suffers from constraints on its independence, it has an effective system of informal enforcement complemented by internal data protection officers. German citizens also have greater access to justice and exhibit high levels of public awareness. In contrast, users of the Australian system cannot appeal the Commissioner's decision and the level of education about privacy is low; as Dixon (Interview, 23 October 2002) says:
If you look at the issues that fill the 6:30pm current affairs shows, they are concrete issues like consumer ripoffs and unsafe products. Due to this culture, people are aware of how to complain when a used car salesman cheats them, but most people don't know where to start with a privacy issue.
It seems that the Australian public's concern about privacy measured in opinion polls is based on an amorphous fear rather than an informed opinion on the state of data protection.
The German system is also more adaptable than Australia's even though it has been amended only four times since 1977. It maintains responsiveness through development by the judiciary and the Government's active involvement in designing technological solutions. Australia's Government appears reluctant to invest time and energy in more than a general framework.
Overall, Germany comes closer to fulfilling the ideal. Bygrave (Interview, 18 October 2002) gives a good summary of its strengths: 'relative to many other jurisdictions, [the German system] is comprehensive and systematic and regularly "stirred" by the judiciary'. Nonetheless, he admits a major weakness of the BDSG is that 'there are so many layers of regulation that rules are difficult to find… the framework is too dense and unwieldy'. The procedural framework of Australia's Privacy Act is clearer and perhaps easier to comply with. Australia also has an FOI Act unlike Germany. It is therefore important to acknowledge that this normative evaluation of the two systems has a 'relative character' (Kokkini-Iatridou, D; 1986, p. 192) and neither Australia nor Germany perfectly embodies the ideal.
5.2 Implications for Law Reform
Policymakers in the area of data protection have a difficult job. Their task is not just to master well-known problems, but also to 'anticipate possible future developments' (Simitis, S; 1983, p. 95). It is therefore useful to expand the range of 'thinkable possibilities' (Fletcher, GP; 1998, p. 695) by being aware of innovative solutions developed by other countries. However, this should be tempered with an understanding of how 'transferable' legal solutions are from one country to another (Bennett, C; 1990, p. 565). As Bygrave (2002, pp. 11-12) warns:
The exact manner in which a particular country's system of data protection functions tends to be tied closely not just to the formal rules of the system but also to a myriad of informal, national traditions and attitudes which can be easily overlooked or misunderstood.
In particular, we must be aware of the different 'cultural starting points' which have affected the trade-offs made between competing interests in both countries (Waters, N; 2000, p. 6). Australia's relatively peaceful history means citizens probably assign less importance to the human rights dimension of data protection and passively rely on governments to address privacy issues. This may entrench the inertia which prevents the search for the best solution.[35] It will be vital to make the argument for domestic law reform 'in terms of normative claims acceptable' to Australians (Reitz, JC; 1998, p. 625). The most effective approach could be to emphasise consumer issues and the notion of the 'fair go' given that these issues resonate with Australian citizens. The opposition of business should be neutralised by showing the link between privacy protection and consumer confidence.[36]
Despite the different cultural, political and economic forces in Australia and Germany, it must not be forgotten that data protection is a concern that transcends national boundaries. To this end, several possible reforms to the Australian system based on the German data protection regime deserve serious discussion, and may bring it closer to the ideal:
-
Clarity: Include a right to privacy in the Constitution to enhance rights consciousness, especially in judicial review. However, given the difficulty of constitutional amendment or introducing a Bill of Rights (Constitution of Australia (1900), s. 128), awareness could also be raised through a longer-term strategy of education and training, especially of the judiciary and policymakers.
-
Comprehensive laws: Remove the exemptions for small businesses and employee records, delete discriminatory provisions and tighten rules for the media and political parties. Harmonise data protection laws across different sectors. Replace co-regulatory model with expanded NPPs relevant to all industries. Include references to data protection in all relevant legislation, so it is infused throughout the legal system.
-
Systems-active rules: Invest in development of privacy-enhancing technologies and include practical requirements in the legislation.
-
Oversight and enforcement: Empower the Commissioner to use legally binding powers by ensuring adequate resources and stable, committed staff. Formalise the soft measures used by the Commissioner by requiring a systematic plan of education, training and public relations activities.
