Emerging Challenges In Privacy Law: Comparative Perspectives [1st Edition] 1107041678, 9781107041677, 1107300495, 9781107300491, 1306684315, 9781306684316, 1139922580, 9781139922586, 1107614430, 9781107614437


English Pages 467 Year 2014


EMERGING CHALLENGES IN PRIVACY LAW

This collection of essays explores current developments in privacy law, including reform of data protection laws, privacy and the media, social control and surveillance, privacy and the Internet, and privacy and the courts. It places these developments into a broader international context, with a particular focus on the European Union, the United Kingdom, Australia and New Zealand. Adopting a comparative approach, it creates an important resource for understanding international trends in the reform of privacy and data protection laws across a variety of contexts. Written by internationally recognised experts, Emerging Challenges in Privacy Law: Comparative Perspectives provides an accessible introduction to contemporary legal and policy debates in privacy and data protection law. It is essential reading for academics, policy makers and practitioners interested in current challenges facing privacy and data protection law in Europe and in the common law world.

NORMANN WITZLEB is a senior lecturer in the Faculty of Law, Monash University, Melbourne, where he researches in the fields of privacy law and torts.

DAVID LINDSAY is an associate professor in the Faculty of Law, Monash University, Melbourne, and an expert in copyright, privacy and internet law.

MOIRA PATERSON is an associate professor in the Faculty of Law, Monash University, Melbourne, where she researches in the fields of freedom of information and privacy.

SHARON RODRICK is a senior lecturer in the Faculty of Law, Monash University, Melbourne, where her teaching and research focuses on property law and media law.

Cambridge Intellectual Property and Information Law

As its economic potential has rapidly expanded, intellectual property has become a subject of front-rank legal importance. Cambridge Intellectual Property and Information Law is a series of monograph studies of major current issues in intellectual property. Each volume contains a mix of international, European, comparative and national law, making this a highly significant series for practitioners, judges and academic researchers in many countries.

Series editors
Lionel Bently, Herchel Smith Professor of Intellectual Property Law, University of Cambridge
William R. Cornish, Emeritus Herchel Smith Professor of Intellectual Property Law, University of Cambridge

Advisory editors
François Dessemontet, Professor of Law, University of Lausanne
Paul Goldstein, Professor of Law, Stanford University
The Rt Hon. Sir Robin Jacob, Hugh Laddie Professor of Intellectual Property, University College, London

A list of books in the series can be found at the end of this volume.

EMERGING CHALLENGES IN PRIVACY LAW
Comparative Perspectives

Edited by NORMANN WITZLEB, DAVID LINDSAY, MOIRA PATERSON and SHARON RODRICK

University Printing House, Cambridge CB2 8BS, United Kingdom

Cambridge University Press is part of the University of Cambridge. It furthers the University’s mission by disseminating knowledge in the pursuit of education, learning and research at the highest international levels of excellence.

www.cambridge.org
Information on this title: www.cambridge.org/9781107041677

© Cambridge University Press 2014

This publication is in copyright. Subject to statutory exception and to the provisions of relevant collective licensing agreements, no reproduction of any part may take place without the written permission of Cambridge University Press.

First published 2014
Printed in the United Kingdom by Clays, St Ives plc

A catalogue record for this publication is available from the British Library

Library of Congress Cataloguing in Publication data
Emerging challenges in privacy law : comparative perspectives / edited by Normann Witzleb and others.
pages cm – (Cambridge intellectual property and information law ; 23)
Includes bibliographical references and index.
ISBN 978-1-107-04167-7 (hardback)
1. Privacy, Right of. I. Witzleb, Normann, author editor of compilation.
K3263.E44 2014
342.08′58–dc23 2013048031

ISBN 978-1-107-04167-7 Hardback

Cambridge University Press has no responsibility for the persistence or accuracy of URLs for external or third-party internet websites referred to in this publication, and does not guarantee that any content on such websites is, or will remain, accurate or appropriate.

CONTENTS

Acknowledgements
Notes on contributors
Foreword

Introduction

1 An overview of emerging challenges in privacy law
  Normann Witzleb, David Lindsay, Moira Paterson and Sharon Rodrick

PART I Reforming the data protection frameworks: Australian and EU perspectives

2 Navigating privacy in the information age: the Australian perspective
  Timothy Pilgrim
3 Responding to new challenges to privacy through law reform: a privacy advocate’s perspective
  Nigel Waters
4 The reform of EU data protection: towards more effective and more consistent data protection across the EU
  Peter Hustinx

PART II Privacy in European human right instruments

5 Protection of privacy in the EU, individual rights and legal instruments
  Udo Fink
6 A world data privacy treaty? ‘Globalisation’ and ‘modernisation’ of Council of Europe Convention 108
  Graham Greenleaf

PART III Privacy protection through common law and statute

7 Protection against intrusion in English legislation
  N. A. Moreham
8 Privacy: common law or human right?
  Michael Tilbury
9 English privacy law in the light of the Leveson Report
  Eric Barendt

PART IV Privacy, surveillance and control

10 Surveillance in public places: the regulatory dilemma
  Moira Paterson
11 Privacy and young people: controlling anti-social behaviour through loss of anonymity
  Thomas Crofts

PART V Privacy and the Internet

12 Data privacy law and the Internet: policy challenges
  Lee A. Bygrave
13 The ‘right to be forgotten’ in European data protection law
  David Lindsay
14 Privacy online: reform beyond law reform
  Megan Richardson and Andrew T. Kenyon
15 Privacy protection and data clouds in Germany and the influence of European law
  Dieter Dörr and Eva Aernecke

PART VI Privacy, the courts and the media

16 Open justice, privacy and suppressing identity in legal proceedings: ‘what’s in a name?’ and would anonymity ‘smell as sweet’?
  Sharon Rodrick
17 Interim injunctions for invasions of privacy: challenging the rule in Bonnard v. Perryman?
  Normann Witzleb

Index

ACKNOWLEDGEMENTS

The editors wish to acknowledge their gratitude for the financial assistance received for the conference ‘Emerging Challenges to Privacy Law: Australasian and EU Perspectives’ in February 2012, at which the majority of chapters in this book were first presented. Without the support provided by a DAAD/Go8 grant, by the Monash EU and Europe Centre under its DG Relex Grant and by Monash Faculty of Law, this project would not have been possible. The editors also wish to record their thanks to Mr Jack Bourke for his superb editorial assistance, to Ms Jenny Slater of OOH Publishing for the careful production of the book and to Prof Lionel Bently and Prof William R. Cornish for accepting it as part of the Cambridge Intellectual Property and Information Law Series.

CONTRIBUTORS

EVA AERNECKE is a Counsellor for Media Affairs for the state government of Rhineland-Palatinate (Germany). She worked as a researcher at the Johannes Gutenberg University Mainz (Germany) from 2009 to 2012, where she also obtained her Ph.D. Her doctoral thesis concerned the constitutional protection of electronic data and was published as Der Schutz elektronischer Daten im Verfassungsrecht (2012). Her research focus was on European law, European media law, and in particular the law of data protection. Dr Aernecke undertook her legal traineeship at the Regional Court of Appeal (Oberlandesgericht) in Koblenz (Germany) (2011–13), which included placements at the Office of the Data Protection Commissioner for the German state of Rheinland-Pfalz and a law firm focusing on European Law in Brussels.

ERIC BARENDT is now Emeritus Professor of Law at University College London (UCL). He was previously the Goodman Professor of Media Law at UCL (1990–2010). He is the author of Freedom of Speech, 2nd edn (2005).

LEE A. BYGRAVE is Professor at the Norwegian Research Center for Computers and Law, Department of Private Law, University of Oslo. He is also a research associate (and formerly co-director) of the Cyberspace Law and Policy Centre at the University of New South Wales. Lee has published extensively within the field of data privacy law. His latest book in the field is Data Privacy Law: An International Perspective (2014). Lee has advised on data privacy and information security issues for a broad range of organisations, including the European Commission, Nordic Council of Ministers, Norwegian Government, US National Academies, UK House of Lords and Telenor AS. Much of his current research focuses on internet regulation. Lee is a member of the European Network of Excellence in Internet Science (www.internet-science.eu), and he runs a four-year research project titled ‘Governance of the Domain Name System and the Future Internet: New Parameters, New Challenges’ (Igov2), which is jointly funded by the Norwegian Research Council and UNINETT Norid AS.


THOMAS CROFTS is an Associate Professor and Director of the Sydney Institute of Criminology in the School of Law at The University of Sydney. Prior to this he worked at Murdoch University (2000–10), the European University Viadrina Frankfurt (Oder) (1995–9), where he obtained his Dr Iur., and the Bayerische Julius-Maximilians-University Würzburg (1993–5), where he obtained his LLM. He has held visiting appointments at the Universities of Sheffield, Nottingham, Birmingham and Western Australia. His research in criminal law, criminology and criminal justice centres on criminalisation and criminal responsibility. He has a particular interest in the criminal responsibility of children, comparative criminal law, criminal law reform and the role of labelling. He has published in English and German in these fields in national and international journals. In 2011 he was awarded the Australian and New Zealand Society of Criminology’s inaugural Adam Sutton Crime Prevention Award. He is currently conducting research funded by the Australian Institute of Criminology into young people’s perceptions of ‘sexting’.

DIETER DÖRR has been a Professor of Public Law, European and International Law, Media Law at the Johannes Gutenberg University of Mainz (Germany) since 1995 and has been the Director of the Mainz Media Institute since 2000. He completed his Ph.D. at University of Saarbrücken in 1983 and his Habilitation (post-doctoral degree) at University of Cologne in 1987. He has specialised in German, European and international media law, covering both traditional mass media as well as the law of the new information technologies. From 1988 to 1990 he was first a visiting professor and then a professor at the Institute of International Affairs of the University of Hamburg. From 1990 to 1995 he was the Director of Legal Affairs for the Saarländischer Rundfunk, the public broadcasting corporation of the German state of Saarland. In 2000 he was appointed to the Commission on Concentration in the Media (KEK), and was its chairman from October 2004 to March 2007. Since 2003 he has been a Judge of the Regional Court of Appeal (Oberlandesgericht) Koblenz.

UDO FINK is a Professor of Law at the Johannes Gutenberg University Mainz (Germany). He holds a Chair in Public Law, European Law, International Public Law and International Trade Law. From 1990 to 1996 he was an Assistant Professor at the Institute of Public International Law, University of Cologne, where he obtained his Habilitation (post-doctoral degree). From 1996 to 2000 he was an Associate Professor for Public International Law, International Commercial Law at the University of Göttingen (Germany). He has been visiting professor inter alia at the Lewis & Clarke Law School, Portland, Oregon, the University of Louisville, Kentucky and Trinity College Dublin, Ireland. Since 2002 he has been the Director of the School of German Law and School of Polish Law, at the University of Krakow, Poland and since 2011 he has been the Co-Director of Mainz Media Institute. His research interests are in the area of the law of the United Nations, international media law, the European Convention on Human Rights and constitutional law.

GRAHAM GREENLEAF is Professor of Law & Information Systems at the University of New South Wales (Australia), where he has researched and taught since 1983. He specialises in the relationships between information technology and law. He is a co-founder of the Australasian Legal Information Institute (AustLII). Since the mid-1970s, he has been involved in privacy issues. He was a statutory member of the NSW Privacy Committee, an adviser to the Australian Privacy Commissioner, and has authored or co-authored six assessments of privacy laws in Asia-Pacific countries for the European Commission. He is a co-founder and Board Member of the Australian Privacy Foundation. He co-edited Global Privacy Protection (Edward Elgar, 2008). He edited Privacy Law & Policy Reporter (1994-2006) and since 2007 has been Asia-Pacific Editor of Privacy Laws & Business International Report. He is the author of over one hundred articles and book chapters on data privacy issues.

PETER HUSTINX has been European Data Protection Supervisor since January 2004 and was reappointed by the European Parliament and the Council in January 2009 for a second term of five years. He has been closely involved in the development of data protection law from the start, both at national and at international level. Before entering this office, Mr Hustinx had been President of the Dutch Data Protection Authority since 1991. From 1996 until 2000 he was Chairman of the Article 29 Working Party. He received his law degrees in Nijmegen (Netherlands) and in Ann Arbor (USA). Since 1986 he has been deputy judge in the Court of Appeal in Amsterdam.

ANDREW T. KENYON is Professor of Law and a Director of the Centre for Media and Communications Law in the Melbourne Law School. He researches in comparative media law, including defamation, privacy, journalism, copyright and media policy. Between 1999 and 2012 he edited the Media & Arts Law Review. Publications include the authored or edited books: TV Futures: Digital Television Policy in Australia (2007); Defamation: Comparative Law and Practice (2006); New Dimensions in Privacy Law: International and Comparative Perspectives (Cambridge University Press 2006, with Megan Richardson).

DAVID LINDSAY is an Associate Professor in the Faculty of Law, Monash University, and an expert in copyright, privacy and internet law. David is the author of International Domain Name Law: ICANN and the UDRP (2007) and of many articles and book chapters in his areas of expertise. He is the General Editor of the Australian Intellectual Property Journal and a member of the Media and Communications subcommittee of the Law Council of Australia. David is a board member of the Australian Privacy Foundation (APF), which is the main Australian privacy advocacy group.

NICOLE MOREHAM is an Associate Professor of Law at Victoria University of Wellington. Her research covers all aspects of the law of privacy, including theoretical conceptions of the interest and the legal protection of privacy in England, New Zealand and the European Convention on Human Rights. Before returning to New Zealand in 2005, Dr Moreham spent seven years at Gonville and Caius College at the University of Cambridge, first as a Masters and Ph.D. student and latterly as a Fellow and Lecturer in Law. Dr Moreham is co-editor of, and contributor to, the latest edition of England’s leading privacy text, Tugendhat and Christie’s Law of Privacy and the Media, 2nd edn (2011).

MOIRA PATERSON is an Associate Professor in the Faculty of Law at Monash University where she researches in the fields of freedom of information and privacy. She is the author of Freedom of Information and Privacy in Australia: Government and Information Access in the Modern State (2005) and has written extensively on privacy-related topics. Moira is a member of the Privacy Advisory Committee to the Australian Information Commissioner and the FOI Editor of the Australian Administrative Law Service.

TIMOTHY PILGRIM was appointed as Privacy Commissioner on 19 July 2010 and was first appointed to the Office of the Privacy Commissioner as Deputy Privacy Commissioner in February 1998. Prior to this Timothy held senior management positions in a range of Australian government agencies, including the Small Business Program within the Australian Taxation Office and the Child Support Agency. Timothy has made a significant contribution to the field of privacy in Australia. His achievements include involvement in developing the private sector provisions of the Privacy Act 1988, which included widespread consultation with community, business and government organisations. He also played a key role in implementing the private sector provisions, which took effect on 21 December 2001. More recently, Timothy has participated in the Australian Law Reform Commission inquiry into Australian privacy laws and practice, and continues to work on privacy law reform.

MEGAN RICHARDSON is Professor of Law and (with Andrew Kenyon) a Director of the Centre for Media and Communications Law in the Melbourne Law School. Her principal areas of research are privacy, media, copyright and trade mark law as well as law reform and legal theory. She is an author or editor of several books including New Dimensions in Privacy Law: International and Comparative Perspectives (2006, with Andrew Kenyon); Fashioning Intellectual Property: Exhibition, Advertising and the Press 1789–1918 (2012, with Julian Thomas); Breach of Confidence: Social Origins and Modern Developments (2012, with Michael Bryan, Martin Vranken and Katy Barnett); Amateur Media: Social, Cultural and Legal Perspectives (2013, with Dan Hunter, Ramon Lobato and Julian Thomas).

SHARON RODRICK is a Senior Lecturer in the Faculty of Law at Monash University. Her teaching and research interests are in the areas of Property Law and Media Law. She has published a number of articles on various aspects of open justice and is the co-author with D. Butler of Australian Media Law, 4th edn (2012).

MICHAEL TILBURY is Kerry Holdings Professor in Law and Chair of Private Law at the University of Hong Kong, and a Professorial Fellow at the University of Melbourne. He was previously the Full-time Commissioner at the New South Wales Law Reform Commission, a position that he had held since 2002. Immediately before that he was Edward Jenks Professor of Law and Deputy Dean of the Law School at the University of Melbourne, and Academic Secretary of the Victorian Attorney-General’s Law Reform Advisory Council. He has also held the positions of Rowland Professor of Commercial Law and inaugural Director of the Commercial Law Institute at the University of Zimbabwe; Professor of Law at the University of Tasmania; and Head of the School of Law at the University of New South Wales. Michael’s teaching commitments have centred on contract law, comparative law, conflict of laws, insurance law, remedies, torts and on graduate courses introducing students from civil law jurisdictions or other disciplines to the common law. He has written extensively on private law and conflict of laws. He has contributed to over forty law reform projects in Australia. Between 2006 and 2010 he was the Commissioner-in-charge of the NSW Law Reform Commission’s review of the law of privacy.

NIGEL WATERS is Principal of Pacific Privacy Consulting (www.pacificprivacy.org.au) in which capacity he has undertaken work for government agencies and businesses in Australia and overseas since 1997. He has also been a researcher and visiting lecturer at the Cyberspace Law and Policy Centre at the University of New South Wales (www.cyberlawcentre.org). Nigel is a Board Member of the Australian Privacy Foundation (www.privacy.org.au) and represents Privacy International (www.privacyinternational.org) at meetings of the APEC Privacy Subgroup and other international fora. He was Deputy Australian Federal Privacy Commissioner from 1989–1997, and before that Assistant UK Data Protection Registrar. He holds Masters degrees from the Universities of Cambridge and Pennsylvania and from the University of Technology, Sydney.

NORMANN WITZLEB is a Senior Lecturer at the Faculty of Law, Monash University and an Associate Director of the Monash EU and Europe Centre. He previously worked at the University of Western Australia (2001–7) and the European University Viadrina Frankfurt (Oder) (1996–2000), where he also obtained his Ph.D. He has also taught in the postgraduate programme of the Mainz Media Institute. His research focus is on Australian, European and comparative private law, in particular the area of privacy rights and remedies. Among his publications in this field are Remedies: Commentary and Materials, with M. Tilbury, M. Gillooly and E. Bant, 5th edn (2011) and Geldansprüche bei Persönlichkeitsverletzungen durch Medien, a monograph on remedies for the infringements of personality rights in the UK and Germany (2002).

FOREWORD

This book with Australian and European perspectives on emerging challenges in privacy law comes at the right time, since those challenges are increasing both in size and in scope. It also sends a powerful message on the need for reform, so as to ensure that our legal safeguards in this area continue to be relevant in a fast changing world, and that adequate thought is given to different ways to make them more effective in practice, and more accessible and understandable for all stakeholders. This message is very welcome, and this at least for three good reasons.

The first reason is that ‘privacy’ and ‘data protection’ are more and more relevant in a world that is increasingly driven by information, and where detailed information on the behaviour of individuals is generated and used, almost twenty-four hours a day and seven days a week, in a variety of ways, both online and offline, without these individuals being aware of it, and where at the same time even the most experienced internet users are discovering the limits of their control. The fact that this is happening does not mean that ‘privacy’ and ‘data protection’ as fundamental rights or values have disappeared. The often repeated statement from Silicon Valley: ‘Privacy is gone, get over it,’ is contradicted by a growing sensitivity among consumers and citizens in many parts of the world, who are demanding more control over their personal information, more transparent data management practices and better accountability of relevant business organisations and government agencies.

What is emerging here is a growing disconnect between widespread practices in the field and consumers’ and citizens’ expectations. Many of them wish to benefit from the positive aspects of the Digital Society, and at the same time, to be more assured that their privacy interests are adequately protected. This is a powerful driver of legal reform, since more trust and confidence in the online environment are key conditions for economic growth, and particularly so in areas such as eCommerce, eGovernment and eHealth. It is also increasingly clear that a sustainable development in these areas needs to be built on widely shared and practised modern legal safeguards for privacy and data protection.

The need for reform of present legal safeguards for privacy and data protection is now also driving important initiatives in different parts of the world and at different levels. This is another reason why the various contributions in this book are so welcome at this point in time. Both the OECD and the Council of Europe have revisited their current privacy frameworks, in order to update and reinforce them in the light of recent developments. The OECD Privacy Guidelines (1980) was the first major policy document to lay down privacy principles for its member states, including from Europe and the Asia-Pacific, and a revised version of the Guidelines was published earlier this year. The Council of Europe’s Data Protection Convention (1981) was the first binding legal instrument, aiming at a comprehensive set of legal safeguards for the protection of personal data at national level. It has been ratified by forty-five countries in Europe and recently also by Uruguay, and continues to be open for accession by other countries around the world. The revision of the Convention is now well on its way.

The European Union has used the Council of Europe Convention as a reference point for its Data Protection Directive (1995) and other instruments, which specified its legal safeguards for the EU member states. The EU is now also engaged in a thorough review of its current legal framework for the protection of personal data. The results of this review will be visible in the near future and hopefully contribute to stronger and more effective protection of personal data, both within their own scope and beyond. These international instruments have influenced each other, and so far, this continues to be the case. Let me mention two other examples: the US government has launched an initiative to update its approach to privacy, and the World Economic Forum is developing a major initiative to improve, and hopefully mainstream, ‘Personal Data Governance’.

All these activities will benefit from high quality input from academia, civil society and other relevant stakeholders. This book will therefore also be helpful as a source of reference and further reflection on how to take this subject forward at different levels.

All this means that we are at a crucial point in time that opens many opportunities. If we get it right and coordinate our efforts well, we will be able to reinforce our legal frameworks in the face of new technologies, and achieve more global privacy at the same time. That is at least the perspective in which the EU is currently approaching its own review of the existing legal framework for data protection. It would be great if this book could help us all make progress in the same direction.

Peter Hustinx
European Data Protection Supervisor

1 An overview of emerging challenges in privacy law

Normann Witzleb, David Lindsay, Moira Paterson and Sharon Rodrick

Privacy holds a highly contested place within contemporary political and legal discourse. One of the diiculties associated with privacy claims is the relatively amorphous nature of privacy. As Robert Gellman aptly said: Lawyers, judges, philosophers, and scholars have attempted to deine the scope and meaning of privacy, and it would be unfair to suggest that they have failed. It would be kinder to say that they have all produced diferent answers.1

Particularly marginal or novel claims for privacy are sometimes resisted with the argument that privacy is meaningless when it potentially encompasses all and any claims to individual liberty and autonomy. Yet it should no longer be doubted that privacy is a fundamental concern and that, in many traditional settings, it has also acquired a fairly speciic scope and meaning. However, privacy is diicult to enforce because it is not an absolute right. Its protection must always be sought against conlicting values or interests. While the conlict between privacy and freedom of expression has been a constant for many decades, it is becoming apparent that public safety and national security concerns have resurged as the nemesis of privacy claims, in particular when states consider themselves under siege from external and internal threats. At the time of writing, that is perfectly illustrated by the public debates surrounding the revelations of former CIA employee Edward Snowden concerning the US National Security Agency’s (NSA’s) ‘Operation PRISM’, under which the NSA obtained access to large amounts of communications data concerning non-US citizens held by Google, Facebook, Apple, 1

R. Gellman, ‘Does Privacy Law Work?’ in Philip Agre and Marc Rotenberg (eds.), Technology and Privacy: he New Landscape (Cambridge, MA: MIT Press, 1997), p. 193.

1

2

Normann Witzleb et al

Verizon and other Internet companies.2 hese debates raise serious questions about the power relations between national governments, private corporations and individuals, which lie at the very heart of socio-political life. he Snowden revelations illustrate that the digitisation of modern communications makes it possible for governments to collect vast amounts of data on their citizens and, indeed, many others around the globe. Even when these communications data do not extend to the content of communications, they reveal patterns of our interactions with others, our physical locations or informational habits that can, if gathered, stored, retrieved and cross-referenced, expose our personalities and private lives in unprecedented detail. Needless to say, corporations are keen to use the same or similar technologies to gauge consumer habits with the objective of personalising advertising. It may be that the implications of emerging privacyinvasive technologies and surveillance practices – including, for example, the mining of ‘big data’3 – are so great that we have yet to develop adequate analytical frameworks.4 Clearly, rapid technological developments are a major driver of the current concern with ‘privacy’. Increasingly sophisticated equipment is providing us with ever-greater ability at ever-lower cost to invade the privacy of others. Such means, be they high-performing cameras, GPS trackers or online tracking and data analysis technologies, are not at the disposal just of the state and large media organisations; they are oten in the hands of ordinary citizens. hese technological developments have coincided with signiicant social change afecting the notion of privacy. he advent of social media has given everyone a forum in which to disclose personal information on a large and permanent scale, and many do so readily, at times to their subsequent regret. he pervasiveness of social media has challenged individual and societal views of what is, or should be, private. 
Indeed, selfrevelation of information that the vast majority of citizens would have once taken pains to conceal are now commonplace. his may also be a reason why there is now a greater expectation that private information about others will be disclosed. However, it is inherent in the notion of 2

3

4

G. Greenwald and E. MacAskill, ‘NSA Prism Program Taps in to User Data of Apple, Google and Others’, Guardian (Online) 7 June 2013, www.guardian.co.uk/world/2013/ jun/06/us-tech-giants-nsa-data (accessed 5 October 2013). See, for example, V. Mayer-Schönberger and K. Cukier, Big Data (London: John Murray, 2013). For a recent debate concerning how best to conceptualise the harms of widespread surveillance see: N. M. Richards, ‘ he Dangers of Surveillance’ (2013) 126 Harvard Law Review 1934; D. Keats Citron and D. Gray, ‘Addressing the Harm of Total Surveillance: A Reply to Professor Neil Richards’ (2013) 126 Harvard Law Review Forum 262.


privacy that, in principle, each person maintains control over how much of their personal information becomes available to others and to whom it should become known. While the migration of peoples’ social lives to the online environment has affected perspectives of what is ‘public’ and what is ‘private’, this has made it more, rather than less significant that societies protect individual preferences concerning what private information should become accessible to others. Despite the rapid emergence of social media, the more traditional mass media remain an important focus of privacy concerns. Media convergence and the rise of social media have affected the work and ethics of the mass media. The advent of the twenty-four-hour news cycle and increasing commercial pressures have contributed to declining standards in the media and spawned an increased reliance on infotainment and sensational reporting, both of which have implications for privacy. This includes the cult of the celebrity, which is now part of the fabric of developed societies. Typical targets of the public’s thirst for information about the private lives of others include members of royal families, entertainers, high-profile sportspersons and ‘ordinary’ persons who, through choice or accident, come to public attention. Information that in the past would not have been published in the mass media may now feature on social media, thereby creating ‘news’ that may then be taken up and be more broadly disseminated by the traditional media. This has created an interdependent relationship between social media and mass media; moreover, it is breaking down the barriers between them. The focus of this book is not, however, primarily on these significant technological and social developments. Instead, the essays in this collection are concerned with the current and emerging legal challenges that arise from these developments.
While acknowledging the considerable cultural and social differences between jurisdictions, an important feature of the legal landscape internationally is the increasing recognition of privacy as a human right. A number of significant treaties and conventions, including the International Covenant on Civil and Political Rights (ICCPR) and the Convention for the Protection of Human Rights and Fundamental Freedoms, generally known as the European Convention on Human Rights (ECHR), recognise respect for private and family life as a fundamental human right. The constitutions of many countries, such as the USA and Germany, enshrine a list of human rights. Other countries, such as Canada or New Zealand, have enacted legislation containing bills of rights or have adopted an international human rights instrument as part of their domestic law. The enactment of the Human Rights Act 1998


(UK), which incorporated the ECHR into UK domestic law, is a prime example of the latter. There remain, nevertheless, considerable differences in how privacy is protected at the level of domestic law. It is universally acknowledged that the complex European human rights framework has been developed to provide the highest level of legal protection of the rights to privacy and data protection.5 The importance placed on these rights in Europe is illustrated not merely by significant judgments of the European Court of Human Rights but by the recent European Commission proposal for a new data privacy instrument, which is intended to address the challenges posed by the increased collection and processing of personal data online, including the emergence of social networking services.6 By comparison, the United States provides relatively weak and patchy protection, partly due to the constitutional emphasis placed on freedom of expression and partly due to an entrenched cultural preference for market-based solutions.7 Most other Western-oriented jurisdictions lie somewhere between these two ends of the spectrum. Australia, for example, is the only Western democracy that lacks significant constitutional or statutory protection of human rights and, as Greenleaf has pointed out:

Australia has … had twenty years’ involvement in developing international privacy standards as an influential non-EU participant. Its chosen role has been to advocate privacy protection as a legitimate and unavoidable issue, but one that can be managed in the interests of business and government, rather than advocacy of privacy as a human right.8

Most jurisdictions pay lip service to the need for legal protection of the right to privacy, especially in response to the technological and social threats mentioned above. Yet it must be acknowledged that its protection

5 For further detail, see P. Hustinx, Chapter 4 (in this volume) and U. Fink, Chapter 5 (in this volume).
6 See European Commission, Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation) (GDPR) (Brussels, 25 January 2012) 2012/0011(COD).
7 See, for example, J. Whitman, ‘The Two Western Cultures of Privacy: Dignity versus Liberty’ (2004) 113 Yale Law Journal 1151; D. Lindsay, ‘An Exploration of the Conceptual Basis of Privacy and the Implications for the Future of Australian Privacy Law’ (2005) 29 Melbourne University Law Review 131.
8 G. Greenleaf, ‘Country Studies B.2 – AUSTRALIA’ in D. Korff (ed.), Comparative Study on Different Approaches to New Privacy Challenges, in Particular in the Light of Technological Developments (Brussels: European Commission D-G Justice, Freedom and Security, 2010).


cannot be absolute and that countervailing rights and interests may sometimes trump privacy. We have already referred to the classic conflicts between privacy and public safety and national security, and between privacy and freedom of expression. The work of courts and parliaments, assisted by law reform agencies, civil society, academic commentators and the media in setting this equilibrium provides the true test for how adequately a society protects the privacy of its citizens. This book of essays has its origins in a research project funded under the Go8 Germany Joint Research Co-operation Scheme. Grant-holders under this scheme, which is a joint initiative of the Group of Eight (Go8) and the German Academic Exchange Service (DAAD), were the editors, together with Professors Udo Fink and Dieter Dörr, Dr Stephanie Schiedermair and Dr Eva Aernecke, all from the Johannes-Gutenberg-Universität in Mainz. The project culminated in a two-day international conference on ‘Emerging Challenges to Privacy Law: Australasian and EU Perspectives’, which took place in February 2012 at the Monash University Law Chambers in Melbourne/Australia. Many of the papers presented at that conference have been revised and adapted for inclusion in this book. Others do not have their genesis as conference papers but were specifically commissioned for the present collection.

Part I: Reforming the data protection frameworks: Australian and EU perspectives

Part I of the collection provides an overview of the current data privacy reform processes in Europe and Australia, from the perspective of those with ‘hands-on’ experience with the administration and enforcement of the relevant laws. Contributors include the Australian Privacy Commissioner and the European Data Protection Supervisor. In Chapter 2 of the book, Timothy Pilgrim, the Australian Privacy Commissioner, addresses the challenges and opportunities facing privacy law reform from an Australian perspective. After acknowledging the importance of recognising privacy as a fundamental right, Pilgrim reviews the recent history of Australian law reform, which centres on the landmark 2008 report by the Australian Law Reform Commission (ALRC)9 and the Australian Federal Government’s response to that report. As Pilgrim explains, partly due to the large number of recommendations made by the

9 Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice, Report no. 108 (2008).


ALRC, the Australian Government decided to respond to the report in two stages (or ‘tranches’). The first stage of the reforms, enacted via the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth), includes the introduction of a single set of privacy principles to apply across the public and private sectors, reforms to the credit-reporting provisions and new powers for the Privacy Commissioner. It may be that the additional enforcement powers given to the Commissioner will encourage a greater emphasis on enforcement than has been the case in Australia, where to date there has been a preference for conciliation of privacy disputes over formal determinations by the Privacy Commissioner. After a review of some of the enforcement activities in high-profile cases in the USA, the UK and France, Pilgrim makes it clear that the Commissioner is prepared to make enforceable determinations, at least in the case of serious breaches. The chapter also confirms that there is a new emphasis on transparency, with the publication of investigation reports of serious or high-profile breaches. Given the global or transborder nature of many contemporary privacy threats, a key challenge facing data protection authorities is deciding when entities based outside a territorial jurisdiction are, nevertheless, within their jurisdictional reach. Pilgrim explains some of the difficulties that arise from applying the Privacy Act 1988 (Cth) extraterritorially, using the example of the Commissioner’s investigation into the large-scale unauthorised release of personal data by the Sony PlayStation Network in 2010. Later in the chapter, the author returns to this issue to emphasise the importance of initiatives encouraging cross-border collaboration between privacy regulators, such as the Global Privacy Enforcement Network and the Asia-Pacific Economic Cooperation (APEC) Cross-border Privacy Enforcement Arrangement.
Pilgrim points out that the Sony investigation also revealed the heightened vulnerability of networked electronic records to massive data breaches. Among the future challenges for Australian privacy law reform, Pilgrim identifies two issues set aside for the second stage of the government’s response to the ALRC report: the exemptions from the Australian data privacy law, including the exemption for small businesses; and the recommendation for introducing a statutory cause of action for serious invasions of privacy. While the government has yet to respond to the ALRC’s recommendations to remove exemptions, the Commonwealth Attorney-General has issued a reference to the ALRC for an inquiry into ‘Serious Invasions of Privacy in the Digital Era’, which, in part, will produce recommendations


regarding the ‘detailed legal design of a statutory cause of action for serious invasions of privacy’.10 In Chapter 3, Nigel Waters reviews the privacy law reform process from the perspective of an experienced Australian privacy advocate. As Waters points out, the key issues facing law reform in Australia are shared by all data privacy regimes. These include new business models and practices, new actors, jurisdictional problems and enforcement issues. New online business models tend to create complex new relationships between multiple parties, often with limited transparency in how personal data will be collected and used. This creates obvious challenges for writing privacy policies, which are exacerbated by the limitations of screen displays, especially on mobile devices. New applications, including social networking, have given individuals the ability to collect and process considerable amounts of personal data; yet, as Waters points out, there are significant uncertainties about applying data privacy laws to the actions of private individuals. The liability of intermediaries for data processing, whether under Australian or European law, also raises difficult issues. The analysis of recent Australian privacy law reform undertaken by Waters provides a counterpoint to Pilgrim’s account of the reform process. Waters observes that in 2010, as the government was responding to the ALRC report, the Office of the Privacy Commissioner was combined with the freedom of information and information policy roles of the Federal Government to form the Office of the Australian Information Commissioner (OAIC). This administrative reorganisation resulted in internal tensions and potential distractions from the reform process. Waters further maintains that the consultation process associated with the first stage of the privacy law reforms resulted in the watering-down of privacy protections, including weaker privacy principles, yet increased their legal complexity.
Although not expressly raised by Waters, this may suggest that, in a regime that fails to recognise privacy as a fundamental right, it may be more difficult to resist commercial interests seeking to influence the policy process in their favour. Waters also comments on the new enforcement powers for the Privacy Commissioner, as discussed in Pilgrim’s chapter. While generally welcoming the new powers, he points to a major omission: as complainants have no right to a formal decision, enforcement remains within the discretion of the Privacy Commissioner.

10 M. Dreyfus, Commonwealth Attorney-General, Terms of Reference: Serious Invasions of Privacy in the Digital Era (12 June 2013), www.alrc.gov.au/inquiries/invasions-privacy (accessed 8 November 2013).


In Waters’ experience of the Australian regime, the effective protection of data privacy requires more prescriptive laws and more active enforcement. Yet, on both these elements, the recent Australian reforms fall short of the expectations of privacy advocates. In Chapter 4, Peter Hustinx, the European Data Protection Supervisor, provides an overview of the EU data privacy reform process, which culminated in the release of drafts of proposed reforms in January 2012. In contrast to the position in Australia, the European reform process can take the human rights guarantees of the right to privacy as its starting point. However, as Hustinx points out, the European data privacy laws historically developed largely as a response to the limitations of the right to private life (in Article 8 of the ECHR) in dealing with large-scale automated processing of personal data in the 1970s. The rights-based orientation of the European regime was reinforced by the adoption of the European Charter of Fundamental Rights11 (the ‘Charter’) in 2000 and, subsequently, the Lisbon Treaty12 in 2009, which both explicitly recognise a distinct fundamental right to data protection. Since the introduction of European data privacy laws in the 1970s, the objective of harmonised protection at the European level has been frustrated by persistent disparities between national data protection regimes. As the chapter explains, disparities between the national implementations of Directive 95/46/EC13 have resulted in unnecessary costs and diminished effectiveness of the European framework. Hustinx identifies the need for greater harmonisation as one of the drivers of the current reform process, the other two being the need to update the law, especially to take into account internet-related technological developments, and the requirement to comply with the Charter and the Lisbon Treaty.
The reforms, as released in January 2012, consist of two proposed instruments: a directive relating to the processing of personal data by law enforcement authorities,14 which must be implemented in EU member states; and a General

11 Charter of Fundamental Rights of the European Union [2010] OJ C 83/02.
12 Treaty of Lisbon Amending the Treaty on European Union and the Treaty Establishing the European Community, signed 13 December 2007, [2007] OJ C 306/1 (entered into force 1 December 2009).
13 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data [1995] OJ L 281.
14 European Commission, Proposal for a Directive of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data by Competent Authorities for the Purposes of Prevention, Investigation, Detection or Prosecution of Criminal Offences or the Execution of Criminal Penalties, and the Free Movement of Such Data (Brussels, 25 January 2012) 2012/0010(COD).


Data Protection Regulation (GDPR),15 which has direct effect in member states. The proposed GDPR builds on Directive 95/46/EC but clarifies and increases the level of data protection, and enhances enforcement. The chapter identifies the main ways in which the GDPR increases protection, which are as follows: enhancing user control, including increasing the threshold for consent and a stronger right to object; clarifying and tightening the responsibilities of data processors, including requirements for privacy impact assessments; and providing a greater emphasis on supervision and enforcement, including increased enforcement powers for national regulators and a mechanism for ensuring consistency between national regulators in their supervision and enforcement activities. Finally, the chapter explains how the proposed GDPR addresses the challenges of internet-based globalisation of data processing by means of clarifying and extending the rules relating to transborder data flows, and including a specific provision on Binding Corporate Rules. Together, the three perspectives offered in the chapters collected in Part I reveal a degree of agreement on the challenges facing data privacy law reform. For example, globalisation of data processing and the wide-scale use of internet-based applications make it urgent for data protection laws to address issues relating to extraterritorial application and enforcement. Although there is agreement on the need for cooperation between national regulators, there is less agreement on the substantive rules to apply to transborder data processing, or the circumstances in which extraterritoriality is justified. It is notable that each of the chapters in this Part emphasises the importance of adequate enforcement of data protection laws. The European regime has been criticised as being strong on the books but weak on practical enforcement.
However, as Nigel Waters explains, the reticence to issue binding determinations has also been identified as a key weakness of the Australian law. The relatively disappointing track record of enforcement in Australia and parts of Europe raises questions as to how to ensure the effective use of new enforcement powers. From a broader perspective, the importance placed on the right to data protection within the European legal framework has clearly influenced the extremely ambitious nature of the current European reform process. By comparison, law reform in Australia has been timid and tentative, with the most difficult and controversial challenges effectively postponed to some point in the future. The centrality of data processing to the global knowledge economy, and to the business models of powerful stakeholders, has made serious law reform a

15 European Commission, GDPR, above n. 6.


complex, controversial and protracted endeavour. At the time of writing, it remains to be seen whether the current law reform processes in Europe and Australia will indeed substantially enhance data protection regimes against vested business and governmental interests.

Part II: Privacy in European human right instruments

In Chapter 5, Udo Fink explains the architecture of privacy protection in Europe and, more specifically, the European Union, and in this way builds upon the material introduced by Peter Hustinx. The most influential legal instrument for privacy rights is the ECHR, which in its Article 8 guarantees the right to private and family life. All member states of the EU, indeed all members of the Council of Europe, have ratified the ECHR. Apart from binding each member state, it also forms part of the general principles of EU law and, in addition, the EU itself is now in the process of acceding to the ECHR. The European Union now also has its own human rights instrument in the form of the Charter. With the entry into force of the Lisbon Treaty on 1 December 2009, the Charter has become legally binding. The Charter, which sets out fundamental rights that reflect Europe’s common values and its constitutional heritage, contains two relevant provisions on privacy and data protection. Article 7 of the Charter protects private and family life, home and communications, and thus has a similar reach to Article 8 of the ECHR. In addition, Article 8 of the Charter specifically protects personal data, restricting the member states’ ability to collect and process such data, providing rights to access and rectification, and requiring that an independent authority can be called upon to control compliance with these obligations. Fink then analyses the most important aspects of the jurisprudence of the European Court of Human Rights on Article 8 of the ECHR. The Strasbourg Court has a strong tradition of protecting privacy and its jurisprudence is influential beyond Europe. A broad understanding of ‘private life’ has enabled the Court to utilise Article 8 in rulings on the legality of bodily searches, homosexual activity and other aspects of a person’s intimate life.
In the absence of a more specific provision, Article 8 is also relevant for data protection. The Strasbourg Court has also made some important decisions on the protection of privacy against the media. Of particular significance is the 2004 decision in Von Hannover v. Germany16 (known

16 Von Hannover v. Germany (Application no. 59320/00) [2004] ECHR 294, (2005) 40 EHRR 1.


as the first ‘Princess Caroline decision’), in which the Court held that the protections under German law of the private life of public figures were not sufficiently stringent. Fink traces the effect of this decision in subsequent German case law, which aimed to adjust the standard of privacy protection in German law to meet the requirements of the Strasbourg Court. In a second Von Hannover v. Germany17 decision, the Grand Chamber upheld a decision of the German courts refusing an injunction against the publication of a photograph showing Princess Caroline and her husband, Prince Ernst-August of Hannover, in an article concerning the ill health of her father because it concerned a subject of general interest. In another Grand Chamber decision of the same day, Axel Springer v. Germany,18 a 12:5 majority held that a German actor should not have been granted an injunction against a newspaper article containing photographs about his arrest for possession of cocaine. Both judgments show that the decision for or against the protection of privacy is often finely balanced when it affects freedom of expression, and that even the highest courts of a jurisdiction with sophisticated privacy jurisprudence can find themselves wrong-footed. Fink’s chapter also encompasses analysis of the protection the ECHR affords to family life and home, as well as correspondence and communication, all of which also fall within the ambit of Article 8. As explained above, the protection of private life and the other interests under Article 8 cannot be absolute because it may come into conflict with the public interest or the legitimate rights of others. Article 8 resolves this tension by providing in its subsection (2) that interferences with private life that pursue one of six stated aims are legitimate, provided they are ‘necessary in a democratic society’.
Fink concludes his chapter with the observation that there is a close relationship between the fundamental rights systems of the EU and the ECHR, in both of which the decisions of the European Court of Human Rights play a vital role. He observes that the idea of the ECHR as ‘a living instrument that must be interpreted according to present day conditions is a central feature of the Court’s case law in general and is particularly prominent in the jurisprudence on Article 8’.19 This has enabled the Court to retain the contemporary relevance of its jurisprudence on privacy in an ever-changing social and technological environment.

17 Von Hannover v. Germany (Application no. 40660/08) [2012] ECHR 228, (2012) 55 EHRR 15 (GC).
18 Axel Springer v. Germany (Application no. 39954/08) [2012] ECHR 227, (2012) 55 EHRR 6 (GC).
19 U. Fink, Chapter 5 (in this volume), pp. 90–91.


Chapter 6, contributed by Graham Greenleaf, deals with another important European privacy instrument, the Council of Europe’s Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention 108). In particular, it examines the present efforts simultaneously to modernise the Convention and to expand its territorial reach. In earlier work, Greenleaf came to the conclusion that the main privacy instruments of European origin (Directive 95/46/EC and Convention 108) have had a significant, and somewhat underestimated, impact on non-European jurisdictions.20 In this chapter, Greenleaf argues that Convention 108 is the ‘only global data protection treaty we are ever likely to see’.21 This conclusion is reached because other existing instruments are either non-binding (such as the Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data or the APEC Privacy Framework) or limited in their territorial reach (such as the EU Directive22), and because the prospect of a UN-sponsored convention remains unrealistic as long as significant countries such as the USA and China retain outlier positions in relation to data protection. Greenleaf’s chapter provides an overview of the current state of ratification, as well as the data protection standards required by Convention 108 and its Additional Protocol23 of 2001. The latter significantly strengthens the Convention 108 protections by introducing restrictions on data exports and requiring the establishment of an independent authority to hear and investigate complaints, and to redress non-compliance. The process of globalising Convention 108 recently began when Uruguay became a party to Convention 108 and its Additional Protocol and an accession invitation was extended to Morocco. Greenleaf welcomes the globalisation and modernisation processes of Convention 108 and points out that they are symbiotic.
Given the interdependency between both processes it is important that modernisation does not weaken current data

20 G. Greenleaf, ‘The Influence of European Data Privacy Standards Outside Europe: Implications for Globalisation of Convention 108’ (2012) 2 International Data Privacy Law 68.
21 G. Greenleaf, Chapter 6 (in this volume), p. 95.
22 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, [1995] OJ L 281.
23 Additional Protocol to the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, regarding Supervisory Authorities and Transborder Data Flows, opened for signature 8 November 2001, ETS no. 181 (entered into force 1 July 2004).


protection standards so that Convention 108 remains relevant to its existing members and attractive to potential members. At the same time, however, it is also important not to introduce new standards at a level that is unrealistically high for non-European countries considering whether or not to accede. Accession by non-European countries offers a number of advantages to all parties to Convention 108, particularly in relation to data exports. Once a country has become a member, mutual obligations of free flow of personal data arise between the member and existing states parties, unless either derogates because of the other’s lack of data export restrictions. Greenleaf’s chapter also critically evaluates the modernisation proposals, which, like the globalisation efforts, are currently a work in progress. Aims of the modernisation include effectively absorbing the content of the Additional Protocol into Convention 108, enhancing the standard of protection in many areas to a level that is comparable to the proposed General Data Protection Regulations (GDPR), improving domestic enforcement mechanisms and remedies, and strengthening the powers of the Convention Committee. A particularly critical issue in data protection regimes is the appropriate regulation of cross-border data flows. The modernisation draft continues to guarantee the free flow of personal data between parties to Convention 108, coupled with an obligation on parties generally not to allow personal data exports to organisations in states that are not parties, unless ‘an appropriate level of personal data protection based on the principles of Convention 108 is guaranteed’.24 Greenleaf is especially critical of the current draft’s use of the novel term ‘appropriate’, which in his view lacks an established meaning and may therefore lead to data flowing into countries that do have a standard that is not ‘comparable’ to Convention 108 or is not ‘adequate’, as this term is understood under Directive 95/46/EC.
He is also concerned about the risks that such a weak term may pose in relation to the USA, which currently demands ‘interoperability’ of its own Privacy Framework with other international data protection frameworks. Greenleaf’s chapter closes on a cautiously optimistic note, anticipating that a further globalisation of Convention 108 is probable (though

24 Art. 12(2) of the Draft contained in Consultative Committee of the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS no. 108), Modernisation of Convention 108: Propositions of Modernisation (Strasbourg, 18 December 2012) T-PD_2012_04_rev4_E 9, www.coe.int/t/dghl/standardsetting/dataprotection/TPD_documents/T-PD(2012)04Rev4_E_Convention%20108%20modernised%20version.pdf (accessed 8 November 2013).


not inevitable). He calls on Europe to adhere to the ‘privacy standards it has slowly and relatively consistently developed over forty years’,25 rather than to accept a global privacy order shaped by ‘the economic dominance of Google, Facebook and other US-based companies, business models based on relentless data surveillance, the imperatives of the US economy, and a legal framework that imposes few restraints upon them because of the lack of consistent implementation of most key principles of data privacy protection’.26 These concerns resonate even more strongly in the aftermath of the Snowden revelations already referred to above.

Part III: Privacy protection through common law and statute All developed jurisdictions have laws that protect their citizens against speciic types of privacy invasions. In Western countries they include, but are not limited to, data protection laws, telephone interception laws, defamation, nuisance and the tort of trespass. Privacy protection may be the raison d’ être of such laws or just an incidental by-product of protecting another valued right. Many jurisdictions have also developed a general cause of action for invasions of privacy that gives individuals a private right to sue and seek civil redress, such as an injunction or damages for hurt and distress. One of the problems with laws that target speciic aspects of privacy is that they tend to be piecemeal. hey typically capture speciic acts performed in speciic circumstances by particular individuals or entities using certain technologies. h is is illustrated in Chapter 7, in which Nicole Moreham surveys the nature and extent of the protection currently aforded by UK laws against intrusion on seclusion. Moreham divides intrusion into ive categories according to the nature of the privacy interference and surveys the various laws – most of them statutory – that prohibit or regulate activities that intrude upon seclusion. he ive categories are: unwanted listening and audio recording, which includes phone hacking; unwanted watching, following, photographing and/or ilming; unwanted access to personal documents or iles, whether in hard copy or electronic; unwanted access to home and personal belongings; and harassment. She also examines the Data Protection Act 1998 (UK), which primarily focuses on information privacy but which also impacts on intrusion in so far as it regulates how information is collected and stored. Moreham concludes that this smorgasbord of laws lacks overall 25

25 G. Greenleaf, Chapter 6 (in this volume), p. 137.

26 Ibid., p. 138.


cohesion. Collectively, there are both duplications and gaps in these laws, arbitrary distinctions and boundaries, and a lack of parity between civil and criminal liability, as one form of physical intrusion might attract criminal sanctions while another might confer on the victim a cause of action for damages for hurt or distress. The same conclusion might be reached about the patchwork of laws that target misuse of private information, which is another significant subset of privacy.