-
Purpose limitation and justification: Legislate to better protect public registers and sensitive data.
-
Access to justice: Allow appeals from Commissioner's findings on the merits and allocate a legal budget to the Commissioner.
-
Adaptability: Schedule regular reviews of the legislation with wide community consultation, not just business groups. Given that it is now two decades since the ALRC's report on privacy, it may now be time for a similar review process.
If Australia adopts these measures, it will not just be a matter of changing the 'law on books'. These reforms require educating citizens, training administrators, allocating resources, altering institutions and possibly amending the Constitution. Reformers must be prepared for 'transplant bias' (Watson, A; 1978, pp. 326-7) against German law. The Australian legal profession traditionally accords more prestige to English or American legal systems, and the training and linguistic traditions of local lawyers are rarely German. Thus, the innovative features of the German system would need to be clearly articulated and supported by educational exchanges and training opportunities. The reform process would involve trial and error as well as a struggle against inertia and strong opposition in the Australian business community and political leadership to German approaches to regulation. However, if implemented, Australia will be better placed to protect personal information even in the face of constantly changing threats to privacy, and to more accurately reflect the Australian public's apparent concern about privacy issues.
5.3 Implications for the Civil/Common Law Dichotomy
A potential source of resistance against the above reforms is the belief that Germany's civil law tradition is incompatible with Australia's common law system. Classifying legal systems into different 'families', including the civil/common law dichotomy, is a classical comparative technique (Zweigert, K and Kötz, H; 1992, pp. 63-74).[37] This approach has been criticised for not adequately describing how legal systems work or the relationship between law and society (Friedman, LM; 1969, p. 33). A stronger critique states that 'classification theories are more likely to mislead than inform' (Marfording, A; 1997, p. 88).
The findings of this article have implications for this classification debate, especially the civil/common law dichotomy. An argument in favour of the dichotomy is presented by Hondius, a privacy expert of the Council of Europe. He believes common law countries prefer case law, regard legislation as a last resort, and the courts play the main role in developing data protection law on a reactive basis (1980, p. 97). On the other hand, civil law countries codify detailed rules and exceptions in anticipation of problems with data protection and have a regulatory body to enforce comprehensive regulations.
However, this article's analysis of Australia and Germany presents contrary evidence. First, case law actually played a major role in the development of German data protection: Lüth set the course for the 'radiating effect' (Limbach, J; 2000, p. 104) of basic rights in all areas of law while the Census Case established the right to informational self-determination. In Australia, the courts have hardly contributed to the development of data protection (Greenleaf, G; 2001, p. 4). Instead, the ALRC Report recommended leaving privacy issues to the legislature and since then statute has been the main form of regulation. Second, both Australia and Germany adopted the data commissioner model and Australia's Commissioner actually has more binding enforcement powers than the German counterpart. Finally, while Germany's scheme is more comprehensive and anticipatory than Australia's, is this because it is a civil law country or due to a combination of cultural, political, and economic factors? The latter is more likely, since other civil law countries such as Japan have ad hoc privacy legislation. In his comparative analysis of European data protection laws, Bygrave (Interview, 18 October 2002) did not notice variations obviously connected to the dichotomy and does not think it has much relevance.
Therefore, in the area of data protection, the civil/common law dichotomy is blurred at best, artificial and misleading at worst. This supports Marfording's critique and suggests that classification theories stifle critical or contextual analysis because the initial categorisation influences everything that follows. Instead of trying to fit Australia or Germany into the dichotomy, each legal system should be analysed on its own terms and in its own context.
5.4 Conclusion
Bygrave (2002, p. 379), speaking of the German Teleservices Act, states:
The Act should not be viewed as an ideal endpoint of regulatory strategy. It is rather a useful point of departure that, like all law in this area, will have to be continuously revised in light of technological developments and changing societal attitudes. [emphasis added]
The distinction between 'ideal endpoint' and 'useful point of departure' is essential when using comparative methodology for law reform purposes. Australia cannot perfectly emulate the German system or the ideal set up at the beginning of this article. However, it can make major improvements by using these models as a starting point and then adjusting for the cultural, political and economic forces that affect how Australian law operates in practice.
On a broader level, this critical examination of data protection laws demonstrates that law reform requires us to broaden our frame of reference in three ways. First, our search for solutions to contemporary challenges must take us beyond our domestic jurisdiction; there is much to be learned from other countries' innovations, especially in an increasingly interdependent world. Second, we should not restrict our search to countries from the same 'legal family'; the civil/common law dichotomy is more misleading than useful. Third, an interdisciplinary approach is essential because the law does not operate in isolation. Law reform involves balancing multiple interests as well as interacting with changing technologies and public attitudes. It is a complex task that must be approached with an open mind and a global perspective.
Notes and References
1. This is defined as the establishment of rules governing the collection, handling and dissemination of personal data (EPIC; 2002, p. 3).
2. Marfording (1997) takes a similar approach in examining the Japanese legal system.
3. For example, the extent to which privacy is treated as a human rights issue is not detected by a simple comparison of the Australian and German Constitutions.
4. These instruments have been widely adopted even outside of the EU and OECD and form the basis for the development and harmonisation of data protection laws.
5. Eg, statutes, treaties incorporated into domestic law, implied rights, and some express provisions of the Constitution.
6. It is likely the Commonwealth can legislate under a number of constitutional powers including telecommunications (s 51(x)), corporations (s 51(xx)) and external affairs (s 51(xxix)).
7. (1937) 58 C.L.R. 479 at 496, 508, 524.
8. (1937) 58 C.L.R. 479 at 496, 508, 524.
9.It has been followed in cases including: Olympic Amusements Pty Ltd v Milwell Pty Ltd (1998) 81 F.C.R. 403; Autodesk Inc v Dyason (No1) (1992) 173 C.L.R. 330.
10. ABC v Lenah Game Meats (Pty Ltd) (2001) 76 A.L.J.R. 1 at 67.
11. The breach of confidence action may no longer be restricted to the traditional categories of circumstances in which a duty of confidentiality exists, such as the relationship between doctors and patients or banks and customers.
12. German Basic Law of 23 May 1949, as amended to 1998, Chapter 1.
13. Article 10 is forfeited if it is 'abused in order to combat the free democratic basic order' (article 18).
14. Lüth (1958) 7 BVerfGE 198.
15. 65 BverfGE 1.
16. This notion has become influential not just in German data protection discourse, but also internationally (Bygrave, LA; Interview, 18 October 2002).
17. 6 BverfGE 43 (translated in Tye, L; 1993). Although many cases have applied the Census Case, there have not been any similarly significant cases in the area of data protection (Bygrave, LA; Interview, 18 October 2002).
18. The Census Case articulated this need for government action.
19. ACTV v Cth (1992) 177 C.L.R. 106 at 135-6.
20. Bygrave's parentheses.
21. This is when the Private Sector Act came into effect.
22. The rest of the Act appears to apply to individuals of any nationality or place of residence.
23. These provisions became effective on 21 December 2001. In January 2002, the Privacy Commissioner detailed the procedures for otherwise exempt businesses to 'opt-in' to the Act, but these businesses can always opt-out at any time.
24. Under articles 25 and 26 of the EU Directive, data can only be transferred to non-EU countries with an 'adequate' level of protection or specific contractual arrangements (Hughes, A; 2001, p. 2).
25. The Working Party was constituted by representatives of the national data protection authorities in the EUand had advisory powers only.
26. Eg, national security, federal-state relations, internal working documents and confidential materials.
27. This role was previously called 'internal data controller' and limited to companies with a certain number of employees engaged in data processing: BDSG, repealed ss. 36, 37.
28. Four Länder have enacted their own FOI laws.
29. This is consistent with the primacy of state order in article 20 and the provision for forfeiture of basic rights in article 18 of the Basic Law.
30. Hughes (2001) discusses this debate in terms of the Private Sector Act.
31. The Privacy Act expressly refers to OECD Guidelines and the intention meet international obligations: Preamble.
32. Bygrave (2002, p. 366) makes this point more generally.
33. This anomaly was partly remedied for the private sector by providing a right of appeal from decisions of the Code Adjudicator to the Commissioner, but no change has been made for the public sector: Privacy Act, s. 18BI.