The ‘hit and miss’ nature of this melange of existing laws in many jurisdictions has generated wide support for the development of an overarching cause of action to protect privacy. In the common law world, such an overarching law has already been developed in the UK and New Zealand, although only in respect of the public misuse of private information. Ontario has recognised a general tort of intrusion on seclusion. Moreham concludes that UK law should offer the same level of protection against unwanted intrusion as is provided against the publication of private facts.

While support for a more encompassing protection of privacy appears to be widespread, there is considerable disagreement on the way in which this should be achieved. Debate has centred on four interrelated issues. In jurisdictions that have already developed a private cause of action, many of these issues are now fairly settled; in jurisdictions such as Australia, they are yet to be resolved.

The first is the jurisprudential underpinnings of privacy. On what basis does (or should) the law protect privacy? It is now generally accepted that privacy is rooted in the human need for, and human right to, dignity and autonomy. A human rights framework facilitates the creation of a right to privacy and helps to delineate its reach.
This can be seen in Australia, where the failure of courts and legislatures to recognise a right to privacy can be directly attributed to the weak guarantees of human rights under which such protection could be demanded. In the absence of a human rights impetus, it is difficult for a court to justify the bold move of recognising a common law right to privacy.

The second issue is definitional and concerns the notorious difficulty, referred to previously, in ascribing to privacy a precise meaning. Those who support the existence of a private cause of action must grapple with whether it should protect privacy generally, or whether privacy should be broken down into a number of constituent parts, each of which receives protection through a specific cause of action. Using the terms coined by Moreham in Chapter 7, attention has tended to focus on two primary aspects of privacy: the ‘information component’, which addresses the misuse of private information, and the ‘physical component’, which is


concerned with unsolicited or unwanted intrusion on a person’s seclusion. It might be argued that even the creation of two actions – against intrusion, for which Moreham has demonstrated a need, and against misuse of private information – is piecemeal, as it fails to provide an overarching framework of protection. However, while such actions fall short of protecting privacy per se, they offer generalised protection for these significant subsets of privacy.

The third issue centres on the manner of protection; that is, how and by whom privacy protection is best afforded. Should it be left to be developed by the courts? If so, is this most appropriately achieved through judicial expansion of the cause of action for breach of confidence or through judicial development of a new independent cause of action based in tort? In the context of information privacy, the UK courts started off with the former but now seem to have reached the position that ‘misuse of personal information’ is a separate cause of action. Without this detour, New Zealand has developed a tort of wrongful publication of private information, while Australian courts have yet to take decisive action. If the matter is best left to parliament, further questions arise: should parliament create a statutory cause of action that is rooted in tortious principles or create a sui generis cause of action?

This third issue is addressed at length in Chapter 8. In that chapter, Michael Tilbury argues that optimal privacy protection cannot be achieved via the common law, whether through the development of a privacy tort or via an extension of the action for breach of confidence. In relation to the former, Tilbury argues that a general cause of action for invasion of privacy remains problematic for inclusion in the category of ‘tort’, because it does not fit within either of the two main theories that underlie tort law, namely the rights-based model or a loss-allocation model.
The former model is unsuitable because rights that give rise to tortious claims must be narrowly drawn, since they give one person a right to insist that another person is under a duty to do, or to refrain from doing, a specific thing. Privacy per se is too broad to constitute a ‘right’; in fact, it is more appropriately described as a value than a specific right or rule. The loss allocation model is also problematic because emotional distress – the normal harm resulting from a privacy invasion – ‘is too fragile an interest on which to found tortious liability’,27 both because it is hard to prove and because a degree of stress is regarded as an inevitable hazard of community life.

27 M. Tilbury, Chapter 8 (in this volume), p. 162.


One possible solution to make privacy fit into a rights-based model would be to create a number of wrongs, each of which deals with a discrete aspect of privacy. As explained above, this process has begun in New Zealand and the UK; both jurisdictions provide protection through a general cause of action against misuse of private information but are still developing their responses to intrusion upon seclusion. Tilbury maintains that while this approach creates more precise claim rights, and therefore resolves the problem of a lack of claim specificity, practical and theoretical considerations weigh against it. One problem is that new torts may need to be created to address privacy-invasive behaviour as technology continues to provide new ways of invading it. There also remains the need to articulate a unifying principle. Separate torts will only perpetuate the patchy nature of privacy protection. This takes us back full circle to the problem of privacy being too broad to operate as a claim right in tort law. For these reasons, Tilbury rejects both a general tort and specific privacy torts.

Tilbury also argues against treating privacy as a right in equity via an extended action for breach of confidence. Confidentiality and privacy are different in nature and to mesh them together creates confusion. For example, it leaves us with unresolved questions as to the status of the traditional equitable cause of action to protect confidentiality. Moreover, breach of confidence cannot be used against intrusion; it is directed only at disclosure scenarios. The equitable cause of action therefore forecloses the opportunity to articulate a unified principle.

Tilbury contends that since privacy is a human right, privacy law should accordingly be treated conceptually as a part of the law of human rights and is best recognised, protected and developed through a statutory cause of action, though one that is free from the constraints of tort law.
Such a cause of action is preferable because it can: ‘set the boundaries of the right in a way that allows for the future development of the law’;28 recognise ‘the force of competing interests on the weight to be attached to the interest in privacy in any particular case’;29 and define the relationship between ‘the general statutory action for invasion of privacy, relevant human rights instruments and other statutory provisions regulating privacy in particular contexts (such as data protection and surveillance)’.30

The final area of debate in relation to private causes of action has been on how privacy protection, however it is afforded, should interact with competing rights and principles, particularly freedom of speech. For example, when should an individual’s desire for privacy be allowed to prevail over

28 Ibid., p. 179.

29 Ibid.

30 Ibid.


free speech and when must it be expected to yield to it? While all would agree that both are important, there is disagreement as to the circumstances in which one should trump the other. There are also different views on whether the onus should be on the plaintiff to demonstrate that his or her privacy rights are not outweighed by considerations of free expression, or whether the defendant should be required to raise and prove facts that establish a defence to a cause of action for invasion of privacy. For example, Tilbury argues that a tort of privacy that relegates freedom of expression to a defence would mediate the clash between privacy and competing considerations in an unsatisfactory manner, since it would privilege privacy above these other public interest considerations without articulating why they should prima facie be trumped by privacy.

In the ten years that have elapsed since the House of Lords recognised the existence of a common law action for misuse of personal information,31 courts in the UK have had numerous occasions on which to grapple with how a satisfactory balance between these two significant human rights might be achieved. In Chapter 9, Eric Barendt suggests that the UK courts have tended to tip the scales too far in favour of free speech. The chapter is set against the background of the ‘Inquiry into the Culture, Practices and Ethics of the Press’ conducted by Lord Justice Leveson in 2012.32 A report of that inquiry was published in November 2012 (the ‘Leveson Report’). It found that, despite the fact that there are now more legal constraints on how the British press collect and disseminate personal information about individuals, the development of the action for misuse of personal information has not spawned a change in press culture. Indeed, the inquiry exposed the excesses of the British press and the apparent indifference by parts of the press to the harm caused by privacy invasions to individuals and their families.
The Leveson Report was damning, both in relation to the methods used by the press to garner information, and in its assessment of the arguments proffered by members of the press in privacy disputes as well as in evidence before the inquiry to justify their behaviour on grounds of free speech. While observing that the Leveson Report deals with the culture and ethics of the British press, and not with privacy law reform as such, Barendt’s main concern is to anticipate its likely impact on English privacy law, both in terms of the way in which it might ‘directly influence the framing of the law or court decisions in particular cases’33 and the ways in

31 Campbell v. MGN Ltd [2004] UKHL 22, (2004) 2 AC 457.

32 Lord Justice Leveson, An Inquiry into the Culture, Practices and Ethics of the Press, House of Commons Paper no. 780 (London: The Stationery Office, 2012).

33 E. Barendt, Chapter 9 (in this volume), p. 197.


which it might have effects of a less precise kind. In Barendt’s view, likely effects include an increase in the amount of damages awarded, a greater emphasis on intrusion on privacy (as opposed to the information aspect) and an increased preparedness to protect the privacy of public figures. The UK government’s proposal for an independent regulator set up by royal charter, and the recent legislative changes to give the courts power to award exemplary damages in privacy cases and other media torts, confirm that the times when press conduct was largely unbridled are likely to have come to an end.

Part IV: Privacy, surveillance and control

A particularly significant theme of current debates concerning privacy is how the law should respond to the increased availability and use of surveillance technologies and the extent to which it is appropriate for society to make use of surveillance as a strategy for national security and/or social control. As alluded to above, the increased prevalence and invasiveness of surveillance technologies raise important policy issues, especially to the extent that their use undermines anonymity in many of our everyday dealings. The two chapters in Part IV examine some of the resulting issues.

In Chapter 10, Moira Paterson provides a comparative overview of the regulatory frameworks governing surveillance activities in Australia, the United States and the United Kingdom. Her focus is on five key categories of law: constitutional or quasi-constitutional protections against surveillance; statutory data privacy regimes; civil law actions; laws that restrict telecommunications interceptions; and laws restricting specific uses of surveillance devices. The comparison of the approaches taken by the three jurisdictions highlights the extent to which regulatory regimes are affected by cultural and constitutional differences, including the relative values attributed to privacy and freedom of expression. These differences are especially important in relation to the regulation of surveillance by media organisations because they will usually seek to defend their practices with free speech arguments. Paterson’s analysis suggests that the complexity is also reflective of the multifaceted nature of privacy as a concept. The diversity of existing regulatory frameworks raises the question as to whether it is possible or desirable to find a more integrated solution.
In light of the entrenched differences, Paterson suggests that efforts should focus on improving and extending existing regimes in each country to ensure that they are better informed by the realities of modern surveillance practices.


Surveillance technologies have the potential and often the overt purpose of influencing social behaviour. This trend to exercising greater social control also underlies legislative measures to give courts greater powers to combat anti-social behaviour. Anti-Social Behaviour Orders (ASBOs) have been available since the late 1990s in the UK, but recently they have also been introduced in Western Australia, in the form of Prohibited Behaviour Orders (PBOs). Such orders are preventive orders by a court, akin to an injunction, intended to protect the public from antisocial behaviour by the person subject to the order. While the orders are civil in nature, a breach without reasonable excuse is an offence and can be sanctioned with imprisonment. Their use raises important privacy issues, as Thomas Crofts explains in Chapter 11. This is because it is a key feature of the ASBO and PBO schemes that details of the orders are expected to be made public, even in the case of young people who are normally shielded from publicity in relation to court proceedings. Publicity is deemed necessary because it encourages efficient control of ASBO and PBO subjects by the public, it reassures the community that the behaviour is being tackled and it has a deterrent effect on the persons at risk of behaving anti-socially.

Crofts puts ASBOs and PBOs into the context of other measures of crime control that, taken together, reveal a punitive and interventionist trend in recent law and order reforms. He then deals with the challenges posed to young people’s privacy by ASBOs and PBOs. The chapter explores the extent to which decisions on publicising such orders, as well as details of a young person’s anti-social or offending behaviour, strike an appropriate balance between the traditional reasons for protecting children’s privacy in criminal matters and the above-mentioned rationales for publicity.
Crofts concludes that the ‘decline of welfarism and rehabilitation has created a climate where there is less concern directed towards protecting the privacy of young people’34 who come into conflict with the law. He notes, however, that the ‘privacy interests of young people are not diametrically opposed to the public interest in community safety and crime prevention. Indeed, respect for a young person’s privacy, and minimising their public exposure, can foster their development into law-abiding citizens.’35 Referring also to the lack of compelling evidence that publicity orders are effective, Crofts calls for a more cautious use of publicity in ASBO and PBO proceedings.

34 T. Crofts, Chapter 11 (in this volume), p. 254.

35 Ibid.


Part V: Privacy and the Internet

As an open communications platform, the Internet is an unprecedented system for the delivery of information.36 While it has been an engine for innovation, the undoubted benefits of open access fostered by the Internet also pose real dilemmas for privacy advocates.37 As Ian Brown has noted, the ubiquity of personal information online and the ease of data gathering have prompted a shift in the default position so that personal data are increasingly automatically collected and processed by government and private entities, whereas previously information was generally only collected following a conscious decision to do so.38 Part V of the book examines privacy issues posed by the Internet from a variety of perspectives.

In Chapter 12, Lee Bygrave analyses the extent to which the traditional data privacy law paradigm is adequate to deal with the challenges of the Internet. The chapter approaches this in two logically distinct but related stages: first, by examining the degree to which the terminology of data privacy law translates to the Internet; and, second, the deeper structural challenges that the Internet poses for the data privacy paradigm.

Regarding the ‘fit’ between the terminology of data privacy law and the Internet, Bygrave concludes that the technology-neutral terms used by data privacy law are pitched at a sufficiently general level to apply to internet-based platforms. This is, for example, clear from the number of decisions of the European Court of Justice (ECJ) that have applied Directive 95/46/EC to internet-based data processing. There are, nevertheless, specific instances where the application of data privacy terminology has been problematic. Possibly the most significant problems arise in determining whether or not an IP address amounts to ‘personal data’ and, accordingly, falls within the scope of data privacy law. As Bygrave points out, court decisions on this issue are inconsistent in Europe, resulting in continued ambiguity.
Data privacy terminology also struggles to deal with internet-based activities in two further important respects: first, the extent to which

36 See R. E. Kahn and V. G. Cerf, ‘What is the Internet?’ in M. N. Cooper (ed.), Open Architecture as Communications Policy (Center for Internet and Society, Stanford Law School, 2004), p. 17.

37 J. E. Cohen, Configuring the Networked Self (New Haven: Yale University Press, 2012), pp. 10–12.

38 I. Brown, ‘Comparative Study on Different Approaches to New Privacy Challenges, in Particular in the Light of Technological Developments: The Challenges to European Data Protection Laws and Principles’ (Working Paper no. 1, European Commission, 20 January 2010).


the online actions of private individuals, and particularly interactions on social networking services such as Facebook, fall within the exception for ‘personal or household activity’; and, second, whether or not information that is globally accessible, such as material posted on a website or posted to a social networking service, is subject to the rules on transborder data transfer. As Bygrave explains in the context of an analysis of the ECJ decision in Bodil Lindqvist,39 these issues remain unresolved.

From the perspective of law and regulation, the Internet is inherently transgressive: it is global, radically decentralised and, in terms of governance, messy. The transgressive nature of the Internet poses deep challenges for law and regulation, and nowhere more so than in relation to data privacy law. As Bygrave explains, the core principles of data privacy law, which are aimed at limiting the collection and processing of personal data (including across national borders), are incompatible with the ‘open’ logic of the Internet. These tensions are especially apparent in Europe, where data protection is regarded as a fundamental right. It is therefore unsurprising that the current EU reform process, which is generally intended to strengthen EU data privacy law, has exposed the structural challenges of applying the data privacy paradigm to the Internet, especially in relation to the definition of ‘personal data’ and the potential extraterritorial application of EU law. As Bygrave points out, the fault lines exist not only between the data privacy paradigm and the logic of the Internet, but also between the European model of a ‘high level’ of data protection and the business interests of US-based technology companies such as Google and Facebook, which depend upon harvesting personal data.
While fully acknowledging the privacy-transgressive characteristics of the Internet, Bygrave also points to privacy-enhancing aspects of the Internet’s architecture that have so far proved to be technical hurdles to some intrusive forms of surveillance. A fundamental theme of the chapter is that, in the struggle to apply data privacy principles to the online world, it is important to avoid ‘regulatory overreach’. In particular, Bygrave identifies the dangers that over-rigorous data protection laws could stifle the ‘open’ Internet’s potential to generate innovation or prove to be unenforceable in practice.

Just as collection of personal data rather than non-collection has become the ‘new normal’ in the digital world, the migration of social interactions from offline to online, especially with user-generated social networking, has been associated with a switch in defaults from forgetting

39 Bodil Lindqvist (Case C-101/01) [2003] ECR I-12971.


to remembering.40 The prospect of people being tethered to their more-or-less permanent digital pasts has given rise to European proposals for introducing a ‘right to be forgotten’, which has clearly been the most controversial aspect of the current EU data protection reform process. In Chapter 13, David Lindsay analyses the potential new right as it appears in Article 17 of the proposed GDPR.41 By way of background, the chapter first gives some examples of the potential consequences of perpetual online information for individuals.

Much of the public debate about the proposed right has been marred by terminological confusion. Lindsay addresses this by distinguishing between three distinct but related concepts: the ‘right to oblivion’, or droit à l’oubli, which refers to the right that has developed in civil law jurisdictions to be free from one’s judicial or criminal past; the ‘right to erasure’, which refers to the right to remove or delete personal data under data privacy law; and the ‘right to be forgotten’, properly so-called, which refers to the right to have online personal data removed, or to have access restricted, especially in the context of user-generated social networking services. Lindsay sees the right to be forgotten as an attempt to apply concepts underpinning the right to oblivion in order to extend the right to erasure under data privacy law to deal with the problems of persistent online personal data.

As Lindsay explains, the current debate about the right to be forgotten takes place in the context of two complex endeavours: as an aspect of the fundamental reform of European data privacy law that aims to strengthen the privacy rights of individuals, it seeks to adapt existing protections to deal with persistent online personal data, especially in the context of social networking services.
The implementation of a right to be forgotten involves, first, balancing the rights of data subjects and rights to freedom of expression and, second, determining the extent to which intermediaries, such as social networking service providers, should be obliged to remove data. Lindsay argues that it is impossible for these two issues to be satisfactorily resolved in the abstract, as the particular contexts in which one seeks to remove the data must be taken into account. The chapter therefore concludes that the European law reform process would benefit from giving more attention to how the proposed right would apply in particular practical scenarios.

In Chapter 14, Megan Richardson and Andrew Kenyon deal with potential solutions to a range of other internet-related privacy issues, such

40 See V. Mayer-Schönberger, Delete: The Virtue of Forgetting in the Digital Age (Princeton University Press, 2009).

41 European Commission, GDPR, above n. 6.


as ‘sharing’ of personal data on social networks and behavioural advertising. The authors begin by pointing out that Europe appears to prefer to deal with online privacy issues through a data protection paradigm, whereas the USA tends to resort to consumer protection laws, especially the prohibition of unfair or deceptive trade practices. In this way, both jurisdictions build upon existing laws but, as a result of fundamentally different orientations, Europe recognises a ‘right to data protection’ while the USA appears concerned to protect consumer choice through the market.

Richardson and Kenyon also review data privacy law reform activities in the Asia-Pacific region, including the recent emergence of data privacy laws in Malaysia and Singapore, but then turn to the Australian law reform process. The authors explain that, despite the recommendations of law reform and Senate Committee reports, Australian data privacy law reform has remained cautious. Notwithstanding some relatively minor concessions to online privacy issues in the recent Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth), major law reform recommendations, such as proposals for introducing a statutory cause of action for serious invasions of privacy,42 have not yet been adopted. Although the authors acknowledge the potential advantages of full-scale data privacy law reform, they consider that the immediate future of the protection of online privacy under Australian law depends upon the incremental development of existing legal actions. Following cases brought in the USA (and other jurisdictions) against Google and Facebook under consumer protection laws, Richardson and Kenyon emphasise the relatively unexplored potential for actions under the Australian Consumer Law, and especially actions brought for misleading and deceptive conduct in trade, to be used as a means of protecting privacy online under Australian law.
Given the variety and diversity of online conduct giving rise to privacy concerns, Richardson and Kenyon conclude that, while not optimal, there may be some advantages in the piecemeal Australian approach.

The final chapter in this Part, Chapter 15, by Dieter Dörr and Eva Aernecke, addresses the legal challenges posed by the rise of cloud computing from the perspective of European and German data privacy law. As the authors explain, the remote storage of personal data in the cloud raises two conceptual issues: ownership of the data and the law that applies to data stored in the cloud. The chapter deals with the rules relating to the jurisdictional reach of German laws over offshore cloud service providers, explaining the European legal background to the German law.

42 See, e.g., Australian Law Reform Commission, For Your Information, above n. 9.


The authors explain that there are considerable challenges in applying the existing jurisdictional rules established under EU directives to cloud computing, especially those set out in Article 4 of Directive 95/46/EC, which is the key provision. In particular, uncertainties arise in determining whether or not a cloud service provider that is not ‘established’ in the EU is nevertheless ‘acting’ in the EU in the requisite sense. In view of these uncertainties, the Article 29 Data Protection Working Party (WP29), an advisory body established under the EU Data Protection Directive, has recommended that the responsibilities of the parties involved in cloud computing agreements be spelt out in their contractual arrangements so as to safeguard compliance with EU data protection law.43

Given that the proposed GDPR is specifically designed to address new forms of communication, the chapter describes the mooted changes to the rules governing jurisdictional reach. The proposed regulation adopts the recommendations of WP29 to extend the application of EU data protection law to cases in which goods or services are offered to data subjects in the EU and the behaviour of EU data subjects is monitored.44 If these proposals were adopted, EU data protection law would apply to cloud services, wherever located, provided the service is targeted at EU residents. However, as Dörr and Aernecke go on to point out, there remain uncertainties about the effect of the proposed new rules, including the absence of a provision dealing with applicable law. Conflicts of data protection laws remain potentially significant, given that the proposed regulation allows, in important respects, for the continued application of national laws of EU member states. That said, the authors conclude that the proposed GDPR represents an important step towards the desirable adoption of a common set of transborder rules.
Dörr and Aernecke propose that, in developing such rules for new forms of electronic data storage, the differences between encrypted and unencrypted data are taken into account.

Part VI: Privacy, the courts and the media

The impact of privacy laws on the collection and dissemination of information by the media has been discussed in a number of the chapters in Parts III and IV of this book. The two chapters in Part VI consider whether, and to what extent, respect for a litigant’s privacy should impact on court

43 Article 29 Data Protection Working Party (WP29), Opinion 05/2012 on Cloud Computing (WP 196, adopted 1 July 2012).

44 WP29, Opinion 08/2010 on Applicable Law (WP 179, adopted 16 December 2010).


processes and remedies, such as suppression orders and the granting or withholding of injunctive relief. Judicial decisions on such matters have a consequential effect on what the media can publish.

In Chapter 16, Sharon Rodrick considers the circumstances in which courts in Australia and the UK are prepared to make anonymity orders in order to protect the privacy of parties and witnesses. These orders derogate from the principle of open justice, which is a fundamental characteristic of court proceedings. While courts have always been prepared to qualify open justice where this is necessary in order to achieve a just outcome in a case, they have traditionally peremptorily rejected the notion that the privacy interests of litigants and others who become embroiled in legal proceedings might trump open justice. However, in recent years courts have increasingly been making anonymity orders that suppress the names of litigants and witnesses, while continuing to pay lip service to the sacrosanct status of open justice. Such orders impose restraints on the extent to which the media can report the work of the courts. Parliaments have been complicit in this departure from orthodoxy, as all jurisdictions have legislation that prohibits litigants in certain types of cases from being identified.

Rodrick investigates the extent to which deference to privacy is responsible for this increase in anonymity orders. The chapter contrasts the position in Australia, which lacks a constitutional or statutory bill of rights, with that in the United Kingdom, where by virtue of the Human Rights Act 1998 (UK) any request for an anonymity order falls to be resolved in light of Articles 6, 8 and 10 of the ECHR, which respectively enshrine a right to a fair and public trial, respect for privacy and freedom of expression.
Particular attention is paid to anonymity orders that are sought in conjunction with an application for an interim injunction to restrain the misuse of private information, as there is now a considerable corpus of UK case law on this issue. Not surprisingly, the increased recognition and protection of privacy in the UK has strengthened the position of litigants who wish to conceal their identity. he chapter also considers, in more theoretical terms, the advantages and disadvantages of naming persons who become involved in legal proceedings. While Rodrick maintains that arguments in favour of publication will be ordinarily far more compelling than arguments in favour of name suppression, she argues that privacy issues should at least be able to be articulated by a litigant, as this obliges the court to have regard to the efect of the revelation of identity on the litigant, thereby engaging it in a consideration of all of the issues at stake. As the law currently stands, this is more likely to occur in the UK than in Australia.

An overview of EMERGING challenges in privacy law


In Chapter 17, Normann Witzleb contrasts the principles that govern the grant of interlocutory relief in privacy and defamation actions. Obtaining an interlocutory injunction is of critical importance for persons who claim that information about their private life is about to be published, as once the information reaches the public domain the damage is done and monetary redress may be an inadequate remedy. Courts called upon to grant an interlocutory injunction must, therefore, engage in a finely tuned and case-specific balancing process in order to determine whether the privacy of the claimant or the freedom of expression of the defendant should enjoy priority. Although s. 12 of the Human Rights Act 1988 (UK) has ‘raised the bar’, where the grant of an interlocutory injunction would affect freedom of expression, interlocutory injunctions in privacy cases remain quite common. By contrast, injunctive relief against a threatened defamation is notoriously difficult to obtain. In these cases, courts continue to adhere to a rule against the imposition of any prior restraint. Under this rule – known as the rule in Bonnard v. Perryman45 – such an injunction will be denied unless it is clear to the court that the defendant’s actions cannot be defended.

Witzleb’s chapter analyses how UK courts should proceed where a threatened publication might amount to both an invasion of privacy and defamation. These cases are becoming more current in an era where privacy has risen to the fore as a protected interest. Given that media organisations are frequently the defendants in actions for breach of privacy and defamation, the resolution of this tension has implications for their ability to report a story and, therefore, for freedom of speech. A number of recent decisions, in particular Terry (formerly LNS) v. Persons Unknown,46 consider that it may constitute an abuse of process for applicants to ‘dress up’ an action to protect their reputation as a privacy claim in order to circumvent the rule against prior restraint. Witzleb argues, however, that there are reasons of principle, policy and pragmatism why this inflexible rule should not apply where privacy and defamation are simultaneously at stake and submits that a claimant should be at liberty to elect which cause of action to pursue. In particular, the author considers the impact of Article 8 of the ECHR and suggests that it is incompatible for courts to apply the inflexible rule in Bonnard v. Perryman to threatened publications that affect the claimant’s private life, merely on the basis that the publication may also be defamatory.

45 Bonnard v. Perryman [1891] 2 Ch 269.

46 Terry (formerly LNS) v. Persons Unknown [2010] EWHC 119 (QB), [2010] EMLR 16.


Conclusion

Issues that fall within the general rubric of ‘privacy’ have tentacles that can increasingly be seen to spread into most aspects of the relationships between governments, private corporations and citizens in technology-rich societies. The seemingly unstoppable trajectory of social and technological developments undermining privacy suggests that controversies concerning the balance to be struck between privacy and other competing interests, and how best to achieve an appropriate level of privacy protection, will be a permanent feature of our legal and political debates for the foreseeable future. This book of essays suggests that there is considerable scope for learning from research into the policy issues, the law reform debates and the regulatory responses adopted across jurisdictions. While the social and political contexts must be borne in mind, the essays in this volume illustrate that much can be gained from detailed analysis of specific legal issues, especially when it incorporates cross-jurisdictional perspectives.

PART I Reforming the data protection frameworks: Australian and EU perspectives

2 Navigating privacy in the information age: the Australian perspective

Timothy Pilgrim

Introduction

With the rise of instantaneous and electronic methods of communication, information collection and storage, and cultural changes in the way personal information is viewed and accessed, privacy is an increasingly relevant issue. In May 2012 the Australian Attorney-General announced major legislative reforms to the Privacy Act 1988 (Cth) (Privacy Act). The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) (Reform Act), which was passed in November 2012, commences on 12 March 2014. It constitutes the first step in a long and complex process to ensure that privacy remains both relevant and up to date in a changing world.

Privacy in the modern world

While Australia’s privacy framework may be undergoing reform, and while we may be witnessing revolutionary new technologies that are changing the way we think about the handling of personal information, community concern about privacy is a determined constant. This quotation, for example, concerns community perceptions of privacy:

Recent inventions and business methods call attention to the next step which must be taken for the protection of the person … photographs and newspaper enterprises have invaded the sacred precincts of private and domestic life, and numerous mechanical devices threaten to make good the prediction that what is whispered in the closet shall be proclaimed from the house tops.1

1 L. Brandeis and S. Warren, ‘The Right to Privacy’ (1980) 4 Harvard Law Review 193.


Timothy Pilgrim

Given recent media reporting of the impact of new technologies on people’s privacy, such as incidents like the News of the World phone hacking scandal, and the recent changes by Google to its privacy policy, you could be forgiven for thinking that this quotation is contemporary. It is actually from the late nineteenth century. These words were written by Samuel D. Warren and Louis D. Brandeis (who later became a US Supreme Court judge); they show the impact of the rise of the newspaper enterprise and of the emergence of new technologies, such as instantaneous photographs, on people’s privacy. The following is a more contemporary comment, made by Mark Zuckerberg, the creator of Facebook:

people have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that has evolved over time. You have one identity … The days of you having a different image for your work friends or co-workers and for the other people you know are probably coming to an end pretty quickly … Having two identities for yourself is an example of a lack of integrity.2

And Scott McNeally, co-founder of Sun-Microsystems, famously said in 1999: ‘You have zero privacy. Get over it.’3

Privacy – a human right

How do the above views, which are arguably driven from the perspective of particular business models, sit with the concept of privacy as a human right? I have no doubt that, innately, people continue to feel strongly about their right to have their privacy protected. That is why privacy is recognised as a basic human right, enshrined in Article 17 of the International Covenant on Civil and Political Rights (ICCPR).4 At a time when Australia was signing as a party to the ICCPR, the late Sir Zelman Cowen delivered six lectures entitled ‘The Private Man’, as part of the ABC’s annual Boyer lecture series. In one of these he observed that:

2 D. Kirkpatrick, The Facebook Effect: the Inside Story of the Company that Is Connecting the World (New York: Simon & Schuster, 2010), p. 199.

3 S. McNeally, ‘Sun on Privacy: Get Over It’, (26 January 1999) Wired, www.wired.com/politics/law/news/1999/01/17538 (accessed 8 October 2013).

4 International Covenant on Civil and Political Rights, opened for signature 16 December 1966, 999 UNTS 171 (entered into force 23 March 1976).

Navigating privacy in the information age


A man without privacy is a man without dignity; the fear that Big Brother is watching and listening threatens the freedom of the individual no less than the prison bars.5

The recognition of privacy as a human right, deserving of the protection of law, is one of the reasons we have the Privacy Act.6 Today we tend to view the concept of privacy through the lens of the law. All too often privacy is seen as an impediment to business practices or an administrative inconvenience – another box to be ticked on a compliance checklist. It is important to remember that privacy is a fundamental human right and is of key importance to the preservation of our free and democratic society. Of course, we also recognise that privacy rights are not absolute – they must be balanced against other important rights and ideals, such as freedom of expression and national security.

Privacy law reform

In 2006, almost twenty years after the Privacy Act was introduced, the Australian Government asked the Australian Law Reform Commission (ALRC) to conduct an inquiry into how well Australia’s privacy framework was functioning. In 2008, after significant public consultation, the ALRC concluded its inquiry with the release of its report ‘For Your Information: Australian Privacy Law and Practice’,7 which contained 295 recommendations for reforms to the Commonwealth privacy regime. In the course of its consultations, the ALRC found that Australians care deeply about privacy – they want a simple, workable system that provides effective solutions and protections. Australians also want the considerable benefits of the information age, such as shopping and banking online, and communicating instantaneously with friends and family around the world.

ALRC recommendations

While the ALRC report concluded that the Privacy Act had worked well, it proposed refinements to bring it up to date. These included:

• A new set of harmonised privacy principles to cover both the public and private sector;
• Provisions introducing comprehensive credit reporting to improve individual credit assessments and supplement responsible lending practices;
• Provisions relating to the protection of health information;
• A review of the exemptions to the Privacy Act;
• Mandatory data breach notification;
• A statutory cause of action for a serious invasion of privacy.8

Given the significant size of the ALRC’s Report, the Australian Government decided to respond in a two-stage process. In October 2009 the government released its first stage response to 197 of the 295 recommendations contained in the Report. These include a harmonised set of privacy principles, credit reporting and strengthening and clarifying the Commissioner’s powers and functions.

5 Z. Cowan, ‘The Private Man’ (1970) 24 The Institute of Public Affairs Review 26, 26–7.

6 Privacy Act 1988 (Cth).

7 Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice, Report no. 108 (2008).

The government’s first-stage response

The Privacy Law Reform agenda is ultimately the responsibility of the Federal Government, not the Office of the Australian Information Commissioner (OAIC). In May 2012 the government introduced the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (the Bill), announcing that this Bill would include the Australian Privacy Principles (APPs), changes to credit reporting and a strengthening of the Commissioner’s powers. Following consideration by two Parliamentary Committees, a number of amendments were suggested (specifically in regards to changing the commencement period from nine months to fifteen months and a number of small changes to the sections on credit reporting and cross-border disclosure of information), and the Reform Act was passed on 29 November 2012, receiving Royal Assent on 12 December.

The APPs will replace the two separate sets of privacy principles that currently cover the public sector and the private sector in Australia. Having a unified set of privacy principles covering business and government will simplify compliance obligations, particularly in the context of private sector-contracted service providers to Australian Government agencies. This new set of principles replaces the existing Information Privacy Principles (IPPs) and National Privacy Principles (NPPs) that apply to government agencies and businesses respectively. They include a number of significant changes to the current law, particularly in the area of direct marketing and cross-border information flows. The APPs are structured to more closely reflect the information lifecycle – from notification and collection, through to use and disclosure, quality and security, and access and correction. They aim to simplify privacy obligations and reduce confusion and duplication.

The Reform Act will allow for more comprehensive credit reporting, designed to provide consumer credit providers with sufficient information to enable them to adequately assess credit risk while ensuring the protection of personal information to the greatest possible extent, and to encourage responsible lending.

8 Ibid.

Commissioner’s powers

In October 2009 the government stated that it intended to give the Privacy Commissioner a range of new powers, and it also accepted the ALRC’s recommendation that the Commissioner be empowered to make enforceable determinations following investigations. The Reform Act includes these new powers, making substantial changes to the powers of the Privacy Commissioner, including more power to resolve complaints, conduct investigations and promote privacy compliance.

From the date of commencement, the Commissioner will be able to conduct a Performance Assessment of private sector organisations to determine whether they are handling personal information in accordance with the new APPs, the new credit-reporting provisions and other rules and codes. The power will consolidate the Commissioner’s existing discretions to conduct audits of Australian Government agencies, tax file number recipients and credit-reporting agencies and providers, and extend the discretion to include organisations. These assessments may be conducted at any time – an added incentive for organisations to ensure that they are handling personal information in accordance with the Privacy Act.

The reforms will also allow the Commissioner to make determinations, accept written undertakings that will be enforceable through the courts, or apply for civil penalty orders of up to $220,000 for individuals and up to $1.1 million for companies, when s/he has investigated on his/her own initiative (an own motion investigation, or OMI). These enhanced enforcement powers also extend to the handling by certain entities of credit information, tax file number information and health information.


Overseas experience

Overseas experience indicates that regulators with the power to pursue large penalties will often do so. The United States is perhaps the best example of this. One notorious data breach in the USA was the disclosure by ChoicePoint, a large identification and credential verification organisation, of sensitive information it had collected on 163 individuals. A Federal Trade Commission (FTC) investigation of this matter led to the imposition of a US$15 million fine.9 There have been many other breaches. In 2010 Massachusetts Eye and Ear Infirmary was fined US$1.5 million for losing the medical records of approximately three thousand patients,10 and in 2009 HSBC Bank was fined £3 million by the Financial Services Authority in the UK for failing to secure customer data.11

However, it is important to realise that privacy enforcement is about more than just financial penalties. In November 2011 the FTC in the USA reached a settlement with Facebook over allegations of deceptive conduct in relation to its privacy practices. As part of the settlement, Facebook must obtain independent, third-party audits certifying that it has a privacy programme in place that meets or exceeds the requirements of the FTC order every two years for the next twenty years.12 The FTC accepted an undertaking in similar terms in settlement of a matter involving Google Buzz earlier in 2011.13

On the other hand, in January 2013 the UK Information Commissioner’s Office fined Sony PlayStation Network £250,000 for failing to adequately secure personal and financial information of their customers, after their system was hacked.14 It is interesting to compare and contrast these approaches to enforcement. One wonders how effective a £250,000 fine would be for a multi-billion dollar organisation like Sony. Another key factor in enforcement is that in order to effectively pursue legal avenues of redress, the privacy authority must have the necessary resources to fund an investigation and the court costs that would be involved in taking a large multinational to court.

9 United States, Federal Trade Commission, ‘The Federal Trade Commission’s Settlement with ChoicePoint’ (18 March 2008), www.ftc.gov/bcp/cases/choicepoint/index.shtm (accessed 8 October 2013).

10 United States, Department of Health and Human Services, ‘Health Information Privacy: Breaches Affecting 500 or More Individuals’ (2 July 2013), www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html (accessed 8 October 2013).

11 United Kingdom, Financial Services Authority, ‘HSBC Firms Fined Over £3m for Information Security Failings’ (22 July 2009), www.fsa.gov.uk/library/communication/pr/2009/099.shtml (accessed 8 October 2013).

12 United States, Federal Trade Commission, ‘Facebook Settles FTC Charges that it Deceived Consumers by Failing to Keep Privacy Promises’ (Media Release, 29 November 2011), www.ftc.gov/opa/2011/11/privacysettlement.shtm (accessed 8 October 2013).

13 United States, Federal Trade Commission, ‘FTC Gives Final Approval to Settlement with Google over Buzz Rollout’ (Media Release, 24 October 2011), www.ftc.gov/opa/2011/10/buzz.shtm (accessed 8 October 2013).

Enforcement by the OAIC

In its current form, the Privacy Act only gives the Commissioner the power to make determinations on complaints received from individuals. In these complaints a conciliation-focused approach is usually adopted. However, for particularly serious privacy breaches or where, for example, conciliation is not achieving an outcome, the OAIC has demonstrated that it is prepared to use its power to make determinations directing how complaints should be resolved. Its determinations are enforceable in the Federal Court.

Determinations

In December 2012, I issued a determination made under s. 52 of the Privacy Act. The determination arose from a complaint by an individual against a credit-reporting agency.15 The complainant lodged a complaint with the Office of the Privacy Commissioner (now the OAIC) alleging that the credit-reporting agency held information about her that was not complete, correct or up to date, and was misleading. Additionally, she alleged that, when notified of the errors, the credit-reporting agency did not reply appropriately. I found in the complainant’s favour and determined that, to redress this matter, the credit-reporting agency needed to:

• apologise in writing to the complainant within four weeks of the date of the determination;
• amend the complainant’s credit information files;
• cease to provide the complainant’s credit report to any entity, prior to amending the errors;
• pay the complainant $2,000 for non-economic loss caused by the interferences with the complainant’s privacy.

Further, I recommended that the credit-reporting agency:

• develop revised training packages and user information guides for subscribers, which clearly address the issue raised in this complaint;
• engage an independent auditor to assess processes relevant to the complaint.16

Determinations are important, not just because they provide an avenue for resolving complaints where conciliation fails, but because they provide a public record of the OAIC’s views on how privacy laws should be interpreted, and can assist complainants and respondents to better understand how privacy laws apply. A number of other complaints are now in the process of determination.

14 United Kingdom, Information Commissioner’s Office, ‘Monetary Penalty Notice: Sony Computer Entertainment Europe Limited’ (14 January 2013), www.ico.gov.uk/enforcement/fines.aspx (accessed 8 October 2013).

15 ‘S’ v. Veda Advantage Information Services and Solutions Limited [2012] AICmr 33, www.oaic.gov.au/privacy/applying-privacy-law/privacy-complaint-determinations/sand-veda-advantage-information-services-and-solutions-limited-2012-aicmr-33-20december-2012 (accessed 8 October 2013).

Own motion investigations

The OAIC is also changing its approach to particularly serious or high-profile privacy incidents. The publication of investigation reports will increase the transparency of its investigation process and help organisations and agencies better understand their privacy responsibilities. Four investigation reports available on its website will provide information about investigations into incidents involving Medvet, Dell Australia, Telstra and First State Super Trustee Corporation.17

One of the most recent reports published was that concerning the Telstra Corporation Ltd investigation, which concluded in June 2012. This investigation was opened when the OAIC received information that customers’ personal information was accessible online. The personal information included names, phone numbers, service holdings and order numbers, as well as a free text field where consultants could write a customer’s username and password, or email or online bill account reference. My investigation focused on whether Telstra’s handling of the personal information it held was consistent with the NPPs contained in sch. 3 of the Privacy Act. These principles include requirements about when personal information may be disclosed (NPP 2), and what security measures must be in place to protect the personal information (NPP 4). My investigation concluded that the incident amounted to an unauthorised disclosure of customers’ personal information by Telstra, and therefore breached NPP 2. I also concluded that at the time of the incident, Telstra did not have adequate security measures in place to protect the personal information it held from misuse and loss, or from unauthorised access, modification or disclosure, resulting in a breach of NPP 4.18

Immediate or early notification that personal or financial details have been compromised can limit or prevent a breach of privacy and financial loss to individuals, by enabling them to re-establish the integrity of their personal information. Evidence shows it can be very difficult for individuals to re-establish the authenticity of their identity when their personal information has been stolen and used fraudulently. I have raised this concern publicly, both in media releases and in investigation reports, by stating that I would like to see organisations act swiftly to let their customers know about data breach incidents.

Data breach notification

On 17 October 2012 the government released a discussion paper, ‘Australian Privacy Breach Notification’, to inform its response to the ALRC’s recommendation to amend the Privacy Act to include a mandatory requirement for agencies and organisations to notify the Privacy Commissioner and affected individuals when there has been a data breach that may give rise to a real risk of serious harm to any affected individual.19 The OAIC has made a submission in response to the government’s discussion paper and it will be very interesting to see how this issue develops. Although this issue was slated to be dealt with in the second-round response to the ALRC recommendations, the early release of the discussion paper indicates a high level of interest in this issue, both within the government and the general public.

While there is no requirement in Australian law for organisations to notify individuals or the OAIC of a data breach, the OAIC strongly recommends that all organisations review how they apply the OAIC’s ‘Data Breach Notification: A Guide for Handling Personal Information Security Breaches’.20 In 2009–10 organisations and agencies came to the OAIC on forty-four occasions to report that they had been subject to a data breach. This increased to fifty-six in 2010–11, and forty-six reports were received in 2011–12.21 The OAIC now receives more data breach notifications than it implements own-motion investigations. Increasingly, it is the organisation or agency subject to a breach, rather than a tip-off or media report, that brings its attention to these issues. That being said, there are reports that indicate that the OAIC is only being notified of data breaches in a fraction of cases.

16 Ibid.

17 Commonwealth of Australia, Office of the Australian Information Commissioner, Own Motion Investigation Report: Medvet Science Pty Ltd (July 2012), www.oaic.gov.au/privacy/applying-privacy-law/privacy-omi-reports/medvet-science-pty-ltd-own-motion-investigation-report (accessed 8 November 2013); Commonwealth of Australia, Office of the Australian Information Commissioner, Own Motion Investigation Report: Dell Australia and Epsilon (June 2012), www.oaic.gov.au/privacy/applying-privacy-law/privacy-omi-reports/dell-australia-and-epsilon (accessed 8 October 2013); Commonwealth of Australia, Office of the Australian Information Commissioner, Own Motion Investigation Report: Telstra Corporation Ltd (June 2012), www.oaic.gov.au/privacy/applying-privacy-law/privacy-omi-reports/telstra-corporation-limited (accessed 8 October 2013); Commonwealth of Australia, Office of the Australian Information Commissioner, Own Motion Investigation Report: First State Super Trustee Corporation (June 2012), www.oaic.gov.au/privacy/applying-privacy-law/privacy-omi-reports/first-state-super-trustee-corporation-own-motion-investigation-report (accessed 8 October 2013).

18 Commonwealth of Australia, Office of the Australian Information Commissioner, Own Motion Investigation Report: Telstra Corporation Ltd (June 2012), www.oaic.gov.au/privacy/applying-privacy-law/privacy-omi-reports/telstra-corporation-limited (accessed 8 October 2013).

Industry is standing up and taking notice

Since the adoption of the OAIC’s new approach to privacy compliance, public commentary has indicated increased awareness by business of the need for compliance. A partner from Allens Arthur Robinson wrote an article in December 2011, following a previous determination, saying:

19 Commonwealth of Australia, Attorney-General’s Department, Australian Privacy Breach Notification (Discussion Paper, 17 October 2012), www.ag.gov.au/Consultations/Pages/AustralianPrivacyBreachNotification.aspx (accessed 8 October 2013).

20 Commonwealth of Australia, Office of the Australian Information Commissioner, Data Breach Notification – A Guide to Handling Personal Information Security Breaches (April 2012), www.oaic.gov.au/privacy/privacy-resources/privacy-guides/data-breachnotification-a-guide-to-handling-personal-information-security-breaches (accessed 8 November 2013).

21 Commonwealth of Australia, Office of the Australian Information Commissioner, OAIC Annual Report 2011–12 (28 September 2012), www.oaic.gov.au/about-us/corporateinformation/annual-reports/oaic-annual-report-201112/ (accessed 8 October 2013).


If there was ever any doubt, it is clear that there is now a real and present need for the private sector to adhere to the National Privacy Principles (the NPPs).22

Similarly, in its December 2011 ‘Privacy Update’, Minter Ellison wrote:

The Privacy Commissioner is prepared to take a more robust approach to the exercise of his powers to direct organisations on the steps they must take to remedy substantiated complaints and pay compensation.23

In the last two or three years, it has been noticeable that some respondents have adopted a more proactive approach to conciliation of privacy complaints and have showed a greater willingness to offer compensation. So far, this is only anecdotal evidence gathered over a short period of time, but I think that it bodes well for the future of privacy compliance in Australia. The challenge to business and government in Australia is to ensure that privacy practices and procedures are rigorous, and that they will stand up to scrutiny if there is a data breach. All privacy complaints should be taken seriously.

Other challenges and opportunities

In the 1980s, when the Privacy Act was introduced, fax machines were still a relatively new addition to the office environment. The term ‘hacking’ meant having a bad round of golf. The commercialisation of the Internet was still a decade away. The vast majority of filing was physical, and personal information was mostly held in paper records. Securing these documents was relatively easy – all you really needed was a lock and key. In our modern world of cloud computing, portable storage devices, electronic databases and hackers, the parameters around data security and document storage have shifted immeasurably. All it takes is a single careless incident to cause a massive data breach. The 2011 Sony data breach involved the personal information of up to seventy-seven million people worldwide.24 A data breach on this scale would have been inconceivable when the Privacy Act was introduced.

22 M. Pattison, N. Arasaratnam, G. Smith and I. McGill, ‘Focus: Privacy Commissioner’s Tough New Approach to Information Leaks’ (5 December 2011) Allens Linklaters, www.aar.com.au/pubs/cmt/fotmt5dec11.htm (accessed 8 October 2013).

23 M. Silberer and V. Scott, ‘Federal Privacy Commissioner Issues First Enforceable Determination’ (23 December 2011) Minter Ellison Lawyers, www.minterellison.com/Pub/NL/201112_PU4/?utm_source=privacy%20newsletter&utm_medium=email&utm_campaign=201112_pu4 (accessed 8 October 2013).

24 C. Annesley, ‘Chancellor Faces Up to UK’s Worst-ever Data Breach’ (20 November 2007) CIO, www.cio.co.uk/news/2300/chancellor-faces-up-to-uks-worst-ever-databreach/ (accessed 8 October 2013).


Data security has emerged as a major challenge for organisations and agencies. hey must ensure that they have implemented robust information security measures; however, data breaches can occur even when all reasonable steps have been taken to protect information. Organisations and agencies need to have contingency plans in place so that if a data breach occurs, they can deal with it swit ly, mitigating any risk of harm that the breach may cause. While a data breach alone can cause reputational damage, recent experience shows that customers can understand if an organisation openly acknowledges a breach, apologises and acts promptly to resolve it. Greater reputational damage can occur if an organisation is seen to be attempting to cover up a breach. Communicating with clients about privacy is another key challenge for businesses. Too oten privacy policies are unwieldy documents, littered with legal jargon, with which the average consumer is unable to engage. In 2010, as an April Fool’s Day prank, the British gaming retailer Gamestation.co.uk slipped an ‘immortal soul clause’ into its privacy agreement,25 knowing full well that most people would never read it. It was proven right – thousands of people unwittingly sold their souls to the company. My point is not that privacy policies are insigniicant – this is far from the truth. he challenge for organisations is to ensure that their privacy policies are clear, relevant and easily understandable. he importance of privacy policies is demonstrated by the recent example of Google, which has recently reviewed its privacy policies. he new policy (implemented in March 2012) includes some signiicant changes to the way Google interacts with the personal information of its users. 
These changes have caused significant public controversy and have attracted media attention.26 Members of the Asia Pacific Privacy Authorities (APPA) Forum, which includes Australia and eleven other privacy enforcement authorities in the region, asked its cross-jurisdictional Technology Working Group to review the changes made to Google’s privacy policy. The APPA Forum issued a communication to Google on the implications of this new policy.27 At the same time, the European Union’s Article 29 Data Protection

25 J. Martin, ‘GameStation: “We Own Your Soul”’ (15 April 2010), www.bit-tech.net/news/gaming/2010/04/15/gamestation-we-own-your-soul/ (accessed 8 October 2013).
26 R. Cellan-Jones, ‘Google Told to Fix Privacy Policy by EU Data Regulators’ (16 October 2012) BBC News: Technology, www.bbc.com/news/technology-19959306 (accessed 8 October 2013).
27 T. Pilgrim on behalf of Asia Pacific Privacy Authorities to L. Page (28 February 2012), www.appaforum.org/resources/correspondence/120228_appa_to_google.html (accessed 8 October 2013).