34. The EU Directive recommended a regulator with binding enforcement powers (Bygrave, LA; 2002, p. 72).
35. Australia has already shown a preference for the status quo in its case law on privacy and delay in passing legislation.
36. See Dixon (2001a, p. 5) for a discussion of research on this link.
37. Although the criteria used may be challenged, the underlying assumption is that classification serves a useful analytical purpose.
References
ABC v Lenah Game Meats (Pty Ltd) (2001) 76 A.L.J.R. 1.
ACTV v Cth (1992) 177 C.L.R. 106
Albers M and Witzke S (2003) 'The End of the Woodward and Bernstein Era? The German Constitutional Court and Journalists' Privacy on Mobile Phones', German Law Journal 647.
Attorney-General (2000) 'Information Paper on the Privacy Amendment (Private Sector) Act 2000' <http://www.ag.gov.au/privacy>
Australian Law Reform Commission (1983) Privacy (Sydney: ALRC).
Basic Law of Germany (Grundgesetz), 23 May 1949.
Bennett C (1992) Regulating Privacy: Data Protection and Public Policy in Europe and the United States (Ithaca: Cornell University Press).
Bygrave LA (2002) Data Protection Law: Approaching its Rationale, Logic and Limits (London: Kluwer Academic Publishers).
Bygrave LA (2000) 'Where have all the judges gone? Reflections on judicial involvement in developing data protection law', Privacy Law and Policy Reporter 19 <http://www.austlii.edu.au/au/journals/PLPR/2000/19.html>
Bygrave LA (2001) 'The Place of Privacy in Data Protection Law', University of New South Wales Law Journal 6 <http://www.austlii.edu.au/au/journals/UNSWLJ/2001/6.html>
Bygrave LA (1990) 'The Privacy Act 1988 (Cth): A Study in the Protection of Privacy and the Protection of Political Power', Federal Law Review 128.
Census Case 65 BverfGE 1.
Clarke R (1988) 'Just Another Piece of Plastic for your Wallet: The 'Australia Card' Scheme', Computers & Society 1 <http://www.anu.edu.au/people/Roger.Clarke/DV/OzCard.html>
Clarke R (2001) 'Privacy as a means of engendering trust in cyberspace', University of New South Wales Law Journal 8 <http://www.austlii.edu.au/au/journals/UNSWLJ/2001/8.html>
Constitution of Australia (1900).
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data <http://www.bfd.bund.de/europa/EU_richtl_en.html>
Dixon T (2001a) 'Australia's New Privacy Legislation', Baker & McKenzie Cyberspace Law and Policy Centre Continuing Legal Education Conference, May 2001.
Dixon T (2001b) 'Valuing Privacy: An Overview and Introduction', University of New South Wales Law Journal 1 <http://www.austlii.edu.au/au/journals/UNSWLJ/2001/1.html>
Economist (31 August 2002) 'For whom the Liberty Bell tolls', The Economist(US) 22.
Electronic Privacy Information Centre (EPIC) (2002) Privacy and Human Rights: An international survey of privacy law and developments (Washington DC: EPIC).
European Commission (2002) 'Your Views on Data Protection: Results of on-line consultation 20 June - 15 September 2002' <http://europa.eu.int/comm/internal_market/en/dataprot/lawreport/consultation_en.htm>
Federal Data Protection Act 1977 (Bundesdatenschutzgesetz) <http://www.bfd.bund.de/information/bdsg_eng.pdf>
Federal Privacy Commissioner (2001) Annual Report 2000-2001 <http://privacy.gov.au/publications/01annrep.pdf>
Federal Privacy Commissioner (17 April 2002), Media Release, <http://www.privacy.gov.au/news/media/02_4.html>
Federal Privacy Commissioner (5 August 2002), Media Release <http://www.privacy.gov.au/news/media/02_17.html>
Flaherty D (1989) Protecting Privacy in Surveillance Societies: the Federal Republic of Germany, Sweden, France, Canada, and the United States (Chapel Hill: University of North Carolina Press).