Navigating privacy in the information age

Working Party submitted a letter to Google, outlining similar issues from the EU perspective.28

Globalisation of information flows is a particular challenge for privacy regulators. A company might be based in the USA, hold information in databases in Europe and provide services online to customers in Australia. If that information is compromised, it can be very difficult to establish which country’s privacy regulator has jurisdiction to investigate the matter. Australia’s Privacy Act only applies to Australian organisations and to organisations with an organisational link to Australia. In the scenario mentioned above, it may be that the organisation concerned is not covered by the Privacy Act. Privacy commissioners worldwide are working together to address this issue. For example, APEC (Asia-Pacific Economic Cooperation) economies have recently established the APEC Cross-border Privacy Enforcement Arrangement, under which privacy regulators can cooperate and share information to assist in the enforcement of laws in cross-border privacy matters.29 The Global Privacy Enforcement Network,30 established in response to an Organisation for Economic Co-operation and Development (OECD) recommendation, is an informal network that facilitates cross-border cooperation in the enforcement of privacy laws. A particular challenge in this area is that there are subtle differences between privacy laws in different countries. An act or practice that breaches one country’s privacy laws might be lawful in another country. The creation of the APPs has enabled a new focus on international privacy issues, with the introduction of ‘APP 8 – Cross-border disclosure of personal information’. This new privacy principle aims to permit cross-border disclosure of personal information, but also to ensure that any personal information disclosed is still treated in accordance with the Privacy Act. This principle will apply to both government agencies and private sector organisations.
Cross-border cooperation in privacy enforcement is still a relatively new concept, and I expect that, as we gain more experience in this area,

28 Letter from J. Kohnstamm on behalf of the Article 29 Data Protection Working Party to L. Page (2 February 2012), http://ec.europa.eu/justice/data-protection/g-29/index_en.htm (accessed 8 October 2013).
29 Asia-Pacific Economic Cooperation, APEC Cross-border Privacy Enforcement Arrangement (CPEA), www.apec.org/Groups/Committee-on-Trade-and-Investment/Electronic-Commerce-Steering-Group/Cross-border-Privacy-EnforcementArrangement.aspx (accessed 8 October 2013).
30 Global Privacy Enforcement Network, ‘About the Network’, www.privacyenforcement.net (accessed 8 October 2013).

we will unlock the opportunities presented by the prospect of greater global collaboration.

Conclusion

The privacy landscape in Australia, and around the world, is constantly shifting as individuals and business adjust their behaviour, practices and opinions to engage with new technologies and changes to the way we communicate. These changes present a number of challenges and opportunities. As well as the key aspects of the government’s first-stage response to the law reform process, there are a number of other changes on the horizon. Once the government has implemented its first-stage response, it will move on to the second stage, which includes the prospect of mandatory data breach notification and consideration of some of the exemptions in the Privacy Act.31 In 2011 the government released an Issues Paper on the introduction of a statutory cause of action for serious invasion of privacy.32 It received more than seventy submissions from a variety of stakeholders. When or whether these reforms will take place is still not entirely clear, but depending on how the process unfolds, they could present both challenges and opportunities, as individuals, business and government come to grips with these new rights and responsibilities and take a further step in the evolution of privacy law in Australia.

31 See Commonwealth of Australia, Attorney-General’s Department, Australian Privacy Breach Notification (Discussion Paper, 17 October 2012), www.ag.gov.au/Consultations/Pages/AustralianPrivacyBreachNotification.aspx (accessed 8 October 2013).
32 Commonwealth of Australia, Attorney-General’s Department, A Commonwealth Statutory Cause of Action for Serious Invasion of Privacy (Issues Paper, September 2011), www.ag.gov.au/Consultations/Pages/Righttosueforseriousinvasionofpersonalprivacyissuespaper.aspx (accessed 8 October 2013).

3 Responding to new challenges to privacy through law reform: a privacy advocate’s perspective

Nigel Waters

Introduction

Data protection in Australia is regulated via the Privacy Act 1988 (Cth) (the Privacy Act) and various similar State and Territory laws.1 The Privacy Act was originally confined in its operation to federal government agencies and the use of Tax File Numbers, but it was later extended to apply to consumer credit reporting (from 1990) and then, more broadly, to larger private sector organisations (from 2000). It is based on a similar model to data protection laws in Europe and elsewhere, with an express reference to the 1980 OECD Privacy Guidelines.2

This chapter presents some reflections on new challenges to privacy law and on recent, pending and desirable changes to the Privacy Act that aim to improve Australian federal privacy law, both on paper and in practice. While Australian privacy laws have some unique weaknesses, most of the key challenges also exist in many other countries, making the observations on the need for law reform equally relevant internationally. They also apply to Australian State and Territory privacy laws, which mainly address the privacy obligations of their governments’ agencies.

Current challenges to privacy arise from a number of different sources, including changes in the business models used by governments and the commercial entities, and an influx of new actors into the information-processing arena. These add to the long-standing jurisdictional challenges that arise from information flows across state boundaries in the modern internet context.

1 Privacy and Personal Information Protection Act 1998 (NSW), Information Privacy Act 2000 (Vic), Information Privacy Act 2009 (Qld), Personal Information Protection Act 2004 (Tas) and Information Act 2002 (NT) apply to the relevant public sectors. Victoria and New South Wales also have health privacy laws that apply more broadly.
2 Organisation for Economic Cooperation and Development, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (23 September 1980) C(80)58/FINAL.

New business models and practices

The world in which businesses and government agencies now operate poses a number of different challenges in terms of privacy regulation. Key changes to operating models include the use of more joined-up service delivery models such as ‘one stop shops’,3 increased reliance on electronic transactions and business models based on inherently insecure technologies. The convenience of internet interfaces has led to well-known vulnerabilities being overlooked in many applications, and data encryption remains the exception rather than the rule. These activities occur in a context where businesses are subject to complex legal obligations and in which boundaries between sectors, states and countries are increasingly eroding.

The trend towards a more joined-up approach to service delivery increases the complexity of transactions on offer, due to the multiplicity of participants and transactions available in relation to any single encounter. Even such a superficially simple service as change of address across multiple agencies is fraught with difficulties given that many individuals use different names and addresses in different contexts. Once governments and businesses seek to use personal information for multiple purposes, it becomes very difficult to provide individuals with sufficiently adequate notice about the collection and handling of their personal information so they can exercise meaningful choices before providing their personal information.

The increased reliance on electronic transactions poses similar challenges due to the limitations of the screen-based media in conveying even simple information. Offers presented on a web page or in an SMS text message, inviting a simple ‘click here’ response, do not lend themselves to presentation of even basic terms and conditions.
Even where it is technically easy to present information – such as through a clickable link on a website – it is widely recognised that most users cannot be bothered to take the time to access it, and therefore make their primary decisions about participation in ignorance of what they are actually committing to.

3 There have been several federal government initiatives including: Government 2.0 Taskforce, Engage: Getting on with Government (22 December 2009); Commonwealth of Australia, Department of Human Services, Service Delivery Reform: Transforming Government Service Delivery (August 2011); Australian Information Commissioner, ‘The Australian Information Commissioner will Protect Information Rights and Advance Information Policy’ (Media Release, 1 November 2010), www.oaic.gov.au/news-andevents/media-releases/information-policy-media-releases/the-australian-information-commissioner-will-protect-information-rights-and-advance-information-policy (accessed 15 October 2013).

Responding to challenges through law reform

The design of many technology-based business models is based on what is possible in terms of functionality, rather than what is desirable from a security standpoint. Examples include design of electronic health records systems, including those being implemented in Australia,4 that can be accessed by tens of thousands of health workers, irrespective of whether such broad access is required or whether it poses unnecessary risks to the privacy of patients’ data. Similar issues arise in relation to the use of contactless smart cards in applications such as travel cards and mobile payment systems. At the same time, credit card issuers have recently unilaterally decided to allow small payments without requiring either a signature or PIN, apparently without asking or even notifying cardholders; arguably, this is a clear breach of the requirement in most privacy laws to implement ‘reasonable’ security measures. Financial institutions may be prepared to indemnify customers against any unauthorised use, but the burden of identifying abuse and making a complaint lies with the customer. This raises the question: how many cardholders who do not routinely check their statements will incur multiple small losses without noticing?

Businesses are also required by law to share information they collect for unrelated secondary purposes, such as reporting telephone subscriber information5 and financial transactions,6 with government agencies, adding to the complexity of explaining proposed uses. These legal requirements mean that the secondary uses and disclosures are lawful under privacy principles without consent. There remains a requirement to notify individuals about such uses, but an argument is frequently put that there is no point in ‘bothering’ people with detailed information when they have no choice and, in most cases, do not care.
Privacy regulators around the world have accepted these arguments to the extent that they use their discretion in allowing a ‘layered’ approach to privacy notices, with detailed information about uses and disclosures available to those wanting it only by following a chain of links, typically from a privacy notice to a summary privacy statement and then to a full privacy policy.7 While this approach

4 For example, the federal Personally Controlled Electronic Health Record (PCEHR) and the ‘NSW Health Healthelink electronic health record (EHR) pilot’: see, respectively, www.ehealth.gov.au and www0.health.nsw.gov.au/pubs/2008/healthelink_summary.html (both accessed 8 November 2013).
5 Under the Telecommunications Act 1997 (Cth).
6 Under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth).
7 The Australian Federal Privacy Commissioner has endorsed a ‘layered’ approach, which is used on its own website: Commonwealth of Australia, Office of the Australian Information Commissioner, Condensed Privacy Policy (March 2013), www.oaic.gov.au/condensed-privacy-policy (accessed 15 October 2013).

may well suit most people, it arguably fails to achieve one of the objectives of the notice principles in privacy laws, which is to ensure that individuals are regularly reminded about the extent of secondary uses of their personal information, in case they want to object or challenge such use – either with the collecting organisation where it is discretionary, or through political processes where the secondary use is controlled by law.

More generally, the increasing aggregation of data from multiple sources inevitably gives rise to data quality issues. Many systems and business models seem to struggle with the reality that most individuals have various personas in which names, addresses and other contact details are held in different contexts and that these will often be difficult to match. Often the starting assumption is that individuals have a single identity, and all sorts of problems arise from attempts to reconcile different identities and ‘fit’ people into a single mould of identity data.

New actors

We are also seeing an increasing role for individuals as data controllers. Social media allow individuals to become ‘publishers’ to a hitherto unprecedented extent, and it is arguable that the exemption in most privacy laws for ‘personal, family or domestic uses’8 of personal information is no longer sustainable. Too much damage can be done without redress or remedy if individuals are relieved of even basic obligations as data controllers. But the prospect of the Privacy Act applying to all individuals is daunting and fraught with practical difficulties, not least in educating them about their obligations.

Another type of actor, always present but now more obvious and central to much handling of personal information, is the service provider or data processor that handles at least some aspects of personal information for a client. Unlike some European data protection laws, the Australian Privacy Act does not make a distinction between data controller and data processor, leaving the question of who ‘holds’ or ‘controls’ personal information as a question of fact to be determined in individual cases. However, there has always been an underlying assumption by those drafting and implementing privacy laws that such issues are readily determinable and that processors would be acting under strict instructions – often set out in contracts or service level agreements – as to how to handle personal information. In practice, this has probably always been the exception rather

8 For example, Privacy Act 1988 (Cth) ss. 7B(1) and 16E.

than the rule. Many contracts for services merely specify an outcome; how the service provider (data processor) delivers that outcome is left as a matter of discretion and commercial choice. Contracts and agreements are often silent on the issue of what, if any, secondary use processors can make of personal information they are handling for a client.

Jurisdictional issues

Jurisdictional issues arise in relation to cross-border processing of personal information. This increasingly occurs in the course of both business and government operations. For instance, it occurs: when global enterprises transfer data between offices in different territories; in on-line shopping transactions; as a result of increasing use of cloud computing and other ‘foreign-based’ processing services; and when information is shared between governments, for a wide range of purposes. Privacy regulators struggle with determining the territorial reach of their laws with regard to cross-border processing (for example, who actually holds or controls data?) and with creating adequate processes for cross-border investigations, including handling of complaints, which requires cooperation between authorities operating with different legal systems. Governance of cross-border information flows often involves both commercial contracts and other agreements, including inter-governmental treaties, memoranda of understanding or service level agreements. Private–public partnerships, which involve both businesses and government agencies, add complexity to these issues.

Enforcement issues

These challenges make it very important to provide for adequate supervision and enforcement. The effectiveness of privacy protection also depends, crucially, on regulators having adequate investigative powers, resources (including technical expertise) and sanctions for non-compliance at their disposal. In Australia, a Privacy or Information Commission typically regulates privacy-related matters. However, various other bodies perform regulatory functions in this regard: for example, the Australian Competition and Consumer Commission, the Australian Securities and Investment Commission and industry ombudsmen such as the Telecommunications Industry Ombudsman and the Financial Services Ombudsman. Moreover, collaboration between regulators is also necessary, both domestically and internationally, to deal with cross-border issues and complaints.

Recent law reform

Privacy Act

In 2008 the Australian Law Reform Commission (ALRC) published its Report 108, For Your Information, after an exhaustive review of Australia’s privacy law during a three-year inquiry. The federal government’s response to the 295 recommendations made by the ALRC has been painfully slow. The government announced in 2009 that it would address the ALRC’s recommendations in two ‘tranches’ of amendments. The first ‘tranche’ of amendments was enacted by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) in November 2012. This Act introduces a new set of unified Australian Privacy Principles (APPs), a revised consumer credit-reporting regime and some changes to the enforcement provisions, including new powers and functions for the Privacy Commissioner. Prior to its enactment, the government issued exposure drafts of the Australian Privacy Principles and the consumer credit provisions for further consultation, and referred both to a Senate Committee.9 The Bill was, unusually, the subject of both House of Representatives and Senate Committee Inquiries, and there were some late amendments, mostly tabled by the government. The changes will not come into effect until March 2014, allowing for a longer than initially planned preparation and transition period.

While these changes to the Privacy Act were being considered and debated, parliament enacted other significant changes in 2010, largely as a result of major amendments to the Freedom of Information Act 1982 (Cth), and the government decided to form a new Office of the Australian

9 See G. Greenleaf and N. Waters, Submission no. 25 to Senate Standing Committee on Finance and Public Administration: Legislation Committee, Exposure Drafts of Australian Privacy Amendment Legislation, 16 August 2010, accompanied by Attachment 1. Also see: Australian Privacy Foundation, Submission no. 33 to Senate Standing Committee on Finance and Public Administration: Legislation Committee, Exposure Drafts of Australian Privacy Amendment Legislation, 18 August 2010; Australian Privacy Foundation, Submission no. 33 to Senate Standing Committee on Finance and Public Administration: Legislation Committee, Exposure Drafts of Australian Privacy Amendment Legislation: Part II Credit Reporting, March 2011. All submissions can be viewed at www.aph.gov.au/Parliamentary_Business/Committees/Senate/Finance_and_Public_Administration/Completed%20inquiries/2010-13/privexpdrafts/submissions (accessed 8 November 2013).

Information Commissioner (OAIC). The new office incorporates the existing Privacy Commissioner and his staff into a new agency with separate freedom of information and government information policy functions, and two more Commissioners.10 In the author’s opinion, these administrative changes have had a mostly negative effect on privacy protection. The reorganisation distracted the Privacy Commissioner and his staff for more than twelve months, and there has been a major (and avoidable) loss of brand awareness – effectively abandoning the painstaking build-up of the Privacy Commissioner brand over twenty-three years. There are also concerns about the overall priorities and emphasis within the OAIC, particularly given its third role, ‘government information policy’. Arguably, this involves the OAIC too closely in the information-sharing agenda of executive government.11 Colocation of freedom of information and privacy, which are both ‘watchdog’ roles despite some obvious tensions between them, has been a common trend both overseas and in Australian States and Territories, and appears to have both advantages and disadvantages.

Another relevant administrative change has been the shift in responsibility over privacy-related matters from the Department of Prime Minister and Cabinet back to the Attorney-General’s Department;12 this transition occurred in late 2011. Privacy policy clearly remains an ‘orphan’ child with a series of temporary homes and lacks an effective champion at senior levels of government.

The major Privacy Act amendments that were enacted in November 2012 are a mixture of some welcome and desirable changes and some very unfortunate losses. The losses are partly due to the government’s backdown in the face of determined lobbying by Commonwealth agencies and private business lobby groups, particularly by the credit-reporting and direct marketing industries.

10 See Commonwealth of Australia, Office of the Australian Information Commissioners, Home Page, www.oaic.gov.au/.
11 See correspondence between OAIC and Australian Privacy Foundation over the period November to December 2011 about this matter: Email from John McMillan, Australian Information Commissioner, to Dan Svantesson, 14 December 2011, www.privacy.org.au/Papers/IC-111214.pdf; and Email from Dan Svantesson to John McMillan, Australian Information Commissioner, 14 December 2011, www.privacy.org.au/Papers/IC-Reply-111214.pdf (both accessed 15 October 2013).
12 This move was made in October 2011, but it took six months for the position to be clarified on government websites.

New principles

The amending legislation has replaced the previously separate National Privacy Principles (NPPs) (for the private sector) and Information Privacy Principles (IPPs) (for the public sector) with one uniform set of APPs. In theory, one unified set of privacy principles is desirable, but unfortunately none of the thirteen APPs is, in my view, an overall improvement on the previous principles. Eight of the thirteen APPs are actually worse for privacy protection, and the other five remain largely unchanged. As detailed in previous critiques,13 there are major concerns about the use and disclosure principles and the cross-border data transfer and anonymity principles. Moreover, there is concern about the introduction of a range of new exemptions for specific activities and government agencies.

As recommended by the ALRC, the definition of ‘personal information’ has been changed from meaning information ‘about an individual whose identity is apparent, or can reasonably be ascertained, from the information’ to meaning information that refers to an individual who is ‘reasonably identifiable’. Whether this change proves significant will depend on the interpretation of this definition. Unfortunately, both the ALRC’s report and the new amendments ‘ducked’ the very significant issues relating to the meaning and role of ‘consent’ in the Privacy Act.

Direct marketing

The amendments include a new principle (APP 7), which deals with direct marketing (by the private sector only); uses and disclosures for direct marketing purposes were previously addressed in an unclear exception to the existing use and disclosure principle NPP 2. Responding to industry lobbying, the government made a late change to APP 7 to ensure it is not seen as a prohibition of direct marketing but rather as a set of conditions under which personal information can be used for direct marketing. The conditions are complex and their effect uncertain, although the intention is to ensure that, in most circumstances, individuals are offered an ‘opt-out’ opportunity, and that their choices must be respected. The Australian

13 See N. Waters and G. Greenleaf, ‘A Critique of Australia’s Proposed Privacy Amendment (Enhancing Privacy Protection) Bill 2012’ (Law Research Paper no. 2012–35, University of New South Wales, 15 August 2012); and G. Greenleaf and N. Waters, ‘Australia’s Privacy Bill 2012: Weaker Principles, Stronger Enforcement’ (2012) 118 Privacy Laws & Business International Report 16, 16–18.

Direct Marketing Association (ADMA) welcomed the late changes, which also limit the need for notice of opt-out in all communications, and limit individuals’ right to use pseudonyms – potentially a loss to consumers. ADMA remains concerned that the law does not accommodate modern business practices; this might suggest that the new principle may have struck the right balance for consumers!

Credit reporting

The special rules in Part IIIA of the Privacy Act applying to credit reporting have been substantially changed, mainly to accommodate a form of ‘positive reporting’, allowing lenders to exchange information about borrowers’ repayment histories, as well as whether or not they have defaulted on payments. Unfortunately, the complex regime has, if anything, been made even more complicated and difficult to explain or understand. The main reason for the delayed commencement date of the amendments is to allow for the finance industry to change its systems. There are some minor enhancements to the credit-reporting provisions from a consumer perspective but, overall, the new regime results in a major loss of financial privacy. Australia had, until now, been one of the few countries to restrict reporting to negative (that is default) information, and consumer groups fear that lenders will use the new information to increase the overall level of lending, with a corresponding rise in the number of borrowers getting into difficulties.

Privacy codes

The amendments continue the provisions relating to voluntary codes, which can supplement but not detract from the APPs, and also give the Commissioner the power to develop and register codes in the public interest that are binding on specified agencies and organisations.

Enforcement

The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) gives additional enforcement powers to the Information Commissioner, the key aspects of which are as follows:

• Complaint determinations under s. 52 of the Privacy Act may now include directions to respondents to take specific actions to remedy a complaint.14
• The Commissioner has a new power to make similar determinations following ‘own motion’ investigations.15 The Commissioner reported on four such investigations in 2011 and 2012.16
• Enforceable undertakings may now be accepted,17 with an option to publish the undertaking on the Commissioner’s website.18
• There are new civil penalty provisions for ‘serious’ or ‘repeated’ breaches,19 for which the Commissioner will have to apply to a court,20 although the criteria for determining when these breaches occur are not clearly defined.
• The Commissioner has powers to require Privacy Impact Assessments (PIAs) from federal agencies21 (but they do not require PIAs to be either independent or public, or ensure that requested PIAs are completed before decisions are made to proceed with the activity in question).
• A new function enables the Commissioner to conduct ‘assessments’ of the compliance of any public or private sector organisation in relation to its compliance with the APPs or other forms of enforceable privacy principles.22 This replaces the previous audit power, which was limited to agencies and some specific private sector organisations – the Commissioner reported on three audits in 2012 and four in 2011.23

These changes are more extensive than had been foreshadowed in the first tranche response to the ALRC, and are mostly welcome, although their effectiveness will depend on the Commissioner’s capacity and willingness to use the new powers, as further discussed below. Although not an addition to the Commissioner’s powers, another significant reform is the addition of a right of appeal to the Administrative Appeals Tribunal against decisions made by the Commissioner under s. 52(1) or (1A); this section enables the Commissioner to make a ‘determination’ concerning a complaint.24 While very desirable, these improvements to enforcement powers do not deal directly with the key problem of the existing Privacy Act: complainants cannot require the Commissioner to make formal decisions under s. 52. Successive Commissioners, including

14 Privacy Act 1988 (Cth) s. 52(1)(b)(ia).
15 Ibid., s. 52(1A).
16 See Commonwealth of Australia, Office of the Australian Information Commissioners, Privacy OMI Reports, www.oaic.gov.au/privacy/applying-privacy-law/privacy-omireports/ (accessed 15 October 2013).
17 Privacy Act 1988 (Cth) s. 33E.
18 Ibid., s. 33E(5).
19 Ibid., s. 13G.
20 Ibid., s. 80W.
21 Ibid., s. 33D.
22 Ibid., s. 33C.
23 See Commonwealth of Australia, Office of the Australian Information Commissioners, ‘List of Privacy Audits’, www.oaic.gov.au/privacy/applying-privacy-law/list-of-privacyaudits/ (accessed 15 October 2013).
24 Privacy Act 1988 (Cth) s. 96(1)(c).

the current one, have taken the view that complainants have no right to a formal decision, even if they disagree with the Commissioner’s view that a complaint has been successfully resolved. Without this discretion being removed, and complainants being given a right to a Determination, the new right of appeal may turn out to be of little use. The current Commissioner has now been in office for over two years, but in that time only two persons would have had a right of appeal, because he has made only two s. 52 Determinations, despite having investigated 291 complaints (out of 2,550 that have been closed25) in the two years 2010–11 and 2011–12.26

Missing reforms None of the major exemptions from the Privacy Act – for employee records, small business, journalism, political acts and practices, and for an arbitrary list of agencies via the Freedom of Information Act 1982 (Cth) schedules – all criticised in whole or part by the ALRC, are removed by the recent amendments, while others have been added. he government announced that it would deal with these matters in the second ‘tranche’ of reforms. It published an Issues Paper in September 2011 on a possible statutory cause of action against serious invasion of privacy (see below) and a discussion paper about mandatory data breach notiication in October 2012. With a federal election announced for September 2013, it seemed unlikely that any of these matters would proceed before that, but, in April 2013, the government unexpectedly issued an exposure drat Bill on breach notiication for comment. his is discussed further below.

Sectoral legislation/regulation

Leaving aside the changes to the Privacy Act itself, there have been major initiatives having a negative effect on privacy in several areas.

Telecommunications

Changes to the telecommunications interception regime have continued, with more than twenty amendments in the last decade alone. Almost all

25 Most complaints are closed without investigation, including on grounds that there is no jurisdiction, that the complainant has not first exhausted internal complaint processes, or after preliminary enquiries that the complaint has been adequately dealt with.

26 See Office of the Australian Information Commissioner (OAIC), Annual Report for 2010–11; Annual Report for 2011–12, www.oaic.gov.au/about-us/corporate-information/annual-reports/all/ (accessed 8 November 2013).


Nigel Waters

of them have either increased the scope of interception powers or weakened the safeguards within the legislation. A major review of the integrated public number database – a compulsory centralised database of all telephone numbers used by emergency services, law enforcement and for some private sector purposes – has been under way for some time and is likely to lead to an even more intrusive system. A proposal for mandatory retention of telecommunications data for up to two years was included in a 2012 federal government discussion paper on national security legislation, which has been before a joint parliamentary committee since July 2012.27

Health

In 2010 the federal parliament legislated for a system of Individual Health Identifiers (IHIs) and then, in 2011, it legislated for so-called ‘Personally Controlled’ Electronic Health Records (PCEHRs), which became available on an opt-in basis in July 2012.28 The IHI is issued automatically, effectively to everyone in Australia, with no ‘opt-out’ choice. The IT infrastructure underlying the IHI, operated by the federal government agency Medicare Australia, is, arguably, almost identical to what would have been required for the various national identity systems that have been proposed, and politically defeated, on various occasions since the 1980s. Examples of these proposed systems include the 1986 Australia Card system (which gave rise to the Privacy Act) and the 2006 Health and Welfare Access Card scheme. While the IHI system is currently legislatively quarantined from wider uses, this restriction is, of course, subject to future legislative amendment, and the technocrats may have finally succeeded in laying the foundations for their long-held dream of a future national identity scheme. While these privacy-negative changes in health and telecommunications have been progressing, the government’s response to the ALRC recommendations on health and telecommunications privacy has been deferred. There is still no clear timetable for what should be the

27 See Commonwealth of Australia, Attorney-General’s Department, Equipping Australia Against Emerging and Evolving Threats (Discussion Paper, July 2012), www.aph.gov.au/Parliamentary_Business/Committees/House_of_Representatives_Committees?url=pjcis/nsl2012/index.htm (accessed 15 October 2013).

28 See Commonwealth of Australia, Department of Human Services, ‘Healthcare Identifiers Service’ (24 June 2013), www.humanservices.gov.au/customer/services/medicare/healthcare-identifiers-service (accessed 15 October 2013).


‘foundation’ principles for these sectors against which specific initiatives could be judged.

Identity management

Various other identity management initiatives continue to surface, including various elements of a National Identity Security Strategy coordinated by the Attorney-General’s Department.29 These include an enhanced version of the Document Verification Service, currently in use by all levels of government, but now proposed to be made available to the private sector. The Commonwealth Department of Human Services has, since 2011, also been consulting on a proposed National Trusted Identities Framework (NTIF). There is a clear common theme of a bureaucratic desire to identify, monitor and control behaviour, with most initiatives being superficially attractive and justifiable but cumulatively of major concern to those worried about the overall effect of government monitoring and surveillance.

Quasi-regulators

Under the auspices of the Council of Australian Governments (COAG), up to thirty officials have been designated as function-specific ‘Privacy/Freedom of Information Commissioners/Ombudsmen’. While superficially positive, this is not only confusing to the public, but also devalues the regulatory brand by substituting agency employees for independent regulators (with real powers).

Action on unsolicited marketing

Two major privacy-enhancing initiatives in 2000–10 were the Spam Act 2003 (Cth) and the Do Not Call Register Act 2006 (Cth). Arguably, these were relatively heavy-handed responses to widespread concern about relatively trivial, but irritating privacy intrusions. The speed with which these controls were legislated contrasts markedly with the painfully slow passage of reforms to the Privacy Act that would deal with more serious privacy threats outlined above. In 2012 a private member’s Bill to establish a ‘do not knock register’ to control door-to-door sales lapsed, with a

29 See Commonwealth of Australia, Attorney-General’s Department, ‘Identity Security’, www.ag.gov.au/identitysecurity (accessed 15 October 2013).


Parliamentary Committee recommending that co-regulatory initiatives, including ‘do-not-knock’ stickers, be given a chance to work before any further legislation.30

Pending reforms

Statutory cause of action

As already mentioned above, the government published an Issues Paper in 2011 on a private right of action for breach of privacy.31 Such actions could be brought for privacy intrusions whether or not they involved ‘personal information’ covered by the Privacy Act – something that privacy advocates have long called for to fill a major gap in privacy protection. Many commentators question the government’s motives in flying this ‘kite’, suggesting that it may have been a convenient political response to perceived abuses by the media rather than reflecting a genuine commitment to extending privacy protection. Since submissions closed in late 2011, the issue has become caught up in a more general policy response to media regulation – following the Finkelstein report on media regulation32 and the major recommendations of a separate review of ‘convergence’ in media and communications, both published in March 2012.33 The government’s attempt to legislate in this area in March 2013 attracted ferocious criticism from media organisations and the Bills were subsequently withdrawn. In passing, the government announced that it would refer the ‘privacy right of action’ proposal back to the Australian Law Reform Commission,34 despite the ALRC’s clear support for such a cause of action in its 2008 Report.

30 Do Not Knock Register Bill 2012 (Cth); House of Representatives Standing Committee on Social Policy and Legal Affairs, Advisory Report: Do Not Knock Register Bill 2012 (September 2012).

31 See Commonwealth of Australia, Attorney-General’s Department, A Commonwealth Statutory Cause of Action for Serious Invasion of Privacy (Issues Paper, September 2011), www.ag.gov.au/Consultations/Pages/Righttosueforseriousinvasionofpersonalprivacyissuespaper.aspx (accessed 15 October 2013).

32 R. Finkelstein QC, Report of the Independent Media Inquiry (28 February 2012), www.archive.dbcde.gov.au/2013/august/independent_media_inquiry (accessed 8 November 2013).

33 Commonwealth of Australia, Department of Broadband, Communications and the Digital Economy, Convergence Review Final Report (30 April 2012), www.archive.dbcde.gov.au/2013/august/convergence_review (accessed 8 November 2013).

34 Terms of reference for a new ALRC inquiry into serious invasions of privacy, including the detailed design of a statutory cause of action, were released in June 2013: see M.


Data security breach notification

In recent years there has been a wave of legislation providing for notification of data security breaches in foreign jurisdictions, perhaps surprisingly led by the USA, where most of the states now have mandatory notification requirements.35 Interest in such laws is a response to the many well-publicised serious breaches involving major businesses and government agencies and is driven by more general security concerns and risks to non-personal information, as well as by the threat to individuals’ privacy. This means that there is a wider constituency and support base for breach notification than just the privacy community. The 2008 ALRC Privacy Report recommended that there be a requirement to notify both the Privacy Commissioner and affected individuals in cases where unauthorised access to personal information created a risk of serious harm. The federal government had initially deferred its response to this recommendation to the proposed second tranche of reforms. However, in October 2012 it unexpectedly issued a Discussion Paper,36 seeking views on the desirability and design of a notification scheme. The paper canvassed, and sought submissions on, various key issues such as appropriate threshold triggers, and the pros and cons of notifying affected individuals instead of, or in addition to, a regulator. In April 2013 the Attorney-General’s Department circulated exposure draft legislation for comment by stakeholders and a Bill, based on the draft, was introduced to parliament in June 2013.37

Regulator effectiveness

Good privacy laws can be rendered ineffective by poor promotion and enforcement, while weaker laws can be, and are, used to great effect by

Dreyfus, Commonwealth Attorney-General, Terms of Reference: Serious Invasions of Privacy in the Digital Era (12 June 2013), www.alrc.gov.au/inquiries/invasions-privacy/terms-reference (accessed 8 November 2013).

35 N. Waters, ‘Privacy and Information Security – Is Mandatory Data Breach Notification the Answer?’ (Paper presented at iappANZ Breakfast Seminar, Corrs Chambers Westgarth, Sydney, 27 July 2011), www.pacificprivacy.com.au/Papers.htm (accessed 15 October 2013).

36 See Commonwealth of Australia, Attorney-General’s Department, Australian Privacy Breach Notification (Discussion Paper, 17 October 2012), www.ag.gov.au/Consultations/Pages/AustralianPrivacyBreachNotification.aspx (accessed 15 October 2013).

37 Privacy Amendment (Privacy Alerts) Bill 2013 (Cth). The Bill failed to pass in the final parliamentary sitting week before the 2013 election.


proactive regulators. Unfortunately, there has been a long-standing concern about both the capacity and willingness of successive Privacy Commissioners (and now the Information Commissioner as well) to vigorously enforce Australia’s privacy law and to tackle hard issues. There has been a declared preference for ‘soft’ education, consultation and guidance over ‘hard’ enforcement. This is likely to continue with the recent amendments to the Privacy Act, leaving the Commissioner with the need to develop and issue a long list of new guidance material. Arguably, there has also been a recurrent preoccupation with ‘fair information practices’ or the ‘efficiency’ function of privacy law (good housekeeping) at the expense of a wider ‘surveillance limitation’ function.38 Commissioners have been unwilling to make determinations on complaints, both to deliver remedies to individuals and to invite court adjudication to set precedents – an important element of most effective regulatory regimes. They have also appeared slow to engage with other regulators, both domestically and internationally, to tackle cross-jurisdictional issues.39 These criticisms are not unique to Australian regulators – similar criticisms can be made of most privacy/data protection authorities worldwide. The net result is that, for most data controllers applying risk management principles, privacy is a low priority and low-risk issue. The common mantras that ‘privacy is good business’ and that the threat of reputational damage will suffice, are furphies. Most businesses, and governments, will inevitably try to get away with as much privacy intrusion as they can, as long as the perceived benefits, in financial return and/or cost savings, far outweigh any costs or risks.

Conclusion

The only hope of preventing further major reductions in privacy, for those who share this objective, lies in stronger, more prescriptive laws with

38 This distinction was first made in J. Rule, D. McAdam, L. Stearns and D. Uglow, The Politics of Privacy (New York: Mentor Books, 1980).

39 A lot of cooperation machinery has been set up in recent years, for example: the Asia Pacific Privacy Authorities (APPA) group (www.privacy.gov.au/aboutus/international/appa); the Global Privacy Enforcement Network (www.privacyenforcement.net/), and the APEC Cross Border Privacy Enforcement Arrangement (CPEA) (www.apec.org/Groups/Committee-on-Trade-and-Investment/Electronic-Commerce-Steering-Group/Cross-border-Privacy-Enforcement-Arrangement.aspx) (all accessed 15 October 2013). But there is little practical evidence of effective cooperation beyond (no doubt valuable) liaison and information-sharing.


significant financial penalties and more active enforcement. Australia’s federal regime will, from 2014, have one of these ‘legs’ – a strong enforcement regime, penalties and sanctions – but it will also continue to have ambiguous requirements in many areas, which will let personal information controllers off the hook on many contentious practices. The other aspect of an effective regime – vigorous proactive enforcement – remains, as always, largely within the gift of the Commissioners and the constraints of their resources.

4 The reform of EU data protection: towards more effective and more consistent data protection across the EU

Peter Hustinx

Introduction

This chapter aims to provide a brief overview of the ongoing reform of the EU legal framework for data protection. After an introduction to the background and the main features of the existing legal framework, it discusses the main drivers of the review, the main elements of the Commission proposals submitted in January 2012 and the likely next steps in the reform process.

History and background

The EU legal framework for data protection has developed in different stages and at different levels, but, for the purpose of this chapter, it is most useful to concentrate on the role of the Council of Europe and the European Union. The Council of Europe is an organisation with forty-seven member states and 800 million citizens. Established in Strasbourg (France), it is, inter alia, dedicated to the rule of law and legal standard-setting. Its first and still most important achievement was the adoption of a European Convention on Human Rights (ECHR) in 1950,1 which also provides for judicial enforcement of its provisions by a European Court of Human Rights. Article 8 of the ECHR provides for a right to the respect for private and family life, subject to restrictions under certain conditions.

This chapter is partly based on the following speech: P. Hustinx, ‘What Role for EU and International Policymakers in Ensuring Global Interoperability’ (Speech delivered at the 14th Annual Conference on Datenschutz und Datensicherheit (Privacy and Security), Berlin, 18 June 2012), https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/Publications/Speeches/2012/12-12-04_Forum_Europe_EN.pdf (accessed 8 November 2013).

1 Convention for the Protection of Human Rights and Fundamental Freedoms, opened for signature 4 November 1950, 213 UNTS 222 (entered into force 3 September 1953).


The reform of EU data protection


Mainly established in Brussels (Belgium), the European Union developed from an organisation with six member states and a chiefly economic agenda (European Community) in the 1950s, into an organisation with, presently, twenty-eight member states and a broad policy agenda. Its chief executive is the European Commission, but legislative proposals are jointly adopted by the Council, with representatives of the national governments, and the European Parliament, with over 700 members directly elected by the 500 million citizens of the member states. Among the other EU institutions is the Court of Justice, the judgments of which are binding on all member states.

Privacy and data protection

In the 1970s the Council of Europe concluded that the right to privacy, as laid down in Article 8 of the ECHR, had a number of limitations: the scope of the right was uncertain, and in any case did not cover all personal information; it was mainly directed against public authorities, even though private sector organisations could also create privacy risks through the use of large databases; and finally, it was felt that a comprehensive and more proactive approach was necessary in view of the challenges of an information society already visible on the horizon. This resulted in the adoption of the Convention on Data Protection (the Convention),2 with basic principles for the processing of personal data in automated or otherwise structured data files. The term ‘data protection’ was defined as the protection of fundamental rights and freedoms of natural persons, in particular their right to privacy, with respect to the processing of personal data. In other words: data protection is closely related to, but also distinguishable from, the right to privacy. The Convention principles were based on the US ‘Fair Information Principles’3 that also inspired the OECD Privacy Guidelines.4 They provided substantive requirements for data controllers, rights for data subjects and arrangements for institutional oversight, enforcement and

2 Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, opened for signature 28 January 1981, CETS no. 108 (entered into force 1 October 1985).

3 These consisted of five principles developed by the Advisory Committee on Automated Personal Data Systems in the Department of Health, Education and Welfare as set out in: US Department of Health, Education and Welfare, Report of the Secretary’s Advisory Committee on Automated Personal Data Systems, Records, Computer, and the Rights of Citizens (1973).

4 Organisation for Economic Co-Operation and Development, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (Paris, 1980).


Peter Hustinx

international cooperation. International data flows to third countries were, in principle, subject to adequate levels of protection in the country of destination. The Convention has been ratified by more than forty member states, including all EU member states.

EU Data Protection Directive

When the Convention was implemented into national law, it became clear that the general wording of its provisions allowed widely divergent national laws on data protection. At the same time, the development of an information society required more harmonisation and consistency among national laws than the Convention could facilitate. This pushed the European Commission into action and eventually resulted in the adoption of the Data Protection Directive (Directive 95/46/EC) in 1995.5 Directive 95/46/EC took the Convention as its starting point, but specified it in different ways, inter alia, requiring supervision and enforcement by a data protection authority acting with complete independence. A higher level of protection and harmonisation also resulted in stricter rules on data flows to third countries. The adoption of Directive 95/46/EC resulted in the revision of existing laws, or the adoption of new laws in all member states, including those joining the EU from Central or Eastern Europe at a later stage. Meanwhile, other more specific directives were adopted using the same approach. The most recent step, which occurred in 2008, was the adoption of similar rules in the area of police and judicial cooperation in criminal matters.6

The Charter and Lisbon Treaty

Two more elements should be mentioned: first, the adoption of the European Charter of Fundamental Rights7 (the Charter) in 2000; and second, the commencement of a set of new treaties for the EU (the Lisbon Treaty)8 at the end of 2009.

5 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data [1995] OJ L 281, p. 31.

6 Council Framework Decision 2008/977/JHA on the Protection of Personal Data Processed in the Framework of Police and Judicial Cooperation in Criminal Matters, [2008] OJ L 350, p. 60.

7 Charter of Fundamental Rights of the European Union, [2010] OJ C 83/02.

8 Treaty of Lisbon Amending the Treaty on European Union and the Treaty Establishing the European Community, signed 13 December 2007, [2007] OJ C 306/1 (entered into force 1 December 2009).


Although the Charter is based on the ECHR, it also contains innovations, such as the recognition of a right to the protection of personal data (Article 8), in addition to a right to respect for private and family life (Article 7). The Lisbon Treaty turned the Charter into a binding document, and also inserted a horizontal legal basis for legislation on data protection that is independent of the needs of the internal market.9 This step fully reflects the nature of data protection as a fundamental right, with specific characteristics that enable it to operate effectively in a modern information society. This confirmed a legal development of almost four decades.

Drivers of EU review

Let us now return to the current review of the EU legal framework for data protection, which is taking place for three reasons. The first reason is that there is a need to update the current framework, and more specifically Directive 95/46/EC, which is still the key element of the framework. ‘Updating’ means, in this case, ensuring most of all its continued effectiveness in practice. When Directive 95/46/EC was adopted, the Internet barely existed, and now we live in a world where the Internet is becoming increasingly relevant, so we need stronger safeguards that deliver good results in practice. The challenges of new technologies and globalisation require some imaginative innovation to ensure more effective protection. The second reason is that the current framework has given rise to increased diversity and complexity. Because Directive 95/46/EC was transposed into national law by the twenty-eight member states, we have ended up with twenty-eight versions of the same basic principles. That is simply too much. It results in costs and loss of effectiveness. In other words, there is a need to scale up harmonisation and make the system not only stronger and more effective in practice, but also more consistent. This will lead to a reduction of unhelpful diversity and complexity. The third reason has to do with the new legal framework of the EU. The Lisbon Treaty has put a strong emphasis on fundamental rights. This includes a special provision on the protection of personal data in Article 8 of the European Charter of Fundamental Rights and a new horizontal

9 Consolidated Version of the Treaty on the Functioning of the European Union, [2010] OJ C 83/47, Art. 16.


legal basis in Article 16 of the Treaty on the Functioning of the European Union,10 which provides comprehensive protection in all EU policy areas, regardless of whether it relates to the internal market, law enforcement or almost any other part of the public sector. So, the review of the framework is about stronger, more effective, more consistent and more comprehensive protection of personal data. If we now look at what is on the table, we see a package of at least two main proposals: a Directive for – briefly put – the law enforcement area (the proposed Directive),11 and a directly binding Regulation to replace Directive 95/46/EC, which applies to the commercial areas and the public sector other than law enforcement (the proposed Regulation).12 This architecture in itself signals that there is a problem with the comprehensiveness of the package. And indeed, if you look more closely, this is where the main weaknesses of the package can be found. The level of protection in the proposed Directive is substantially lower than in the proposed Regulation. This can be analysed on its own merits, but exchange of data between public and private entities, for example law enforcement and banks, telephone, travelling and so on is increasing, and substantial differences in protection between those sectors will have practical consequences in a wider field.

Continuity and change

If we now focus on the proposed Regulation, there are some main messages that need to be kept in mind. The first one is that – in spite of all the innovation – there is a lot of continuity. All basic concepts and principles that we have now will continue to exist, subject to some clarification and some innovation. An example of innovation is that there is now a stronger emphasis on ‘data minimisation’: that no more data should be processed than is strictly

10 Ibid.

11 European Commission, Proposal for a Directive of the European Parliament and of the Council on the Protection of Individuals with regard to the Processing of Personal Data by Competent Authorities for the Purposes of Prevention, Investigation, Detection or Prosecution of Criminal Offences or the Execution of Criminal Penalties, and the Free Movement of Such Data (Brussels, 25 January 2012) COM(2012)10Final.

12 European Commission, Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation) (Brussels, 25 January 2012) 2012/0011(COD).


necessary. Another example is the recognition of ‘Privacy by Design’, that is the idea of embedding privacy at the design stage, rather than as a later add-on. Where the innovation really comes in mainly concerns ‘making data protection more effective in practice’. This implies, as we will see, a strong emphasis on implementation of principles, and on enforcement of rights and obligations, to ensure that protection is delivered in practice. At the same time, the proposed Regulation provides for simplification and reduction of costs. A clear example is that prior notification of processing operations has been eliminated. This is required only in situations of specific risks. The proposed Regulation also provides for a one-stop-shop for companies with establishments in different member states. This involves the introduction of a lead Data Protection Authority. A directly binding regulation will also bring much greater harmonisation (in principle, one single applicable law in all member states) and greater consistency. In itself, this will also bring an important simplification and reduction of costs for companies operating in different member states.

General scope

Let me also emphasise that the proposed Regulation has a general scope: it will apply both in the private and in the public sector. This is completely consistent with the situation under Directive 95/46/EC. The possibility of a systematic distinction in Directive 95/46/EC between the public and the private sector was explicitly considered and rejected. The comprehensive approach of Directive 95/46/EC has been feasible because of the fact that some of its provisions – such as public tasks – are more relevant for public bodies and other provisions – such as contracts or legitimate interests – are more relevant for private actors. The European Court of Justice clearly explained in its judgment in the Rechnungshof case13 that Directive 95/46/EC applies in the public sector of a member state. However, it also emphasised that national law can only serve as a legitimate ground for processing if it complies with fundamental rights. This position is only reinforced by the fact that Article 8 of the Charter provides for an explicit recognition of the right to the protection of personal data, and that Article 16 of the Treaty on the Functioning of the

13 Rechnungshof v. Österreichischer Rundfunk and others (C-465/00) [2003] ECR I-4989.


European Union14 provides an explicit horizontal legal basis for the adoption of rules on the protection of personal data, both at EU level and in the member states when acting within the scope of EU law. At the same time, a much closer analysis of the relationship between EU law and national law on the basis of the proposed Regulation is needed. The impression that it will simply replace all relevant national law is not correct. There are at least four different ways in which national law and EU law will coexist and interact – one way being the fact that the proposed Regulation will build on national law in much the same way as happened in the Rechnungshof case. It may well be that more space is needed for an even better interaction between EU law and national law. If we come to the substance of the proposed Regulation, it strengthens the roles of the key players: the data subject, the responsible organisation and the regulatory authorities.

User control

The first perspective could also be seen as enhancing user control. The current rights of the data subject have all been confirmed, strengthened and extended. The requirement of consent has been clarified: when consent is needed, it must be real and robust consent. There is also a stronger right to object. There are stronger means to ensure that the rights of the data subject are respected in practice. There is more emphasis on transparency. And there is a provision introducing a collective action, not a class action in US style, but organisations acting on behalf of their members or constituencies. There is also much talk about the ‘right to be forgotten’, but, on further analysis, it is basically an emphasis on deleting data when there is not a good enough reason to keep them. Lastly, the right to data portability is, basically, a specification of the present right to require a copy of personal data in a particular format.

Responsibility

The biggest emphasis is on real responsibility of responsible organisations. Responsibility is not a concept that comes only at the end when something has gone wrong. Instead, an organisation has an obligation

14 Consolidated Version of the Treaty on the Functioning of the European Union, [2010] OJ C 83/01.


to develop good data management in practice. This appears in language such as taking all appropriate measures to ensure compliance, and verifying and demonstrating that these measures continue to be effective. This is one of the major shifts. It also implies that the burden of proof lies, in many cases, with the responsible organisation; that is, organisations must demonstrate that there is an adequate legal basis, that consent is real consent and that measures continue to be effective. The proposed Regulation also provides for a number of specific requirements, such as the need for a privacy impact assessment, the keeping of documentation and the appointment of a data protection officer. Some of these provisions, especially on documentation, are in my view overly detailed and would require some modification to make them more appropriate. Moreover, some exceptions in the same provisions may not be fully justified. A better balance in this part of the proposal may in fact solve both problems. A general provision on security breach notification is also included. EU law currently provides for such a notification only in the case of telecommunication providers.

Supervision and enforcement

A third main emphasis in the proposed Regulation is on the need for more effective supervision and enforcement. The safeguards for complete independence of data protection authorities have been strengthened fully in line with the judgment of the European Court of Justice in the case Commission v. Germany.15 It also provides for regulators with strong enforcement powers in all member states. Administrative fines of millions of Euro – competition-size fines – catch a lot of attention, but the message is: if this is important, it should be dealt with accordingly. This will therefore drive ‘data protection’ higher up the agenda of corporate boardrooms, which is welcome. If we look more closely, we see a growing practice of more vigorous enforcement through various means: remedial sanctions, administrative fines and also some increased civil liabilities. International cooperation among data protection authorities is also strongly encouraged and facilitated. The introduction of a lead authority for companies with multiple establishments is welcome. This lead

15 European Commission v. Federal Republic of Germany (C-518/07) [2010] ECR I-1885.


Peter Hustinx

authority will not be acting on its own, but will in fact be part of a network of close cooperation with other competent authorities. The introduction of a consistency mechanism in the context of a European Data Protection Board is also very important. This is to be built on the basis of the present group of data protection authorities (the Article 29 Data Protection Working Party). This mechanism will ensure consistent outcomes of supervision and enforcement in all member states. Its secretariat will be provided by the European Data Protection Supervisor.

Global privacy

A final element to be considered here is the wider international dimension of the proposed Regulation. Its scope has been clarified and extended. These provisions now apply not only to all data processing in the context of an establishment in the EU, but also when goods or services are delivered on the European market from a third country, or when the behaviour of Europeans is being monitored online. This is a reality on the Internet nowadays. And, at the same time, it is a realistic approach that, in my view, builds on an increasing synergy of thinking on data protection around the world. As to other international aspects, provisions on transborder data flows have been extended and in some ways streamlined and simplified. There is a specific provision now on Binding Corporate Rules, which contains a number of simplifications. A further important fact is that international cooperation is developing among data protection authorities in a wider context – for example between the Federal Trade Commission in the USA and data protection authorities in the EU – as part of a global network (GPEN: Global Privacy Enforcement Network). This will make it more possible to deal with global actors on the Internet, again based on a growing convergence of data protection principles and practices around the world.

Final remarks

In conclusion, my view is that this is a very welcome proposal, but subject to certain improvements of some important elements. Apart from the current lack of balance between the proposed Regulation and the proposed Directive for law enforcement, arguably there is also a need for more space for interaction between EU law and national law, and a need to reconsider some of the present exceptions, including those for


small and medium-sized enterprises. In my view, it is essential that general provisions are inherently scalable. Inappropriate specifications may only call for unnecessary exceptions. Finally, a word on procedure: discussions are now taking place in the Council and Parliament. These will take more than a few months. But I think the main proposal has a good chance of being adopted by 2014. I expect that the proposed Regulation, with the addition of some necessary improvements, will make it to the end.

PART II Privacy in European human right instruments

5 Protection of privacy in the EU, individual rights and legal instruments

Udo Fink

Human rights as part of EU law

Human Rights have only been part of the European Union Treaties since 2009, when the Charter of Fundamental Rights (the Charter) was ratified. However, the Court of the European Union has been developing human rights, based on general principles of EU primary law, since 1974.1 These general principles derive from the domestic law of the member states and from the European Convention on Human Rights (ECHR). The ECHR is part of the legal system governed by the European Council, an international organisation with forty-seven member states including the Russian Federation and Turkey,2 in distinction to the twenty-seven members of the EU. Although the EU is not yet legally bound by the ECHR, the Court of the European Union has declared that its provisions form part of the general principles of EU law.3 This was because all member states of the EU have ratified the ECHR; it has therefore become part of the domestic law of each member state and, consequently, of the general principles of EU law. The ECHR forms the foundation for the protection of human rights all over Europe and in the European Union. It is the minimum standard for all rights granted in the Charter, which can provide more but never less protection than the ECHR.4 This is important, not only for the interpretation

1 Nold v. Commission (C-4/73) [1974] ECR 491, §13.
2 Information regarding the Council of Europe and its member states is available at: Council of Europe, ‘The Council in Brief’, www.coe.int/ (accessed 17 October 2013).
3 This case law is also reflected in the Treaty on European Union, opened for signature 7 February 1992, [2009] OJ C 191/1 (entered into force 1 November 1993) Art. 6(3), which states: ‘Fundamental rights, as guaranteed by the European Convention for the Protection of Human Rights and Fundamental Freedoms and as they result from the constitutional traditions common to the Member States, shall constitute general principles of the Union’s law.’
4 See Charter of Fundamental Rights of the European Union [2000] OJ C 364/1 (the Charter) Art. 52(3), which states: ‘In so far as this Charter contains rights which correspond to rights guaranteed by the Convention for the Protection of Human Rights and Fundamental Freedoms, the meaning and scope of those rights shall be the same as those


of the different human rights instruments, but also for determining the powers of the Court of the European Union (the Luxemburg Court) and the European Court of Human Rights (the Strasbourg Court or the Court). When deciding human rights questions, the Luxemburg Court has to take into account the decisions of the Strasbourg Court, as only the latter is entitled to make final and binding decisions with regard to the ECHR. Due to an obligation imposed by the Lisbon Treaty, the EU itself is now in the process of acceding to the ECHR.5 As a member of the Convention, the EU and its legal system will be directly influenced by the ECHR. This means that all legal acts of EU organs, including the Luxemburg Court, may be subject to scrutiny by the Strasbourg Court. Consequently, the ECHR and the decisions of the Strasbourg Court will play a vital role in shaping the protection of privacy in the EU.

Right to privacy in the EU

The right to privacy is guaranteed in Article 8 of the ECHR and Article 7 of the Charter – the wording of both provisions is similar. Article 8(1) of the ECHR states: ‘Everyone has the right to respect for his private and family life, his home and his correspondence.’ Article 7 of the Charter states that ‘[e]veryone has the right to respect for his or her private and family life, home and communications’. The first problem encountered when dealing with this right is the lack of any clear definition as to what constitutes a ‘private life’ (arguably the term ‘private life’ is synonymous with the term ‘privacy’ and so these two terms

laid down by the said Convention. This provision shall not prevent Union law providing more extensive protection.’
5 Article 6(2) of the Treaty on European Union [2010] OJ C 83/13. See also Convention for the Protection of Human Rights and Fundamental Freedoms, opened for signature 4 November 1950, 213 UNTS 222 (entered into force 3 September 1953), as amended by Protocol no. 14 to the Convention for the Protection of Human Rights and Fundamental Freedoms, Amending the Control System of the Convention, opened for signature 13 May 2004, CETS no. 194 (entered into force 1 June 2010), which, in Art. 59(2), permits the EU to accede to the ECHR; see also The Steering Committee for Human Rights of the Council of Europe, Report to the Committee of Ministers on the Elaboration of Legal Instruments for the Accession of the European Union to the European Convention on Human Rights (2011) CDDH(2011)009, www.coe.int/t/dghl/standardsetting/hrpolicy/accession/Meeting_reports/CDDH_2011_009_en.pdf (accessed 17 October 2013). For details regarding the negotiation process see: Council of Europe, European Convention on Human Rights: Accession of the European Union, http://hub.coe.int/what-we-do/humanrights/eu-accession-to-the-convention (accessed 17 October 2013).


will be used interchangeably throughout this chapter). When dealing with the continuous media intrusion into the private life of the late Diana, Princess of Wales, the Calcutt Report6 found that ‘nowhere have we found a wholly satisfactory statutory definition of privacy’. In the 1890s, Warren and Brandeis articulated a concept of privacy they called the ‘right to be let alone’.7 However, this negative approach is only one aspect of privacy. The preamble to the Australian Privacy Charter, a non-legally binding text developed by the Australian Privacy Foundation, provides that ‘[a] free and democratic society requires respect for the autonomy of individuals, and limits on the power of both state and private organisations to intrude on that autonomy’.8 However, autonomy encompasses much more than the mere right to be let alone. Individual autonomy characterises the capacity to be self-determining. Alan Westin, author of ‘Privacy and Freedom’9 and a US pioneer of data protection, believes that private autonomy is the desire of people to freely choose under what circumstances, and to what extent, they expose themselves, their attitudes and their behaviour to others. The protection of privacy is not an unconditional right, however. It protects an individual’s existence and autonomy, provided these interests are not outweighed by the privacy rights of others or by conflicting public interests. The Strasbourg Court has developed a large body of jurisprudence based on specific situations where the interests of public organs and individuals overlap. In these cases, protection is necessary to preserve the freedom and autonomy of citizens.10 Lastly, the concept of a ‘private life’ is clearly far wider than a person’s intimate sphere. In 1992 the Strasbourg Court stated ‘it would be too restrictive to limit the notion [of private life] to an “inner circle” in which the individual may live his own personal life as he chooses and to exclude therefrom entirely the outside world not encompassed within that circle. Respect for a private life must also comprise to a certain degree the right to establish and develop relationships with other human beings.’11

6 D. Calcutt, Report of the Committee on Privacy and Related Matters (London: Her Majesty’s Stationery Office, 1992).
7 L. Brandeis and S. Warren, ‘The Right to Privacy’ (1890) 4 Harvard Law Review 193.
8 Australian Privacy Charter, Preamble (June 2003), www.privacy.org.au/About/PrivacyCharter.html (accessed 17 October 2013).
9 A. Westin, ‘Privacy and Freedom’ (1968) 25 Washington and Lee Law Review 166.
10 For a detailed analysis of the case law see A. Mowbray, Cases, Materials, and Commentary on the European Convention on Human Rights, 3rd edn (Oxford University Press, 2012), pp. 488f.
11 Niemietz v. Federal Republic of Germany (Application no. 13710/88) [1992] ECHR 80, (1993) 16 EHRR 97.


The following sections explore how wide the right to privacy, as protected under the ECHR, extends.

Privacy and intimacy

When the Strasbourg Court used the term ‘inner circle’ in its decision in Niemietz, it was referencing the most basic aspects of the right to privacy – a person’s right to have their identity and integrity protected. A person’s identity encompasses various special qualities of human existence; for example, one’s name, clothing, hairstyle, gender, genetic code and the history of a person. A person’s integrity encompasses more abstract elements of human existence, such as self-esteem, autonomy, feelings, thoughts and notions of morality. The personal integrity of an individual can be violated in a number of ways. For instance, the personal integrity of a patient is violated if they are provided with medical treatment against their will.12 Likewise, body searches and blood tests have been considered invasions of personal integrity.13 As far as body searches are concerned, effective measures have to be carried out in a manner consistent with the dignity of the person who is being searched. Persons who are subjected to bodily searches by state officials or medical personnel acting at the request of the state should only be examined by persons of the same sex. Physical intimacy is protected against the forced showing of the naked body. The ‘inner circle’ privacy rights also protect sexual autonomy. The Strasbourg Court has, in several decisions, confirmed that this means all forms of sexual behaviour, including homosexual activities, provided that no individual rights are violated. In Dudgeon v. the United Kingdom,14 the applicant was a shipping clerk and gay activist in Belfast, Northern Ireland, who was interrogated by the Royal Ulster Constabulary about

12 In YF v. Turkey (Application no. 24209/94) [2003] ECHR 391, the Court held that a forced gynaecological exam whilst in police custody was in breach of Art. 8 of the ECHR. In Glass v. United Kingdom (Application no. 61827/00) [2004] ECHR 103, (2004) 39 EHRR 15, the Court found that a breach of physical and moral integrity occurred when diamorphine was administered to a son against his mother’s wishes and a DNR (Do Not Resuscitate) order was placed in his records without his mother’s knowledge.
13 Wainwright v. United Kingdom (Application no. 12350/04) [2006] ECHR 807, (2007) 44 EHRR 809 (body search); X v. Austria (Application No. 8278/78) [1979] ECHR 6 (blood test); Peters v. the Netherlands (Application no. 21132/93, 6 April 1994) (Unreported) (urine test).
14 Dudgeon v. the United Kingdom (Application no. 7525/76) [1981] ECHR 5, (1981) 4 EHRR 149.


his sexual activities. The Strasbourg Court held that, given the personal circumstances of the applicant, the very existence of legislation that outlawed homosexual acts committed in private between consenting males ‘continuously and directly, affect[ed] his private life’.15 Moreover, in Christine Goodwin v. UK,16 the Strasbourg Court decided that member states have a legal obligation to recognise a change of gender, by allowing the correction of birth certificates and other official documents of transsexual persons. However, not every sexual activity carried out behind closed doors necessarily falls within the scope of Article 8 of the ECHR. In Laskey v. United Kingdom,17 the applicants were part of a group of homosexual men involved in consensual sado-masochistic activities, which they recorded on videotape. The House of Lords18 dismissed an appeal by the applicants against their criminal convictions for assault occasioning actual bodily harm. In the proceedings before the Strasbourg Court, the applicants submitted that the House of Lords’ decision that consent did not constitute a valid defence to the offences constituted an unlawful interference with their private lives. In accepting the decision of the House of Lords, the Strasbourg Court expressed doubt as to whether the applicants’ activities fell within the notion of private life; the activities involved a considerable number of people, which included the recruitment of new members and the shooting of videotapes which were distributed amongst the members.19

Social aspects of private life

To what extent do social activities fall within the scope of private life? As indicated above, there is some evidence in the jurisprudence that suggests that there is a sphere of personal relationships beyond the ‘inner circle’. In McFeeley v. the United Kingdom,20 the European Commission of Human Rights found that prisoners are entitled to associate and form relationships with one another and that this entitlement stems from the right to respect for one’s private life. Moreover, on other occasions, the Strasbourg

15 Ibid., [40].
16 Christine Goodwin v. the United Kingdom (Application no. 28957/95) [2002] ECHR 588, (2002) 35 EHRR 18 (GC).
17 Laskey v. the United Kingdom (Application Nos. 21627/93; 21628/93; 21974/93) [1997] ECHR 4, (1997) 24 EHRR 39.
18 R v. Brown (1994) 1 AC 212.
19 Laskey v. the United Kingdom, above n. 17, [36].
20 McFeeley v. the United Kingdom (Application No. 8317/78) [1980] ECHR 9.


Court has expressed the view that the enjoyment of a social life forms an aspect of private life.21 In light of these decisions, freedom to associate with others appears to be a social aspect of private life.

Data protection

Modern forms of communication leave individuals more exposed to invasions of privacy. In particular, personal photos, letters and diaries that are stored electronically are vulnerable to public disclosure. In addition, an official census that includes compulsory questions regarding sex, marital status, place of birth and so on may violate personal privacy.22 And the same argument can be extended to the recording of fingerprints, the taking of photographs and the collection of other personal information by the police. Moreover, the collection of medical data and maintenance of medical records, the compulsion by tax authorities to reveal details of personal expenditure (and thus intimate details of private life) and systems of personal identification that form part of health and social services all interfere with personal privacy.23 Under the ECHR, member states are required to regulate the manner in which public authorities and private entities gather and hold personal information on computers, databases and other devices. Moreover, member states must provide their citizens with the legal right to ascertain: which government authorities and private companies hold their personal data; the nature of the data that is held; and the purpose for which the data is held. States must take effective measures to ensure that information concerning a person’s private life does not reach the hands of entities that are not authorised by law to receive, process and use that information. Further, entities are required to guarantee that personal data is never used for purposes that would be incompatible with the ECHR.

21 Mikulic v. Croatia (Application no. 53176/99) [2002] ECHR 27.
22 X v. the United Kingdom (Application no. 9702/82, 6 October 1982) (Unreported). The Census Decision of the German Federal Constitutional Court (FCC) had a similar background. As the German Constitution does not provide explicitly for data protection, the FCC derived a fundamental ‘right to informational self-determination’ from the more general right to personality: Bundesverfassungsgericht [Federal Constitutional Court], 1 BvR 209, 15 December 1983, (1983) 65 BVerfGE 1, 209, 269, 362, 420, 440, 484/83. For details see T. Keber, ‘Online Surveillance within the Framework of German Data Protection Law’, in D. Dörr, U. Fink, R. Weaver and T. Keber (eds.), Brandeis meets Gutenberg (Frankfurt: Peter Lang, 2012), pp. 79, 82.
23 See e.g., Leander v. Sweden (Application no. 9248/81) [1987] ECHR 4, (1987) 9 EHRR 433, [84]. See also Rotaru v. Romania (Application no. 28341/95) [2000] ECHR 192 (GC), [46]; Z v. Finland (Application no. 22009/93) [1997] ECHR 10, (1998) 25 EHRR 371.


For effective protection of his or her private life, every individual should have the right to ascertain, in an intelligible form, what personal data is stored in automatic data files and for what purposes. Depending on the type of information held, denial of access to personal data held by government authorities and private companies can be detrimental to an individual. In Gaskin v. United Kingdom,24 a local government authority held files on the applicant. The files concerned highly personal aspects of his childhood, his development and history. The Strasbourg Court held that the lack of access to this ‘principal source of information about his past and formative years’ raised issues under Article 8 of the ECHR. The right to ascertain data also helps individuals ensure that data that concerns them is accurate and has not been collected and processed in an illegal manner. If data is found to be inaccurate or illegally obtained, the individual concerned has the right to request rectification or elimination.25 The Strasbourg Court has accepted that, in order to protect national security, states can pass laws granting their authorities the power to collect and store information in registers that are not accessible to the public.26 Moreover, it is also acceptable for the authorities to use this information when assessing the suitability of candidates for employment in positions that are important for national security. It is the state’s responsibility to identify those exceptional conditions and special jobs. However, the Strasbourg Court has stated that, in such cases, it must be satisfied that there exist adequate and effective guarantees against abuse. It specified that such guarantees are necessary in view of the risk that ‘a system of secret surveillance for the protection of national security poses of undermining or even destroying democracy on the ground of defending it’.27 Therefore, states must have in place an adequate framework of safeguards offering minimum standards of protection in order to prevent the abuse of power and the violation of Article 8 rights. When the purpose for data collection no longer exists, collected data must be erased. In S and Marper v. United Kingdom,28 the first applicant,

24 Gaskin v. the United Kingdom (Application no. 10454/83) [1989] ECHR 13, (1990) 12 EHRR 36.
25 For a case considering rectification see Khelili v. Switzerland (Application no. 16188/07, 18 October 2011) (Unreported).
26 Leander v. Sweden, above n. 23, [59].
27 Ibid.
28 S and Marper v. the United Kingdom (Application Nos. 30562/04 and 30566/04) [2008] ECHR 178 (GC).


S, was arrested at the age of eleven and charged with attempted robbery. His fingerprints and DNA samples were taken. He was later acquitted. The second applicant, Mr Michael Marper, was arrested and charged with harassment of his partner. His fingerprints and DNA samples were taken. Before a pre-trial review took place, he and his partner reconciled, and charges were not pressed. The Crown Prosecution Service then formally discontinued the case. Both applicants asked for their fingerprints and DNA samples to be destroyed, but the police and the UK courts refused. The Strasbourg Court stated that ‘the blanket and indiscriminate nature of the powers of retention of the fingerprints, cellular samples and DNA profiles of persons suspected, but not convicted of offences, as applied in the case of the present applicants, fails to strike a fair balance between the competing public and private interests and that the respondent State has overstepped any acceptable margin of appreciation in this regard’.29 Article 8 of the Charter specifically protects personal data as a human right and restricts the member states’ abilities to collect this data.30 Directive 95/46/EC31 provides that the object of national laws on processing personal data notably protects the right to privacy as recognised both in Article 8 of the ECHR and in the general principles of Community law.32 The Directive sets out a number of principles that give substance to, and amplify, those contained in the Data Protection Convention of the Council of Europe.33 It allows member states to adopt legislative measures to restrict the scope of certain obligations and rights provided for in the Directive, when such restriction constitutes a necessary measure for the prevention, investigation, detection and prosecution of criminal offences.34

29 Ibid., [125].
30 The Charter, above n. 4, Art. 8 (titled ‘Protection of personal data’) states: 1. Everyone has the right to the protection of personal data concerning him or her. 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data that has been collected concerning him or her, and the right to have it rectified. 3. Compliance with these rules shall be subject to control by an independent authority.
31 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data [1995] OJ L 281/31 (the Directive).
32 Ibid., rec. 10.
33 Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, opened for signature 28 January 1981, CETS no. 108 (entered into force 1 October 1985).
34 Ibid., Art. 13.


Privacy and freedom of the press – the Caroline case

The protection of privacy against intrusion by the press was an issue that specifically concerned Germany. Since the early 1990s, Princess Caroline von Hannover, a member of the family ruling the Principality of Monaco, has repeatedly taken legal action to prevent pictures of her private life from appearing in the tabloid press. On two occasions, German courts, including the Federal Constitutional Court, denied her relief. The Federal Constitutional Court confirmed an earlier decision of the German Federal Court of Justice that Princess Caroline was a ‘figure of contemporary society “par excellence”’ and therefore had to tolerate reports about her private life without her consent.35 When balancing the freedom of press against the right to privacy of prominent people considered figures of contemporary society ‘par excellence’, the freedom of the press prevailed due to its importance in forming public opinion. However, the Strasbourg Court came to a different conclusion when weighing the freedom of the press under Article 10 of the ECHR against the right to respect for private life under Article 8(1) of the ECHR (the ‘fair balance test’).36 It accepted that photos depicting one’s private life constituted a particular encroachment on one’s private life. Thus, it concluded that a significant intrusion into the Princess’ private life had taken place; photos, by their very nature, can expose the private life of an individual to a far greater extent than the written or spoken word. The Strasbourg Court decided that the voyeuristic interest of certain members of the public in the private lives of prominent people was not enough to justify any invasion as the photos did not make a meaningful contribution to public debate. Although Princess Caroline is a member of the ruling house of Monaco and her political behaviour is, as such, an object of public interest, she appears only infrequently as a representative of that house for charitable or cultural events. As she exercises no public position in the house, her role is not comparable to that of a politician, who nearly always has to be aware that his life will be observed by press and other media.37

35 Bundesverfassungsgericht [Federal Constitutional Court], 1 BvR 1861/93, 1864/96, 2073/97, 14 January 1998, (1998) 97 BVerfGE 125 (Caroline I); Bundesverfassungsgericht [Federal Constitutional Court], 1 BvR 653/96, 15 December 1999 (1999) 101 BVerfGE 361 (Caroline II).
36 Von Hannover v. Germany (Application no. 59320/00) [2004] ECHR 294, (2005) 40 EHRR 1 (ECtHR Caroline I).
37 Ibid., [72].


Subsequently, the German Federal Court of Justice accepted the Strasbourg Court’s criticism of the concept of a ‘figure of contemporary society “par excellence”’. It considered that, irrespective of the issue as to whether the applicant should be regarded as a figure of contemporary society ‘par excellence’, she was, in any case, a well-known person who attracted public attention. In the view of the Federal Court of Justice, that, combined with the fact that she had not been in a secluded place out of the public eye when the photos had been taken, was sufficient to deprive her of protection of her private life. The Federal Constitutional Court reiterated the Strasbourg case law regarding Articles 8 and 10 of the ECHR and also referred to its own case law on the respective fundamental rights in the German Constitution as established in its leading judgment of 15 December 1999.38 It explained that, in so far as an image alone did not make any contribution to the formation of public opinion, its informative value had to be assessed in the context of the accompanying article. However, if that article was merely a pretext for publishing a photo of a well-known person, no contribution was made to the formation of public opinion. In such cases, there are no grounds for allowing the interest in publication to prevail over the protection of personality rights. However, if the photos are shown in the context of an article dealing with aspects of public interest, such as her visit to her dying father in hospital or renting out a villa in Kenya, public interest can prevail over the protection of privacy.39 Princess Caroline applied again to the Strasbourg Court but the Grand Chamber accepted that the private life of prominent persons without an official function could be of public interest.40 The Court developed several criteria for striking a fair balance between the protection of privacy and press freedom. These criteria include: (1) whether the publication contributes to a debate of general interest; (2) how well known the person concerned is; (3) what the subject of the report is; (4) the prior conduct of the person concerned; (5) the content, form and consequences of the publication and (6) the circumstances in which the photos were taken. In allowing member states a broad margin of appreciation, the Court was satisfied with the way the German Courts handled the fair balance test.

38 Bundesverfassungsgericht [Federal Constitutional Court], 1 BvR 1602/07, 26 February 2008, (2008) 120 BVerfGE 180 (Caroline III).
39 Ibid., [106].
40 Von Hannover v. Germany (No. 2) (Application no. 40660/08) [2012] ECHR 228, (2012) 55 EHRR 15 (GC) (ECtHR Caroline II).


Protection of family

Apart from one’s private life, Article 8 of the ECHR also protects family and home. The question of whether a relationship falls within the ambit of ‘family life’ for the purposes of Article 8 depends on the nature of the relationship and the existence of close personal ties. The concept of family life has evolved steadily in the lifetime of the ECHR and it continues to develop in order to take account of social and legal change. Similar to its approach to the concept of private life, the Strasbourg Court maintains a flexible approach to the interpretation of family life, bearing in mind the diversity of modern family arrangements and the implications of divorce and medical advances. Marriages that are proven to be lawful and genuine are protected under Article 8. Those lacking substance, or existing in form only – such as a sham marriage, entered into for the purpose of avoiding immigration rules or acquiring nationality – may fall outside the scope of Article 8. A child born to parents lawfully and genuinely married will ipso iure be part of that relationship from the moment the child is born. Thus, the relationship between married parents and their children will always fall within the scope of Article 8(1) of the ECHR. Unmarried couples who live together with their children are ordinarily understood to enjoy a family life. This was established in the case of Johnston v. Ireland41 where, in reaching its conclusion, the Strasbourg Court was persuaded by the stable nature of the applicants’ relationship with one another and the fact that it was otherwise indistinguishable from a family based on marriage. Moreover, Article 8 of the ECHR naturally applies to the relationship between a mother and her child, regardless of her marital status. However, it was not until 2009 that the Strasbourg Court accepted that the relationship between an unmarried father and his children is also protected.42 Further, in Schalk and Kopf v. Austria,43 the Court held that same-sex relationships are protected by both the ‘private life’ and ‘family life’ terms in Article 8, due to the evolving nature of family relationships in Europe. Consequently, it found that same-sex couples and opposite-sex couples were in a comparable situation. However, there is no obligation on member states to grant a same-sex couple the opportunity of marriage, as Article 12 of the ECHR speaks only of marriage between men and women.

41 Johnston v. Ireland (Application no. 9697/82) [1986] ECHR 17, (1987) EHRR 203.
42 Zaunegger v. Germany (Application no. 22028/04) [2009] ECHR 1982, (2010) 50 EHRR 38.
43 Schalk and Kopf v. Austria (Application no. 30141/04) [2010] ECHR 218.


Udo Fink

Separation of family members will normally constitute an interference with the right to respect for family life. However, such interference may be justified when a child is taken into care for his or her own protection or a parent is sentenced to imprisonment. Family life can be at issue in deportation cases, if the person to be deported has an established personal and family life in the foreign state. However, the courts have been reluctant to find that deportation constitutes a violation of Article 8 of the ECHR. This has been the case when there is an alternative country in which a husband and wife or a family can reside and there are no ‘insurmountable obstacles’ to moving there, or where a person could return to their country of origin and obtain entry clearance as a family member in the ordinary way without risk or excessive delay.

Protection of home

‘Home’, within the meaning of Article 8 of the ECHR, is a place where one lives on a settled basis. If a person lives in multiple residences on a settled basis, then each residence can be a ‘home’. This protection is granted regardless of the legal ownership of the residence. Rented or rent-free accommodation falls within the scope of Article 8 of the ECHR, whereas illegal possession against the will of the owner is not protected. In Gillow v. United Kingdom,44 the Strasbourg Court held that the applicants’ house, which they had not lived in for nineteen years, was a ‘home’ within the meaning of Article 8 of the ECHR. This was because, despite the length of their absence, they had always intended to return and they had retained a sufficient link with the property for it to be considered their home. Moreover, the Court observed that, regarding the use of the word ‘home’ in Article 8 of the ECHR, certain member states, notably Germany, have extended the scope of protection to business premises. Such an interpretation is fully consistent with the French text, since the word ‘domicile’ has a broader connotation than the word ‘home’ and may extend, for example, to a professional person’s office.45 In this context, it may not always be possible to draw up a precise definition of ‘home’, since professional or occupational activities may well be conducted from a person’s private residence and private activities might be conducted in an office or commercial premises. Therefore, a narrow interpretation of the words ‘home’ and ‘domicile’ could give rise to the same risk of inequality of treatment as a narrow interpretation of the notion ‘private life’. In the case of Niemietz v. Germany,46 a warrant to search the law office of the applicant was issued when he was being investigated for alleged defamation of a Judge of a District Court. The Strasbourg Court stated that there is:

no reason of principle why the notion of ‘private life’ should be taken to exclude activities of a professional or business nature since it is, after all, in the course of their working lives that the majority of people have a significant, if not the greatest, opportunity of developing relationships with the outside world. This view is supported by the fact that it is not always possible to distinguish clearly which of an individual’s activities form part of his professional or business life and which do not. Thus, especially in the case of a person exercising a liberal profession, his work in that context may form part and parcel of his life to such a degree that it becomes impossible to know in what capacity he is acting at a given moment of time.47

44 Gillow v. the United Kingdom (Application no. 9063/80) [1986] ECHR 14, (1989) 11 EHRR 335.

45 Niemietz v. Federal Republic of Germany, above n. 11.

The EU Court of Justice confirmed this decision in the case of Roquette Frères v. Council.48 Under Article 8, interference with the home only occurs if the building, garden or garage is physically invaded. Spying on a house from outside, or hacking computers is not considered interference of this kind. Searches of a person’s home have to be restricted to a search for necessary evidence and should not amount to harassment.

Correspondence and communication

Article 8 of the ECHR and Article 7 of the Charter protect the right to private correspondence and communication respectively. The modern wording of Article 7 of the Charter shows that all forms of communication are covered, including letters, phone calls and emails. This right has been successfully used to challenge the bugging of phones by public authorities. In Copland v. United Kingdom,49 the applicant was employed by a college in the UK. During the applicant’s employment, her telephone, email and internet usage was monitored. According to the government, this monitoring took place in order to ascertain whether the applicant was making excessive use of college facilities for personal purposes. The Strasbourg Court stated that the collection and storage of personal information relating to the applicant’s telephone, as well as to her email and internet usage, without her knowledge amounted to an interference with her right to respect for private life and correspondence within the meaning of Article 8 of the ECHR.

46 Ibid.

47 Ibid., [29].

48 Roquette Frères (C-94/00) [2002] ECR I-9011.

49 Copland v. the United Kingdom (Application no. 62617/00) [2007] ECHR 253, (2007) 45 EHRR 37.

Article 8 ECHR as a qualified right

Article 8 of the ECHR is a qualified right. This means that interference with this right can be justified in certain circumstances. Article 8(2) of the ECHR states: ‘There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.’ Where the interference falls within these parameters, there is no breach of Article 8. Interference can only be justified if it is ‘in accordance with the law’ – this means generally that there has to be a clear legal basis for the interference and that the law should be readily accessible.50 In the context of secret surveillance, ‘in accordance with the law’ means that member states must insert legal protections against arbitrary interference into their domestic law.51 Regarding the interception of telecommunications, the Strasbourg Court stated that member states must provide the following minimum safeguards, which should be set out in statute law, in order to avoid abuse of power: the nature of the offences which may give rise to an interception order; a definition of categories of people liable to have their telephones tapped; a limit on the duration of telephone tapping; the procedure to be followed for examining, using and storing the data obtained; the precautions to be taken when communicating the data to other parties; and the circumstances in which recordings may or must be erased or the tapes destroyed.52 Similarly, in the context of secret collection and storage of personal data, the Court held in the Rotaru Case53 that domestic law must define: the kind of information that can be recorded; the categories of people against whom surveillance measures such as gathering and keeping information can be taken; and the procedures to be followed when such activities are carried out. Domestic law must also state the length of time that information will be kept. Lastly, member states must enact provisions concerning the persons authorised to consult the files and the procedure to be followed. Moreover, interference by the state must pursue a legitimate aim. There are six legitimate aims set out in Article 8(2) of the ECHR including: ‘the prevention of disorder or crime’ and ‘the protection of the rights and freedoms of others’. However, the legitimate aims are so widely drawn that it is rarely a problem for a public authority to show that its measures pursue one of these six legitimate aims. Importantly, the interference must be ‘necessary in a democratic society’. This is usually the crucial issue. There must be a good reason for the interference with the right and the interference must be proportionate, which means that it should go no further than is necessary to achieve this aim. If there is an alternative, less intrusive way of achieving the same aim, then this alternative measure has to be used.

50 Sunday Times v. the United Kingdom (Application no. 6538/74) [1979] ECHR 1, (1980) 2 EHRR 245, [49]; Silver v. the United Kingdom (Application Nos. 5947/72, 6205/73, 7052/75, 7061/75, 7107/75, 7113/75 & 7136/75) [1983] ECHR 5, (1983) 5 EHRR 347, [87] and [88].

51 Malone v. the United Kingdom (Application No. 8691/79) [1984] ECHR 10, (1985) 7 EHRR 14.

Positive obligations

Article 8 and other qualified articles of the ECHR are largely concerned with preventing the government, police and other state bodies from interfering with their citizens’ rights. These are negative obligations in that they require the state to refrain from certain conduct. However, there may be circumstances where the state is under a positive obligation – a duty to do something in order to protect or promote particular rights. In cases involving positive obligations, the Strasbourg Court generally emphasises the states’ wide margin of appreciation in determining how to ensure compliance with the ECHR.54 Whether there is a duty to act is determined by applying the ‘fair balance test’, which requires a balance to be struck between the interests of the public and the interests of the individual.55 In I v. Finland,56 the Strasbourg Court found that states have to take positive steps to ensure respect for private life by means of a system of data protection rules and safeguards. The applicant (I) worked on fixed-term contracts as a nurse in a Finnish public polyclinic for eye diseases. As she had previously been diagnosed with HIV, she regularly attended the same hospital’s infectious diseases clinic. The applicant began to suspect that information about her medical condition had been spread to fellow employees in the department where she worked. In fact, the hospital’s access controls did not prevent her colleagues from accessing her records in the infectious diseases department. The applicant’s temporary contract was not renewed. She brought proceedings against the District Health Authority for failing to keep her medical records confidential, but she was unsuccessful. Essentially, this was due to the fact that she was unable to prove a causal connection between the deficiencies in the access security rules and the dissemination of information about her medical condition. In its decision, the Court noted that, by placing such a high burden of proof on the applicant, the domestic court overlooked the acknowledged deficiencies in the hospital’s record-keeping at the relevant time. Had the hospital maintained better control over her health records by restricting access to health professionals directly involved in the applicant’s treatment, or had it maintained a log of all persons who had accessed the applicant’s medical file, the applicant would have been in a less disadvantageous position before the domestic courts.57 Thus, the Court found that a violation of Article 8 of the ECHR had occurred.

52 Liberty v. the United Kingdom (Application no. 58243/00) [2008] ECHR 568, (2009) 48 EHRR 1.

53 Rotaru v. Romania, above n. 23.

54 X and Y v. Netherlands (Application No. 8978/80) [1985] ECHR 4, (1986) 8 EHRR 235, [24].

Conclusion

Even if the EU has yet to accede to the ECHR, as provided for in Article 6(2) of the Treaty on the European Union,58 there is already a close relationship between the two fundamental rights systems of the EU and the ECHR. When dealing with privacy in the EU, the ECHR and the decisions of the Strasbourg Court play a vital role; however, the Court has refrained from providing a comprehensive definition of private life. The idea that the ECHR is a living instrument that must be interpreted according to present-day conditions is a central feature of the Court’s case law in general and is particularly prominent in the jurisprudence on Article 8. The ever-changing scope of what constitutes private life is informed by technical innovations and data protection issues, such as the storage of a person’s DNA profile by the police. Addressing social changes, the Court held that same-sex relationships fall within the meanings of ‘private life’ and ‘family life’ due to the evolving nature of family relationships in Europe. Finally, future case law regarding positive obligations should be observed closely.

55 Van Kück v. Germany (Application no. 35968/97) [2003] ECHR 285, (2003) 37 EHRR 51, [71].

56 I v. Finland (Application no. 20511/03) [2008] ECHR 623, (2009) 48 EHRR 31.

57 Ibid., [4].

58 [2010] OJ C 83/13.

6 A world data privacy treaty? ‘Globalisation’ and ‘modernisation’ of Council of Europe Convention 108

Graham Greenleaf

Adoption of ‘European’ data privacy standards outside Europe

This chapter considers the Council of Europe (CoE) Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data1 (Convention 108 or the Convention) primarily from a non-European perspective, emphasising the potential (and risks) of it becoming a global data privacy (or data protection) treaty. Two symbiotic processes are underway. Since 2008 the CoE has been attempting to activate Convention 108’s long-dormant Article 23(1), which, since 1981, has provided for accession by non-European States to the Convention. In April 2013 Uruguay became the first such state to complete the accession process; it will become a party on 1 August 2013. The accession process has started with other non-European States. The Convention and its Additional Protocol2 are also undergoing a reform process (referred to as ‘modernisation’). The Convention’s Consultative Committee released its final proposals for ‘modernisation’ of the Convention in November 2012, but at the time of writing the CoE’s Committee of Ministers had not yet considered them.

Developments discussed in this chapter are to 30 April 2013.

1 Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, opened for signature 28 January 1981, CETS no. 108 (entered into force 1 October 1985).

2 Additional Protocol to the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, regarding Supervisory Authorities and Transborder Data Flows, opened for signature 8 November 2001, ETS no. 181 (entered into force 1 July 2004).


Why are these two processes symbiotic? If ‘modernisation’ significantly weakens the standards currently found in the Convention and its Additional Protocol, then this would undermine, and possibly make void, the key benefits of ‘globalisation’ (non-European accession). On the other hand, if ‘modernisation’ makes the standards too high, there may be few non-European countries willing or able, as a matter of domestic law, to meet those standards. Similarly, with both the current and future standards of the Convention, the ‘globalisation’ process must uphold credible criteria for new (i.e. non-European) accessions, otherwise both existing and prospective parties may be obliged to allow data exports to countries with substandard protections. But the accession procedures cannot be so strict that they destroy the impetus for globalisation. In relation to both modernisation and globalisation, the Convention must pass the ‘Goldilocks Test’: not too hot, not too cold, but ‘just right’. This chapter explores these tensions in the current processes.

The real world of data privacy laws

Nearly one hundred jurisdictions have enacted data privacy laws, almost half of them being outside Europe.3 In 2011, when the total was eighty-nine, with thirty-nine of those jurisdictions being outside Europe, an examination of the laws of thirty-three of those jurisdictions4 showed that ‘European standards’ have exerted far more influence outside Europe than previously realised. ‘European standards’ were identified as the ten most important differences between the two European privacy instruments (the EU’s Directive 95/46/EC5 (the Directive) and the Convention) and the two most significant non-European instruments (the Organisation for Economic Co-operation and Development (OECD) Guidelines and Asia-Pacific Economic Cooperation (APEC) Framework).

3 G. Greenleaf, ‘Global Data Privacy Laws: 89 Countries, and Accelerating’ (2012) 115, Special Supplement to Privacy Laws & Business International Report. Since 2012 additions to those eighty-nine laws are those of Singapore, the Philippines, Ghana, Georgia, Nicaragua and Yemen, plus Nepal, Zimbabwe and Greenland (not previously included), giving a total of ninety-eight. Many countries currently have Bills, so the number is likely to reach 100 during 2013.

4 G. Greenleaf, ‘The Influence of European Data Privacy Standards Outside Europe: Implications for Globalisation of Convention 108’ (2012) 2 International Data Privacy Law 68.

5 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data [1995] OJ L 281.


In analysing these thirty-three jurisdictions, it was found that all except four (Japan, Bahamas, Vietnam and Chile) had at least four of the ten ‘European’ elements. Nineteen of the thirty-three had seven or more elements, and thirteen of the thirty-three had at least nine of the ten elements. This last group is geographically diverse – it includes Peru, Burkina Faso, Argentina, Macau, Morocco, Angola, South Korea and Mauritius. This led to the inference that European privacy standards have been influential, either directly or indirectly, in all these countries excepting Japan, Bahamas, Vietnam and Chile. Since then, another ten non-European jurisdictions have enacted laws, and other countries have strengthened their existing laws. While no follow-up statistics have been prepared, it does not appear that the influence of ‘European standards’ has declined since 2011. For the purposes of this chapter, the significance of this background is that there are a significant number of countries across the world where data privacy laws already have strong similarities to the two key European instruments, of which Convention 108 is one. The prospects for the ‘globalisation’ of Convention 108 – the accession to the Convention of non-European countries – are therefore strengthened by the existence of these laws that already show strong European influences. Furthermore, if the ‘modernisation’ of Convention 108 strengthens the CoE’s data privacy standards in ways that are similar to stronger EU standards likely to emerge from the proposed new EU Regulation, then it is likely that a new and stronger ‘European standard’ will also have an influence outside Europe.

Convention 108 compared with other international instruments

Among international instruments concerning data protection,6 Convention 108 is the only genuine treaty, and it is the only treaty dealing explicitly with data protection.7 It is global in its potential membership and it is binding and enforceable (within the limits that treaty enforcement allows). Other international agreements concerning data privacy are either merely unenforceable guidelines (e.g. the OECD Guidelines and APEC Framework), or only regional in potential scope (e.g. the EU framework as between EU members, and the Supplementary Act on Personal Data Protection within the Economic Community Of West African States (ECOWAS)8), or unilateral conditions or impositions (e.g. the ‘adequacy’ aspect of the EU’s Directive). No global competitor to Convention 108 is likely to arise from the UN or anywhere else; it is the only global data protection treaty we are ever likely to see. As Bygrave says, ‘there is no truly global convention or treaty dealing specifically with data protection’, ‘there is, realistically, scant chance of, say, a UN-sponsored convention being adopted in the short term’, and Convention 108 is the ‘closest to such an instrument at present’.9 It will remain uncertain for quite some time whether its advantages – and the ability of the CoE to convince non-European countries of them – will prove to be compelling enough to convince sufficient non-European countries to join so that a genuinely global treaty emerges.

6 See L. Bygrave, ‘International Agreements to Protect Personal Data’ in J. B. Rule and G. Greenleaf (eds.), Global Privacy Protection: The First Generation (Cheltenham and Northampton, MA: Edward Elgar, 2008), pp. 15–49.

7 International Covenant on Civil and Political Rights, opened for signature 16 December 1966, 99 UNTS 171 (entered into force 23 March 1976) (ICCPR) Art. 17; First Optional Protocol to the International Covenant on Civil and Political Rights, opened for signature 16 December 1966, 999 UNTS 302 (entered into force 23 March 1976) are important treaties dealing with privacy generally, but with no detailed focus on data protection.

Council of Europe Convention 108: history, status and standards

This section outlines the history of Convention 108 and its Additional Protocol, the status of ratifications of both, and the standards they require of state parties.

Convention 108 and its Additional Protocol: origins and purposes

Convention 108 had its origins, in part, in various CoE resolutions and recommendations from the late 1960s onward, which concerned ‘electronic data banks’ and contained sets of principles derived from various European national laws.10 Further impetus came from the perception that the 1950 Convention for the Protection of Human Rights and Fundamental Freedoms did not provide sufficient protection in relation to the increasing computerised processing of personal data, and that something was needed to encourage more European States to enact data protection laws.11 By the time drafting was underway, the OECD had set out on a similar task (but from more of a trade than human rights perspective), and the similarities of many aspects of both the OECD Privacy Guidelines and Convention 108 ‘are due partly to the extensive co-operation that took place between the bodies charged with drafting the two codes’.12 Articles 5–8 of Convention 108 outline a set of data privacy principles that, while stated briefly, do contain versions of most of the elements we now recognise as core data privacy principles. However, Convention 108 contains few of the enforcement mechanisms now regarded as essential. The details are discussed later. The 2001 Additional Protocol to the Convention, which has been in force since 2004, adds a commitment by its parties to data export restrictions, to an independent data protection authority and to a right of appeal to the courts. It therefore brings the standards of Convention 108 up to approximately the same level as the EU Directive. Among other things, this shows how the EU Directive has also influenced other international instruments.13 Moreover, it also provides a basis upon which we can talk realistically about a ‘European standard’ of data protection that has now existed for a decade.

8 Supplementary Act on Personal Data Protection within the Economic Community Of West African States (Abuja, 2010).

9 L. Bygrave, ‘Privacy and Data Protection in an International Perspective’ (2010) 55 Scandinavian Studies in Law 165.

10 Bygrave, ‘International Agreements to Protect Personal Data’, above n. 6, p. 20.

11 Ibid.

Ratifications: the state of play

Whichever non-European countries do decide to apply to accede to Convention 108, they will not be joining a small club. Forty-four of the forty-seven CoE member states have ratified the Convention and have data privacy laws,14 with Georgia and Turkey the only nations that have not enacted a data privacy law. Forty-two states have signed the Additional Protocol,15 and thirty-four have ratified it (including Uruguay’s recent ratification).

12 Ibid., p. 27.

13 Bygrave, ‘Privacy and Data Protection in an International Perspective’, above n. 9, p. 197.

14 As at 30 April 2013, Turkey and the Russian Federation had signed but not ratified the Convention. San Marino has done neither. However, Russia does now have a data privacy law (in force since 2011). Belarus is not a CoE member because of human rights concerns, and the Vatican (Holy See) is not a member because it is not a democracy. The UK and other countries have acceded to the Convention on behalf of their self-governing territories. For details, see Council of Europe: Treaty Office, Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data CETS no. 108: Member States of the Council of Europe (14 May 2013), Council of Europe Conventions, http://conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT=108&CM=1&DF=&CL=ENG (accessed 23 October 2013) for a list of states that have acceded to and ratified the Convention.

15 As at 30 April 2013, there are thirty-four ratifications. The five states that have not yet signed the Additional Protocol are Azerbaijan, Georgia, Malta, San Marino and Slovenia.


Twelve European countries have ratified the Convention (plus three territories on whose behalf the UK acceded to the Convention) but have not ratified the Additional Protocol. In almost all cases their failure to ratify the Additional Protocol does not matter a great deal because they are EU member states, or their laws have been found ‘adequate’ by the EU; therefore, they are already under the same obligations imposed by the Additional Protocol.

The standards required by Convention 108

How high is the standard of data privacy that non-European states must meet in order to accede to the Convention and the Additional Protocol? (Accession to both seems to be required in practice, as discussed below.) It is necessary to consider both data protection principles and how they are enforced. The Convention applies to automated processing of personal data, but parties may extend its application to other categories of data. First, Articles 5–8 of Chapter II set out Convention 108’s data protection principles in what has been correctly described as ‘broad brush fashion’.16 Most of the work is done by Article 5 (Quality of data), which requires that:

Personal data undergoing automatic processing shall be:
1. obtained and processed fairly and lawfully;
2. stored for specified and legitimate purposes and not used in a way incompatible with those purposes;
3. adequate, relevant and not excessive in relation to the purposes for which they are stored;
4. accurate and, where necessary, kept up to date;
5. preserved in a form which permits identification of the data subjects for no longer than is required for the purpose for which those data are stored.

Other than that, all that Chapter II includes is familiar principles requiring ‘appropriate’ data security (Article 7), and rights to ascertain the existence of personal files, to access them and to correct them (Article 8). There is also a provision for ‘sensitive’ data in Article 6:

Personal data revealing racial origin, political opinions or religious or other beliefs, as well as personal data concerning health or sexual life [or criminal convictions], may not be processed automatically unless domestic law provides appropriate safeguards.

The Convention applies to both public sector and private sector organisations. Application to non-automated data is optional.

16 Bygrave, ‘International Agreements to Protect Personal Data’, above n. 6, pp. 15–49.


These are not very high standards for a data protection law to meet. Even so, the ease of compliance is increased by Article 9, which allows derogation from these principles (except the security principle) where:

[S]uch derogation is provided for by the law of the Party and constitutes a necessary measure in a democratic society in the interests of:
a. protecting State security, public safety, the monetary interests of the State or the suppression of criminal offences;
b. protecting the data subject or the rights and freedoms of others.

As Bygrave notes, ‘these principles were hardly ground-breaking at the time of the Convention’s adoption’17 over twenty-five years ago, and they appear even more modest today. Nevertheless, they are a basic set of data privacy principles. The OECD Guidelines are similar, but even they are stronger on some points (e.g. provision of notice; application to non-automated files). However, the Additional Protocol has considerably strengthened the Convention, causing it to be closer to the EU Directive than the OECD Guidelines. Nevertheless, there are important matters that neither the Convention nor the Additional Protocol cover, including how to resolve issues of which country’s data protection law applies (choice/conflict of laws), various issues of enforcement and implementation (see later), and the abstract nature of many of the principles and lack of definition of key terms.18

Data export restrictions: the complex relationship between the Convention and protocol

The Convention neither prevents nor requires data export restrictions to states that are not parties to the Convention and do not have similar data privacy laws. However, it does allow such restrictions under some circumstances (as do the OECD Guidelines). Article 12 of Convention 108 only requires that its parties ‘shall not, for the sole purpose of the protection of privacy, prohibit or subject to special authorisation transborder flows of personal data going to the territory of another Party’. In other words, it guarantees free flow of personal data between parties to the Convention because they have adopted a minimum required standard of data protection. Article 12 then allows restrictions on data exports to other parties to the Convention in limited circumstances concerning (a) specific classes of data where the other party does not provide equivalent protection, and (b) where necessary to avoid transfers resulting in onward transfers via a party to a non-party with no similar data protection laws. However, the party wishing to so limit data exports to another party must lodge a derogation to that effect. The 2001 Additional Protocol altered this situation and makes provision for data export restrictions mandatory. Once a party to the Convention also becomes a party to that Protocol, it is required to ‘provide for the transfer of personal data to a recipient that is subject to the jurisdiction of a State or organisation that is not Party to the Convention only if that State or organisation ensures an adequate level of protection for the intended data transfer’ (Article 2 – emphasis added). The main effect of this provision is that it makes Convention 108 more closely aligned with the EU Directive by adding a data export restriction in similar terms (‘adequate protection’), even though it is expressed in simpler terms. However, by the italicised words, this data export limitation requirement does not apply to transfers to other parties to Convention 108. If they are a party to the Convention, then that is the end of the matter as far as the Convention is concerned (though it might not be the end of the matter for countries bound by the Directive). In theory, therefore, it is not necessary for a non-European country to have a data export restriction provision in its law in order to accede to Convention 108. This only becomes necessary if the non-European country wishes also to accede to the Additional Protocol. As discussed later, this poses a significant issue for the ‘globalisation’ of Convention 108 because the Convention’s Consultative Committee wants to ensure that non-European parties acceding to the Convention also accede to the Additional Protocol.

17 Ibid., p. 24.

18 Ibid.

The problem of enforcement: shortcomings of the Convention and Additional Protocol

Convention 108 is vague about the sanctions and remedies that the laws of state parties must provide to enforce the Convention principles. It only provides that ‘[e]ach Party undertakes to establish appropriate sanctions and remedies for violations of provisions of domestic law giving effect to the basic principles for data protection set out in this chapter’ (Article 10). It does add that a person must ‘have a remedy’ of access or correction rights under Article 8, but that does not add anything to Article 10. In short, Convention 108 by itself does not say anything about whether individuals must have a right of individual action to enforce rights, or access to the courts. Therefore, Convention 108 data protection laws could be enforced through criminal sanctions or administrative remedies against individuals/entities. Further, the Convention does not provide a right of individual complaint against a state party to any court or other body, so there is no effective method in the Convention itself by which individuals can test whether a party’s implementation of the principles is sufficient, or its enforcement methods are ‘appropriate’ (as required by the Convention).