Fletcher GP (1998) 'Comparative Law as a Subversive Discipline' American Journal of Comparative Law 683.
Foster N (2nd ed, 1996) German Legal System & Laws (London: Blackstone Press).
Freedom of Information Act 1982 (Cth)
Friedman LM (1969) 'Legal Culture and Social Development', Law & Society Review 29.
Gavison R (1980) 'Privacy and the Limits of the Law', Yale Law Journal 421.
Greenleaf G (2001)'Tabula Rasa - Ten Reasons Why Australian Privacy Law Does Not Exist',University of New South Wales Law Journal 4.
Hondius F (1980) 'Data Law in Europe', Stanford Journal of International Law 87.
House of Representatives Legal & Constitutional Affairs Committee Advisory Report on the Privacy Amendment (Private Sector) Bill 2000 (2000) <http://www.aph.gov.au/house/committee/laca/Privacybill/contents.htm>
Hughes A (2001) 'A Question of Adequacy? The European Union's Approach to Assessing the Privacy Amendment (Private Sector) Act 2000 (Cth)', University of New South Wales Law Journal 5 <http://www.austlii.edu.au/au/journals/UNSWLJ/2001/5.html>
Kirby M (2001) 'Privacy - In the Courts', University of New South Wales Law Journal 2 <http://www.austlii.edu.au/au/journals/UNSWLJ/2001/2.html>
Kokkini-Iatridou D (1986) 'Some Methodological Aspects of Comparative Law', NILR 143.
Limbach J (2000) 'The Role of the Federal Constitutional Court' SMU L Rev 429.
Lüth (1958) 7 BVerfGE 198.
Marfording A (1997) 'The Fallacy of the Classification of Legal Systems: Japan Examined' in Taylor, V (ed) Asian Laws through Australian Eyes (Sydney: LBC Information Services).
Mason A (1998) 'The Role of the Judiciary in Developing Human Rights in Australian Law' in Kinley, D (ed) Human Rights in Australian Law: Principles, Practice and Potential (Sydney: Federation Press).
Merryman JH (2nd ed, 1985) The Civil Law Tradition (Stanford: Stanford University Press).
OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1998) <http://www.oecd.org/dsti/sti/it/secur/prod/PRIV-EN.HTM>
Pridmore B (Director of Compliance) (2002), 'Analysing the Aftermath of 21 December 2001: expectations and results to date', Privacy Officer Summit, August 2002.
Privacy Act 1988 (Cth)
Privacy Amendment (Private Sector) Act 2001 (Cth)
Reidenberg JR and Schwartz PM (2002) 'Data Protection Law and On-Line Services: Regulatory Responses' <http://europa.eu.int/comm/internal_market/en/dataprot/studies/regul.pdf>
Reitz JC (1998) 'How to Do Comparative Law' American Journal of Comparative Law 617.
Riccardi JL (1983) 'The German Federal Data Protection Act of 1977: Protecting the Right to Privacy?', Boston College International and Comparative Law Review 245.
Simitis S (2002) 'Safeguarding Sensitive Personal Data', Transition Newsletter 1.
Simitis S (1983) 'Data Protection: A Few Critical Remarks', Transnational Data Report 95.
Taylor G (2000) 'Why is there no Common Law Right of Privacy?', Monash University Law Review 236.
Teleservices Data Protection Act (1997).
Victoria Park Racing & Recreation Grounds Co Ltd v Taylor (1937) 58 C.L.R. 479.
Waters N (2000) 'Rethinking information privacy - a third way in data protection?', Privacy Law and Policy Reporter 6 <http://www.austlii.edu.au/au/journals/PLPR/2000/6.html>
Watson A (1978) 'Comparative Law and Legal Change' CLJ 313.
Westin A (1967) Privacy and Freedom (New York: Atheneum).
Zweigert K and Kötz H (2nd ed, 1992) An Introduction to Comparative Law (Oxford: Clarendon Press).
Interviews
Lee A Bygrave, 18 October 2002, Oslo (via email): Senior Research Fellow, Norwegian Research Centre for Computers and Law, University of Oslo; Barrister of the Supreme Court of NSW; author of Data Protection Law: Approaching its Rationale, Logic and Limits (2002) (London: Kluwer Academic Publishers).