Recourse to the European Court of Human Rights (ECtHR) is a separate remedy, but one only available to Europeans and, even then, only indirectly. Recourse to the ECtHR must be based on an alleged violation of one of the principles of the European Convention on Human Rights (ECHR), not Convention 108 or the Additional Protocol. However, the case law under Article 8 of the ECHR shows that it includes principles similar to those found in Convention 108. Individual Europeans could therefore reasonably argue before the Court that a breach of a Convention 108 principle was in fact a breach of their Article 8 rights, and perhaps also that Convention 108 gives substance to part of what is meant by the brief words of Article 8 of the ECHR. As an expert report to the Consultative Committee[19] put it, the ECtHR ‘may decide to sanction a State party to the ECHR for reasons connected with its regulation of data protection’, noting that the ECtHR has ruled on several occasions that Article 8 applies to the protection of personal data, referring to Convention 108.

The Additional Protocol to the Convention also deals with this deficiency by requiring that parties to it ‘shall provide for one or more authorities to be responsible for ensuring compliance’ in its domestic law, and sets out requirements of independence, ability to investigate complaints, to ‘hear claims’ and to bring matters before a Court or to its attention (Article 1). It also requires that the decisions of supervisory authorities ‘may be appealed against through the courts’. These standards are currently met by many data protection laws outside Europe, whilst other non-European jurisdictions are reforming their existing laws and bringing them closer to these standards.[20]

From this brief discussion, it should be clear that, taken together, Convention 108 and the Additional Protocol provide a set of standards roughly equivalent to those found in the Directive. However, whilst the Convention 108 standards have been described in this section as ‘European standards’, Convention 108 by itself no longer counts as ‘European standards’ in the sense in which that expression is used in the first part of this chapter. This is particularly important in relation to the data export requirements.

[19] Bureau of the Consultative Committee of the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (T-PD), Report on the Lacunae of the Convention for the Protection of Individuals with Regard to Automatic Procession of Personal Data (ETS no. 108) Resulting from Technological Developments (Part 1), T-PD-BUR(2010)09, p. 57, www.coe.int/t/dghl/standardsetting/dataprotection/TPD_documents/T-PD-BUR_2010_09_En.pdf (accessed 23 October 2013).
[20] For example, Australia’s current federal data protection law does not provide a general right of appeal against decisions of the Privacy Commissioner. Reforms to come into effect in 2014 provide such a right of appeal, but even then its effectiveness will still be open to question: See N. Waters and G. Greenleaf, ‘Australia’s 2012 Privacy Act Revisions: Weaker Principles, More Powers’ (2013) 121 Privacy Laws & Business International Report 12.

‘Globalisation’: accession by non-European countries

A journey has to start somewhere, and the Council of Europe has started its long march towards Convention 108 becoming the world’s only data protection treaty in Uruguay. On 12 April 2013 Uruguay completed its accession to both Convention 108 and to its Additional Protocol; on 1 August 2013 it will be the forty-fifth state, and first non-European state, to become a party to the Convention. The Council said of the Convention: ‘Being open to signature by any country, it is the only binding standard which has the potential to be applied worldwide, providing legal certainty and predictability in international relations.’ In January 2013 at a meeting of Ministers’ Deputies, the Kingdom of Morocco was also invited to accede, at its request.

Article 23(1) of the Convention always provided for accession by states outside Europe,[21] but the Committee of Ministers did not invite a state to accede for the first twenty-five years of the Convention’s life. However, since 2008 the CoE, in light of the increasing globalisation of data flows and the increased advantages of greater harmonisation, has actively sought non-European accessions. In 2011 the CoE Secretariat published a very short and formal description of the accession process (the 2011 ‘Note’).[22] The two decisions to invite states to accede shed light on a number of key issues. This chapter examines these examples and analyses the procedures that are being followed.

[21] ‘[T]he Committee of Ministers of the Council of Europe may invite any State not a member of the Council of Europe to accede to this convention by a decision taken by the majority provided for in Art. 20.d of the Statute of the Council of Europe and by the unanimous vote of the representatives of the Contracting States entitled to sit on the committee’ (Art. 23).
[22] Council of Europe, Secretariat General, Directorate of Legal Advice and Public International Law (Jurisconsult) Legal Advice Department and Treaty Office, Note of Information: Accession to the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data and to its Additional Protocol Regarding Supervisory Authorities and Transborder Data Flows by States which are not Member States of the Council (September 2011) (updating previous publications from at least 1999).

The quarter-century hibernation of Article 23(1)

Since the Convention’s inception Article 23(1) has provided that ‘the Committee of Ministers of the CoE may invite any State not a member of the CoE to accede to this convention by a decision taken by the majority provided for in Article 20.d of the Statute of the CoE and by the unanimous vote of the representatives of the Contracting States entitled to sit on the committee’. However, until recently the Committee of Ministers had not invited a state to accede to the Convention, despite having the power to do so since 1981. Global conventions originating from Europe are not unprecedented, and some other CoE Conventions are open to ratification by non-member states.[23] In 2005 the world’s Privacy and Data Protection Commissioners, at their twenty-seventh International Conference in Montreux, Switzerland, gave this aspect of Convention 108 a wake-up call; in their concluding ‘Montreux Declaration’,[24] they issued a number of challenges to global organisations and national governments. One was their appeal ‘to the Council of Europe to invite, in accordance with Article 23 [of Convention 108 on data protection] … non-member-states of the Council of Europe which already have a data protection legislation [sic] to accede to this Convention and its [A]dditional Protocol.’ The Secretary General took note of the Declaration and expressed his willingness to promote the Convention internationally.

[23] For example, Convention on Cybercrime, opened for signature 23 November 2001, ETS no. 185 (entered into force 1 July 2004) has been ratified by thirty-nine states, and another twelve have signed it but not yet ratified it. Outside Europe, four states have ratified it (Australia, Dominican Republic, Japan and the USA) and two others have signed but not ratified it (Canada and South Africa). See Council of Europe: Treaty Office, Convention on Cybercrime CETS no. 185: Member States of the Council of Europe (14 May 2013), Council of Europe Conventions, http://conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT=185&CM=&DF=&CL=ENG (accessed 23 October 2013).
[24] 27th International Conference of Privacy and Data Protection Commissioners, Montreux Declaration – The Protection of Personal Data and Privacy in a Globalised World: A Universal Right Respecting Diversities (September 2005), www.privacyconference2005.org/fileadmin/PDF/montreux_declaration_e.pdf (accessed 23 October 2013).

In March 2008 the Consultative Committee of the Convention (T-PD) considered accession of non-member states under Article 23. Its minutes indicate the CoE’s very tentative attitude toward ‘globalisation’:[25]

53. Lastly, the representative of Switzerland recalled [the call made to the CoE in the ‘Montreux Declaration’]. He considered that now would be a good time for the Council of Europe to issue such an invitation, as these accessions could be a step towards a much called-for universal right to data protection which is becoming all the more important in today’s world of borderless telecommunication networks. They would also contribute to reinforce the Council of Europe’s visibility in this area.

54. The T-PD agreed and therefore recommended that non-member states, with data protection legislation in accordance with Convention 108, should be allowed to accede to the Convention. It invited the Committee of Ministers to take note of this recommendation and to consider any subsequent accession request accordingly.

On 2 July 2008 the Committee of Ministers,[26] meeting at Deputy level, made the following Decisions:

1. took note of the T-PD’s recommendation that non-member states with data protection legislation in accordance with the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108) should be allowed to accede to this convention;
2. agreed to examine any accession request in the light of this recommendation;
3. instructed the Secretariat to disseminate information about the convention; [and]
4. took note of the abridged report of the 24th plenary meeting of the T-PD as a whole, as it appears in document CM(2008)81.

Therefore, accession to the Convention by non-European countries became possible from mid 2008.[27] However, ‘[t]he Council of Europe never really promoted the Convention outside Europe. It was only in December 2009 that the EU’s Stockholm Programme explicitly called for the promotion of Convention 108 worldwide’.[28] A month earlier, civil society representatives started to show interest, urging European countries that had not yet ratified the Convention or the Additional Protocol ‘to do so as expeditiously as possible’.[29] However, they failed to clarify whether non-European countries could also accede. The first two invitations to accede, offered to Uruguay and Morocco, are discussed next.

[25] Consultative Committee of the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (T-PD), Abridged Report of the 24th Plenary Meeting, Strasbourg, 13–14 March 2008 (15 May 2008) CM(2008)81.
[26] Council of Europe: Committee of Ministers, Ministers’ Deputies Decisions: 1031st Meeting, 2 July 2008 (4 July 2008) CM/Del/Dec(2008)1031.
[27] G. Greenleaf, ‘Non-European States May Join European Privacy Convention’ (2008) 94 Privacy Laws & Business International Newsletter 13.
[28] J. Polakiewicz, ‘Convention 108 as a Global Privacy Standard?’ (Presented at International Data Protection Conference, Budapest, 17 June 2011).

[29] The Civil Society Madrid Privacy Declaration: Global Privacy Standards for a Global World (3 November 2009), The Public Voice, http://thepublicvoice.org/madrid-declaration/ (accessed 23 October 2013).

The first non-European accession: Uruguay

On 6 July 2011 the Committee of Ministers decided to invite Uruguay to accede to the Convention, on the basis of an Opinion provided to it by the Convention’s Consultative Committee.[30] The Opinion of the Consultative Committee[31] explains that the forty-three members of the Consultative Committee (the then-current parties to the Convention) were provided with Uruguay’s letter requesting accession, its legislation and the Opinion of the EU’s Article 29 Data Protection Working Party (WP29) in relation to Uruguay’s request for a finding of ‘adequacy’ of its law by the EU.[32] Fourteen of the forty-three delegations replied positively to confirm that, in their view, Uruguay had taken the necessary measures in its domestic law to give effect to the basic data protection principles of Convention 108.[33] No delegation objected. The Consultative Committee then adopted its own Opinion, supporting accession to the Convention and to its Additional Protocol through written procedure.

The Consultative Committee’s Opinion takes only two pages to detail that Uruguay’s legislation does contain provisions that cover all the elements needed to give effect to the basic data protection principles of Convention 108. However, the Opinion does not directly provide any information to verify that these provisions have any effect in reality or deliver meaningful privacy protection to Uruguayan citizens. That being said, the Opinion refers to the WP29 Opinion,[34] which found Uruguay’s law adequate. That WP29 Opinion contains twenty pages of detailed analysis of Uruguay’s law and how it satisfies the EU’s requirements. It is based on a much longer expert report obtained by the European Commission and, moreover, interaction between the Commission and the Uruguayan government. Concerning the issue of enforcement, the WP29 Opinion says:

Furthermore, the LPDP [the Uruguayan law], as shown below, includes specific regulations in relation to investigation, inspection and sanctions, and the [Uruguay legislation] establishes specific regulations for certain procedures to be brought before the URCDP [the Uruguayan Data Protection Authority] and, particularly, for registering processing and authorising international data transfers. The Working Party wishes to state that evidence has been provided by the URCDP of performance of these powers in a range of information provided during the analysis of data protection adequacy detailed in this document.

A reading of the WP29 Opinion leaves little doubt that, as a matter of reality and not merely of legislative form, Uruguay’s data protection system meets the requirements of Convention 108 and the Additional Protocol. Therefore, although the Consultative Committee Opinion could not in itself be seen to give much assurance that Uruguay had an effective system of data protection, when taken together with the WP29 Opinion, as was possible in this case, it can be seen to provide sufficient assurance. Although the Consultative Committee’s Opinion did not require Uruguay to adopt the Additional Protocol as part of its accession, Uruguay’s request concerned accession to both the Convention and the Additional Protocol and the Uruguayan legislation that has been passed refers to both.[35]

[30] At its 1,118th meeting.
[31] Consultative Committee of the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, Opinion on Uruguay’s Request to be Invited to Accede to Convention 108 and its Additional Protocol (26 May 2011) T-PD(2011)08rev.
[32] Article 29 Data Protection Working Party (WP29), Opinion 6/2010 on the Level of Protection of Personal Data in the Eastern Republic of Uruguay (WP 177, adopted on 12 October 2010).
[33] These were Bosnia and Herzegovina, Cyprus, the Czech Republic, Estonia, Finland, Hungary, Italy, Latvia, the Former Yugoslav Republic of Macedonia, Monaco, Slovenia, Sweden, Switzerland and the United Kingdom.
[34] WP29, Opinion 6/2010, above n. 32.

[35] Email from Council of Europe Secretariat to Graham Greenleaf, 26 March 2013.

The second non-European accession invitation: Morocco

Morocco’s Ministry of External Affairs and Cooperation wrote to the Secretary General of the CoE in July 2012, expressing its interest in accession to Convention 108. The Consultative Committee’s Opinion[36] on Morocco’s request was seven pages, more substantial than in relation to Uruguay. The request was assessed by reference to Article 4, that is a party must ‘take the necessary measures in its domestic law to give effect to the basic principles for data protection set out in the Convention (Chapter II)’. The Opinion went through each clause of Convention 108, confirming that the Moroccan data protection law (Act 09–08) corresponds to the Convention requirements on each point. However, the comments on each Article range from ‘fully corresponds’ to ‘reflects’, and it appears that something like ‘substantial’ rather than ‘exact’ compliance is allowed, at least in relation to some Articles. There is not yet any clearly articulated standard beyond the vague words of Article 4.

The Opinion concluded that there was ‘overall conformity of the Moroccan legislation with the principles of Convention 108, with the exception of the scope of application of the protection and the definition of special categories of data’. This referred to (1) exceptions for ‘processing connected with public safety, defence, national security and law enforcement activities’ without any specific legislation necessarily dealing with those matters; and (2) a lack of any additional protection being provided for information about the data subject’s sexual life or criminal convictions. Consequently, the Opinion requested further information ‘in order for [the Committee … to properly assess if the Moroccan data protection regime gives effect to the basic data protection principles of the Convention’, and did not specifically state that an invitation to accede should be issued.

Article 23 of the Convention does not require accession to the Additional Protocol (which added the requirements of a Data Protection Authority (DPA), restrictions on data exports and access to the courts), so the Opinion merely ‘underlines the importance, with a view to providing a coherent and effective data protection system, for the Kingdom of Morocco to also seek accession to the additional protocol to Convention 108’. Notably, the Consultative Committee’s Opinion with respect to Uruguay’s accession was titled ‘Opinion on Uruguay’s Request to Be Invited to Accede to Convention 108 and its Additional Protocol’; therefore, because there was no mention of the Additional Protocol in the Consultative Committee’s Opinion with respect to Morocco, it is reasonable to presume Morocco did not mention it in its request.

The Opinion was adopted by written procedure, with seventeen positive votes and twenty-seven abstentions. The Consultative Committee, at its later meeting in November 2012, noted the transmission of its Opinion to the Committee of Ministers ‘as well as … the opportunity that an invitation to accede to the convention, where necessary accompanied of complements, could represent in terms of reform and evolution of a legislative system as well as its implementation, in the time elapsing between the invitation made and the effective accession’.[37] ‘Complements’ refers to ‘complementary measures’, presumably such as amendments to law to remedy the deficiencies in relation to sensitive information, as identified in the Opinion. The way in which this has been conveyed to the Moroccan government has not been made public. The decision to issue the invitation was made by the Committee of Ministers, without benefit of a clear recommendation by the Consultative Committee. However, it does seem to be CoE policy that there should be accession to both Convention and Additional Protocol. Although no other assessments of the Moroccan law were mentioned in the Opinion, a brief published expert assessment by Gayrel,[38] noting that it adhered closely to the standards of the Directive (except not fully in relation to sensitive information and noting the exclusions) is quite consistent with the conclusions reached in the Opinion.

[36] Consultative Committee of the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, Kingdom of Morocco – Request to be Invited to Accede to Convention 108 (Strasbourg, 18 October 2012) T-PD(2012)09rev.

[37] Consultative Committee of the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (T-PD), Abridged Report of the 29th Plenary Meeting, Strasbourg, 27–30th November 2012 (Strasbourg, 10 December 2012) T-PD(2012) RAP29Abr.
[38] C. Gayrel, ‘Data Protection in the Arab Spring: Tunisia and Morocco’ (2012) 115 Privacy Laws and Business International Report 18.

What we now know about the accession process

By studying the information in the 2011 ‘Note’,[39] the authorities on CoE treaty processes[40] and the examples of the accession procedures for Uruguay and Morocco, we can draw the following implications for future assessments of candidates for accession:

1. In principle, the Committee of Ministers may take the initiative of inviting a non-member state to accede to the Convention, but it is customary for the non-member state to request accession in a letter (from their foreign minister) addressed to the Secretary General of the CoE. (2011 Note; both accessions).
2. The Committee of Ministers will obtain an Opinion from the Consultative Committee (T-PD) (although it is not currently obliged to do so), putting T-PD into a position similar to that of the EU WP29 (both accessions). There is nothing unusual about the CoE ‘vetting’ countries that wish to accede to treaties. It is not a process of ‘self-certification’.[41]
3. The standard applied by the Consultative Committee is that of Article 4 of the Convention. A party must ‘take the necessary measures in its domestic law to give effect to the basic principles for data protection set out in the Convention (Chapter II)’. Compliance with each Article is required, but it appears that something like ‘substantial’ rather than ‘exact’ compliance is allowed, at least in relation to some Articles (Morocco accession). As yet there is no clear guidance on this point.
4. The Consultative Committee needs assurance that the domestic law of the acceding country provides substantive protection (Uruguay accession). Presumably, an expert report can be commissioned if necessary.[42]
5. If an EU WP29 Opinion is available regarding a country’s law, it will be utilised to support a Consultative Committee Opinion (Uruguay accession). However, it is not clear that other published expert materials about a country’s law are consulted (Morocco accession).
6. The Consultative Committee requires consensus from all (currently forty-four) members on its Opinions, but positive votes and abstentions, with no negative votes, are sufficient, even if the positive votes are a minority (both accessions).
7. Before putting the matter on the Committee of Ministers’ agenda, the Secretariat usually informally ascertains opinion among member states’ delegations. For Convention 108, unanimous agreement between all forty-four member states is required. Moreover, formal requests for accession are examined by the Committee of Ministers, in addition to a prior examination by its Group of Rapporteurs. (2011 Note).
8. The Committee of Ministers may issue an invitation on the basis of a recommendation to do so by the Consultative Committee (Uruguay accession) or in the absence of such a recommendation (Morocco accession).
9. Once there is an agreement in principle within the Committee of Ministers to give a positive reply to a request, it instructs the Secretariat to consult the other non-member states that are parties to the Convention (none as yet), giving them a time-limit for the formulation of objections, which is usually two months (2011 Note).
10. In the absence of objections, the decision to invite the non-member state is (usually) taken at the level of the Ministers’ Deputies. The Secretariat General then notifies the state concerned of the invitation to accede to the Convention (2011 Note; Moroccan accession).
11. Prior to acceding to Convention 108, the invited state has to take the ‘necessary measures’ to ensure that its domestic law allows the Convention to be implemented (‘to give effect to the basic principles for data protection set out in this chapter’) (2011 Note; Moroccan accession).
12. It is not clear what happens if a state attempts to accede, having received an invitation to do so, without addressing the ‘complements’ that have been drawn to its attention, or without also acceding to the Additional Protocol. Although it seems that these matters are in fact compulsory, they are formal weaknesses of the current system; this is clear from the comments by Polakiewicz, cited below. They are, however, being addressed in the proposals for ‘modernisation’ of the Convention (to be discussed in the next section).
13. States are also ‘asked’ to accept the 1999 Amendments to Convention 108, which allowed the European Union to accede to the Convention, as those amendments require unanimous agreement (2011 Note).
14. The instrument of accession is to be deposited with the CoE in Strasbourg, or delivered by diplomatic courier. The Convention enters into force in relation to the state after three months on the first day of the next month following (2011 Note).

[39] Council of Europe, Secretariat General, Directorate of Legal Advice and Public International Law (Jurisconsult) Legal Advice Department and Treaty Office, Note of Information, above n. 22.
[40] J. Polakiewicz, Treaty-making in the Council of Europe (Strasbourg: Council of Europe Publishing, 1999).
[41] Ibid., pp. 34–5.
[42] If there is a lack of information about the real extent of protection, then the Consultative Committee could appoint members or experts to prepare such an opinion, including, if necessary, a fact-finding mission to the country in question. This has already happened in the past in respect of other CoE conventions, notably in the criminal law field (see ibid., pp. 35–6). The European Commission follows a similar practice when it obtains an expert report and the WP29 Opinion draws on and refers to that expert report (as it did in its Opinion on New Zealand).

It appears that the accession process is evolving, and is overcoming the problems that result from the lack of a complete fit between the Convention and the Additional Protocol, and ambiguities inherent in Article 23. But no obviously faulty decisions, which would lower the standards of the Convention and thus endanger its future, have yet been made. Moreover, the ‘modernisation’ proposals, if adopted, should improve the process and reduce the problems.

There is nothing unusual about the CoE ‘vetting’ countries that wish to accede to treaties. It is, as mentioned above, not a process of ‘self-certification’. Polakiewicz[43] makes it clear that Convention 108’s provisions for non-European accession, by invitation from the Committee of Ministers, are typical of an ‘open’ treaty. An invitation ‘constitutes an unconditional and definitive undertaking to accept the requesting state as a future party to the treaty’.[44] He does not state whether such invitations can explicitly be made conditional. He explains that ‘pre-vetting’ in a variety of forms is allowed, and is quite normal:

The Committee of Ministers may request that an expertise be carried out, concerning the compatibility of the domestic law of the state concerned with the standards of the treaty. Although there is no explicit provision in any of the European treaties for such a procedure, it takes place particularly if the subject of the treaty renders it advisable and if at least one member state so requests during the deliberations of the Council of Ministers. For instance, as far as treaties concerning extradition and mutual assistance in criminal matters are concerned, it is important that the judicial system and procedures of candidate countries respect minimum standards of human rights.[45]

[43] Polakiewicz, Treaty-making in the Council of Europe, above n. 40.
[44] Ibid., p. 34.
[45] Ibid., p. 35.

Data export restrictions and the problem of accession to the Convention alone

As explained earlier, Convention 108 does not require a country to have data export restriction provisions in order for it to accede. However, they are required as part of the Directive’s notion of adequacy, and as a requirement of the Convention’s Additional Protocol. Therefore, if non-European countries without data export restriction provisions were able to accede to the Convention, without acceding to the Additional Protocol, they would obtain the benefit of free flow of personal data from any countries that had also acceded to the Additional Protocol, unless each of those countries lodged a derogation in relation to exports to that particular country under Article 12(3)(b). It is therefore important that the standards for accession are kept high and that accession to the Additional Protocol is mandated: otherwise parties to both the Convention and Additional Protocol could be required to allow exports of personal data to countries with lower privacy standards than their own (e.g. countries with no data protection authority, no recourse to the courts or no data export restrictions). This would undermine the reciprocity of the Convention, put EU member states in potential breach of their obligations under the Directive and make accession less attractive for non-European states that already have data export restrictions in their laws.

Whatever view one takes on the merits of ‘border control’ data export restrictions as the best way to deal with the dangers of international personal data transfers, they have become part of ‘European standards’ and of the standards of most other countries with data privacy laws (as discussed earlier). An international Convention that flies in the face of that accumulated history is unlikely to succeed in becoming globalised. We do not need to demonstrate here, nor assume as a necessary step in the argument, that ‘border control’ data export restrictions are superior to other approaches. But their prevalence does show that they are almost as common in data privacy laws outside Europe as they are within Europe. This allows the assumption that an international convention that reflects this approach, and accommodates it, is more likely to succeed than one that does not.

Under the current Convention, the CoE cannot make accession to the Additional Protocol ‘mandatory’ in a strict legal sense. But neither is the Committee required to issue invitations to a non-member state just because they would like to receive one; and there is plenty of room for de facto imposition of criteria or conditions. The first Opinion by the Consultative Committee regarding an accession request is entitled ‘Opinion on Uruguay’s Request to Be Invited to Accede to Convention 108 and its [A]dditional Protocol’ (emphasis added; discussed below), and Uruguay has in fact become a party to both. What will happen with Morocco remains unclear. This issue will be resolved by the proposed ‘modernisation’ of the Convention, as explained below.
However, because modernisation will take years, the Committee of Ministers needs to determine (or clarify in a public document) in relation to the current Convention that there can be no non-European accessions without accession to both the Convention and Additional Protocol. he main disadvantage to non-European countries could be that, if the Committee of Ministers allows countries outside the EU to accede to the Convention with laws of lower standard than the Additional Protocol requires, or without acceding to the Additional Protocol as well, this could result in an obligation (at least on non-EU countries) to allow data exports to countries with substandard laws. Allowing accession to the Convention alone will drastically undermine


Graham Greenleaf

European privacy standards, and is likely to create untenable inconsistencies between the Convention and the Directive. Georges46 refers to ‘the Committee of Ministers’ decision of 2 July 2008 to encourage [non-Member] States having an adequate standard to accede to Convention 108 and its Additional Protocol’, and also assumes in further recommendations to the Consultative Committee that the Convention and the Additional Protocol should be treated as a package. The Convention 108 Bureau has also advised47 that a requirement to accede to both instruments reflects the Consultative Committee and Bureau position. It would be important to reflect this key decision in the above-mentioned Note, which explains accession procedures, and in a consolidated publication stating all policy decisions. It appears that this key policy position has been resolved correctly, but it still needs to be stated explicitly in explanatory documents.

Other unresolved issues in the accession process

The current Note, which explains accession procedures, and the two examples of accession applications to date do not fully resolve other major issues in relation to non-European accessions. The CoE has only started, in recent years, to explain to the rest of the world that non-European accession to Convention 108 is possible, but so far it has done relatively little to explain why it is desirable or to demonstrate a reasonably transparent procedural mechanism. It has now created a heading ‘Accession’ on its website, but this contains little more than the September 2011 Note. It explains some aspects of the process but does not provide (for example) all documents relevant to the invitations to accede that have been issued. The issues discussed next need to be resolved, or explained clearly, so that non-European states can properly understand the advantages and implications of acceding to the Convention. In some cases, reform of the Convention (‘modernisation’, discussed in the next section), may be necessary to fully resolve these issues. However, the completion of the modernisation process is likely to take at least two years, and probably longer, and, if globalisation of Convention 108 is to gain any momentum,

46 M. Georges for the Bureau of the Consultative Committee of the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data and its Additional Protocol, Report on the Modalities and Mechanisms for Assessing the Implementation of the Convention for the Protection of Individuals with Regard to Automatic Processing of Data and its Additional Protocol (Strasbourg, 27 September 2011) T-PD-BUR(2010)13Rev, para. 83.

47 Email from Convention Bureau to G. Greenleaf, 5 October 2011.

it needs to do so before then. These matters also need to be clarified in the Explanatory Report that should accompany the modernisation proposals. Therefore, this section considers what needs to be done before modernisation is complete and describes the implications for the modernisation process.

The standard for accession

The Committee needs to clarify the standard by which an assessment is made, regarding whether a country meets the standards for accession to the Convention (and Additional Protocol). The standards for accession are not specified in Article 23, but Article 4 requires that ‘[e]ach Party shall take the necessary measures in its domestic law to give effect to the basic principles for data protection set out in [Chapter II of Convention 108]’ prior to ratification. The Note, discussed above, does not elaborate on what this standard means. It cannot merely be a formal assessment of what a country’s law says on paper. Otherwise, countries such as Angola or Malaysia, which have laws including a DPA, but which have not yet appointed one, would appear to be compliant when in fact they are not. Similarly, India appears to have, on paper, a strong law of credit reporting in force, but it has never been implemented or observed by anyone, including the regulator or the credit bureaus. Because of its previous focus on European accessions, the Convention 108 Consultative Committee has, until now, been dealing with relatively mature Western democracies, all of them being within the jurisdiction of the ECtHR. But some of the countries with data privacy laws outside Europe are countries without substantial track records in relation to the rule of law, human rights or democratic institutions, and none of them are within the ECtHR’s jurisdiction. So the Consultative Committee must exercise extra vigilance to ensure that ‘laws on the books’ are not merely shams. The EU’s approach, which requires a finding that a law actually delivers ‘a good level of compliance’, ‘support and help’ and ‘appropriate redress’ must be close to what should also be required for accession.
Polakiewicz48 suggests that expert reports, or other forms of vetting, can consider matters that are outside the precise scope of the treaty being acceded to, because they provide support for its effectiveness. The requirements of the Additional Protocol (a DPA and export restrictions) might well be considered such factors. Furthermore, interesting arguments arise from Polakiewicz’s stipulation that an invitation could be

48 Polakiewicz, Treaty-making in the Council of Europe, above n. 40.

suspended or revoked ‘if the candidate country departed from basic principles of democracy and human rights’ because ‘[a]dherence to democracy, human rights and the rule of law are preconditions for membership in the [CoE]’.49 If this is so for a revocation of an invitation, it should be so a fortiori for refusal to issue an invitation in the first place. Therefore, invitations to accede to Convention 108 should not be issued to countries that fail the tests of democracy, human rights and the rule of law, even if they do have a data privacy law. On this basis, Vietnam and some other countries that do have data privacy laws should not be entitled to accede, and a set of criteria can be built up for conditions for Convention 108 accession that go beyond the terms of the Convention itself. Decisions to allow accession are obviously sensitive, and require consideration of more than whether a country has a strong enough data privacy law. If the decisions are made early on, it will help avoid invitations being issued that subsequently cause embarrassment. One related matter is that Convention 108 requires a comprehensive data protection law applying to both the public and private sectors, so that should rule out as potential candidates Singapore, Malaysia and India (private sector only) and the USA, Thailand, Yemen and Nepal (public sector only).

The relationship between Convention 108 accessions and EU adequacy

The standard to be applied for Convention accession should not be exactly the same as that applied by the EU Commission in determining whether a non-European country’s law is ‘adequate’, but it should be similar in most respects.50 The key difference is that the CoE should be primarily concerned with the strength of protection of the non-European law, from the perspective of the citizens of that country, with no particular weight being given to the interests of Europeans, if it is intended that Convention 108 is to become a neutral, global convention. However, when adequacy assessments are made, the Article 29 Committee quite correctly allows more flexibility in the application of the Directive’s standards concerning aspects of a country’s law and does not require all the standards of the Directive to be satisfied when adherence to these standards is unlikely

49 Ibid., p. 35.

50 This is a different question from the sub-question ‘what should be the standard of data export restriction required of countries seeking accession’. The Additional Protocol currently requires that exports only be allowed to countries providing ‘adequate’ protection but, as discussed later, the ‘modernisation’ proposals include a different standard.

to have any significant influence on the protection of European data subjects.51 While the standards of the Directive and the Convention should be slightly different, it remains to be seen if, in practice, Convention 108 accession becomes something of a ‘short cut’ to an EU adequacy finding for non-European countries because it is an ‘international commitment’ into which a non-European country has entered and is therefore relevant under Article 25 of the Directive. The process is also likely to work in reverse, with the CoE taking into account and giving appropriate weight to a prior adequacy finding for a country (and the EU WP29 Opinion on which it is based) when considering requests by non-European states to accede to the Convention and Additional Protocol. This occurred in the Uruguay accession. But while ‘fast-tracking’ of countries that have prior adequacy assessments might be reasonable,52 it should not be automatic. As a practical matter, it would be desirable if the European Commission and the CoE could find a cooperative mechanism by which they could take each other’s findings into account in order to expedite their own. It also remains to be seen whether non-European countries will be satisfied with either a Directive adequacy finding or Convention 108 accession, or whether they will want both.

Procedures to test ongoing compliance

There needs to be some procedure to test whether a member state does adhere to its commitments over time, and some sanctions that can be triggered if it does not (somewhat similar to an adequacy assessment being revoked). Georges proposes53 the establishment of a periodic review mechanism, such as is found in areas such as anti-corruption. It is possible that post-ratification assessment of compliance could be dealt with, without need for an amendment to the Convention, by such means as a Committee of Ministers’ resolution (a separate legal instrument), which non-member states would have to accept upon accession. One of the aims of the Convention ‘modernisation’ process is to strengthen the Convention’s follow-up mechanism54 and the interests of non-European states and their citizens need to be kept firmly in mind as part of this process.

51 G. Greenleaf and L. Bygrave, ‘Not Entirely Adequate But Far Away: Lessons from How Europe Sees New Zealand Data Protection’ (2011) 111 Privacy Laws & Business International Report 8.

52 J. Michael, ‘EU “Adequate” States to be Fast-Tracked by Council of Europe’ (2008) 94 Privacy Laws & Business International Newsletter 14.

53 Georges, above n. 46, p. 98.

54 Polakiewicz, Treaty-making in the Council of Europe, above n. 40.

Remedies for citizens of non-European countries

Perhaps the most difficult problem is ensuring that there are mechanisms in place that enable citizens of countries outside Europe to enforce the Convention. They cannot take cases to the ECtHR because the ECHR is a closed convention to which non-European states cannot accede.55 Nor can citizens of CoE member states directly enforce the Convention before the ECtHR. However, Article 8 ECHR implies sufficiently similar data protection standards that data protection failures by CoE member states could very often be brought before the Court. Perhaps the UN human rights mechanisms for individual ‘communications’, found in Article 17 of the International Covenant on Civil and Political Rights (ICCPR), could play a role in relation to non-European countries that are parties to both Convention 108 and also to the Optional Protocol under the ICCPR. But that could only apply to some countries. Another option is that the Consultative Committee could be empowered to accept ‘communications’ from individuals, civil society organisations or businesses who wish to complain that a party to the Convention is not observing its terms. This would not be comparable to taking a case to the ECtHR, but it would be better than nothing. The ‘modernisation’ proposals do not include this, but the new roles for the Consultative Committee do include to ‘facilitate, where necessary, the friendly settlement of all difficulties related to the application of this Convention’. All the Consultative Committee or the Council of Ministers can do is resort to persuasion or public criticism of recalcitrant countries, and it would be much better if data subjects and their representatives could play some role in ensuring that issues concerning individual member states are heard. The answers are not obvious, but they need to be addressed if Convention 108 is to become genuinely global and to give individuals outside Europe genuine means of redress. Otherwise it will remain too biased in favour of the interests of Europeans to be genuinely global.

Procedural clarity

Although the examples of accession do assist, there needs to be more explicit clarification of the procedure that is to be followed by CoE bodies in making accession invitations and assessments, and which parties will be involved. This has now been addressed to some extent in the ‘modernisation’ proposals, but given how long it will take for these proposals to

55 Michael, above n. 52; Polakiewicz, ‘Convention 108 as a Global Privacy Standard?’, above n. 28.

be adopted formally as a new Convention, interim measures are needed. Georges had proposed to the Consultative Committee detailed procedures by which applications for accession could be assessed, including a major choice of modalities between a ‘peer assessment’ by representatives of existing member states, or a ‘committee of independent experts’. It appears that the former has been adopted. However, Georges’ recommendations do not fully deal with the question of what ‘to give effect to the basic principles’ should mean.56 All of these issues need to be addressed by the Council’s Secretariat in a comprehensive document concerning accession by non-member states if non-European parties, business and civil society organisations are to obtain an understanding of the advantages of accession.

Implications and advantages of accession for non-European states

To summarise the previous discussion, Article 23 Convention 108 always allowed, in principle, for non-European states to accede to the Convention (and thus to the Additional Protocol as well) by invitation of the Committee of Ministers under the Convention. But, until recently, the Committee never issued any such invitations, and there was no means of applying. However, in 2008 the Committee explicitly agreed that the Consultative Committee under the Convention could receive and assess applications to accede and that it would consider such applications and issue invitations to accede where appropriate. The importance of this is that Convention 108 is the only realistic possibility for a globally binding international agreement on data protection to emerge. In comparison, the likelihood of a new UN treaty being developed from scratch is minuscule or, as Bygrave puts it, a ‘realistically, scant chance’.57 Moreover, the resolutions of the meeting of the world’s data protection and privacy commissioners are unlikely to amount to anything by themselves. Because it has forty-three existing members, there are significant advantages for non-European states in acceding to Convention 108 and the Additional Protocol. These fall into three categories. In relation to EU countries, non-European states obtain a guarantee of free flow of personal data from the EU country (unless the EU country derogates from Convention 108 on that point), which the Directive does not give them. While Convention 108 accession will not automatically lead to a finding

56 Georges, above n. 46.

57 Bygrave, ‘Privacy and Data Protection in an International Perspective’, above n. 9, 181.

of ‘adequacy’ by the EU, it is hard to see the EU denying a finding of adequacy to a non-European state that accedes to the Additional Protocol as well as the Convention. Practically, a Directive adequacy finding does not even seem necessary: none of the non-EU European countries that are CoE members (and parties to the Convention) have even bothered applying for an adequacy finding.58 In relation to other non-EU countries that are parties to the Convention, mutual obligations of free flow of personal data arise between them, unless either derogates because of the other’s lack of a data export restriction. Then there are more general advantages: only a modest step toward a stronger international data protection regime is required, not a radical one; it involves voluntary acceptance as an equal party to a treaty of obligations concerning data, rather than what might be seen as the unilateral imposition of a standard by the EU; and it avoids the necessity for individual countries to make decisions about which other countries have privacy laws that are ‘adequate’ or ‘sufficient’ to allow personal data exports to them. Depending on how long it takes the Committee of Ministers to make decisions, and whether those decisions are perceived to be fair and not unduly political, it could be a more attractive process than applying for an ‘adequacy’ finding to the EU Commission, and sufficient in practice even though not technically a substitute for that (discussed below).

Advantages for European states in non-European accessions

An adequacy finding from the EU does not impose any reciprocal obligations on the recipient country outside the EU to allow free flow of personal data from it to EU countries. Such a reciprocal obligation can arise if the non-EU country becomes a party to Convention 108. This will soon be a significant advantage to European states. As the number of countries outside Europe with data privacy laws increases, and if those laws include data export limitations (as they almost always do), then in theory European countries (including EU member states) will face the same problems of data export limitations as those faced by non-European countries. How can they be sure that they can import personal data from non-European countries without having to comply with a myriad different data export laws in those countries? The simplest and best answer should be, from their point of view, for those

58 See the table in G. Greenleaf, ‘Global Data Privacy Laws: Forty Years of Acceleration’ (2011) 112 Privacy Laws & Business International Report 11.

non-European countries to become parties to Convention 108 and the Additional Protocol. Then both countries will have reciprocal obligations of free flow of personal data, and those obligations will also be consistent with the European country’s obligations under the Directive (for the European countries that are also part of the EU).

How rapidly is globalisation likely to occur?

The CoE is ‘confident that [Uruguay] will only be the first country in a long list’.59 Which countries are most likely to be invited to accede to Convention 108 next? Authorities in Mexico have stated its intention to accede.60 Countries from South America and North Africa have already been invited, and two other African countries are believed to have expressed interest in receiving an invitation, which would create a significant global spread. Canada, already considered ‘adequate’ by the EU, is an Observer to Convention 108’s Consultative Committee, as is South Korea’s Personal Information Protection Commission. As the country with the strongest data protection law in Asia,61 South Korea would seem to be a good prospect as the first Asian member.62 New Zealand, with an EU adequacy report to assist its application, would seem to have better prospects than Australia (a Consultative Committee Observer) if it wished to become the first country from Oceania to join the treaty. The opening of this chapter noted the geopolitical fact that nearly fifty jurisdictions outside Europe have now enacted data privacy laws covering most of their private sectors (and most of those also cover their public sectors), and this growth outside Europe is accelerating. In 2011 an examination of thirty-three of (at that time) thirty-nine laws showed that, to a surprising extent, they share most of the factors (average 7/10) that are distinctive of European data privacy laws. Since then, the introduction of more new laws appears to have continued this pattern, and revisions of existing laws have strengthened it. Since there is already a large and growing number of data privacy laws outside Europe, with most of

59 Polakiewicz, ‘Convention 108 as a Global Privacy Standard?’, above n. 28.

60 ‘México y Uruguay Aspiran a Integrar el Convenio Europeo de Protección’ Datos (12 February 2011) ABC.es Agencias, www.abc.es/agencias/noticia.asp?noticia=1023213 (accessed 23 October 2013).

61 G. Greenleaf and W. Park, ‘Korea’s New Act: Asia’s Toughest Data Privacy Law’ (2012) 117 Privacy Laws & Business International Report 1.

62 Even though the People’s Republic of China can allow Hong Kong to accede to some international agreements, Convention 108 is only open to States (Art. 23) at present. But see later concerning the ‘modernisation’ proposals.

them having, at least superficially (i.e. on paper), a strong resemblance to European privacy laws, there seems to be fertile ground for a significant number of non-European countries to accede to Convention 108. A few would be ruled out by their failure to cover the public sector (Vietnam, Malaysia and India).63 Laws on paper are not sufficient for accession, but a high degree of ‘family resemblance’ does at least suggest a plausible order for the CoE to assess possible candidates for membership (as it has asked the Venice Commission to do). It can then encourage suitable candidates to apply where it appears that reality might match the law on paper. Another key factor may be whether members of a regional data privacy agreement (such as ECOWAS, the Economic Community of West African States) see Convention 108 accession as a collective means of establishing free flow of personal data between their region and Europe, and other countries. The CoE has a joint project with ECOWAS to help ensure that the data privacy laws of its member countries meet international standards.64 It is also intended that the ad hoc committee of member states (CAHDATA) that has the task of finalising the ‘modernisation’ of Convention 108 (discussed next) is to include ‘as observers, an extensive list of non-member States and certain international organisations (United Nations, Organization of American States, African Union, Economic Community of West African States, Association of Southeast Asian Nations, [and] APEC)’.65 It seems, therefore, that part of the CoE’s strategy for ‘globalisation’ is to engage significant regional organisations in the process of ‘modernisation’ of the Convention, as well as individual states that may have an interest in accession and some prospects of success. While successful ‘globalisation’ cannot be assumed, there is no reason to be unduly pessimistic about its prospects for success. Convention 108 may become a much larger club.

‘Modernisation’: reform of Convention 108

The Convention and Additional Protocol are at present undergoing a revision process (referred to as ‘modernisation’), endorsed by the CoE

63 Both the existing and the proposed ‘modernised’ Convention must apply to both the public and the private sectors (Arts. 1–2). Although territorial limitations are allowed (Art. 24), sectorial limitations are not (unlike EU findings of ‘adequacy’).

64 J. Polakiewicz, ‘Opening Intervention’ (Presented at International Data Protection Conference, 21 September 2011, Warsaw).

65 Bureau of the Consultative Committee of the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (T-PD-BU), Abridged Report of

Ministers of Justice in November 2010. The arguments presented in the previous parts of this chapter concerning the benefits of non-European accession assume that ‘modernisation’ will not weaken the standards currently found in the Convention and its Additional Protocol, because this would undermine or void most of those arguments. In October 2011 the Parliamentary Assembly of the CoE made Recommendations66 supporting the strengthening and globalisation of Convention 108 and its Additional Protocol, and the accompanying Resolution also makes it clear that ‘any global initiative should be based on Convention 108 and its Additional Protocol’, and not on the Convention alone.67 In November 2012 the Consultative Committee of the CoE68 adopted its final proposals69 for ‘modernisation’ of the Convention70 and submitted them to the Committee of Ministers for adoption. The proposals are to be finalised by an ad hoc committee (CAHDATA) of the Committee of Ministers.71 The ad hoc committee or the Committee of Ministers as a whole may decide to amend the proposals, so how ‘final’ they are remains to be seen. A draft Explanatory Report, to be prepared by the Convention

the 29th Meeting of the Bureau, Strasbourg, 5–7 February 2013 (Strasbourg, 13 February 2013) T-PD-BUR(2013)RAP29Abr.

66 Council of Europe Parliamentary Assembly, Recommendation 1984 (2011): The Protection of Privacy and Personal Data on the Internet and Online Media, text adopted 7 October 2011. Points found in the Recommendation are similar to some of the points raised earlier in this Chapter – that reform ‘should not lower the established protection’; that the parties should ‘establish a mechanism for monitoring compliance’; and that the CoE should encourage ratifications by non-member states.

67 Council of Europe Parliamentary Assembly, Resolution 1843 (2011): The Protection of Privacy and Personal Data on the Internet and Online Media, text adopted 7 October 2011, para. 11.

68 Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, above n. 1.

69 Consultative Committee of the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (T-PD), Modernisation of Convention 108: Final Document (Strasbourg, 29 November 2012) T-PD(2012)4Rev3, www.coe.int/t/dghl/standardsetting/dataprotection/TPD_documents/T-PD%282012%294Rev3E%20-%20Modernisation%20of%20Convention%20108.pdf (accessed 23 October 2013).

70 T-PD, Abridged Report of the 29th Plenary Meeting, above n. 37, item 2 states that the T-PD ‘gave a third reading to the proposals for modification of Convention 108, revised by its Bureau following the 28th plenary meeting, and adopted those proposals for transmission to the Committee of Ministers (set out in app. 3), and invited the Committee of Ministers to entrust the finalisation of the proposals to an ad hoc committee, instructing its Bureau to finalise the draft explanatory report in the light of the discussions’.

71 To be called the Ad-Hoc Committee on Data Protection (CAHDATA), and to include observers from numerous international organisations – see T-PD-BU, Abridged Report of the 29th Meeting of the Bureau, above n. 65, item 3.

108 Bureau, is not yet available publicly but it is due to be finalised and circulated for consideration at the Bureau’s meeting at the end of May 2013.72 It may clarify or resolve some of the issues raised in this chapter. The ‘globalisation’ of Convention 108 (developing it into a global data agreement, open to all countries providing the required level of data protection) is now underway,73 and Uruguay has become the first non-European state to become a party to the Convention. The advantages of ‘globalisation’ are significant for both existing parties and new entrants,74 but these advantages depend upon the Convention requiring a sufficiently high level of privacy protection from those non-European countries that wish to accede (including restrictions on data exports to recipients in states not parties to the Convention) and requiring that these protections be provided in practice. This chapter argues that, in relation to both of these requirements, adoption of the ‘modernisation’ proposals will make ‘globalisation’ work better for everyone, provided the data export restriction issue is resolved somewhat better than as currently proposed. Some general observations can be made about the proposals. First, many changes will make the ‘globalisation’ of Convention 108 more effective, both in terms of the procedures for accession of new members and in terms of providing post-accession mechanisms to ensure that the Convention is in fact being complied with by the parties to it. This is particularly so with the provisions that, in effect, absorb the Additional Protocol into the Convention (requiring a DPA, data export restrictions and access to the courts), so that it is not possible to accede to one without also acceding to the other. Second, some aspects of the proposals will help the Convention ‘keep pace’ with stronger provisions likely to be included in the proposed EU Regulation.
Third, it will become clearer that the standards required for a non-European country to accede to the Convention differ from those by which the EU assesses the ‘adequacy’ of a non-EU country’s data protection provisions. That being said, it remains unclear whether ‘adequacy’ is a suitable standard by which to measure data export restrictions. This section analyses the significance of the proposed ‘modernisation’ changes, comparing them to the previous proposals under consideration

72 Ibid., item 2.

73 G. Greenleaf, ‘Morocco and Uruguay Start Convention 108’s Journey to Global Privacy Treaty’ (2013) 122 Privacy Laws & Business International Report.

74 These advantages are analysed in Greenleaf, ‘The Influence of European Data Privacy Standards Outside Europe’, above n. 4.

in March 2012.75 It also considers whether the final proposals are a sound basis for a global data protection treaty. The less controversial aspects of the proposals are considered first, saving for last that hardy perennial of contention, data export restrictions, which necessarily overshadows other considerations. Finally, this section considers whether a modernised Convention would pass the Goldilocks Test. References to Articles of the Convention are, unless stated otherwise, references to the Article numbers in the final proposals.

Obligations of the parties

Parties must apply their data protection laws to ‘every individual subject to the jurisdiction of the Parties, whatever their nationality or residence’ (Article 1). Restricting protection to citizens is not permitted. A party must ‘apply this Convention to data processing subject to its jurisdiction’ (implying all data processing), with the exception of ‘data processing carried out by a natural person for the exercise of purely personal or household activities’ (Article 3). The Convention states that its primary role is as a human rights instrument (Article 1). Further, it states: ‘[e]ach Party shall take the necessary measures in its domestic law to give effect to the provisions set out in this Convention and ensure their effective application’ (Article 4(1)). This means that the requirement for both compliance with the Convention, and accession to it, is simply that a party’s domestic law and practice must show full compliance with all the Convention’s terms (though of course there is always some leeway as to what counts as full compliance). The wording is different from the existing Convention, but the effect is the same. These measures must be taken ‘prior to ratification or accession’ (Article 4(2)), and not simply prior to entry into force, as is the case presently (which is three months after ratification). This closes a loophole where a state could, in theory, ratify the Convention without having brought all necessary measures into effect. Most important, a party ‘undertakes to allow the Convention Committee … to evaluate the observance of its engagements and to contribute actively to this evaluation, notably by submitting reports on the

75 For analysis, see G. Greenleaf, ‘Strengthening and “Modernising” Council of Europe Data Privacy Convention 108’ (2012) 117 Privacy Laws & Business International Report 21; see also S. Kierkegaard, N. Waters, G. Greenleaf, L. Bygrave and S. Saxby, ‘30 Years On: the Review of the Council of Europe Data Protection Convention 108’ (2011) 27 Computer Law and Security Review 223.


Graham Greenleaf

measures it has taken and which give effect to the [Convention] provisions’ (Article 4(3)). What this probably means (but this will need to be confirmed in the Explanatory Report) is that parties will have to show that they ‘give effect’ to Convention requirements as a matter of practice, and not merely as a matter of passage of legislation. In the context of EU ‘adequacy’ determinations, terminology such as ‘a good level of compliance’, ‘provision of appropriate redress’ and ‘provision of support and help’ are used to indicate the substantive effect that is required. No reservations from Convention provisions are allowed (Article 25). It applies to all personal data. Domestic legislation is permitted to derogate from some of the data protection standards (Article 9); the permitted derogations are somewhat more narrowly defined in the proposed Convention than in the existing Convention.

Data protection standards

The Convention’s current data protection standards are in Articles 5–9. They are minimum standards and parties may choose to provide stronger protection (Article 11). There are two new general requirements for processing data. These are found in Article 5:

(1) Data processing shall be proportionate in relation to the legitimate purpose pursued and reflect at all stages of the processing a fair balance between all interests concerned, be they public or private interests, and the rights and freedoms at stake.

(2) Each Party shall provide that data processing can be carried out on the basis of the free, specific, informed and [explicit, unambiguous]76 consent of the data subject or of some legitimate basis laid down by law.

Requiring proportionality at all stages of processing is a notable improvement. Article 5(3) is much the same as the processing principles in the current Article 5, including the existing weak restriction on secondary use (‘not processed for incompatible purposes’). However, collection and processing of personal data is now limited by the higher EU standard of the ‘minimum necessary’ rather than ‘not excessive’. The categories of sensitive data that must have additional ‘appropriate’ safeguards (particularly against discrimination) are expanded to include

76 Sets of terms in brackets mean that the Consultative Committee did not agree on which was the preferable term.

A world data privacy treaty?


genetic data, identifying biometric data and trade union membership data (Article 6). ‘Appropriate’ is undefined, but that does not matter here because the protection of sensitive data is additional to (‘complementing’) the base standards. The security principle has had added to it a requirement of notification ‘without delay’ to the supervisory authorities ‘of those data breaches which may seriously interfere with the rights and fundamental freedoms of data subjects’ (Article 7). However, this does not include a requirement to notify the data subject. A new Article 7bis (‘Transparency of processing’) requires that data subjects be notified of various matters at the time their data is collected. Article 7bis will also apply when the personal data is collected from third parties, except where the processing is ‘expressly prescribed by law’ or notification ‘proves to be impossible or involves disproportionate efforts’ (Article 7bis(2)). Article 8 expands the existing rights of the data subject in various ways, which better align the Convention with the EU Directive (and proposed Regulation), including rights to: have their views considered before decisions are made on the basis of automated processing; object to processing; know on request ‘the reasoning underlying the data processing’ applying to them; and benefit from assistance of a supervisory authority no matter where they reside.

Additional obligations

A new Article 8bis goes further, building into the Convention protections similar to those expected to be included in the EU Regulation, which require the controller, or where applicable the processor:

1. To take ‘all appropriate measures to implement’ the principles and obligations in the Convention and ‘to establish internal mechanisms to verify and be able to demonstrate at least to the supervisory authorities’ compliance with the applicable law (an ‘accountability’ principle);

2. To carry out a risk analysis of the potential impact of the intended data processing on the rights and fundamental freedoms of the data subject and design data processing operations in such a way as to prevent or at least minimise the risk of interference with them (a ‘privacy by design’ and ‘privacy by default’ principle);

3. To design products and services to take into account the implications of the right to the protection of personal data and facilitate compliance of processing with applicable law (a ‘privacy by design’ principle);

4. To adapt (at their discretion) the previous requirements, according to the size of the controller or processor, the volume or nature of data processed and, more generally, in light of the risks for the interests, rights and fundamental freedoms of the data subjects.

The data protection principles proposed for the revised Convention are therefore considerably stronger than those in the OECD Guidelines, and may end up being comparable to those in the proposed EU Regulation.

Domestic enforcement mechanisms required

Article 12bis inserts into the Convention the requirements previously found in the Additional Protocol for Supervisory Authorities (with a right of appeal against their decisions to the courts). It adds stronger requirements and functions, involving: obligations to ensure member states are transparent in their activities; requirements to have powers to make decisions concerning Convention obligations, including sanctioning administrative offences; requirements that the Supervisory Authority be consulted on legislative and administrative changes; and the function of ‘approval of standardised safeguards’ concerning data exports. There are also detailed provisions requiring cooperation between supervisory authorities (Articles 13–17), which are valuable when complaints involve acts occurring within the jurisdiction of more than one party. Article 10 now requires appropriate ‘judicial and non-judicial’ sanctions and remedies for violations. The Explanatory Report to the existing Convention (paragraph 60) mentions ‘civil, administrative [and] criminal’ sanctions, the choice of which should be left to each state. Article 10 now adds that these sanctions should be both ‘judicial and non-judicial’, implying that both the courts and non-judicial bodies should be able to issue sanctions. However, it does not go so far as requiring that data subjects have a direct right to sue in a civil action in court for breaches.

New roles for the Convention Committee

The Consultative Committee is to be renamed the Convention Committee and its functions will be expanded and strengthened (Article 19). The new functions and powers include that it:

(d) May express an opinion on any question concerning the interpretation or application of this Convention [no longer requiring the request of a party];

(e) Shall prepare, before any new accession to the Convention, an opinion for the Committee of Ministers relating to the level of data protection of the candidate for accession;

(f) May, at the request of a state or an international organisation or on its own initiative, evaluate whether the level of data protection the former provides is in compliance with the provisions of this Convention;

(g) May develop or approve models of standardised safeguards referred to in Article 12;

(h) Shall periodically review the implementation of this Convention by the parties in accordance with the provisions of Article 4.3 and decide upon measures to take where a party is not in compliance with the Convention;

(i) Shall facilitate, where necessary, the friendly settlement of all difficulties related to the application of this Convention.

These functions are significant, and could give the Committee a role of similar importance to that of WP29 under the EU Directive. The big difference is that this is not a committee made up of Data Protection Commissioners, but one comprised of state representatives (but they are often drawn from data protection authorities). How energetic will they be in exercising the above powers to ensure that other states that are parties to the Convention (or applying to become parties) are fully protecting the rights of data subjects as required by the Convention? It is not a question to which an a priori answer can be given. The Committee will also have the ability to invite observers to its meetings by a two-thirds majority of members entitled to vote, rather than requiring unanimity (Article 18(3)). The input from these non-state observers is likely to help ensure that problems with the Convention’s operation are brought to the attention of the Committee, and that they find it difficult to ignore them.

Accession by non-European states

Currently, Article 23 concerns accession by states that are not members of the CoE. In the modernised Convention, Article 23 will require the Committee of Ministers to only invite accessions ‘after consulting the Parties to the Convention and obtaining their unanimous agreement and in light of the opinion prepared by the Convention Committee in accordance with Article 19.e’. The requirement to consider (but not necessarily to follow) the opinion of the Convention Committee reflects the practice adopted in the two non-European accession invitations to date. Because unanimous agreement between member states will be necessary under the new Article 23, non-European parties (such as Uruguay and Morocco) will have the same powers of veto, in relation to other new memberships, as CoE member states have already. It is possible for states to accede in relation to only part of their territory (Article 24(1)). For example, if China wished to accede in relation to the Hong Kong SAR only, it could do so.

Evaluating accession candidates and the performance of parties

Anticipating the adoption of the modernisation proposals, the Consultative Committee has put forward its own proposal for discussion. It features provisions that deal with: the evaluation of candidates for accession; periodic evaluations of all parties’ compliance with the Convention; and the measures that should be taken in the event of noncompliance.77 The evaluations would be carried out by a committee of probably six members of the Consultative Committee, with a mix of government and supervisory authority members, with geographic balance and a partial rotation of members over six-year terms. The committee would examine the prospective/incumbent party’s legislation, supervisory authority and the remedies available to data subjects by performing in-person visits and requesting the completion of questionnaires. An open process is proposed, which is very different from EU ‘adequacy’ evaluations. It would involve dialogues with the candidates/parties and interested NGOs would be permitted to make submissions. The committee would produce a draft opinion and final opinion, for comment by the candidate/party. Both the final opinion and the comments would be made public after transmission to the Convention Committee. Such openness would increase confidence in the quality of the Convention and its processes. In the event of finding non-compliance, the Convention Committee would aim to assist the relevant government and supervisory authority to draw up plans that deal with the deficiencies and report on progress. This is not unusual with treaty bodies, as there are usually no powers to take other enforcement actions. In this respect, it is unlike the power of the European Commission to take recalcitrant governments before the European Court of Justice in relation to the data protection Directive.

77 Bureau of the Consultative Committee of the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (T-PD-BU), Information Elements on the Evaluation and Follow-up Mechanism (Strasbourg, 29 January 2013) T-PDBUR(2013)02.

Ratification: a new twist

While the new Convention (technically, a Protocol to the existing Convention) requires ratification by all existing parties, this is only so in theory. This is because the proposals have a ‘silence-implied consent’ clause, which provides that, unless all parties give positive consent, the Protocol ‘shall enter into force following the expiry of a period of [two] years after the date on which it has been opened to signature, unless a Party to the Convention has notified the Secretary General of the Council of Europe of an objection to its entry into force’ (Article un-numbered). It would then only enter into force when the objecting party ratifies the Protocol.

Data export restrictions: ‘modernisation’ at risk

The guarantee of free flow of personal data between parties to the Convention (Article 12(1)) is only justifiable if it is coupled with an obligation on parties not to export personal data to organisations in states that are not parties, unless the protection of privacy continues to be guaranteed despite the data export. This is the basic principle of balancing free flow of personal data with data export restrictions. A year ago, there were deep differences within the Consultative Committee about how to define the required data export restrictions and competing proposals.78 The final proposals seem to be a reasonable compromise in some respects, but in other respects are so ill-defined that they are dangerous for data subjects unless they receive clarification.

Why is adequate not appropriate (and vice versa)?

The Additional Protocol to the existing Convention requires that data exports (‘transfers’) can only be allowed if ‘an adequate level of protection’ is provided; the explanation of this is in very similar terms to ‘adequacy’ in the context of the EU data protection Directive. In 2012 the Consultative Committee was sticking to ‘adequacy’ as the touchstone for export limitations:

The proposed provisions are still based on the well-known notion of an ‘adequate level of protection’. The Convention shall continue to require such protection, in particular if data is communicated or disclosed to recipients not subject to the jurisdiction of a Party to the Convention, recognising that this rule has promoted the development of data protection laws around the world.79

78 See Greenleaf, ‘Morocco and Uruguay Start Convention 108’s Journey to Global Privacy Treaty’, above n. 73, 23 (Data Export Restrictions Remain Contentious).

However, the final proposals refer instead to ‘an appropriate level of personal data protection based on the principles of the Convention’ (Article 12(2)). This ‘appropriate’ protection can be provided by a country’s domestic law (and international commitments) and can also be provided by various forms of ‘safeguards’ (discussed later) (Article 12(3)(b)). ‘Appropriate’ protection does not mean that all ‘principles of the Convention’ must be observed, otherwise Article 12(2) would say so. What ‘an appropriate level’ of protection requires in a country’s domestic law, or in the ‘safeguards’, could be clarified to some extent by the Explanatory Report. However, it is uncertain whether the Explanatory Report will do this. The danger of such non-explanation is that the term ‘appropriate’ has little or no meaning in the history of data protection. On the other hand, ‘adequate’ has a known and reasonably strong meaning that has developed over nearly twenty years. ‘Adequacy’ is a term and a concept that has been disliked by some countries in various forums over the years, but, without access to the minutes of the Consultative Committee discussions, it is not helpful to speculate which parties or observers led the Consultative Committee to abandon ‘adequacy’. In the longer term, the meaning of ‘appropriate’ will be a question of interpretation on which the Convention Committee will be entitled to give opinions (Article 19(d)); however, its opinions are not binding. There are no final judicial arbiters of the meaning of such terms.80 Disputes about the meaning of Convention 108 can only be settled by diplomacy, not by a court. That is why the meaning of key terms must be reasonably clear on the face of the Convention itself, or at the very least in the Explanatory Report accompanying the Convention. Such replacement of key meaningful terms by terms whose meanings are more easily contestable is common in multilateral trade and intellectual property negotiations,81 and indicates the need for careful and sceptical consideration of such changes in terminology in data protection agreements. ‘Adequate’ may not be the perfect term, but its retention would pose much less risk to the interests of data subjects and would keep Convention 108 better aligned with both the EU Directive and its proposed successor Regulation, where ‘adequacy’ is retained as the key term.82 ‘Equivalent’ protection, or protection ‘of similar effect’, are other terms that are meaningful and connote a standard that may not be identical but is at least functionally equivalent. ‘Appropriate’, in contrast, is meaningless by itself, even when ‘based on the principles of the Convention’. To see this, just ask the question, ‘what would the US State Department think is appropriate?’ For anyone whose main interest is strong data protection standards, such as civil society organisations, Article 12 is the key provision of the Convention. If it is faulty in this way, it will not be remedied by inserting strong provisions elsewhere, because accession would then mean a commitment to export personal data to places that offer low protection. A special exception has been added to the obligation of free flow of personal data between parties in order to accommodate the position of EU member states and their need to comply with the EU Directive. EU member states may restrict data exports to other parties to the Convention, unless those data exports comply with Article 12(3)(b): ‘ad hoc or approved standardised safeguards’ (proviso to Article 12(1)). Claims that a country’s domestic legislation is ‘appropriate’ are not sufficient. The reasoning behind this is presumably that the EU member state’s DPA can, under Article 26 of the Directive, veto any ad hoc safeguards that do not meet EU requirements and that ‘standardised safeguards’ will meet the EU requirements.83 This convoluted provision might not be needed if the Convention also used the term ‘adequate’.

79 Ibid.

80 Citizens of European countries may be able to take the same issues to the European Court of Human Rights under Art. 8, though not formally invoking the Convention. The same may apply to regional human rights courts in Latin America.

81 For discussion of the politics of such negotiations, see P. Drahos and J. Braithwaite, Information Feudalism (London: Earthscan Publications, 2002).

82 See European Commission, Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation) (Brussels, 25 January 2012) 2012/0011(COD), particularly Arts. 25(2), 41 (passim), and 45(2).

83 It is envisaged in Hong Kong’s constitutional arrangements that it can be a party to some international bodies and arrangements, such as its membership of APEC.


Data exports ‘safeguards’ and exemptions: how safe are they?

‘Appropriate’ protection can also be provided by ‘ad hoc or approved standardised safeguards provided by legally binding and enforceable instruments adopted and implemented by the persons involved in the transfer and further processing’ (Article 12(3)(b)). ‘Standardised’ safeguards must be approved by a state’s Supervisory Authority (Article 12bis(2)(b)). The Convention Committee may ‘develop or approve models of standardised safeguards’ (Article 19(d)), but cannot mandate uniform safeguards. Where such standardised safeguards exist, approval of data exports in individual transactions by the Supervisory Authority is not required if they are complied with. Each party may provide for further exceptions allowing data exports in three situations (Article 12(4)):

(a) The data subject has given his/her specific, free and [explicit, unambiguous] consent, after being informed of risks arising in the absence of appropriate safeguards, or

(b) The specific interests of the data subject require it in the particular case, or

(c) Prevailing legitimate interests, in particular important public interests, are provided by law and constitute a necessary measure in a democratic society.84

It is important to note that these three exceptions are neither compulsory nor automatic but depend upon domestic enactment by parties and may be subject to any additional conditions those enactments may impose, but may not be any broader than the conditions specified by Article 12(4). However, within the limits of Article 12(4), states may make exceptions that: apply to classes of data subjects of unlimited breadth; involve very broad descriptions of the relevant interests; do not necessarily impose any duties of care (or even stronger liabilities) on the exporter; and do not necessarily require any minimal protections to be provided by the importer. If misused by states, through overly broad legislation or regulations, they could result in massive flows of personal data being allowed to jurisdictions offering little or no data protection. If these exceptions are overly broad, they pose a risk to data subjects. Moreover, they might not be consistent with the data export laws of some countries considering accession to Convention 108. What guarantees must be provided in order to ensure that the ad hoc ‘safeguards’ required under Article 12(3)(b) actually exist, or that the conditions for exemptions required by Article 12(4)(b) or (c) are actually satisfied? The protection of the data subject depends entirely on such guarantees; otherwise companies will simply export personal information wherever they want, while pretending to comply with these provisions and obtaining a fig leaf of legitimacy. Article 12(5) provides that:

Each Party shall provide that the competent supervisory authority … [must] be informed of the modalities regulating the transfers of data provided for in paragraphs 3.b when ad hoc safeguards are set up, 4.b and 4.c. It shall also provide that the supervisory authority be entitled to request that the person who transfers data, or the recipient, demonstrate the quality and effectiveness of actions taken and that the supervisory authority be entitled to prohibit, suspend or subject to condition such transfers of data.

84 This is reiterated in a somewhat redundant provision in Art. 9(2), allowing restrictions on Art. 12 ‘where they are provided by law and constitute a necessary measure in a democratic society for the freedom of expression’.

This seems to imply that the supervisory authorities must be informed in advance of any ad hoc measures before data is transferred, but it is unclear whether ex post facto notification of transfers pursuant to Article 12(4)(b) or (c) would be acceptable. The Explanatory Report (or, better still, the Convention) needs to confirm these matters. In relation to Article 12(4)(b) and (c), the authorisation of these exceptions in domestic legislation must also comply with Article 12(5). It is also unfortunate that Article 12(3)(b) does not explicitly state ‘enforceable by the data subject’ nor that the enforceability is against any party involved in the transfer. If there are non-European parties to Convention 108, particularly from common law countries, it cannot be assumed that contracts for the benefit of data subjects will be enforceable by them, because the doctrine of privity of contract may apply.

The present danger: ‘interoperability’ across the species barrier

It is a current strategy of the Obama Administration to demand ‘interoperability’ with and ‘mutual recognition’ for its proposed ‘Framework’ before that initiative has any reality.85 The USA and its allies have been pushing, since at least late 2011,86 for ‘interoperability’ to be recognised as a primary goal in all international forums, particularly when agreements and standards concerning data protection are being revised (e.g. the OECD’s revision of its Guidelines; the APEC/EU discussions). Therefore, there must be great sensitivity to this issue in the forums of the CoE until the modernisation process is complete. ‘Interoperability’ cannot be an end in itself in data protection negotiations; it can only be a means of reducing formalities through cross-recognition of fully compatible and equivalent standards and mechanisms. Otherwise ‘interoperability’ or ‘mutual recognition’ is just a mask for capitulation to the demands of the stronger party. ‘Interoperability’ is only sensible (and perhaps it is only meaningful) between legal instruments of like pedigree. Convention 108 is a binding international agreement. However, the OECD Guidelines are just that – guidelines – and they have no legal effect anywhere. The APEC Framework is the same: there are no APEC ‘rules’, its Framework is a non-binding instrument, APEC is not an international organisation in the normal sense and there is no treaty.87 There cannot be any worthwhile interoperability or ‘mutual recognition’ between legally binding requirements and mere voluntary commitments. APEC’s proposed Cross Border Privacy Rules (CBPR) scheme does not yet have a single country complying with it88 and, if and when it does, its standards will fall so far short of the Convention as to be derisory. Therefore, the CoE must be vigilant in asking what is any interoperability between, and what is the equivalence or similar effect that justifies mutual recognition when considering the revised OECD Guidelines and the ‘promises’ of APEC’s CBPR. Seen in this light, the CoE must take particular care in choosing to replace the standard of ‘adequacy’ with the standard of ‘appropriate’. In doing so it must ensure that it does not accommodate ‘interoperability’ with other supposed data protection standards. This would result in the abandonment of proper investigation into whether the privacy standards existing in countries at the other end of the interoperability chain do in fact meet the standards of the Convention. Those who support data protection need to help stiffen European resolve to confront the challenges presented by American pressure to prematurely adopt ‘interoperability’ and the ideologies that drive it.89

85 G. Greenleaf and N. Waters, ‘Obama’s Privacy Framework: an Offer to be Left on the Table?’ (2012) 119 Privacy Laws & Business International Report 6.

86 K. Rodriguez, ‘Data Protection Regulation and the Politics of Interoperability’ (22 December 2011) Electronic Frontier Foundation, www.eff.org/deeplinks/2011/12/dataprotection-regulation-and-politics-interoperability (accessed 23 October 2013).

87 G. Greenleaf, ‘Five Years of the APEC Privacy Framework: Failure or Promise?’ (2009) 25 Computer Law & Security Report 28.

88 N. Waters, ‘US Enters APEC Privacy Rules System, but Value for Business?’ (2012) 120 Privacy Laws & Business International Report 19.

The future of Convention 108, its modernisation and globalisation

Bygrave, writing in 2008, could offer only the faint praise that the Convention was ‘far from passé’.90 But the five years since then have seen the CoE attempt to reinvigorate the Convention both through globalisation and modernisation. The conclusion of this chapter is that its future is now bright with possibility, but still fraught with risk.

Will a modernised Convention pass the Goldilocks Test?

Putting aside for the moment the question of data exports, the ‘final proposals’ for the modernisation of Convention 108 provide a higher, but reasonable standard of data protection. Moreover, it is likely to be largely consistent with the standards that may emerge from the European Union’s development of a new Regulation to replace the existing Directive. If this occurs, then these two instruments will together constitute a new ‘European standard’ to replace the current standard created jointly by the EU Directive and the current Convention 108 (and its Additional Protocol), which has had a dominant effect on the development of national data protection laws around the globe.91 However, because of the ‘globalisation’ of Convention 108, if there is a significant increase in non-European accessions, this will mean that countries outside Europe will have an increasing influence on the development of this originally European standard, making it more of a global standard in both ‘ownership’ and influence. But the success of globalisation depends largely on the perceptions of non-European states, and whether they wish to apply to accede to the Convention. The ‘modernised’ Convention will have to pass the Goldilocks Test. Its standards cannot be too ‘hot’: they must not impose data protection standards so high that domestic political opinion will not accept them. But the standards must not be too ‘cold’, either. As parties to the Convention agree to the free flow of personal information, if the Convention standards are too low, then parties with high standards of data protection would be required to allow personal information to flow to parties with low standards of data protection; moreover, those parties with the low standards would then be able to re-export personal data to non-Convention countries that possess even lower data protection standards. Therefore, the Convention’s standards of data protection must be ‘just right’ in order to ensure eventual global adoption. At present, we cannot say whether it will be ‘just right’. While modernisation is still cooking, care must be taken to avoid Convention 108 becoming too cold and unpalatable because of the quest for ‘interoperability’.

89 The Committee on the Present Danger, www.committeeonthepresentdanger.org/, is a US foreign policy advocacy group, which states that its mission is ‘to stiffen American resolve to confront the challenge presented by terrorism and the ideologies that drive it’.

90 Bygrave, ‘International Agreements to Protect Personal Data’, above n. 6, p. 26.

91 As argued in Greenleaf, ‘The Influence of European Data Privacy Standards Outside Europe’, above n. 4.

‘Globalisation’ is probable but not inevitable

Global conventions often take decades to obtain a ‘critical mass’ of ratifications. Convention 108, starting from its substantial European base, and now with a more coherent strategy for expansion outside Europe, is well placed to become a genuine global treaty by 2020. This chapter has stressed the inherent potential advantages of non-European accession to both European and non-European states, and to businesses operating within them. However, there is no inevitability in this result; it will take a lot of determined work and avoidance of serious errors in both the ‘globalisation’ and ‘modernisation’ processes. The CoE will need to take more effective steps to promote the advantages of accession to the rest of the world, and to make its own policies concerning the standards that must be met for accession, and the procedures to be followed more coherent and more transparent. From the perspective of civil society (the perspective of this author) there are two main pitfalls to be avoided. First, the ‘modernisation’ process should not weaken the ‘European data privacy standards’, and it does not seem that this is likely except (as argued above) in the one crucial area of data export limitations, where it is a serious risk. Second, the ‘globalisation’ (non-European accession) processes must also maintain those standards. Otherwise, the arguments in favour of globalisation are invalidated.

Europe should stick to its standards: soft power vs surveillance economics

Increasingly, versions of the European privacy standards are becoming part of the laws of most non-European countries (as well as all European

countries); at the time of writing nearly one hundred jurisdictions have adopted new data privacy laws.92 Consequently, it is important for Europe to adhere to those standards; this will help reinforce their intrinsic merit as a statement of human rights. There are no good reasons for Europe to retreat from the privacy standards it has slowly and relatively consistently developed over forty years. There are no alternative global standards worth considering. There are good reasons for European institutions to do a better job of enforcing their own standards, but not for abandoning them. The significant outliers – principally the USA93 and (to a decreasing extent94) China – are few but powerful and, increasingly, they are living in neighbourhoods of countries that do have data privacy laws. Notably, each of these outlier countries has initiated developments that are sympathetic to effective privacy protection. However, European and other countries with data privacy laws should continue to put pressure on US and Chinese business and government agencies to ensure that they comply with what is an increasingly global standard for data privacy. Applying pressure is particularly important when the operation of US and Chinese businesses involves the personal data of citizens of other countries. Respect for their domestic prerogatives should not be confused with any need to reduce fundamental aspects of global data privacy standards. In ‘Norms over Force: The Enigma of European Power’, Zaki Laidi argues95 that Europe has no choice but to try to exercise ‘normative power’, as it cannot exercise the power exercised by states because the idea of Europe is based on the sharing of sovereignty. ‘Normative power … seeks the integration of a world order based on the legitimacy of rules, the predictability, and especially the enforceability of accepted principles.’ In Europe’s case, the norms it seeks to see enforced are ‘constructed on the principles of democracy, the rule of law, social justice and human rights’. The global diffusion of data privacy laws that are significantly influenced by ‘European standards’ gives a number of interesting illustrations of Laidi’s argument. The Convention and the Directive are examples of the ‘sovereignty-sharing’ on which Europe is built. Moreover, the Convention

92 These conclusions are largely unchanged from Greenleaf, ‘The Influence of European Data Privacy Standards Outside Europe’, above n. 4.

93 For a summary see Greenleaf and Waters, above n. 85, 6–9.

94 For discussion on the growing ‘Europeanisation’ of Chinese data privacy standards, see G. Greenleaf and G. Y. Tian, ‘China Expands Data Protection through New 2013 Guidelines’ (2013) 122 Privacy Laws & Business International Report 1, 2, 4–6; and G. Greenleaf, ‘China’s NPC Standing Committee Privacy Decision: a Small Step, not a Great Leap Forward’ (2013) 121 Privacy Laws & Business International Report 1, 1, 4–6.

95 Z. Laidi, Norms Over Force: The Enigma of European Power (Melbourne: Palgrave Macmillan, 2008), p. 43.

and Directive are examples of the strong influence human rights discourse exerts in Europe. The global influence of those European standards on the laws of countries outside Europe exemplifies the projection of ‘soft power’; in this case combining the carrot of perceptions of best international practice with the stick of ‘adequacy’. Europe’s new enthusiasm to project Convention 108 onto the world stage as a potential global treaty demonstrates the desire for a world order beyond the boundaries of Europe. The most likely alternative is the global order imposed by the economic dominance of Google, Facebook and other US-based companies, business models based on relentless data surveillance, the imperatives of the US economy, and a legal framework that imposes few restraints upon them because of the lack of consistent implementation of most key principles of data privacy protection.96

96 Greenleaf and Waters, above n. 85.

PART III Privacy protection through common law and statute

7 Protection against intrusion in English legislation

N. A. Moreham

Introduction

As Lord Justice Leveson’s ‘Inquiry into the Culture, Practices and Ethics of the Press’ has highlighted, there is more to privacy than the unwanted dissemination of private information.1 Privacy is also breached when people hack the telephone calls of others, photograph or film them without their consent, ‘doorstep’ them, go through their personal papers or belongings, or follow them around in public. These activities interfere with what is often called ‘physical privacy’. This is the right to be free from unwanted physical access; in other words, the right to be free from unwanted listening, watching and physical encroachment. These kinds of intrusions have a similar effect on an individual to the unwanted dissemination of private information. The subjects’ choices about who can see, hear or find out about them are overridden by the intruder’s desire to observe. The individual, to use Lord Justice Leveson’s language, is commodified; treated as something to entertain, titillate or benefit the observer rather than a person to be treated with dignity and respect.2 Physical privacy intrusions – hacking, breaking in, spying and eavesdropping – can therefore cause significant distress and harm. Witnesses to the Leveson Inquiry spoke of

I would like to thank the European and EU Centre at Monash University for funding my participation in the conference ‘Emerging Challenges in Privacy Law: Australasian and EU Perspectives’, at which the paper on which this chapter is based was first presented in February 2012.

1 Lord Justice Leveson, An Inquiry into the Culture, Practices and Ethics of the Press, House of Commons Paper no. 780 (London: The Stationery Office, 2012) (the ‘Leveson Report’).

2 See, for example, ibid., vol. II, pt. F, p. 505 ([3.2]), p. 540 ([1.7] and [1.10]), p. 548 ([3.4]), p. 553 ([3.27]) and p. 602 ([2.44]). See also S. Benn, ‘Privacy, Freedom and Respect for Persons’ in J. Pennock and J. Chapman (eds.), Privacy: NOMOS XIII (New York: Atherton Press, 1971), p. 1.

a ‘corrosive loss of trust’ in confidants and feelings of violation, paranoia and anxiety resulting from such intrusions.3 The importance of the physical privacy interest is, however, being increasingly recognised. Courts in Ontario and New Zealand have recently followed the US approach of recognising that a tort is committed by those ‘who intentionally intrude, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns’ in circumstances where the ‘intrusion would be highly offensive to a reasonable person’.4 Law reform bodies in England, Australia and New Zealand have consistently recommended similar protections.5 These developments echo the widely held academic view that privacy has both a physical and informational component.6 Indeed, according to some commentators it is the desire to protect against physical privacy interferences which ‘brings us to the core of our expectations and intuitions about privacy and hence of our rights to it’.7

3 Leveson Report, above n. 1, p. 484 ([3.4]) (referring to the evidence of actress Sienna Miller). See also descriptions of the effects of media ‘doorstepping’ in AM v. News Group Newspapers Ltd [2012] EWHC 308 (QB), [4]; and AAA v. Associated Newspapers Ltd [2012] EWHC 2103 (QB), [15]–[16] and [31].

4 American Law Institute, Restatement (Second) of Torts (1977) s. 652B. In Jones v. Tsige (2012) ONCA 32, 18 January 2012, the Ontario Court of Appeal held that a bank clerk who repeatedly accessed (but did not disseminate) the banking records of her partner’s former wife committed the tort of intrusion into solitude and private affairs. Having said that the ‘facts cry out for a remedy’ (at [69]), the Court adopted the Restatement’s formulation of the intrusion tort (at [70]). A similar action was recognised and successfully relied on by a woman who was videoed in the shower by her boyfriend’s flatmate in the New Zealand High Court decision of C v. Holland [2012] NZHC 2155, [2012] 3 NZLR 672, [93]–[97]. Both parties agreed that the claimant had suffered actionable harm (see [20]).

5 See, for example, M. Littman and P. Carter-Ruck (chairmen), Privacy and the Law: A Report by Justice (London, 1970), pp. 41–2; K. Younger (chairman), Report of the Committee on Privacy (London, 1972), [53]; D. Calcutt (chairman) Report of the Committee on Privacy and Related Matters (London, 1990), [17.8]–[17.9]; New South Wales Law Reform Commission, Invasion of Privacy, Report no. 120 (2008), [4.3]; Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice, Report no. 108 (2008) vol. 3, [74.119] and recommendation 74; and New Zealand Law Commission, Invasion of Privacy: Penalties and Remedies – Review of the Law of Privacy Stage 3, Report no. 113 (2010), p. 3.

6 See, for example, R. Gavison, ‘Privacy and the Limits of the Law’ (1979) 89 Yale Law Journal 421, 428–40; T. Gerety, ‘Redefining Privacy’ (1977) 12 Harvard Civil Rights – Civil Liberties Law Review 233, 261f.; Benn, above n. 2, pp. 1, 3–4.

7 Gerety, ‘Redefining Privacy’, p. 265.

The United Kingdom’s obligations under Article 8 of the European Convention on Human Rights (ECHR) extend well beyond protection against dissemination of private information.8 The right to respect for private life includes wide-ranging protection of ‘physical and psychological integrity’,9 a right to ‘personal development’,10 and protection against the collection and/or storage of private information even if it is neither used nor disseminated.11 Consistently with this, recent decisions of the English High Court have held that there are ‘two core components of the right to privacy: “unwanted access to private information and unwanted access to [or intrusion into] one’s … personal space”’.12 Yet, in spite of these tentative first steps, physical privacy in England is still only protected by a patchy combination of legislative, criminal and common law measures. Debate is, therefore, needed about whether and how those protections should be extended. Before that discussion can take place, however, existing physical privacy protections must be identified. This chapter will undertake the surprisingly complex task of locating protections for physical privacy in English legislation. Five categories of privacy interference will be considered: unwanted listening and audio recording; unwanted watching, photography and/or filming; unwanted access to personal documents; unwanted access to home and personal belongings; and harassment. A final section will examine the broad-ranging Data Protection Act 1998.

8 Article 8 provides: ‘(1) Everyone has the right to respect for his private and family life, his home and his correspondence; (2) There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.’

9 See, for example, Pretty v. United Kingdom (Application no. 2346/02) [2002] ECHR 427, (2002) 35 EHRR 1, [61]; and YF v. Turkey (Application no. 24209/94) [2003] ECHR 391, (2004) 39 EHRR 34, [33].

10 See, for example, Peck v. United Kingdom (Application no. 44647/98) [2003] ECHR 44, (2003) 36 EHRR 41, [57].

11 See for example, Leander v. Sweden (Application no. 9248/81) [1987] ECHR 4, (1987) 9 EHRR 433, [48]; Rotaru v. Romania (Application no. 28341/95) [2000] ECHR 192 (GC), [44]; Segerstedt-Wiberg v. Sweden (Application no. 62332/00) [2007] ECHR 597, (2007) 44 EHRR 2, [72]–[73].

12 Goodwin v. MGN Ltd [2011] EWHC 1437 (QB), [2011] EMLR 27, [85] citing N. Moreham in M. Warby, N. Moreham and I. Christie (eds.), Tugendhat and Christie’s Law of Privacy and the Media, 2nd edn (Oxford University Press, 2011), [2.07], [2.08], [2.16] and [12.71]. See also, Re A (a minor) [2011] EWHC 1764 (Fam), [30]; and Bristol City Council v. News Group Newspapers Ltd [2012] EWHC 3748 (Fam), [12].

The survey shows that, whilst numerous measures address some aspects of physical privacy, overall protection is piecemeal and incomprehensive.

Specific legislative protections for physical privacy

Unwanted listening and/or audio recording

Turning to the five categories of physical intrusion, the first way an individual can interfere with the physical privacy of another is by listening to and/or recording his or her conversations. The interception of telephone calls or messages awaiting collection is prohibited by the Regulation of Investigatory Powers Act 2000 (RIPA).13 It is an imprisonable offence under that Act to intercept a communication in the course of its transmission by means of a public or private telecommunication system.14 RIPA does not apply, however, if individuals are bugged outside the telecommunications network. No offence is committed, for example, if a person installs a listening device in the home or car of another15 or if he or she attaches a recording device to the outside of a telephone.16 Nor is it an offence surreptitiously to record the other party to a conversation in which one is participating.17 Except where phone tapping is authorised by the controller of an internal phone network such as those found in hotels, universities or police stations (in which case there is no criminal liability),18 RIPA also confers no civil liability.19 It follows that, even if a conviction under RIPA is secured, damages for the victim

13 See, for example, Phillips v. Mulcaire [2012] UKSC 28, [2012] 3 WLR 312, [4] in which the Supreme Court refers to the defendant’s convictions under s. 1(1) of the Regulation of Investigatory Powers Act 2000 (UK) (RIPA) for intercepting mobile telephone voicemail messages.

14 RIPA, ss. 1(1) and (2).

15 See, for example, R v. E [2004] EWCA Crim 1243, [2004] 1 WLR 3279, [20] (in which the Court held there was no ‘interception’ for the purposes of RIPA when a listening device installed in the defendant’s car picked up just his end of a conversation on a mobile telephone) and R v. Smart [2002] EWCA Crim 772, [2002] Crim LR 684, [68] (in which the same conclusion was reached under the Interception of Communications Act 1985 (UK)). See generally RIPA, above n. 13, s. 2(2).

16 R v. Hardy [2002] EWCA Crim 3012, [2003] 1 Cr App R 30, [31].

17 Ibid.; R v. E [2004] EWCA Crim 1243, [2004] 1 WLR 3279, [29] (citing R v. Hammond [2002] EWCA Crim 1243; and R v. McDonald [2002] SLCR 33, per Astill J).

18 RIPA, above n. 13, s. 1(6).

19 A person who intercepts a communication on a private telecommunication system will be civilly liable to the sender, recipient or intended recipient of the communication unless he or she had ‘lawful authority’ to make the interception (s. 1(3)), which is only established if both parties to the communication consented to the interception or the

will not automatically result. And, as the telephone hacking scandal has shown, no conviction will be secured if the police are, for whatever reason, unwilling to investigate. Legislative protection against eavesdropping and bugging is, therefore, far from comprehensive.

Unwanted watching and/or visual recording

The second category of physical intrusion – unwanted watching and/or visual recording – is also criminal in some circumstances. Prosecutions have been successfully brought against individuals who have watched, photographed or filmed others getting changed,20 toileting or showering either in the offender’s home,21 workplace,22 in public facilities23 or ‘in the shrubbery’.24 The relevant provision, s. 67 of the Sexual Offences Act 2003 (SOA), makes it an imprisonable offence to observe and/or record for sexual gratification a person doing a private act, knowing that the person does not consent to being observed for that purpose.25 A person will be engaged in a ‘private act’ if he or she is ‘in a place which, in the circumstances, would reasonably be expected to provide privacy’.26 The

19 (continued) interceptor reasonably believed that they had so consented (ss. 1(5)(a) and 3(1)). (See further RIPA, above n. 13, ss. 3 and 4.)

20 See, for example, R v. Sultan Al-Sayed [2009] EWCA Crim 1922, [2010] 1 Cr App R (S) 86 (in which a man used a mirror to look at a child in a leisure centre changing room). See also R v. Sippings [2008] EWCA Crim 46, [2008] 2 Cr App R (S) 58 (in which a man videoed his teenaged neighbour going about everyday activities in her bedroom over a five-year period).

21 See, for example, R v. IP [2004] EWCA Crim 2646, [2005] 1 Cr App R (S) 102 (in which a man videoed his adult stepdaughter in the shower) and R v. Hancock [2010] EWCA Crim 390 (in which a man videoed an adult female visitor using his toilet).

22 See, for example, R v. Hodgson [2008] EWCA Crim 1180, [2009] 1 Cr App R (S) 27 (in which a man filmed inside female toilets at his workplace).

23 See, for example, R v. Henderson [2006] EWCA Crim 3264 (in which a man filmed people using a department store toilet); R v. Hancock [2010] EWCA Crim 390 (in which a man filmed women using toilets at the Glastonbury music festival); and R v. Turner [2006] EWCA Crim 63, [2006] 2 Cr App R (S) 51 (in which a sports centre manager filmed female customers in the shower).

24 R v. Swyer [2007] EWCA Crim 204 (in which a man filmed female runners urinating in shrubbery before the start of a race).

25 Sexual Offences Act 2003 (UK) (SOA) s. 67. The sexual gratification can either be one’s own (s. 67(1)) or, if the recording was made to facilitate another’s observation, someone else’s (ss. 67(2) and (3)). The offence carries a fine or maximum of two years’ imprisonment. It is also an offence to operate, install or construct equipment or to adapt a structure to facilitate one’s own observation: SOA s. 67(4). ‘Equipment’ includes cameras: see R v. IP [2004] EWCA Crim 2646, [2005] 1 Cr App R (S) 102; and R v. Hodgson [2008] EWCA Crim 1180, [2009] 1 Cr App R (S) 27.

26 SOA, s. 68(1).

person must also have had his or her genitals, buttocks or breasts exposed (or covered only with underwear), have been using a lavatory, or been engaged in a sexual act that is ‘not of a kind ordinarily done in public’.27 Section 67 deters against a particularly offensive type of surreptitious surveillance but it has its limitations. First, in order to secure a conviction, the prosecution must show that the offender was motivated by a desire to obtain sexual gratification by looking at the victim (or provide the same to someone else). An individual who undertook the surveillance out of spite, curiosity, artistic interest, suspicion of malpractice, or even a desire to blackmail, would not be guilty of an offence.28 Further, the offence will only be committed if the victim was using a toilet, engaged in sexual activity or had intimate body parts exposed. It would not be committed if, for example, a landlord filmed his tenant going about her everyday activities in the living areas of her home or a man continuously videoed the daily activities of a young family in the house next door. Further, as with RIPA, even if an offence is committed, the Act provides no mechanism for recovering damages for distress or harm. These limitations mean that public order offences could have continued relevance in surreptitious observation cases. In Vigon v. DPP (Vigon) the Divisional Court upheld the conviction of a man who installed a video camera in the changing cubicle of his market stall to film people trying on swimwear.29 The Court affirmed the Magistrates’ conclusion that the word ‘insulting’ in s. 5 of the Sexual Offences Act 2003 (POA) meant causing an affront to a person’s dignity or modesty and that filming of customers in a changing cubicle did just that.30 It is not clear, however, what weight Vigon now carries. Parliament has recently removed the word ‘insulting’ from s. 5 of the POA and it is unclear whether courts will regard surreptitious filming as ‘threatening’ or ‘abusive’ behaviour.31 Even if they do, s. 5 does not apply if filming takes place inside a dwelling or cannot be seen by ‘a

27 Ibid.

28 See R v. Henderson [2006] EWCA Crim 3264, [10] in which the defendant claimed, albeit unsuccessfully, that his admitted interest in women urinating was ‘visual’ rather than sexual.

29 Vigon v. DPP [1997] EWHC Admin 947, [1998] Crim LR 289. When Vigon was decided, the Public Order Act 1986 (UK) (POA) provided that a person will be guilty of an offence if he or she ‘uses threatening, abusive or insulting words or behaviour, or disorderly behaviour … within the hearing or sight of a person likely to be caused harassment, alarm or distress thereby’ (s. 5(1)) as long as he or she intends the words or behaviour to be ‘threatening, abusive or insulting’ or is ‘aware that it may be’ (s. 6(4)) and the defendant is unable to show, inter alia, ‘that his conduct was reasonable’ (s. 5(3)(c)).

30 Vigon, [7].

31 Crime and Courts Act 2013 (UK) s. 57(2). See references and comments above n. 29.

person likely to be caused harassment, alarm or distress thereby’.32 Thus, even if Vigon were followed, both a landlord filming his tenant in her living areas and a neighbour filming the family next door could still escape liability. Some incidental protection against filming and surveillance is provided by the ‘doorstepping’ offence in the Criminal Justice and Police Act 2001. It is an offence under that Act for a group of people to gather around the entrance to a dwelling in the hope of, inter alia, photographing a person inside.33 Police are empowered to remove doorsteppers and to make orders to ensure they do not return.34 Photography or surveillance that forms part of a harassing course of conduct is also sanctioned by the Protection from Harassment Act 1997 (discussed below). However, neither Act plugs all of the gaps left by the SOA and, as a result, liability (either civil or criminal) for a one-off visual intrusion will be rare if the requirements of s. 67 are not met.

Unwanted access to personal documents and files

The third way an individual can interfere with physical privacy is by obtaining unauthorised access to a person’s private documents and files either by rifling through personal papers or hacking into personal computer data. As discussed above, s. 1 of RIPA makes it an offence to intercept, intentionally and without lawful authority, any communication in the course of its transmission by means of a public postal service or telecommunication system.35 ‘Telecommunication system’ means any system facilitating the transmission of communications ‘by any means involving the use of electrical or electro-magnetic energy’.36 RIPA, therefore, prohibits the

32 POA, above n. 29, ss. 5(1) and (2). The common law offence of outraging public decency will also be committed if the defendant did an act of such a lewd, obscene or disgusting character as to outrage public decency and the act was ‘public’ in the sense that it occurred in a place to which the public has access or where it was capable of public view, and there were two people actually present who could have seen it, even if they in fact did not. See, for example, R v. Hamilton [2007] EWCA Crim 2062, [2008] QB 224, [30] and [31] (man used a video recorder in a rucksack to film up the skirts of women in a supermarket); R v. Ching Choi [1999] EWCA Crim 1279 (man caught filming women using the female lavatories in a Chinese supermarket); and R v. Tinsley [2003] EWCA Crim 3505 (sentencing appeal by a man who filmed up the skirts of women and girls in shops and on the public pavement).

33 Criminal Justice and Police Act 2001 (UK) (CJPA) s. 42A.

34 Ibid., s. 42.

35 RIPA, above n. 13, s. 1.

36 Ibid., s. 2(1). See further Morgans v. DPP [2000] UKHL 9, [2001] 1 AC 315, 333.

interception of post, text messages, emails, and pager messages both during transmission and when they are waiting for collection at the point of delivery.37 The Computer Misuse Act 1990 (CMA) also sanctions unauthorised access to computer systems and the data and programmes stored thereon.38 These sanctions guard against interference with material that is being stored on a computer or transmitted by post or the telecommunications network. However, unless they are in the post, neither RIPA nor the CMA protects the privacy of paper files or other non-digital materials.39 Further, once again, neither Act creates civil liability nor any other mechanism for recovering compensation for breach.

Unwanted access to private space or belongings

Outside of harassment and the offences of theft and burglary, there is no legislative redress if a person obtains unwanted access to your home or belongings, for example by rifling through your rubbish bags, hotel room cupboards, handbag or luggage. And a person will not necessarily commit an offence even if he or she breaks into your house to install a listening device or simply to have a look around; there is no offence in English law of breaking and entering, of general trespass or of installing a surveillance device.40 Limited protection against encroachment on the home is provided by doorstepping measures empowering police officers to dispel groups gathered around the entrance in the hope of speaking with, photographing or

37 ‘Transmission’ is taken to be continuing if the telecommunication system is being used to store the communication so that the intended recipient can collect or otherwise have access to it (RIPA, above n. 13, s. 2(7)). It is also an offence under the Postal Services Act 2000 (UK) ss. 83 and 84 to delay or open a postal packet in the course of its transmission by post.

38 An offence will be committed if a person ‘causes a computer to perform any function with intent to secure access to any programme or data held in any computer’ in circumstances where he or she knew that the intended access is ‘unauthorised’ and the perpetrator knows that to be the case (Computer Misuse Act 1990 (UK) (CMA) s. 1). A person secures ‘access’ to a programme or data held in a computer if, by causing the computer to perform any function, he or she alters or erases the programme or data, copies or moves it, uses it, or ‘has it output from the computer in which it is held’ (s. 17(2)).

39 Although the CMA applies to documents stored on a computer, RIPA, above n. 13, has no application once material has been collected.

40 Neither aggravated trespass nor burglary would be committed in these circumstances. See generally, LexisNexis, Halsbury’s Laws of England, vol. 97 (31 March 2010), 591 ‘Criminal Liability in Connection with Trespass to Land’; and A. P. Simester, J. R. Spencer, G. R. Sullivan and G. J. Virgo, Simester and Sullivan’s Criminal Law: Theory and Doctrine, 4th edn (Oxford University Press, 2010), pp. 575–87 (especially p. 587).

otherwise contacting a person inside.41 Harassment legislation can also provide some incidental protection.42 In general, however, legislative protection against unwanted access to space and belongings is limited and, despite its many limitations,43 the tort of trespass remains an individual’s best weapon against such intrusions.

Harassment

The Protection from Harassment Act 1997 (PHA) prohibits activities that form part of a harassing course of conduct. Breaches of physical privacy have often been held to form part of such conduct. Harassing acts can include, for example, stalking and shadowing people,44 gaining access to their homes,45 rummaging through their rubbish bags,46 spying on them,47 doorstepping them48 and indicating to them that one is or will be following or watching them.49 Photographing50 or video recording51 someone can also contribute to a harassing course of conduct, even if it is undertaken in public.52 Celebrities are, therefore, increasingly relying on the PHA to rein in excessive paparazzi behaviour.53 It is an offence under the PHA to pursue ‘a course of conduct’ that the perpetrator knows or ought to know amounts to harassment of another

41 CJPA, above n. 33, ss. 42 and 42A. See also the section on ‘Unwanted watching and/or visual recording’ above.

42 See the section on ‘Harassment’ below.

43 For example, the tort offers no protection to visitors or family members without a proprietary interest in the land, to people using public facilities such as toilets or changing rooms, nor to those staying in hotels, hostels or hospitals (see A. M. Dugdale and M. A. Jones (eds.), Clerk & Lindsell on Torts, 20th edn (London: Sweet & Maxwell, 2010), [19.19]).

44 Thomas v. News Group Newspapers Ltd [2001] EWCA Civ 1233, [2002] EMLR 4, [30] (see also [16]); and Howlett v. Holding [2006] EWHC 41 (QB), [24]. Since November 2012, ‘stalking’ has also been a specific offence (see Protection from Harassment Act 1997 (UK) (PHA) ss. 2A and 4).

45 See DPP v. Ramsdale [2001] EWHC Admin 106; and Woolford v. DPP (Unreported, High Court of Justice Queen’s Bench Division, Lord Bingham and Silber J, 9 May 2000).

46 King v. DPP (Unreported, Divisional Court, Kennedy LJ and Jackson J, 20 June 2000); [2001] ACD 7.

47 See, for example, R v. Hayes [1999] 3 All ER 816; Crawford v. CPS [2008] EWHC 148 (Admin); and Howlett v. Holding, above n. 44.

48 AM v. News Group Newspapers Ltd and Persons Unknown [2012] EWHC 308 (QB).

49 See R v. Liddle [1999] 3 All ER 816; Crawford v. CPS [2008] EWHC 148 (Admin); Howlett v. Holding, above n. 44; and Woolford v. DPP, above n. 45.