Tim Dixon, 23 October 2002, Sydney (via telephone): Chair of the Australian Privacy Foundation; author, CCH Private Sector Privacy Handbook, looseleaf service; Member of the Attorney-General's Core Consultative Group on Privacy Legislation (1999) and the Federal Privacy Commissioner's NPP Working Group (1997-98); Asia-Pacific Coordinator of the Global Privacy Group, Baker & McKenzie Solicitors and Attorneys.
Links
Materials
Attorney-General (2000) 'Information Paper on the Privacy Amendment (Private Sector) Act 2000' <http://www.ag.gov.au/privacy>
Bygrave LA (2000) 'Where have all the judges gone? Reflections on judicial involvement in developing data protection law', Privacy Law and Policy Reporter 19 <http://ww.austlii.edu.au/au/journals/PLPR/2000/19.html>
Bygrave LA (2001) 'The Place of Privacy in Data Protection Law', University of New South Wales Law Journal 6 <http://www.austlii.edu.au/au/journals/UNSWLJ/2001/6.html>
Clarke R (1988) 'Just Another Piece of Plastic for your Wallet: The 'Australia Card' Scheme', Computers & Society 1 <http://www.anu.edu.au/people/Roger.Clarke/DV/OzCard.html>
Clarke R (2001) 'Privacy as a means of engendering trust in cyberspace', University of New South Wales Law Journal 8 <http://www.austlii.edu.au/au/journals/UNSWLJ/2001/8.html>
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data <http://www.bfd.bund.de/europa/EU_richtl_en.html>
Dixon T (2001b) 'Valuing Privacy: An Overview and Introduction', University of New South Wales Law Journal 1 <http://www.austlii.edu.au/au/journals/UNSWLJ/2001/1.html>
European Commission (2002) 'Your Views on Data Protection: Results of on-line consultation 20 June - 15 September 2002' <http://europa.eu.int/comm/internal_market/en/dataprot/lawreport/consultation_en.htm>
Federal Data Protection Act 1977 (Bundesdatenschutzgesetz) <http://www.bfd.bund.de/information/bdsg_eng.pdf>
Federal Privacy Commissioner (2001) Annual Report 2000-2001 <http://privacy.gov.au/publications/01annrep.pdf>
Federal Privacy Commissioner (17 April 2002), Media Release, <http://www.privacy.gov.au/news/media/02_4.html>
Federal Privacy Commissioner (5 August 2002), Media Release <http://www.privacy.gov.au/news/media/02_17.html>
House of Representatives Legal & Constitutional Affairs Committee Advisory Report on the Privacy Amendment (Private Sector) Bill 2000 (2000) <http://www.aph.gov.au/house/committee/laca/Privacybill/contents.htm>
Hughes A (2001) 'A Question of Adequacy? The European Union's Approach to Assessing the Privacy Amendment (Private Sector) Act 2000 (Cth)', University of New South Wales Law Journal 5 <http://www.austlii.edu.au/au/journals/UNSWLJ/2001/5.html>
Kirby M (2001) 'Privacy - In the Courts', University of New South Wales Law Journal 2 <http://www.austlii.edu.au/au/journals/UNSWLJ/2001/2.html>
OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1998) <http://www.oecd.org/dsti/sti/it/secur/prod/PRIV-EN.HTM>
Reidenberg JR and Schwartz PM (2002) 'Data Protection Law and On-Line Services: Regulatory Responses' <http://europa.eu.int/comm/internal_market/en/dataprot/studies/regul.pdf >
Waters N (2000) 'Rethinking information privacy - a third way in data protection?', Privacy Law and Policy Reporter 6 <http://www.austlii.edu.au/au/journals/PLPR/2000/6.html>
Organisations
Australian Federal Privacy Commissioner <http://www.privacy.gov.au>
German Federal Data Protection Commissioner <http://www.bfd.bund.de>
New South Wales State Privacy Commissioner <http://www.lawlink.nsw.gov.au/pc.nsf/pages/index>
Victoria State Privacy Commissioner <http://www.privacy.vic.gov.au/>
|