50 See, for example, Crawford v. CPS ibid.

51 See King v. DPP, above n. 46; and Howlett v. Holding, above n. 44.

52 Howlett v. Holding, above n. 44 [26].

53 See, for example, reference to litigation settled by the actress Sienna Miller in the Leveson Report, above n. 1, vol. II, p. 476, [2.19].

and does in fact amount to such harassment.54 ‘Harassment’ is not deined by the Act but is speciically said to include ‘alarming the person or causing the person distress’.55 he victim of an actual or apprehended breach of the PHA can bring a civil action for damages (including damages for anxiety and inancial loss)56 or an injunction to restrain the harassing conduct, breach of which entitles the victim to apply for the issue of warrant for the defendant’s arrest.57 Perpetrators can also be punished with a ine, up to 6 months’ imprisonment and/or a restraining order.58 he PHA provides very efective protection against physical intrusion in some circumstances. A person who repeatedly spies on, follows, ilms, eavesdrops on, photographs or bugs another can be subject to signiicant civil and criminal sanction. A victim seeking to rely on the PHA does, however, have to clear some signiicant hurdles. First, and most importantly, the PHA will only protect against physical intrusions if they form part of a ‘course of conduct’, which means that the victim must sufer harassing conduct on at least two occasions.59 here will be no liability if there was just a single, but egregious, intrusion or a series of intrusions with insuicient nexus between them.60 One-of but continuing intrusions might also be beyond the Act’s reach. Courts would have to stretch the Act’s language to ind, for example, that the man who i lmed his neighbour’s children continuously for several days had engaged in harassing ‘conduct on more than two occasions’. Second, it is not clear whether photography or surveillance of which the target is unaware could be said to contribute to a harassing course of conduct. he High Court in King v. DPP said it was open to Magistrates to conclude that surreptitious conduct can contribute to harassment if the 54

54 PHA, above n. 44, s. 1(1) provides: ‘(1) A person must not pursue a course of conduct – (a) which amounts to harassment of another, and (b) he knows or ought to know amounts to harassment of the other.’ A person who pursues such a course of conduct is guilty of an offence (PHA, s. 2).

55 Ibid., s. 7(2).

56 Ibid., s. 3(2).

57 Ibid., s. 3(3).

58 See ibid., ss. 2 and 5 respectively. A person whose course of conduct causes another to fear, on at least two occasions, that violence will be used against him or her will be guilty of a separate offence punishable by up to five years’ imprisonment (PHA, s. 4).

59 Ibid., ss. 1 and 7(3). See also Thomas v. News Group Newspapers Ltd, above n. 44, [30]; and Majrowski v. Guy’s and St Thomas’s NHS Trust [2005] EWCA Civ 251, [2005] QB 848, [82].

60 There must be ‘a consistent motive on a consistent course of conduct’ (see Tuppen and Singh v. Microsoft Corporation Ltd (Unreported, Queen’s Bench Division, Douglas Brown J, 14 July 2000, 16)) and some kind of nexus between the various harassing activities complained of (see R v. Hills (Unreported, Court of Appeal (Criminal Division), Otton LJ, Hidden J and Sir Richard Tucker, 4 December 2000) [27]; and Lau v. DPP [2000] EWHC QB 182, [2000] 1 FLR 799, 801–802).

Protection against intrusion in English legislation

requirement that the defendant ‘knew or ought to have known’ that the conduct amounted to harassment is met.61 It requires another strain on the Act’s language, though, to say that a person is harassed by conduct of which he or she is entirely unaware and that the defendant knew or ought to have known that such conduct would have this effect. Whilst courts might be willing to reach such a conclusion, clearer liability would be desirable. Finally, the ECHR Article 10 right to freedom of expression has often been relied on by defendants facing harassment charges for publicising their views about a person or issue.62 Although privacy interests have commonly outweighed freedom of expression interests in these cases,63 the defence could avail those, such as over-zealous reporters, who harass others whilst collecting information for publication.

Data Protection Act 1998

The Data Protection Act 1998 (DPA) focuses on the protection of personal information. However, because its key concept – ‘data’ – is defined by reference to the manner in which information is obtained and stored, it has the potential to protect against a wide range of intrusive activities. The scope of that protection is the subject of this final section. ‘Data’ in the DPA includes information that ‘is being processed by means of equipment operating automatically in response to instructions given for that purpose’ (i.e. on a computer); is recorded with the intention that it should be processed by means of such equipment; or is recorded as part of a relevant filing system or with the intention that it should form part of the same.64 ‘Personal data’ are those that relate to an identifiable

61 King v. DPP, above n. 46, [25] (the victim did not know the recording had taken place until police showed her the videos). Baroness Hale has also held, in a different context, that ‘conduct might be harassment even if no alarm or distress were in fact caused’ by it: Majrowski v. Guy’s and St Thomas’s NHS Trust, above n. 59, [66]. Surreptitious surveillance also contributed to a course of harassing conduct in Howlett v. Holding, above n. 44, but in that case the defendant told the claimant that she was being watched.

62 See, for example, Howlett v. Holding; Thomas v. News Group Newspapers Ltd; R v. Debnath [2005] EWCA Crim 3472, [2006] 2 AC 25; and Hipgrave v. Jones [2004] EWHC 2901 (QB), [2005] 2 FLR 174.

63 See Hipgrave v. Jones, ibid.; Howlett v. Holding, above n. 44; Thomas v. News Group Newspapers Ltd, above n. 44; and R v. Debnath, ibid. There is also no liability under the Act in respect of a course of conduct pursued for the purpose of preventing or detecting crime, pursued pursuant to any enactment or rule of law, or the pursuit of which was reasonable (PHA, above n. 44, s. 1(3)).

64 Data Protection Act 1998 (UK) (DPA) s. 1(1). According to this section, a ‘relevant filing system’ means ‘any set of information relating to individuals to the extent that … the


living individual.65 This means that the DPA applies to the use of any information about an identifiable person that is located on a computer or in a manual filing system, or obtained for the purposes of uploading to a computer or for filing. Clearly, in modern society this captures a huge amount of material, including personal files stored on a computer and digitally obtained photographs, films or audio recordings.66 The DPA is, therefore, relevant to any intrusion which involves these kinds of devices. Numerous obligations are imposed on those who ‘process’ personal data. The concept of ‘processing’ includes organising, adapting or altering data; retrieving, consulting or using them; disclosing them; aligning, combining, blocking, erasing or destroying them.67 People intruding on physical privacy will often be engaged in such processes. For example, a computer hacker will process any information he or she obtains from the target computer68 and a digital photographer processes the information in the photograph by taking it, uploading it, organising it, storing it, looking at it or deleting it. From the moment the computer is accessed or the image recorded on to the device, the hacker and photographer must, therefore, comply with the requirements of the DPA. In order to meet the requirements of the DPA, the data controller must (unless certain specified exceptions apply) comply with the ‘data principles’.69 The first, and most relevant, principle requires that personal data be processed ‘fairly and lawfully’. Whether the process is ‘fair’ will depend on the method by which the data were obtained and whether any person from whom they were obtained was deceived or misled as to the purposes

set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible’.

65 Specifically, a living individual who can be identified either from the data in question or from that data in combination with other information which is in, or is likely to come into, the possession of the data controller (ibid., s. 1(1)).

66 In Douglas v. Hello! Ltd (No. 6) [2003] EWHC 786 (Ch), [2003] 3 All ER 996, Lindsay J held that the unauthorised photographs of the claimants’ wedding were ‘personal data’ for the purposes of this provision ([230]). See also Douglas v. Hello! Ltd [2000] EWCA Civ 353, [2001] QB 967, [55]–[56].

67 DPA, above n. 64, s. 1(1).

68 See, for example, Tchenguiz v. Imerman [2010] EWCA Civ 908, [2011] 2 WLR 592, [95]–[97].

69 DPA, above n. 64, s. 4, which refers to DPA sch. 1 pts. I and II. The exemptions relate to national security (s. 28); the prevention of crime, prosecution of offenders and collection of taxation (s. 29); health, education and social work (s. 30); regulatory activity (s. 31); journalism, literature and art (s. 32); research, history and statistics (s. 33); publicly available information (s. 34); disclosure required by law or made in connection with legal proceedings (s. 35); and domestic purposes (s. 36).


for which they were being processed.70 The data controller must also meet one of a number of conditions by establishing, for example, that the subject consented to the processing71 or that the processing was undertaken to further the ‘legitimate interests’ of the data controller, or a third party to whom the data was disclosed, and was not unwarranted by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.72 Neither these, nor the other four conditions are likely to be met in intrusion situations.73 Further conditions apply if, as is often the case, the processed information is deemed to be ‘sensitive’.74 Breach of the DPA gives rise to both civil and criminal liability. An offence is committed (for which the defendant can be fined) if, without the consent of the data subject, a person knowingly or recklessly obtains (or discloses) personal data or information contained therein.75 Victims of a data breach can claim damages for damage76 or for distress (as long as there was also damage77 or on processing which was undertaken for journalism, artistic or literary purposes).78 Further, unless one of the exemptions applies, victims can require data controllers to cease or not to begin processing personal information about them, as long as they can show

70 See ibid., s. 4 and sch. 1 pt. I and II.

71 Ibid., sch. 2(1).

72 Ibid., sch. 2(6). Courts have held that the business interests of a freelance photographer (Murray v. Express Newspapers Plc [2007] EWHC 1908 (Ch), [2007] EMLR 22, [76]) and the defendant’s interest in covering a particular celebrity wedding (in Douglas v. Hello! Ltd. (No. 6), above n. 66, [238]) could be regarded as ‘legitimate purposes’. However, in Douglas the defendant’s interest was outweighed by prejudice to the legal rights of the claimants (see [238]) and the conclusion in Murray that the claimant’s legitimate business interest prevailed was undermined by the Court of Appeal’s conclusion that Patten J had struck the wrong balance between the parties’ competing interests (see [62]).

73 The other conditions in the DPA, ibid., sch. 2 relate to processing that is necessary for the performance of or entry into a contract with the data subject (sch. 2(2)); compliance with a legal obligation (sch. 2(3)); protection of vital interests of the data subject (sch. 2(4)); the administration of justice, the exercise of functions conferred under an enactment, or the exercise of other specified public functions (sch. 2(5)).

74 Ibid., sch. 1 pt. I para. (1)(b). ‘Sensitive personal data’ is defined in DPA, s. 2. They include those revealing information about an individual’s racial or ethnic origins, political opinions, religious beliefs (or beliefs of a similar nature), trade union membership, physical or mental health, sexual life, or commission (actual or alleged) of a criminal offence, including proceedings relating thereto.

75 Ibid., ss. 55(1)(a) and (3). It is also an offence to procure such disclosure (s. 55(1)(b)), to sell the data (s. 55(4)), or to offer them for sale (s. 55(5)). However, various defences apply (see s. 55(2)).

76 Ibid., s. 13(1).

77 Ibid., s. 13(2)(a).

78 Ibid., s. 13(2)(b). Data controllers will have a defence to a claim for damages if they can prove that they ‘had taken such care as in all the circumstances was reasonably required to comply with the requirement concerned’ (DPA s. 13(3)).


that it is causing, or is likely to cause, them substantial and unwarranted damage or distress.79 At first glance, then, the DPA gives significant rights of redress to victims of intrusion by means of hacking, digital filming or bugging. There are, however, significant limitations on the Act’s scope. First, the Act provides no protection against surveillance or recording unless the intruder uses a digital device or intends to upload or manually to file non-digital recordings. A person who films a private activity with a non-digital camera (and does not then scan or systematically file the photograph or recording) will be beyond the Act’s reach even though his or her act is indistinguishable in terms of impact and culpability from that of a person using a digital device. Use of a peephole or other non-technological spying technique also falls outside the Act. Second, the DPA exempts those processing personal data for the ‘special purposes’ of journalism, art or literary purposes from, inter alia, the need to comply with the data principles80 and from provisions allowing victims to prevent data processing causing damage or distress.81 This exemption applies if the data processor intends to publish information contained in the data and reasonably believes that publication would be in the public interest (having particular regard to the public interest in freedom of expression),82 and, in all the circumstances, compliance with the provision in question would be incompatible with the special purposes.83 ‘Journalism’ has been held to involve the ‘communication of information or ideas to the public at large in the public interest’, meaning that ‘anyone

79 Ibid., s. 10(1), which refers to sch. 2(1)–(4). The exemptions apply if the data subject consented to the processing (sch. 2(1)); if the processing was necessary for compliance with or entry into a contract with the data subject (sch. 2(2)) or for compliance with another type of legal obligation (sch. 2(3)); or if the processing was necessary to protect the subject’s vital interests (sch. 2(4)). See also discussion of the ‘special purposes’ below.

80 Except Principle 7, which relates to technical and organisational measures taken to protect the security of personal information.

81 DPA, above n. 64, ss. 32(1) and (2). They are also exempt from provisions relating to automated decision-making (s. 32(2)(d)) and to rectification, blocking, erasure and destruction (s. 32(2)(e)). Those processing sensitive personal data for the special purposes can also meet the special conditions imposed on processors of such information (in sch. 1 pt. I, 1(b)) if they can show that the processing is in the substantial public interest, was in connection with certain specified kinds of wrongdoing, and was made with a view to publication that the data controller reasonably believed to be in the public interest (see ibid., sch. 3(10) and the Data Protection (Processing of Sensitive Personal Data) Order 2000).

82 Ibid., ss. 32(1)(a) and (b).

83 Ibid., s. 32(1)(c). The Court of Appeal in Campbell v. MGN Ltd [2002] EWCA Civ 1373, [2003] QB 633 confirmed that this exemption applies to all stages of the publication process (at [107] and [128]).


with access to the internet’, not just those working for media organisations, can rely on the exception.84 Thus, the Act’s most significant obligations will not extend to those who photograph, film or record the subject in order to obtain information that they reasonably believe is in the public interest and that they wish to publicise. Finally, and significantly, the Act does not apply to personal data that an individual processes solely for the purposes of his or her ‘personal, family or household affairs (including recreational purposes)’.85 It would, thus, have no application against many of the intruders discussed in this chapter, including the landlord who, for his own purposes, videos his tenant in her living room, the man who videos his neighbours’ children and the person who installs a bugging device in another’s car. It would also provide neither civil nor criminal sanction against the defendant in the New Zealand case C v. Holland, who videoed for his own purposes his flatmate’s girlfriend in the shower, nor against the defendant in Jones v. Tsige who examined her partner’s former wife’s bank account records.86 The cumulative effect of these exemptions is that the DPA – and, indeed, English law in general – provides much less effective protection for physical privacy than first appearances would suggest.

Conclusion

What this survey reveals, then, is that although there is legislative protection against many types of intrusions into physical privacy, it is neither coherent nor comprehensive. Haphazard development has led to duplication in some areas and gaps in others. As a result, potentially serious interferences with physical privacy are beyond legislative reach: the aforementioned spying landlord, the man who films his neighbour’s children, the domestic housekeeper who installs a bugging device, or the hotel workman who goes through a guest’s private papers, could all escape legislative liability. Arbitrary distinctions also abound. Filming a person who is engaged in an intimate act or in a state of undress can be criminal, for example, but defendants will escape liability if their motive was not sexual unless they caused insult for the purposes of the POA (assuming that Vigon is followed). Perpetrators could also fall foul of the DPA, but not if they used a non-digital filming device or made the film for their own domestic purposes.

84 Law Society v. Kordowski [2011] EWHC 3185 (QB), (2012) 109(1) LSG 13, [99].

85 DPA, above n. 64, s. 36.

86 See C v. Holland, above n. 4; and Jones v. Tsige, above n. 4.


The PHA will not apply if the filming was a one-off event. Similarly, in the case of bugging and eavesdropping, there is criminal liability if private conversations are intercepted on the telecommunications network, but no liability if their conversations are bugged outside it, unless the bugging occurred on a private telephone network in which case there is a civil action under RIPA. In both situations the DPA might provide redress but, again, not if the interceptor is using a non-digital device or is collecting the information for ‘personal, household and family affairs’. There will be no harassment unless the interception occurs more than once. Even where criminal sanction exists, it is rare to find corresponding civil liability. Except in the unusual case of a private prosecution, this means that vindication of physical privacy rights depends on police willingness to investigate and prosecute. The telephone hacking scandal has infamously shown that this is a process over which victims have little control. And even when convictions are secured, criminal sanction does not provide compensation for mental injury or other harm suffered as a result of the intrusion. No principled justification for these distinctions emerges from the legislation: accident, not design, has dictated the scope of physical privacy protection. It follows that further legal development is needed if England and Wales are to protect physical privacy coherently. Enactment of comprehensive physical privacy protections, though, seems very unlikely. It is, therefore, to the common law that victims of intrusions should turn. How and why that protection should develop is a question for another day.

8 Privacy: common law or human right? Michael Tilbury

Introduction

The enactment of the Human Rights Act 1998 (HRA) in the United Kingdom marked a turning point, ‘a shift of the centre of gravity’,1 in the protection of privacy in English law by requiring courts in the United Kingdom to give effect to the right of respect for private and family life contained in the European Convention for the Protection of Human Rights and Fundamental Freedoms.2 The shift has resulted in the development of an action or actions, however described, that prevent wrongful interference with an individual’s private information.3 A corpus of new case law, some of the highest authority, has emerged, as well as a large body of academic commentary. This is in sharp contrast to those common law jurisdictions, such as Canada,4 New Zealand5 and Hong Kong,6 that adopted constitutional guarantees of rights or bills of rights long before

The author was the Commissioner-in-charge of the New South Wales Law Reform Commission’s inquiry into privacy law between 2006 and 2010. The opinions expressed in this chapter are those of the author alone.

1 See Campbell v. MGN Ltd [2004] UKHL 22, [2004] 2 AC 257 (Campbell), [51] (Lord Hoffmann) (attributing the emergence of the action for breach of confidence as the vehicle for the protection of privacy interests both to developments within the action itself and to the enactment of the Human Rights Act 1998 (UK) (HRA)).

2 HRA, Sch. 1 Art. 8.

3 Even putting aside the action for breach of confidence, there is, arguably, no single action, but one aimed at preventing the misuse of private information and another aimed at preventing wrongful access to private information: see N. McBride and R. Bagshaw, Tort Law, 4th edn (Harlow: Pearson, 2012), ch. 21. And see text to nn. 70–72.

4 See Canadian Charter of Rights and Freedoms, which forms sch. B to the Constitution Act 1982 (Canada) and which came into force on 17 April 1982.

5 See New Zealand Bill of Rights Act 1990 (NZ).

6 See Hong Kong Bill of Rights Ordinance (Hong Kong) cap 383 (BORO), which entered into force on 8 June 1991; Basic Law of the Hong Kong Special Administrative Region of the People’s Republic of China (People’s Republic of China) National People’s Congress, Order 26, 1 July 1997, Chapter III (Basic Law).


the HRA. These instruments simply never had the same immediate and dramatic effect on privacy law in those jurisdictions as the HRA has had on English law. Part of the reason may be that some legislative instruments, such as the Canadian Charter of Rights and Freedoms and the New Zealand Bill of Rights, do not expressly refer to a right to privacy.7 Of course, common law jurisdictions, such as Australia, that have no bills of rights have never come under specific constitutional or legislative pressure to develop the law of privacy, even though the force of human rights norms may otherwise be felt more generally in these jurisdictions.8 Most common law jurisdictions do have legislation aimed at data protection.9 Typically, this legislation regulates the circumstances in which private or personal information can be collected, stored, accessed, disclosed and destroyed. The boundaries of such legislation need to be borne in mind: it does not generally confer on individuals who claim that their privacy has been invaded a private right of action against an alleged intruder.10 These regulatory regimes have not, therefore, diminished the demand for the more general protection of privacy interests in disputes between individuals, that is, in private law. That demand has been felt in the case law of some jurisdictions, and has resulted, most strikingly, in the emergence of a tort of wrongful publication of private information in New Zealand,11 and of a tort of intrusion on seclusion in Ontario.12 Moreover, the High Court of Australia has left open the possibility of developing a tort of privacy or of expanding existing actions to give greater effect to privacy interests in private law.13 While the demand for greater privacy protection was being felt in the case law, the first decade of the twenty-first century saw law reform agencies

7 Compare Hong Kong, where BORO, Art. 14 reproduces the protection of ‘privacy, family, home, correspondence, honour and reputation’ found in the International Covenant on Civil and Political Rights (ICCPR) Art. 17, while the Basic Law retains, in Art. 39, the application of the ICCPR ‘as applied to Hong Kong’. See also Basic Law, Arts. 28, 29 and 30.

8 Consider M. Kirby, ‘Protecting Human Rights in Australia Without a Charter’ (2011) 37 Commonwealth Law Bulletin 255.

9 For the global reach of data protection laws, see G. Greenleaf, ‘Global Data Privacy Laws: 89 Countries and Accelerating’ (2012) 115 Privacy Laws & Business International Report Special Supplement.

10 See Jones v. Tsige [2012] ONCA 32, [51] (Sharpe JA); Hosking v. Runting [2004] NZCA 34, [2005] 1 NZLR 1, [98]–[99] (Gault and Blanchard JJ).

11 Hosking v. Runting, ibid.

12 Jones v. Tsige, above n. 10.

13 See Australian Broadcasting Corporation v. Lenah Game Meats Pty Ltd [2001] HCA 63, (2001) 208 CLR 199 (Lenah Game Meats), [39]–[43] (Gleeson CJ), [121]–[128] (Gummow and Hayne JJ), [185]–[189] (Kirby J dissenting), [313]–[336] (Callinan J dissenting).


in some common law jurisdictions devote significant resources to reviews of privacy law. In New Zealand, the Law Commission recommended that the protection of privacy in private law should continue through the development of the common law tort of wrongful publication of private information,14 which the Court of Appeal had endorsed in Hosking v. Runting.15 In Hong Kong, in the course of a comprehensive inquiry into privacy lasting some seventeen years, the Law Reform Commission recommended, among many other matters, the introduction of two new statutory torts: a tort of wrongful disclosure of private information and a tort of intrusion on seclusion, mirroring two of the privacy torts that exist in United States law.16 In Australia, the Australian and New South Wales Law Reform Commissions recommended the enactment of a statutory cause of action for invasion of privacy,17 while the Victorian Law Reform Commission recommended, in the context of misuse of surveillance in a public place, that there should be two statutory causes of action: the first dealing with serious invasions of privacy by the misuse of private information; the second dealing with serious invasions of privacy by intrusion on seclusion.18 Following the News International phone-hacking scandal in the United Kingdom in 2011, the Australian government published a consultation paper dealing with the possible introduction of a statutory cause of action for invasion of privacy drawing on the work of the law reform agencies.19 The Australian law reform agencies’ recommendation for a statutory cause of action, rather than a statutory tort,20 is based on the view that,

14 New Zealand Law Commission, Invasion of Privacy: Penalties and Remedies, Report no. 113 (2010) Ch. 7.

15 Hosking v. Runting, above n. 10. Compare Rogers v. Television New Zealand Ltd [2007] NZSC 91, [2008] 2 NZLR 78.

16 Hong Kong Law Reform Commission, Civil Liability for Invasion of Privacy (2004) chs. 6 and 7.

17 See, respectively, Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice, Report no. 108 (2008), vol. 3, ch. 74; New South Wales Law Reform Commission, Invasion of Privacy, Report no. 120 (2009).

18 Victorian Law Reform Commission, Surveillance in Public Places, Report no. 18 (2010), ch. 7. For an analysis of the proposals of the three Australian Law Reform Commissions, see N. Witzleb, ‘A Statutory Cause of Action for Privacy? A Critical Appraisal of Three Recent Australian Law Reform Proposals’ (2011) 19 Torts Law Journal 104.

19 Commonwealth of Australia, Department of Prime Minister and Cabinet, A Commonwealth Statutory Cause of Action for Serious Invasions of Privacy (Issues Paper, September 2011), www.dpmc.gov.au/privacy/causeofaction/docs/issues%20paper_cth_stat_cause_action_serious_invasion_privacy.pdf (accessed 27 October 2013).

20 For a description of statutory torts, see K. Stanton, P. Skidmore, M. Harris and J. Wright, Statutory Torts (London: Thomson Sweet & Maxwell, 2003), ch. 1.


in the context of private law, reform of privacy law should be constrained neither by the methodology nor by the content of tort law.21 This chapter supports that assessment. It argues that greater privacy protection in common law jurisdictions is not optimally achieved through the development of the common law. There are many factors pointing in this direction. One of the most fundamental, explored in this chapter in respect of tort and of breach of confidence, is that the so-called ‘right to privacy’ is not the type of ‘right’ that is typically protected in private law. Consequently, it sits uneasily in the law of tort and in the law of confidentiality. The implication, which is not explored in this chapter but adopted from the progress of privacy law in England since the HRA, is that the recognition of privacy as a human right, developed in the context of human rights law, holds out the promise of a more coherent and dynamic privacy law.

Privacy as a right in tort

The law of tort(s) is the most obvious branch of law for the development of greater privacy protection in private law in common law jurisdictions: it is primarily through tort law that civil liability is imposed on defendants for conduct that is legally ‘wrongful’.22 The fact that common law courts outside the United States have consistently refrained from developing a tort of invasion of privacy, notwithstanding clear opportunities to do so,23 suggests, at least, that there are serious difficulties, whether theoretical or practical, in doing so. These difficulties are potentially present both in respect of the general protection of privacy in private law (where they are at their most acute) and in respect of the protection of specific aspects of privacy.

Protecting privacy generally

Modern privacy law begins with a famous article written in the Harvard Law Review in 1890 by Warren and Brandeis.24 Significantly, the article is entitled ‘The Right to Privacy’. In common law jurisdictions outside

21 See especially NSW Law Reform Commission, Invasion of Privacy, [5.54]–[5.57].

22 See especially P. Birks, ‘The Concept of a Civil Wrong’ in D. Owen (ed.), Philosophical Foundations of Tort Law (Oxford: Clarendon Press, 1995), ch. 1 (defining a legal wrong as a breach of duty, but pointing out (at 51) the limitations on the concept of civil wrong).

23 Kaye v. Robertson [1991] FSR 62 (CA) and Wainwright v. Home Office [2003] UKHL 53, [2004] 2 AC 406 (Wainwright) are particularly good examples.

24 S. Warren and L. Brandeis, ‘The Right to Privacy’ (1890) 4 Harvard Law Review 193, 214–16.


the United States, the article’s fame is equalled only by its lack of impact. The most likely reason for this is that a ‘right to privacy’ simply does not belong in the law of torts. The incompatibility of such a right with tort law differs depending on the account of tort law. A recently emerging school of thought finds the explanation of tort law in the delineation of the circumstances in which the defendant has wronged the plaintiff by violating the plaintiff’s rights, and, in the event that the defendant has done so, in determining what remedies are available to the plaintiff (the ‘rights-based model of tort law’).25 A ‘right to privacy’, if it exists, has particular resonance with, and would seem to find instant justification in, this explanation. The rights-based model of tort law is not, however, the only account of torts. It is, in fact, a reaction to an earlier and more widely held view that tort law is ‘concerned with the allocation of losses incident to man’s activities in modern society’ (the ‘loss allocation model of tort law’).26 On this view, tort law is essentially concerned with determining the circumstances in which a defendant will be held liable to compensate a plaintiff for the injury or loss that the defendant has caused the plaintiff, a determination that is heavily influenced by relevant policy considerations, such as deterrence, individual responsibility, loss-spreading through insurance, and so on.27 Support for this view is found in judicial statements that identify the object of tort law as compensation.28 The two models identified in the last paragraph are there presented as accounts of modern tort law at opposing extremes.29 So presented, the most obvious difference between them is that the rights-based model rejects the role of policy or of public policy in the determination of tortious liability, whereas the loss allocation model puts policy considerations at the forefront of the explanation of tortious liability. This is misleading

25 The leading exponent is R. Stevens, Torts and Rights (Oxford University Press, 2007). For judicial support, see Chester v. Afshar [2004] UKHL 41, [2005] 1 AC 134, [87] (Lord Hope).

26 P. Vines, ‘Introduction’ in C. Sappideen and P. Vines (eds.), Fleming’s The Law of Torts, 10th edn (Sydney: Law Book Co., 2011), pp. 1, 5.

27 Ibid., pp. 8–18.

28 For example, Fairchild v. Glenhaven Funeral Services Ltd [2002] UKHL 22, [2003] 1 AC 32, [9] (Lord Bingham); Harriton v. Stephens [2006] HCA 15, (2006) 226 CLR 52, [56] (Crennan J).

29 Of course, these are not the only possible accounts of tort law, though other accounts will tend to gravitate towards one or other of these explanations. Consider, for example, the close association of corrective justice accounts of tort law with the rights-based model: see D. Nolan and A. Robertson, ‘Rights and Private Law’ in D. Nolan and A. Robertson (eds.), Rights and Private Law (Oxford: Hart Publishing, 2012), pp. 1, 23–6.


Michael Tilbury

insofar as it implies that the adherents of either model speak with one voice. They do not. An essentially rights-based theorist may allow some role for policy considerations in the determination of tortious liability,30 just as a loss allocation theorist may allow a role for rights in that determination.31 Moreover, it is always possible, in the context of a common law whose strength is found in the pragmatic solution of individual disputes, that no ordered account of tort law exists or can yet be given (the ‘anarchical view of tort law’). This is, for example, inherent in the response of Professor Tony Weir, a distinguished tort law scholar, to the question (posed by an American Law Dean): ‘What is your normative theory of tort?’ Weir’s robust response is: ‘Tort is what is in the tort books, and the only thing holding it together is their binding!’32 At their extremes, these various accounts of tort law could not be more different. Even so, whichever view is accepted, privacy remains problematic for inclusion in the category of ‘tort’. On the loss allocation model, this is because freedom from emotional distress, the compensation interest that typically responds to an invasion of privacy (however defined), is, arguably, too fragile an interest on which to found tortious liability.33 Its fragility relates both to the difficulty of adequately proving emotional distress standing alone34 and to the fact that emotional distress must sometimes be accepted as the inevitable consequence of living in a particular society. Lord Hoffmann illustrates the latter point in Wainwright v. Home Office with this example:

In institutions and workplaces all over the country, people constantly do and say things with the intention of causing distress and humiliation to others. This shows lack of consideration and appalling manners but I am not sure that the right way to deal with it is always by litigation.35

30 Consider N. McBride, ‘Rights and the Basis of Tort Law’ in D. Nolan and A. Robertson (eds.), Rights and Private Law (Oxford: Hart Publishing, 2012), pp. 331, 339–41, 364–5, and literature there cited.

31 Consider M. Jones (ed.), Clerk & Lindsell on Torts, 20th edn (London: Sweet & Maxwell, 2010), [1–11]–[1–24], and literature there cited. See also P. Cane, The Anatomy of Tort Law (Oxford: Hart Publishing, 1997). For a criticism of ‘mixed’ views of tort law, see R. Stevens, ‘The Conflict of Rights’ in A. Robertson and Tang Hang Wu (eds.), The Goals of Private Law (Oxford: Hart Publishing, 2009), pp. 139, 140–1.

32 T. Weir, An Introduction to Tort Law, 2nd edn (Oxford University Press, 2006), p. ix.

33 See D. Réaume, ‘Indignities: Making a Place for Dignity in Modern Legal Theory’ (2002) 28 Queen’s Law Journal 61, 75, 91. Cf. P. Handford, Mullany and Handford’s Tort Liability for Psychiatric Injury, 2nd edn (Sydney: Lawbook Co, 2006), [4.50].

34 Handford, Mullany and Handford’s Tort Liability for Psychiatric Injury, [2.40].

35 Wainwright, above n. 23, [46]. See also Lord Scott’s examples: ibid., at [62].

Privacy: common law or human right?


Except in the United States, freedom from emotional distress is not, therefore, generally recognised as a compensatable interest protected in tort law.36 As to the rights-based model of tort law, the first task is to identify the ‘right’ that tort law enforces. Leading rights-based theorists define ‘right’ as a ‘claim right’, a right in the strict Hohfeldian sense,37 which exists where one person (A) can insist that another person (B) does, or does not do, something because B is under a duty to A to do or to refrain from doing that thing.38 A general ‘right to privacy’ is not a right in this sense. As Professor Nicholas McBride has pointed out, a ‘right’ can be stated at such a level of generality that it does not ‘require anyone else to do anything in particular’.39 In other words, it fails to identify any person (in our example B) who is under a duty to respect the right. This contrasts with the specificity that is typical of common law rights, for example, A’s right not to be run over negligently by B (that is, in breach of the duty of care that B owes A and that correlates with A’s right). It is true that general or ‘fundamental’ rights at common law are sometimes identified at a higher level of generality (such as rights to personal security, to personal liberty, to private property, to assembly and to freedom of discussion). Indeed, this usage is variously hallowed by Blackstone,40 Dicey41 and high authority.42 The

36 See Handford, Mullany and Handford’s Tort Liability for Psychiatric Injury, ch. 4. The position probably differs in breach of confidence claims: see text to nn. 104–6.

37 See W. N. Hohfeld, Fundamental Legal Conceptions as Applied in Judicial Reasoning, W. W. Cook (ed.) (New Haven: Yale University Press, 1919), pp. 36–8.

38 See Stevens, ‘The Conflict of Rights’, above n. 31, pp. 142–3; McBride, above n. 30, pp. 341–6, distinguishing ‘claim rights’ into ‘legal power rights’ and ‘coercive rights’, and making it clear that the rights-based model of tort law encompasses both. The distinction may be of relevance in identifying what factors are relevant in determining when tort law will impose duties on defendants and hence create (primary) rights in plaintiffs, but it does not otherwise seem to affect the discussion in the text, which uses ‘claim right’ in both of McBride’s senses. Compare A. V. Dicey, An Introduction to the Study of the Law and the Constitution, 10th edn (London: Macmillan, 1967), pp. 196–202 (especially p. 199). Dicey famously remarked that the ‘inseparable connection between the means of enforcing a right and the right to be enforced which is the strength of judicial legislation’ was at least one reason why the common law had no need of formal bills of rights.

39 McBride, ibid., p. 344. Compare Stevens, Torts and Rights, above n. 25, p. 4 (grouping claim rights).

40 See W. Blackstone, Commentaries on the Law of England, 4th edn (Oxford: Clarendon Press, 1765) vol. I, p. 125.

41 Dicey, An Introduction to the Study of the Law and the Constitution, above n. 38, chs. 5–7.

42 See Allen v. Flood [1898] 1 AC 1, 29 (Cave J); R v. Home Secretary; Ex parte Pierson [1997] UKHL 37, [1998] AC 538, 587 (Lord Steyn); R v. Secretary of State for the Home Department; Ex parte Simms [1999] UKHL 33, [2000] 2 AC 115, 131 (Lord Hoffmann).


expression of rights in this way may serve particular purposes, such as the identification of a premise for reasoning43 or the application of constructional principles.44 But rights expressed in this way only generate claim rights where they require defendants to act or refrain from acting in specific ways that interfere with plaintiffs’ rights (as where we can say that A’s general right to bodily security exists because of A’s claim right not to be run over negligently by B).45 Common law lawyers overwhelmingly understand ‘right’ in private law as a claim right, a residual right operating as a qualification on the general assumption that everyone is free to do everything.46 Understood in the light of this rationale, claim rights are necessarily narrowly drawn so as not to conflict with one another.47 So drawn, they are prima facie entitlements.48 That, after all, must be the basic reason for describing them as ‘rights’, and separating them from related concepts, such as ‘interests’. A general ‘right to privacy’ obviously cannot fit into this understanding of right, nor, consequently into a rights-based account of the law of tort that understands the law of tort as concerned with claim rights in the Hohfeldian sense of the word. Turning to the anarchical view of tort law, the difficulty of admitting a general right of privacy into the law of torts is the notorious one of determining what such a tort should encompass.49 United States courts, following the taxonomy of Prosser,50 have found it necessary to restate Warren and Brandeis’ ‘right to privacy’ in private law as four specific torts. The reach of these torts is wide, covering: unreasonable publicity given to the plaintiff’s private life; unreasonable intrusion on the plaintiff’s seclusion; appropriation of the plaintiff’s name and likeness; and publicity that unreasonably places the plaintiff in a false light before the public.51 Privacy’s reach is, potentially, even more extensive in public law challenges to the actions of governments or governmental instrumentalities where it

43 See Stevens, ‘The Conflict of Rights’, above n. 31, pp. 143–4.

44 See Minister for Immigration and Citizenship v. Haneef [2007] FCAFC 203, (2007) 163 FCR 414, [105]–[113] (Black CJ, French and Weinberg JJ).

45 Consider McBride, above n. 30, p. 344.

46 On the difference between the articulation of general rights and their residual status in the common law, see especially Attorney-General v. Guardian Newspapers Ltd (No. 2) [1990] 1 AC 109 (Spycatcher), 283 (Lord Goff).

47 Accord Stevens, ‘The Conflict of Rights’, above n. 31, pp. 143–4.

48 See further text to below nn. 86–90, 107–12.

49 See especially D. Solove, Understanding Privacy (Boston: Harvard University Press, 2008).

50 W. Prosser, ‘Privacy’ (1960) 48 California Law Review 383.

51 American Law Institute, Restatement of the Law (Second), Torts (1977) §§ 652B-652E.


is alleged that laws impacting on particular groups invade the privacy of members of those groups. Thus, in the United States privacy has become ‘a forum for contesting … the rights of women (especially in respect of abortion), the use of contraceptives, the freedom of homosexuals and lesbians, the right to obscene or pornographic publications, the problems generated by AIDS’.52 This points to the danger of privacy as a legal concept: it can be seen to be about everything and therefore of no use as a legal right, interest, concept or principle.53 Its indeterminate core means that it could not clearly define its relationship to other legal rights, interests, concepts or principles, let alone operate as a prima facie entitlement. In Wainwright v. Home Office Lord Hoffmann, with the concurrence of the whole House, therefore rejected the argument that relevant case law did, or could, support the existence of a general cause of action for invasion of privacy in English law. His Lordship regarded ‘invasion of privacy’ as a ‘high-level generalization’, a ‘value’ underlying rules of law, rather than a principle of law definable with the precision from which it is possible to deduce the rule to be applied in a concrete case.54 While this reasoning can be seen as directed to the development of a new general cause of action for invasion of privacy in English law, it also effectively precludes the expansion of existing tortious actions to provide general protection against invasion of privacy. Potentially, there are really only two such actions:55 negligence and the tort of intentional infliction of distress founded on the old decision of Wright J in Wilkinson v. Downton.56 Neither action is, in any event, suitable as a vehicle for the development of a general action for invasion of privacy. Negligence is not suitable because it is not focused on the intentional conduct that is typically the subject of a privacy complaint; and because mental distress, standing alone, would not qualify as damage to support the action. And the intentional infliction of distress is not suitable because it requires the same sort of damage

52 R. Wacks, ‘Why There Never Will Be an English Common Law Privacy Tort’ in A. T. Kenyon and M. Richardson (eds.), New Dimensions in Privacy Law: International and Comparative Perspectives (Cambridge University Press, 2006), pp. 154, 175–6.

53 See Solove, above n. 49, p. 7.

54 Wainwright, above n. 23, especially [18], [31].

55 The more limited attempt to expand nuisance to protect privacy in certain circumstances has been unsuccessful in England (Hunter v. Canary Wharf Ltd [1997] UKHL 14, [2004] AC 655, overruling Khorasandjian v. Bush [1993] QB 727 (CA)) and Australia (Victoria Park Racing and Recreation Grounds Co Ltd v. Taylor (1937) 58 CLR 479). See M. Tilbury, ‘Privacy and Private Law: Developing the Common Law of Australia’ in E. Bant and M. Harding (eds.), Exploring Private Law (Cambridge University Press, 2010), pp. 86, 87–98.

56 Wilkinson v. Downton [1897] 2 QB 57.


that would support an action in negligence (which, in this context, would at least be psychiatric injury); and because it would only reach deliberate conduct of a particular sort – that is, conduct that was actually intended to cause the harm suffered.57 There are, moreover, serious questions about the meaning and status of Wilkinson v. Downton in modern law, centred on whether or not it has been subsumed in negligence.58

Protecting specific aspects of privacy

The perceived impossibility of developing a general cause of action for invasion of privacy at common law leaves open the possibility of developing a narrower cause of action, or causes of action, that target the protection of various aspects of privacy. This is what has happened in New Zealand with the development of a tort of wrongful publication of private information, and in Ontario with the emergence of the tort of intrusion on seclusion.59 A version(s) of the New Zealand tort also exists in English law, although it usually masquerades as a species of breach of confidence.60 What is important to note here is that these jurisdictions have found it possible to develop common law actions for certain types of privacy invasion and, hence, to develop an understanding of what privacy means and why it is being protected in those contexts. The actions mirror two of the torts in Prosser’s taxonomy (unreasonable publicity given to the plaintiff’s private life and unreasonable intrusion on seclusion).61 The two torts have been cherry-picked from that taxonomy for the probable reason that they get closest to protecting what privacy ought to protect in private law actions between individuals, namely ‘the fundamental value of personal autonomy’.62 This must be because making public a person’s private life

57 See Wainwright, above n. 23, [36]–[47] (Lord Hoffmann).

58 Especially ibid, [41], [44] (Lord Hoffmann); Giller v. Procopets [2008] VSCA 236, (2008) 24 VR 1 (Giller) (Ashley and Neave JJA, contra Maxwell P). See further M. Tilbury, ‘Coherence, Non-Pecuniary Loss and the Construction of Privacy’ in J. Berryman and R. Bigwood (eds.), The Law of Remedies: New Directions in the Common Law (Toronto: Irwin Law, 2010), pp. 127, 154–5. Cf. Malcolmson v. Mehta [2001] SGHC 208, [2001] 4 SLR 454, where Wilkinson v. Downton played a major role in the development of a tort of harassment in Singapore.

59 See above nn. 11 and 12 respectively.

60 See text to nn. 64–9.

61 See text to nn. 50–1.

62 See Douglas v. Hello! Ltd [2000] EWCA Civ 353, [2001] QB 967 (Douglas), [126] (Sedley LJ); Lenah Game Meats, above n 13, [125] (Gummow and Hayne JJ). Reference is also sometimes made to the underlying value of human dignity (e.g. Campbell, above n 1, [50]; Lenah Game Meats, ibid., [43] (Gleeson CJ)), but, like liberty, this would seem to be no more in this context than an aspect of autonomy. These values feature prominently in


without that person’s consent, or simply intruding unreasonably on a person’s private life, robs that person of their individuality. It is an attack on what Warren and Brandeis called their ‘inviolate personality’.63 This approach of creating specific causes of action that give effect to identified values underlying privacy in the context of those actions looks like a sensible, indeed traditional, way of developing the common law through the creation of new, and very specific, claim rights. However, there are both practical and theoretical considerations that argue against Balkanising the Warren and Brandeis tort in the manner pioneered by Prosser. In particular, it is difficult to define the boundaries of the individual torts in such a way as to ensure that the torts accurately reflect the values underlying privacy while, at the same time, allowing for the development of the tort to give effect to those values in a changing world. The first difficulty, the identification and description of each cause of action, is illustrated by comparing the way in which Prosser’s tort of unreasonable publicity given to the claimant’s private life has been adopted in New Zealand and England. In New Zealand, it has become the tort of ‘wrongful publication of private information’;64 in England, the tort of ‘misuse of private information’, at least according to Lord Nicholls.65 ‘Misuse’ is, of course, wider than ‘wrongful publication’. Both are capable of reaching the common case of a newspaper report that unreasonably reveals details of the plaintiff’s private life. But, as framed, neither seems able to encompass the case where a defendant has obtained access to private information without publishing or using it. Yet in Imerman v. Tchenguiz66 the English Court of Appeal ordered the defendants to return to the claimant hard copies of documents relating to the claimant’s financial affairs that had been generated following unauthorised access to electronic files on the server supporting the claimant’s computer system. The Court also granted injunctions restraining the defendants from communicating or disclosing to third parties the information contained in the documents, from copying them or from using them. The Court acknowledged the existence of a tort of misuse of private information,67 but obviously thought it inapplicable in

the Kantian view of the person as an end in themselves: see I. Kant, Groundwork of the Metaphysic of Morals, H. J. Paton (trans.) (London: Hutchinson, 1948), 90f.

63 Warren and Brandeis, above n. 24, 205.

64 Hosking v. Runting, above n. 11.

65 Campbell, above n. 1 [14] (Lord Nicholls). See also McKennitt v. Ash [2006] EWCA Civ 1714, [2008] QB 73 [8]; Lord Browne of Madingley v. Associated Newspapers Ltd [2007] EWCA Civ 295, [2008] QB 103 [21]–[22]; Imerman v. Tchenguiz [2010] EWCA Civ 908, [2011] 1 Fam 116, [65].

66 Imerman v. Tchenguiz, ibid.

67 Ibid., [65].


the circumstances of the case,68 preferring to ground recovery in the equitable action for breach of confidence. It is a breach of confidence, the Court held, intentionally and secretly to obtain information in respect of which the claimant must have appreciated that the claimant had an expectation of privacy.69 If the incoherence of the current law of confidentiality forces the English courts to retreat from the position that privacy interests are protected principally in the action for breach of confidence,70 a case like Imerman v. Tchenguiz may need to be recast as an action in tort. If so, the question immediately arises: will the tort of misuse of private information need to be reformulated so that it includes wrongful access, or will there now also be a separate tort of wrongfully obtaining access to private information? The answer depends on whether or not the ingredients of the two hypothetical causes of action are the same. If each cause of action has its own ‘considerations and rules’, then ‘confusion may arise from a failure to maintain appropriate analytic distinctions’.71 The requirement of ‘secrecy’ in Imerman v. Tchenguiz (which is not an ingredient of the misuse tort) suggests that there are, indeed, two torts with separate ingredients. It does not necessarily follow that there should be a tort of wrongful access to private information and a tort of misuse of private information. For if English law comes to recognise a tort of unreasonable intrusion on seclusion,72 wrongful access to private information would fall within that tort. In Jones v. Tsige73 the Ontario Court of Appeal recognised a tort of intrusion on seclusion, defining it in the words of the Restatement:

One who intentionally intrudes, physically or otherwise, upon the seclusion of another or his private affairs or concerns, is subject to liability to the other for the invasion of his privacy, if the invasion would be highly offensive to a reasonable person.74

Applying this test, a defendant bank employee who, without authorisation and for no legitimate reason, had accessed (but not published or otherwise used) the bank records of the plaintiff, a fellow employee, over a period of time, was held liable in damages to the plaintiff. This decision

68 It seems at least arguable that the act of copying the documents in this case was a ‘misuse’ of them.

69 Imerman v. Tchenguiz, above n 65, [68].

70 See text to nn. 113–18.

71 Jones v. Tsige, above n. 10, [21] (Sharpe JA).

72 Note that the confidentiality action only extends to the protection of private information: see text to n. 119.

73 Jones v. Tsige, above n. 10, [70]–[71].

74 American Law Institute, Restatement (Second) of Torts (2010), §652B.


of the Ontario Court of Appeal is not relevantly distinguishable from that in Imerman v. Tchenguiz, where the defendants’ conduct also clearly falls within the tort of intrusion on seclusion. The creation of individual torts of great specificity, like the hypothetical access tort, seems inherently undesirable. First, given the protean nature of privacy, and its tendency to be over-inclusive, where will the creation of specific torts of privacy end? Prosser’s four torts could, at least theoretically, represent only the tip of the iceberg, capable of adding a multitude of privacy-related torts to the existing list of nominate torts. More importantly, if the specific torts that emerge are actually unified by principle, some justification needs to be provided for their individual creation. In an important paper, published almost fifty years ago, Professor Edward Bloustein,75 arguing from the premise that ‘the primary canon of all science [is] that a single principle of explanation is to be preferred over a congeries of discrete rules’,76 contended that Prosser’s four torts could all be seen as protecting ‘dignity’ or, in the language of Warren and Brandeis, ‘inviolate personality’. There was, Bloustein argued, no reason to disassemble privacy into four separate torts. Indeed, there is an increasingly strong argument not to do so. It is trite to observe that we are living in an era of fast-moving technological change that is constantly transforming our lives. In such an environment, the principled development of the law of privacy is particularly important if it is to keep abreast of that change. This development is not advanced by the emergence of specific torts with detailed individual ingredients, where progress of the law is likely to proceed by analogy from an existing tort to determine either if that tort can be expanded or modified to accommodate a new situation, or if a proposed new tort is sufficiently similar to an existing tort to justify its creation. Reasoning of such a technical nature should not direct the development of the law if the individual torts are unified by principle. Thus, we do not need to create a tort of intentionally and secretly obtaining information in respect of which the claimant had an expectation of privacy if we can say, by appealing to the underlying principle, that the defendant’s intentional and secretive acquisition of the information is merely one manifestation of an invasion of privacy – just as the English Court of Appeal was able to say that such conduct is a breach of confidence where the defendant must have appreciated that the claimant had an expectation of privacy.

75 E. Bloustein, ‘Privacy as an Aspect of Human Dignity: An Answer to Dean Prosser’ (1964) 39 New York University Law Review 962.

76 Ibid., 963.


‘Conceptual unity’, as Bloustein put it, ‘is not only fulfilling in itself; it is also an instrument of legal development.’77 Acceptance of Professor Bloustein’s argument requires us to revisit the proposition that a general tort protecting privacy at common law is unattainable because of the impossibility of delineating the concept of privacy with sufficient precision. Bloustein’s argument assumes that by exposing the values, concepts or interests underlying privacy, sufficient precision is injected into the notion of privacy to direct the development of a tort of privacy at common law. Bloustein identifies those values, concepts or interests as ‘dignity’ and ‘inviolate personality’; modern authority would add to, or replace these with ‘autonomy’.78 Whatever the exact meaning of these concepts, and whatever differences exist between them, all three are, obviously, drawn at a higher level of generality than privacy itself. It is for this reason that they inform the meaning of privacy. And it is in this sense that courts in some common law jurisdictions have thought that an appeal to ‘autonomy’ is capable of providing guidance on the reach of a tort of privacy. For example, a concept of privacy informed by the value of autonomy justifies the conclusion that ‘privacy’ is something that belongs to individuals, so that a corporation cannot bring a claim for invasion of privacy.79 Again, ‘autonomy’ may suggest that privacy is naturally concerned with Prosser’s torts of unreasonable publicity given to the plaintiff’s private life and of unreasonable intrusion on the plaintiff’s seclusion.80 Two points should be made about this. First, the assumption that autonomy or some other concept can be identified that gives sufficient precision to privacy to allow the development of a tort of privacy at common law, means that privacy itself becomes, contrary to Lord Hoffmann’s view,81 a concept or principle from which it is possible to deduce the rule to be applied in a concrete case. Second, while concepts of autonomy and dignity may themselves seem hopelessly vague, their invocation in support of a legal principle or rule is not limited to the context under discussion. Thus, in Rees v. Darlington Memorial Hospital NHS Trust82 a majority of

77 Ibid., 1004.

78 See authorities in above n. 62.

79 Lenah Game Meats, above n. 13, [126]–[132], [126] (Gummow and Hayne JJ, Gaudron J agreeing). Cf. [328] (Callinan J dissenting). Compare R v. Broadcasting Standards Commission, Ex Parte BBC [2000] EWCA Civ 116, [2001] QB 885 (where a contrary conclusion was justified by the wording of the statute in question).

80 Lenah Game Meats, above n. 13, [125] (Gummow and Hayne JJ, Gaudron J agreeing).

81 See above n. 54.

82 Rees v. Darlington Memorial Hospital NHS Trust [2003] UKHL 52, [2004] 1 AC 309 (Rees). Cf. Chester v. Afshar [2004] UKHL 41, [2005] 1 AC 134, [18] (Lord Steyn).


the House of Lords held that a conventional award of £15,000 in a wrongful birth case could be justified by reference to ‘the denial of an important aspect of personal autonomy, viz the right to limit the size of [one’s] family’. Autonomy, Lord Millett explained, is ‘an important aspect of human dignity, which is increasingly being regarded as an important human right which should be protected by law’.83 In an era of human rights, it is hardly surprising that concepts, values or principles that, like privacy, promote or are associated with such rights, are found to have sufficient precision for the foundation and development of rules of law even if, in a different era, they would have been regarded as too imprecise for this purpose. For the reasons given above,84 this does not, however, mean that such a development would be consistent with the understanding of claim rights in tort law. Its justification would have to be sought elsewhere, presumptively in human rights law. We can conclude from the above that, while the creation at common law of discrete privacy torts, of more or less specificity, is possible, it is nevertheless undesirable. Moreover, there is a further consideration that argues against developing a general tort of invasion of privacy or specific torts protecting aspects of privacy. Again, this consideration, to which we now turn, is related to the nature of common law rights.

Accommodating competing considerations

An important factor in the creation of a tort of privacy (whether general or dealing with a specific aspect of privacy) is the necessity to define its relationship to competing considerations, whether described as ‘rights’, ‘interests’ or ‘values’.85 This is because, as Warren and Brandeis recognised86 and as human rights law now teaches us,87 the force to be accorded to privacy by way of legal protection is, in many cases, frequently and necessarily dependent on the countervailing force, in all the circumstances of the case, of such competing considerations, of which the most prominent is freedom of expression or freedom of speech (since invasion of privacy frequently involves the publication of matter). For example, where a media organisation publishes details of the private life

83 Rees, above n. 82, [123] (Lord Millett).

84 See above nn. 37–45.

85 In Hohfeldian terminology, ‘interests’ is more appropriate here: consider Lenah Game Meats, above n. 13, [41] (Gleeson CJ).

86 Warren and Brandeis, above n. 24, pp. 214–16.

87 See generally R. Clayton and H. Tomlinson, The Law of Human Rights, 2nd edn (Oxford University Press, 2009), ch. 12. And consider HRA, above n. 1, sch. 1 Art. 8(2) (limits on


of a celebrity, the extent to which the celebrity can complain about the media’s intrusion on his or her privacy is only capable of being answered if regard is had to the protection that all the circumstances of the particular case demand be given to freedom of expression. In such cases, tort law adjusts the relationship between privacy and other considerations such as freedom of expression.88 It subjects defendants, as a constraint on their general liberty, to a duty not to invade anyone else’s privacy in the circumstances that the tort speciies; and, in the event of such invasion, the victim has a right to such remedy against the defendant as the law prescribes. he right, being residual, is narrowly drawn. But once drawn, it is prima facie enforceable. However, the right is subject to any defences that the law makes available to defendants in the circumstances. his mirrors the situation in other torts, for example the tort of defamation, in which the plaintif ’s right not to be defamed is prima facie protected, subject, among others, to the defences of fair comment and privilege in which such weight as is appropriate in the circumstances is given to freedom of expression. hus, having speciied the ingredients of the tort of wrongful publication of private information,89 the New Zealand Court of Appeal proceeded to hold that the tort was subject to the defence of legitimate public concern, a defence that accommodated (among other matters) the ‘signiicant value to be accorded [to] freedom of expression’.90 In New Zealand law, then, the tort of wrongful publication joins the catalogue of individual actions that comprise the New Zealand law of tort, and, like other torts, is atomised into its essential ingredients and into the defences that may apply if the ingredients are made out. Mediating the clash between privacy and other considerations in this way is unsatisfactory. 
In the absence of any demonstrated societal consensus and in the absence of any constitutional constraints, there is no a priori reason to privilege privacy in all circumstances above other ‘public interest’ considerations. Yet this is the very privileging that is likely to occur if privacy is developed as a tort, for, as pointed out, once the ingredients of the tort have been made out, the claimant has a right to the prescribed remedy subject only to any defences (such as a defence of public interest). But why should privacy always deserve such prima facie protection? Indeed, why should it be protected at all if, in the circumstances, there are strong

the right to respect for privacy and family life); Art. 10(2) (limits on the right to freedom of expression).
88 See also text to nn. 46–8.
89 Hosking v. Runting, above n. 10, especially [117]–[128] (Gault and Blanchard JJ).
90 Ibid., especially [129]–[135] (Gault and Blanchard JJ).

Privacy: common law or human right?


countervailing public interest considerations? A preferable approach, as the English jurisprudence under the HRA has demonstrated,91 is to put privacy on a level playing field with these other interests. The public interest then becomes an essential consideration in determining whether or not there has been an invasion of privacy in the first place, rather than a defence. No right or interest is presumptively protected at the expense of any other. Rather, the rights and interests take their respective force from the factual contexts in which they operate. That factual context will sometimes determine that privacy is to be protected, sometimes not. In other words, the interests are put in the balance at the outset to determine which should be protected. This necessary balancing exercise provides the only methodology capable of giving equal and appropriate weight to legitimate competing interests in given factual circumstances. A claim in tort does not do this. This is reinforced by considering the incidence of the burden of proof in privacy cases that call competing rights and interests into play. In Hosking v. Runting Gault and Blanchard JJ held that where a public interest defence is raised in the tort of wrongful publication of private information, it is for the defendant to ‘provide evidence of the concern’.92 The significance of this statement is that, notwithstanding their Honours’ reference to the ‘conceptual soundness’ of treating ‘legitimate public concern’ as a defence in such cases, they do not expressly say that the (legal) burden of establishing the defence rests on the defendant, as general principle would suggest and as would normally be the case in tort law.93 It is true that human rights law accords with general principle by placing on defendants (particularly public authorities) the burden of establishing defences available in respect of rights that are not absolute, such as the defence that the defendant has acted in a manner ‘prescribed by law’ to achieve a legitimate aim that is ‘necessary in a democratic society’.94 However, particularly in disputes between private parties where competing human rights are in issue and a court has to determine their relative weight, it is for the courts, as an application of the doctrine of proportionality, to decide which right is to take precedence over the other(s).95 Each party must, of

91 See especially Clayton and Tomlinson, above n. 87, [12.21]–[12.77C].
92 See Hosking v. Runting, above n. 10, [129].
93 Compare Victorian Law Reform Commission, above n. 18, [7.176], which misses the subtlety of the New Zealand approach.
94 Clayton and Tomlinson, above n. 87, [6.213]–[6.262].
95 Ibid., [6.104]–[6.106]. The same is true where a public authority raises a defence to a claim that calls into play disputes between competing rights: ibid., [6.188]–[6.190].


Michael Tilbury

course, establish a prima facie interference with their respective right(s), as Gault and Blanchard JJ suggest. Once they have done so, the court must determine where the balance between the two rights lies, making any talk of the incidence of the burden of proof (in the sense of referring to the party who is at risk of losing if the court is not persuaded one way or the other) practically irrelevant.96

Privacy as a right in equity

The law of tort is not the only branch of the law that is concerned with civil wrongs. Equity also has something to say about wrongful conduct. Equity has, for example, long provided remedies for breach of trust and of fiduciary obligation. Equity also possesses a jurisdiction that protects confidentiality independently of contract. The action for breach of confidence prevents the disclosure of sensitive governmental information and commercial secrets. It also extends to the protection of confidential information acquired in the course of personal or intimate relationships.97 Superficially, then, the action can be seen as aimed, among other matters, at the protection of private or personal information, this being the very sort of interest protected in an action for invasion of privacy. It is perhaps hardly surprising, therefore, that, following the enactment of the HRA, the protection of privacy was ‘shoehorned’ into the action for breach of confidence so that the courts could give the measure of protection to privacy in English law that the European Convention on Human Rights (ECHR) demanded.98 What was shoehorned into the doctrine of confidentiality has at least modified the traditional action for breach of confidence. It is commonly known as the ‘extended action’ for breach of confidence.99 Given the modification to the traditional action that adoption of the extended action entails, it is surprising that, notwithstanding the absence of any constitutional or statutory requirement compelling this course, the High Court of Australia has hinted

96 Compare the view of the Victorian Law Reform Commission, which argues that requiring a court to consider the balance between privacy and public interest at the outset puts the burden of proving the absence of public interest on the plaintiff: see Victorian Law Reform Commission, above n. 18, [7.178]–[7.181]. But requiring the production of evidence to establish a prima facie case is simply not the same as specifying the incidence of the (legal or evidential) burden of proof.
97 For example, Argyll v. Argyll [1967] Ch 302; Giller, above n. 58.
98 Douglas, above n. 62, [53] (Lord Phillips MR, Clarke and Neuberger LJJ).
99 See T. Aplin, L. Bently, P. Johnson and S. Malynicz, Gurry on Breach of Confidence: The Protection of Confidential Information, 2nd edn (Oxford University Press, 2012), [1.25], [2.156]–[2.157].


that the development of the action for breach of confidence is a possible avenue for the further protection of privacy interests in Australian law,100 a view that the Victorian Court of Appeal has subsequently adopted.101 Subsuming privacy law into the action for breach of confidence seems, at first blush, much more sensible than subsuming it into tort. First, the confidentiality action may not show the same resistance as tort to compensating emotional distress standing alone: the principal injury that is likely to be claimed in an action for invasion of privacy. Second, the confidentiality action may be an appropriate one in which privacy interests can be weighed against competing interests, including the all-important interest in freedom of expression, to determine if, in all the circumstances of the case, privacy should be protected. But while these two factors have proved to be true in English law now that the extended action for breach of confidence has ‘absorbed’102 the human rights values in the ECHR,103 they have not clearly manifested themselves in the traditional action for breach of confidence. First, the only clear authority that unequivocally supports an award of compensation (however described)104 for emotional distress in a traditional action for breach of confidence is a decision of the Victorian Court of Appeal, where the reasoning is largely assertion,105 drawing its support principally from the extended action for breach of confidence as developed in England after the HRA.106 Second, the public interest is taken into account in the traditional action for breach of confidence by way of defence. This was originally a tightly confined defence of ‘iniquity’, but is now more generally regarded as a limiting factor (of more or less breadth) that qualifies the duty of confidentiality.107 Treating the public interest in this way seems to enforce the

100 See Lenah Game Meats, above n. 13, especially [55] (Gleeson CJ), [132] (Gummow and Hayne JJ, noting the possible role for ‘equitable wrongs’).
101 Giller, above n. 58.
102 See Campbell, above n. 1, [14], [17] (Lord Nicholls) (referring to the values in Art. 8 of the ECHR).
103 Aplin et al., above n. 99, [19.30] (emotional distress); [16.58]–[16.129] (balancing); and authorities there cited.
104 That is as damages at common law, damages under Lord Cairns’s Act or equitable compensation: see ibid., [19.02].
105 See M. Tilbury, ‘Remedies for Breach of Confidence in Privacy Contexts’ (2010) 15 Media and Arts Law Review 290, 292–3.
106 Giller, above n. 58, [154] (Ashley JA), [408]–[419] (Neave JA). There is also one unreported first instance Australian decision that supports recovery of emotional distress in breach of confidence: Jane Doe v. Australian Broadcasting Commission [2007] VCC 281, [186].
107 See R. Toulson and C. Phipps, Confidentiality, 2nd edn (London: Sweet & Maxwell, 2006), ch. 6. See also Aplin et al., above n. 99, ch. 16.


prima facie enforceability of the obligation of confidence, just as a defence of legitimate public concern does in a tort of wrongful publication of private information.108 Indeed, Lord Denning’s broader view of the defence in Woodward v. Hutchins109 – that in confidentiality cases the public interest in maintaining the confidence should be balanced in each case against the public interest in knowing the truth – is subject to the criticism that it fails to appreciate the prima facie enforceability of the obligation of confidence. In Gummow J’s trenchant criticism, it substitutes for a rule of law ‘an invitation to judicial idiosyncrasy by deciding each case on an ad hoc basis as to whether, on the facts overall, it is better to respect or to override the obligation of confidence’.110 The prima facie enforceability of the obligation of confidence that is implicit in this statement is reinforced by rejecting detriment as, invariably, a necessary ingredient of the action of confidentiality. As Gummow J put it: ‘The plaintiff comes to equity to vindicate his right to observance of the obligation, not necessarily to recover loss or to restrain infliction of apprehended loss.’111 As in tort, the right is, therefore, prima facie enforceable. Whatever justification this has in relation to the traditional action for breach of confidence, it potentially, and without warrant, privileges privacy at the expense of other interests when the action for breach of confidence is used to protect privacy.112 In truth, this points to the wider and basal difficulty of accommodating the protection of privacy in the traditional action for breach of confidence. Confidentiality and privacy are, simply, quite different things,113 as is reflected in the differing objectives of the traditional and extended actions for breach of confidence. The traditional action advances the public interest in the preservation and maintenance of confidentiality by giving plaintiffs a remedy against defendants who unconscionably reveal information that they have in their possession, where they have notice, or are held to have agreed, that the information is confidential.114 In contrast, private or personal information requires protection simply because it is

108 See text to nn. 92–6.
109 Woodward v. Hutchins [1977] 1 WLR 760, 763–4.
110 Smith Kline & French Laboratories (Australia) Ltd v. Department of Community Services and Health (1990) 22 FCR 73, 111.
111 Ibid., 112.
112 See text to n. 92.
113 A point forcefully made by Lord Mustill in R v. Broadcasting Standards Commission, Ex parte BBC [2000] EWCA Civ 116, [2001] QB 885, [49].
114 This attempts to combine the views of the action espoused by Lord Goff in Spycatcher, above n. 46, 281 (though he uses ‘unjustly’ rather than ‘unconscionably’), and by Browne-Wilkinson VC in Stephens v. Avery [1988] Ch 449, 456. At one time, the requisite wrongful conduct would have been found in the ‘breach of trust’ involved in the disclosure of


private or personal – that is, because, in respect of it, the plaintiff has a reasonable expectation of privacy – not because of the circumstances in which it is acquired or disclosed. The extended action for breach of confidence recognises this – even in respect of private information that would be protected under the traditional action.115 However, in doing so under the pretence of expounding, or being part of, a larger action for breach of confidence, it renders that action incoherent. It is now unclear how (if at all) the extended action is consistent with, or alters, the traditional action.116 The lack of conceptual clarity argues for a separation of the traditional and extended actions for breach of confidence.117 This would not only allow the traditional action to advance within a coherent framework of confidentiality, but would also recognise that the traditional action is now ‘largely of historical interest only’ to the development of a law of privacy.118 There is one final argument against the protection of privacy in the action for breach of confidence. However described, the action for breach of confidence has only ever protected claimants against the disclosure of confidential information. In this respect it is less appropriate than tort as a vehicle for the protection of privacy since it cannot protect claimants against an intrusion on their seclusion that involves no disclosure of information, something that, by general agreement, ought to be an objective of the law of privacy.119 If the protection of personal life

information acquired in the context of a pre-existing confidential relationship. Lord Goff’s dictum in Spycatcher (which is generally followed without question: consider Lenah Game Meats, above n. 13, [34]–[37] (Gleeson CJ)) dispenses with this requirement, but not with the necessity of otherwise invoking the equitable basis of the action (Hosking v. Runting, above n. 10, [246] (Tipping J)), though ‘unconscionable’ may be replaced by ‘unjust’, and ‘notice’ may be restated in terms of ‘knowledge’: consider Lenah Game Meats, above n. 13, [39] (Gleeson CJ). Some commentators go further and question the correctness of Lord Goff’s view of the basis of the doctrine of confidentiality: e.g. C. Hunt, ‘Rethinking Surreptitious Takings in the Law of Confidence’ (2011) 1 Intellectual Property Quarterly 66.
115 See McKennitt v. Ash [2006] EWCA Civ 1714, [2008] QB 73, [11], an ‘old-fashioned breach of confidence’ case: ibid., [8] (Buxton LJ); Lord Browne of Madingley v. Associated Newspapers Ltd [2007] EWCA Civ 295, [2008] QB 103, [24] (Clarke MR).
116 Compare Associated Newspapers Ltd v. HRH Prince of Wales [2006] EWCA Civ 1776, [2008] Ch 57 [27]–[30] (Lord Phillips CJ). See especially N. Moreham, ‘Breach of Confidence and Misuse of Private Information: How Do the Two Actions Work Together?’ (2010) 15 Media and Arts Law Review 265.
117 Accord: OBG Ltd v. Allan [2007] UKHL 21, [2008] 1 AC 1, [255] (Lord Nicholls); Hosking v. Runting, above n. 10, [45] (Gault P and Blanchard J), [245]–[246] (Tipping J); Toulson and Phipps, above n. 107 [2–006]. See also Aplin et al., above n. 99, [3.41].
118 A v. B [2002] EWCA Civ 337, [2003] QB 195, [9] (Lord Woolf MR) (speaking of the relevance of the case law on the traditional action to the extended action).
119 See text to nn. 62–3.


in Article 8 of the ECHR requires the English courts to develop such an action,120 and if that is done by expansion of the extended action for breach of confidence, the new action that emerged would bear even less resemblance to the traditional action than it does now – in fact, no more resemblance than the tort of negligence now bears to the old action on the case.

Conclusion

Lawyers have, consistently, referred to privacy as a ‘right’ ever since Warren and Brandeis’ 1890 article. They often do so to express regret at the lack of such a ‘right’ in the common law. This reflects a belief that privacy is associated with something that is, or ought to be, a fundamental entitlement, borne out of the association of privacy with autonomy and dignity. It may also reveal an instinctive appreciation that the ‘right to privacy’ is not simply to be turned into a tort of privacy or a species of the confidentiality action because, as has been argued in this chapter, the ‘right to privacy’ differs in subtle ways from these rights that are normally embedded in, or enforced as part of, common law and equity. The differences, especially the necessity to evaluate the force of competing interests in the circumstances of particular cases, mean that privacy is a weaker right than the residual, specifically drawn and prima facie enforceable rights of the common law. In short, privacy seems best regarded, conceptually, as simply a part of the law of human rights. In German law it took the affirmation of respect for human dignity and the right to personal freedom in the Basic Law of 1949 to reinstate discarded principles and rules protecting rights in personality (including privacy) in private law.121 Over half a century later, it has taken the enactment of the HRA to propel the English courts into developing actions specifically aimed at protecting privacy in private law. By reason of the horizontal effect of the HRA,122 the rights to privacy and to freedom of expression in the ECHR are now the basis of the private law actions that aim to protect individuals against the misuse of their private

120 See Mosley v. News Group Newspapers Ltd [2008] EWHC 1777 (QB), [2008] EMLR 20, [17] (Eady J); Goodwin v. News Group Ltd [2011] EWHC 1437 (QB), [2011] EMLR 27, [85] (Tugendhat J).
121 The fate of these principles and rules, derived from the old delictual actio iniuriarum of Roman law, was sealed with the introduction of the German Civil Code of 1900: see R. Zimmermann, The Law of Obligations: Roman Foundations of the Civilian Tradition (Cape Town: Juta & Co, 1990), pp. 1085–94.
122 See Clayton and Tomlinson, above n. 87, [5.106]–[5.111].


information.123 This development comes at a cost. In so far as it refers to the extended action for breach of confidence, it results in confusion and incoherence in the law, particularly in defining the relationship between the extended and traditional actions for breach of confidence. In so far as it refers to the possible development of tort law, it holds out little prospect beyond the creation of new torts of some specificity. If so, the protection of privacy in private law would remain patchy. No doubt these difficulties will all be overcome in time, but that may prove to be a long time. There is, however, an alternative that holds out the prospect of more effective, comprehensive and timely law reform: the creation of a statutory cause of action for invasion of privacy. A carefully drafted statute would address at least four general matters of a structural nature. First, it would recognise privacy as a human right. Second, it would set the boundaries of the right in a way that allows for the future development of the law. Third, it would ensure that privacy is appropriately protected by recognising the force of competing interests on the weight to be attached to the interest in privacy in any particular case. Fourth, it would define the relationship between the general statutory action for invasion of privacy, relevant human rights instruments and other statutory provisions regulating privacy in particular contexts (such as data protection and surveillance). In this way, a general cause of action for invasion of privacy in private law would contribute to developing a coherent law of privacy. In the United Kingdom, such a statute would also have the advantage of clarifying the uncertain relationship between the common law and the HRA.124

123 See especially Campbell, above n. 1, [17] (Lord Nicholls); McKennitt v. Ash [2006] EWCA Civ 1714, [2008] QB 73, [11] (Buxton LJ, with whom Latham and Longmore LJJ agreed).
124 For a recent review and analysis of this issue, see G. Phillipson and A. Williams, ‘Horizontal Effect and the Constitutional Constraint’ (2011) 74 Modern Law Review 878.

9 English privacy law in the light of the Leveson Report

Eric Barendt

Introduction

The ‘Report of the Inquiry into the Culture, Practices and Ethics of the Press’ conducted by Lord Justice Leveson (the ‘Leveson Report’) was published at the end of November 2012.1 Set up in the wake of the scandal of the hacking by the News of the World of the mobile phone of a murdered schoolgirl, Millie Dowler, the Inquiry considered episodes in which a range of witnesses – celebrities and ordinary members of the public – gave evidence that their privacy had been violated by journalists or press photographers. The Report sets out in considerable detail the ways in which their privacy had been infringed, the impact of these infringements on their lives and those of their family and friends, and also the arguments made by editors and journalists to justify, or excuse, the press conduct in these cases. The evidence given by these witnesses suggested to Lord Justice Leveson ‘a culture of indifference to individual privacy and dignity, at least within parts of the press’, a finding that was supported by further evidence of phone hacking, email hacking, blagging,2 harassment and surveillance.3 What light does the Leveson Report throw on English privacy law? Does it show that the courts are now striking the right balance between individual privacy and freedom of the press? Or does it suggest that the balance should be shifted in favour of greater protection for privacy? The Report, of course, was not an inquiry into the law of privacy. Unlike the Joint Committee of the House of Lords and House of Commons considering privacy law, sitting at much the same time,4 the Leveson Inquiry

1 Lord Justice Leveson, An Inquiry into the Culture, Practices and Ethics of the Press, House of Commons Paper no. 780 (London: The Stationery Office, 2012) (the Leveson Report).
2 The obtaining of information by impersonating someone entitled to obtain it.
3 Leveson Report, above n. 1, pt. F, ch. 6, [2.54].
4 The Joint Committee on Privacy and Injunctions submitted its report, Privacy and Injunctions on 12 March 2012: Joint Committee on Privacy and Injunctions, Privacy and


did not hear evidence from leading judges and lawyers on how the law was working. Leveson was concerned with the culture and ethics of the press, rather than with legal rights. But it would be wrong in this context to draw a sharp distinction between ethical and legal questions. Both privacy and freedom of expression are guaranteed as important (human) rights, because they reflect underlying moral and political arguments: for example, that the dignity and autonomy of individuals is dependent on respect for their privacy, and that they cannot participate in a liberal democracy without the exercise of free speech and some access to information. So it would be odd if the law failed to protect privacy, or protected it inadequately, when ethical arguments made a good case for strong protection. That is why it is right to look at English privacy law in the light of the evidence given to the Inquiry and the conclusions in the Leveson Report. The main features of English privacy law are briefly set out in the next section of this chapter. It has been developed entirely by the courts, though privacy is also protected by a number of statutes, notably the Protection from Harassment Act 1997 and the Data Protection Act 1998 (DPA). (The focus in this chapter is on the common law of privacy, or misuse of private information, which is the basis for the vast majority of proceedings in this context. Data protection law might provide an equally important basis for legal action against the press, if it did not enjoy a wide exemption from proceedings under the DPA, s. 32.) It might be thought surprising that the courts have been left without parliamentary intervention to formulate the shape of an important legal right that significantly curtails press freedom. However, the majority of legislative committees to have examined the matter have preferred to leave the development of the law to the courts. The House of Commons Culture, Media and Sport Committee in 2003 did recommend that the government should legislate to clarify the protection individuals can expect for their privacy,5 but the Committee came out against legislation in its subsequent reports in 2007 and 2010.6 Most recently, the Joint Committee of the House of Lords and House of Commons reviewing privacy law and the grant of injunctions in that

Injunctions, House of Lords Paper no. 273, House of Commons Paper no. 1443, Session 2010–12 (2012).
5 Culture, Media and Sport Committee, Privacy and Media Intrusion, House of Commons Paper no. 458–1, Session 2002–03 (2003), [111].
6 Culture, Media and Sport Committee, Self-Regulation of the Press, House of Commons Paper no. 375, Session 2006–07 (2007), [52]–[53]; Culture, Media and Sport Committee, Press Standards, Privacy and Libel, House of Commons Paper no. 362–1, Session 2009–10 (2010), [58]–[67].


context in 2012 rejected the introduction of a privacy law on the ground that a statutory definition of privacy would be inflexible and lead to more litigation. It also dismissed the argument that judge-made privacy law lacked parliamentary authority, for this law was based on the incorporation by the Human Rights Act 1998 (HRA) of the right to respect for private and family life, guaranteed by Article 8 of the European Convention on Human Rights (ECHR or Convention).7 In its brief consideration of the civil law, the Leveson Report concluded in agreement with the Joint Committee that legislative intervention will not do much other than generate further litigation; it would be foolish to attempt to define ‘privacy’ or the concept of the public interest, as a defence to privacy actions, in statute.8 Insofar as the Report does implicitly suggest some reconsideration of privacy law, that could be achieved as easily by judicial developments as it could by legislative reform.

The law of privacy

As is well known, English privacy law developed from the equitable jurisdiction to protect confidential information. Since the landmark decision of the House of Lords in Campbell v. MGN Ltd,9 the tort has been known as ‘misuse of private information’, and it now provides a cause of action separate and distinct from breach of confidence.10 The action is based on the right to respect for private and family life, guaranteed by Article 8 of the ECHR, which English courts are bound to protect under the HRA. Against that right must be balanced the right to freedom of expression, guaranteed by Article 10 of the Convention. So as Buxton LJ said in a leading decision in the Court of Appeal, the Convention provisions are ‘the very content of the domestic tort that the English court has to enforce’.11 On this basis the courts have developed a two-stage test for determining whether a privacy action will succeed. At the first stage the question is whether the claimant had a reasonable expectation of privacy, so as to engage her rights under Article 8. If she did have such an expectation, her privacy right must be balanced against the Article 10 rights of the press or other defendant; the courts must determine the comparative importance of the rights in the particular case, and decide whether it is proportionate

7 Joint Committee on Privacy and Injunctions, Privacy and Injunctions, above n. 4, [33]–[41].
8 Leveson Report, above n. 1, pt. J, ch. 3, [4.2]–[4.3].
9 Campbell v. MGN Ltd [2004] UKHL 22, [2004] 2 AC 457.
10 Douglas v. Hello! Ltd (No. 3) [2007] UKHL 21, [2008] 1 AC 1, [255] per Lord Nicholls.
11 McKennitt v. Ash [2006] EWCA Civ 1714, [2008] 1 QB 73, [11].


to limit one right in order to protect the other.12 So in the Campbell case the majority of the House considered it was a disproportionate interference with Naomi Campbell’s right to keep private her treatment at Narcotics Anonymous (NA) for addiction to drugs when the newspaper published details of this treatment, together with photographs of her outside the NA premises. In contrast, it was lawful for the newspaper to publish the bare story that Ms Campbell was receiving treatment for drug problems, a matter that she had previously denied. The impact on the claimant of publication of the details of the treatment would be considerable, as it might deter her from continuing with visits to NA. On the other side of the scales, it was not disproportionate to hold publication of the details and photographs an infringement of privacy, because they added nothing of substance to the legitimate publication of a story that Naomi Campbell was receiving treatment for her drugs problem.13 In the last few years the courts have developed a substantial body of privacy jurisprudence, to which it would be impossible to do justice in this chapter.14 There is space to highlight only a few points, which have been brought out in recent court judgments. The first concerns the components of the right to privacy protected by Article 8 of the Convention. In the media context, the claimant’s primary concern is generally to keep information concerning, for example, her health or sexual relationships private, so it is not disclosed to the general public. This can be described as informational privacy, the first component of the privacy right. But a second component is to stop unwanted access to, or intrusion into, her physical space.15 Often this type of privacy infringement occurs outside the media context, where, for example, a voyeur takes photographs with a telephoto lens of a woman undressing in her home, or a stalker pursues her in the streets. But it can also be invoked in a media case, where a celebrity wants to stop journalists and press photographers from besieging her house or making constant telephone calls to her family. The distinction between these types of privacy infringement was recognised by Tugendhat J in Goodwin v. News Group Newspapers.16 In

12 See Campbell v. MGN Ltd, above n. 9, [140]–[141] per Lady Hale.
13 Ibid., [144]–[158].
14 See M. Warby QC, A. Speker and D. Hirst in M. Warby, N. Moreham and I. Christie (eds.), Tugendhat and Christie’s Law of Privacy and the Media, 2nd edn (Oxford University Press, 2011), ch. 5 for a full discussion of this jurisprudence.
15 See N. Moreham in Warby, N. Moreham and I. Christie (eds.), ibid., [2.07] and [2.16]–[2.23].
16 Goodwin v. News Group Newspapers, [2011] EWHC 1437 (QB), [2011] EMLR 27.


that case he held that VBN, a woman with whom the claimant, Sir Fred Goodwin, had conducted an afair while she was working at the Royal Bank of Scotland, of which he had been Chief Executive, had no reasonable expectation that the fact of the relationship, her position or her name could be kept conidential. Her position at work and her name were important parts of a story that Sir Fred Goodwin, a public igure, could not reasonably have expected to be kept private. It was a matter of public concern, moreover, when a igure of his prominence had a relationship with someone less senior at the same place of work. Finally, in view of her position at the Bank, her name could not be kept conidential once her status had been identiied. But the judge kept in place the injunction to prevent publication of VBN’s name (though not her position at the Bank) on the ground that her identiication would be, or lead to, a signiicant intrusion into her private and family life – in terms of inquiries from the media and from work colleagues. he same judge also applied the distinction between conidentiality and intrusion in keeping in place the injunction to preserve the anonymity of the claimant in CTB v. News Group Newspapers ater he had been identiied as Ryan Giggs, the Manchester United footballer, by a question in the House of Commons.17 he point is that a privacy injunction may be granted to prevent, or at any rate reduce, harassment and intrusion, even ater the information has entered the public domain, so that it can no longer be regarded as private or conidential. Another dimension of both the Fred Goodwin and the Ryan Giggs cases was that injunctions were granted to preserve anonymity, despite the fact that the persons concerned had been identiied, or would almost be certainly be identiied, on the Internet. 
Tugendhat J in Goodwin admitted that it would be pointless in these circumstances to grant an injunction to preserve confidentiality, but its grant would reduce the degree of intrusion. Many people would not bother to go online to discover the name of the anonymous party, so she would be less likely to be harassed by neighbours and work colleagues. In Goodwin, Tugendhat J suggested that in privacy law there had been some recognition of the concept of a ‘public figure’.18 However the term is defined, there was no doubt that Fred Goodwin (at that time Sir Fred Goodwin) was a public figure, given his status as a powerful banker. Sportsmen and celebrities did not come within the definition of ‘public

17 CTB v. News Group Newspapers [2011] EWHC 1334 (QB). Also see the decision of Eady J refusing an earlier attempt to vary the injunction granting the claimant anonymity: CTB v. News Group Newspapers Ltd [2011] EWHC 1326 (QB), [24]–[26].
18 Goodwin v. News Group Newspapers, above n. 16, [64].

English privacy law and the Leveson Report

figure’, though their conduct could be a matter of public interest19 – relevant to the balancing of privacy and freedom of the press. However, in Spelman v. Express Newspapers20 the judge took a different approach, and may have expanded the public figure concept inappropriately. The claimant was a boy of seventeen who had played rugby for England at under-sixteen level and for the famous Harlequins Rugby Club. (He is also the son of a Conservative MP who was, at the time of the action, a member of the Cabinet.) Through his parents, he applied for an interim injunction to prevent the publication of unspecified private information, probably relating to his health and fitness. Tugendhat J held that sportsmen have ‘no, or at best a low, expectation of privacy if an issue of health relates to the ability of the person to participate in the very public activity of national and international sport’, because participation in high-level sport means that the participant surrenders control over many aspects of private life (my emphasis). Further, these principles did not apply only to those achieving the highest level, but probably extended to those aiming for this level.21 The judge did not consider the age of the claimant particularly relevant, as he was nearly eighteen and, even if he had been younger, his status as an international player meant that discussion of his sporting life contributed ‘to a debate of general interest about a person who is to be regarded as exercising a public function’.22 An injunction was refused on the ground that the Court could not find that the applicant was more likely than not (under HRA s. 12(3)) to establish at full trial that he had a reasonable expectation of privacy with regard to the information. Two points may be made in criticism of this judgment. First, it is surely wrong to regard a claimant as a public figure merely because he plays sport at international level, whether junior or senior.
It is very doubtful whether much interest would have been taken in the story, had it not concerned the son of a (then) Cabinet Minister. Few members of the public would regard the claimant as a celebrity or akin to one, let alone a person about whom the public was entitled to information concerning his health or other aspects of his private life. Second, it seems much better to treat the status of a claimant – whether a public official, celebrity, sportsperson or ordinary member of the public – as one aspect of the balancing test considered at the second stage of a privacy case. The court can then consider the status of the claimant in conjunction with other factors that

19 Ibid., [103].
20 Spelman v. Express Newspapers [2012] EWHC 355 (QB).
21 Ibid., [69]–[70].
22 Ibid., [72].

are relevant to the balancing of privacy against freedom of expression: whether the story contributes to a debate on a matter of general public interest, the character of the information to be revealed and the impact of publication on the claimant and her family. Indeed, the status of a privacy claimant is surely relevant only because there may be a greater public interest in discussion of aspects of a public figure’s private life than there is in comparable revelations about an ordinary member of the public; the status of the claimant should not determine in isolation whether she has a reasonable expectation of privacy. The European Court of Human Rights took this better approach in its recent decision in Axel Springer AG v. Germany,23 when it considered the criteria to be taken into account in balancing the two Convention rights. It was also the approach of Lindblom J in another recent case,24 when Steve McClaren, a former England football manager and a married man with three children, attempted, unsuccessfully, to obtain an interim order to stop the Sun publishing information and a photograph relating to his relationship with a woman he had met in Manchester. The judge held, following Spelman, that the claimant was a public figure, but that factor was considered together with others in balancing the claimant’s right to privacy and the newspaper’s rights under Article 10 of the Convention.25 Another difficult issue concerns the position of children, and the extent to which their expectation of privacy may be lost or diminished if one of their parents has put private information in the public domain or in some other way waived the children’s privacy interest. The question concerned the Joint Parliamentary Committee when it considered privacy law in 2011–12. It rejected the view that children become ‘fair game for the media’ merely because their parents expose them to some publicity.
Only in exceptional circumstances could there be a public interest to publish information infringing the privacy of children.26 However, the courts do not seem to take this approach. In the leading case, Murray

23 Axel Springer AG v. Germany (Application no. 39954/08) [2012] ECHR 227, (2012) 55 EHRR 6 (GC), [90]–[91]. The decision was referred to by Tugendhat J in Spelman v. Express Newspapers, above n. 20, [49]–[50], but it provides no warrant for treating the status of the claimant in isolation from other factors when determining whether he had a reasonable expectation of privacy.
24 McClaren v. News Group Newspapers Ltd [2012] EWHC 2466 (QB), [2012] EMLR 33.
25 Ibid., [34]. Another factor persuading the judge not to grant an interim order was that the claimant had on another occasion discussed a previous affair, so to some extent perhaps waiving his privacy in that area of his private life.
26 Joint Committee on Privacy and Injunctions, Privacy and Injunctions, above n. 4, [81].

v. Express Newspapers Ltd,27 the Court of Appeal held the infant son of J. K. Rowling had an arguable case that he had a reasonable expectation of privacy, when a photograph was taken (and subsequently published) while he was out with his parents on an Edinburgh street. It approved a passage in the lower court’s judgment, where Patten J had said the reasonable expectation of a child must be determined on an objective basis, taking account of the reasonable expectations of the parents. The Court of Appeal added that if, unlike the parents in this case, they had courted publicity, its approach might be very different.28 The implication is that parents would have surrendered or waived the privacy to which a child would otherwise be entitled. This approach has been taken in a recent case by Nicola Davies J.29 The claimant, a young child, brought an action for privacy, through a litigation friend, claiming damages for the publication of a newspaper article speculating about the identity of her father, an elected politician, and for publication of her photograph, taken when she was less than one year old. It was accepted that the paternity of a young child engages her privacy rights under Article 8 of the Convention, but in deciding whether she had a reasonable expectation of privacy, account should be taken of her mother’s conversations with friends and a magazine interview, in which the mother had permitted speculation about the child’s paternity. ‘[T]he result has been to compromise the claimant’s reasonable expectation of privacy on the issue of her paternity.’30 Her expectation of privacy was entitled to less weight when it was balanced against the enormous public interest in the identity of her father and his fitness for office. But the judge took a different view of publication of the photograph, which could not be justified by any ‘exceptional public interest’;31 the article provided all the necessary information.
The claimant was awarded £15,000, a sum designed to serve as notice how seriously the courts take infringement of a child’s rights.32 The reasoning in these cases is open to question. If the privacy right of a young child is infringed by premature publication of her paternity,

27 Murray v. Express Newspapers Ltd [2008] EWCA Civ 446, [2009] 1 Ch 481.
28 Ibid., [37]–[38].
29 AAA v. Associated Newspapers Ltd [2012] EWHC 2103 (QB), [2013] EMLR 2. The decision has been upheld by the Court of Appeal, which, in particular, approved Nicola Davies J’s reasoning on the claimant’s reasonable expectation of privacy: [2013] EWCA Civ 554, [21]–[37].
30 AAA v. Associated Newspapers Ltd [2012], ibid., [116].
31 ‘Exceptional public interest’ is required by the Press Complaints Commission Code cl. 6 (vi) to override the paramount interests of a child in the protection of their privacy.
32 AAA v. Associated Newspapers Ltd, above n. 29, [2012], [127].

it is hard to see why the parent’s conduct should compromise that right. Admittedly, an adult may be able to waive her own privacy rights, though the position in English law is far from clear.33 Why should a mother be able to surrender, or compromise, her child’s right? The difficulty probably lies in the problematic concept of a ‘reasonable expectation of privacy’, which makes it plausible to argue that a child whose mother or father has given interviews about, say, its paternity or upbringing cannot reasonably expect to have that aspect of its privacy fully protected. But the idea of the ‘reasonable expectation’ of a very young child is of course bizarre, and it would surely be better to dispense with the concept in this context. The question is, what is objectively necessary to protect the privacy of a young child; disclosure of paternity in some circumstances may well lead to media intrusion, with potentially damaging consequences for her psychological welfare. The final aspect of English privacy law to be explored briefly in this section of the chapter concerns the level of damages. Compared to libel damages they have been assessed at a very modest level.34 The highest award of compensatory damages, £60,000, was given in the Mosley case to represent the unprecedented scale of distress and indignity suffered by the claimant after the publication in a large circulation newspaper and its website of video images of him engaged in sado-masochistic sexual conduct. In the Campbell case, the trial judge awarded the supermodel £2,500 compensatory damages, and an additional £1,000 as aggravated damages for the post-publication conduct of the newspaper in belittling her for pursuing the privacy claims. The compensatory award is typical of the sums given to successful claimants.
Exemplary damages are not awarded, and indeed in Mosley Eady J ruled that they were not available, in the absence of legislation or a decision of the Supreme Court.35 However, recently in Spelman, Tugendhat J suggested that damages should not be too low, if they are to be regarded as an adequate remedy for infringement of the privacy right; he drew attention to the reports of the relatively generous sums paid by News International to settle claims of phone hacking.36 Nicola Davies J shared this concern, when she awarded the child claimant £15,000 for three publications of her photograph. The relatively high award was designed to show the press how seriously the

33 Warby, Moreham and Christie, above n. 14, [12.24]–[12.33].
34 Ibid., [13.109]–[13.116].
35 Mosley v. News Group Newspapers Ltd [2008] EWHC 1777 (QB), [2008] EMLR 20, [176]–[186].
36 Spelman v. Express Newspapers, above n. 20, [114].

courts regard this sort of privacy infringement. The Joint Committee also considered the level of damages awarded in privacy cases too low to act as an effective deterrent; it recommended that courts should have the power to award exemplary damages, if necessary by legislation.37 As will be seen, the Leveson Report made the same recommendation and further concluded that the level of damages in privacy and other comparable actions should be reviewed.

The Leveson Report treatment of privacy

The discussion of privacy issues is concentrated in Chapter 6 of Part F of the Report, though it also features in other chapters in Part F and in the short chapter of Part J, which is concerned with the civil law. Chapter 6 summarises the copious evidence revealing the number of ways used by sections of the press to obtain access to private information with a view to publication: phone hacking and email hacking, blagging, surveillance and obtaining confidential information from people under a duty not to disclose it, for example flight attendants disclosing information about the movements of celebrities. The chapter also includes specific sections on harassment, intrusion into the grief and shock suffered by bereaved relatives, and the treatment of children. The opening section of Chapter 6 of the Report begins with the evidence that ‘a cultural strand exists within the press betraying an unethical cultural indifference to the consequences of exposing private lives, and a failure to treat individuals with appropriate dignity and respect’ – in effect ‘an overarching complaint’ encompassing many of the specific criticisms discussed later in the chapter.38 (The reference to dignity and respect captures the ethical foundations of the modern law of privacy, which is no longer rooted primarily in the traditional basis of honouring confidential relationships.39) The section, titled ‘Lack of respect for privacy and dignity’, chronicles the ways in which sections of the press, newspaper photographers and paparazzi infringe privacy, and the devastating impact the infringements may have not only on the complainant, but also on members of their family. For example, a press story concerned the parents of the well-known singer Charlotte Church; they were private people, whose lives were publicised purely because of their relationship

37 Joint Committee on Privacy and Injunctions, Privacy and Injunctions, above n. 4, [134].
38 Leveson Report, above n. 1, pt. F, ch. 6, [2.1].
39 See Campbell v. MGN Ltd, above n. 9, [50]–[51] per Lord Hoffmann.

to the singer.40 Press intrusion had a significant impact on the children of J. K. Rowling; a journalist on one occasion arranged for a letter to the author to be placed in her five-year-old daughter’s handbag.41 When the Court of Appeal lifted the injunction that had been granted to a Premier League footballer, Gary Flitcroft, to stop The People publishing stories of two sexual affairs,42 the subsequent publication had a devastating impact on his family. His wife did not take their children to school in order to avoid journalists and photographers harassing her on the school run, while his father stopped going to football matches to avoid humiliating chants from the fans. According to Flitcroft, this aggravated his father’s depression. His father committed suicide a few years later, while the Flitcrofts’ marriage ended in divorce.43 Understandably, the Report can be read as somewhat critical of the controversial Court of Appeal ruling that had permitted publication of a story of little or no real public interest.44 A last example concerns the partner of Hugh Grant; when Tinglan Hong gave birth to their child, she experienced constant harassment, which caused her to fear for her safety. It continued until she obtained a High Court injunction under the Protection from Harassment Act 1997 to stop it.45 What emerges from this recital of egregious press conduct is that the real damage resulting from a privacy infringement may be the impact on the psychological welfare of the relatives and others associated with the celebrity. The harm is primarily occasioned not by the loss of informational privacy or confidentiality, but by the consequent intrusion into the lives of a celebrity’s partner, parents or neighbours. Leveson’s analysis supports the distinction recently drawn by the judiciary, notably Tugendhat J in Goodwin, between the confidentiality and the intrusion components of the privacy tort.
The law is now well used to the ‘chilling effect’ argument that an interference with freedom of expression is deleterious not only because it infringes the speaker’s rights, but because it may deter others from speaking (or writing) freely. It should also take account of the conclusion, well supported in the Leveson Report, that a violation of personal privacy has consequences for others, as well as for the immediate victim.

40 Leveson Report, above n. 1, pt. F, ch. 6, [2.7].
41 Ibid., [2.12]–[2.19].
42 A v. B plc [2002] EWCA Civ 337, [2003] QB 195.
43 Leveson Report, above n. 1, pt. F, ch. 6, [2.33]–[2.36].
44 Ibid., [2.30].
45 Ibid., [2.38] and [5.2]–[5.4]. See also the intrusion into grief and shock occasioned by the press surrounding the house of Anne Diamond, a well-known TV presenter, an hour after her son’s death was reported. The family priest was too intimidated to enter the house: ibid., [6.7].

The Leveson Report considered the argument that celebrities are not entitled to the same degree of privacy as ordinary members of the public, largely because they court publicity by giving interviews to magazines and on radio and television. Broadly, it is sceptical of this argument. Even if Charlotte Church had appeared with her children in OK! and Hello! magazines, that did not ‘necessarily indicate a desire to expose her entire private life or the lives of her family to public view’.46 In the fullest discussion of this argument, Leveson found, in the context of the treatment of Hugh Grant, there were problems in the reasoning of Paul Dacre, the powerful Editor in Chief of the Daily Mail, to the effect that the press could investigate and report on the actor’s private life because he had made public disclosures of elements of that life. First, the evidence did not support the assumption that Hugh Grant had courted publicity. But even if he had, he would not as a result be ‘fair game’ for the press so that it could publish other details of his private life without his consent. Leveson appears to have accepted the force of Grant’s colourful argument that once the barter of a press interview was over, that should be the end of press publicity: ‘If I sell you a pint of milk for 50p, I would not expect you to come to me forever afterwards, saying, “You slut, you sold me milk once. I can now help myself to your milk forever.” I would think you were mad.’47 Finally, Hugh Grant’s status as a celebrity or public figure could not justify the harassment of, or intrusion into the lives of those close to him.48 A number of particular points in the Report should be noted briefly.
Like the courts, Leveson draws a distinction between the publication of information, which may be legitimate insofar as it relates to a story of public interest, and the publication of photographs, which are likely to do greater damage to personal privacy and which are unlikely to add to the information provided in a public interest story.49 The Report is rightly sceptical of a newspaper picture editor’s argument that celebrities have no reasonable expectation of privacy when they are photographed without their consent on a public street.50 In the context of the treatment of

46 Ibid., [2.10].
47 Ibid., [2.39]–[2.43].
48 Ibid., [2.44]. Also see ibid., [5.4]: whatever justification there may be for publishing information about celebrities, there is no warrant for harassing those close to them.
49 See the treatment of the story and photographs in the Sun depicting Prince Harry naked in Las Vegas: Leveson Report, above n. 1, pt. F, ch. 5, [8.9]–[8.12]. For court decisions on the special impact of photographs, see Theakston v. MGN Ltd [2002] EWHC 137 (QB), [2002] EMLR 398, and Douglas v. Hello! Ltd [2005] EWCA Civ 595, [2006] QB 125, [84] per Lord Phillips MR.
50 Leveson Report, above n. 1, pt. F, ch. 6, [5.21].

harassment, Leveson points out the weakness of the argument that the taking of a ‘single’ photograph of a celebrity while out in public could not amount to harassment; that fails to meet the point that the celebrity is complaining of the cumulative impact of a number of photographs taken over a period of weeks or months, which are understandably felt to be oppressive.51 It was the repeated infringement of Princess Caroline’s privacy through publication of innocuous photographs of her while she was out in public that may explain the European Court of Human Rights decision in the famous Von Hannover v. Germany (No. 1) case.52 A short section of Chapter 6 (in Part F of the Report) discusses the treatment of children. Although in theory they are strongly protected under the Editors’ Code applied by the Press Complaints Commission, a lot of evidence indicated that the Code has not always been observed by sections of the press. Celebrities such as Charlotte Church and J. K. Rowling told the Inquiry that their young children were repeatedly photographed and subject to media harassment. Most strikingly, Drs Kate and Gerry McCann reported that their two-year-old twins suffered (with their parents) from constant harassment by the press and paparazzi on their return to England after their daughter Madeleine’s disappearance, and photographs of them were published in a number of papers without pixilation.53 Leveson concluded that the press is more respectful of children than of adults, but parts of it failed to comply with the Editors’ Code of Conduct, in particular the requirement in clause 6(v) that the fame of a parent must not be used as sole justification for infringing the privacy of a child.54

The Report’s treatment of the press arguments

Some of the specific press arguments in privacy disputes have already been discussed in the previous section, notably its claim in some instances that the complainant is a public figure who has courted publicity. More generally, Leveson is critical of the reliance by newspapers on freedom of the press ‘as a mantra which conquers all’.55 The ‘hypocrisy’ argument is used

51 Ibid., [5.30].
52 Von Hannover v. Germany (No. 1) (Application no. 59320/00) [2004] ECHR 294, (2005) 40 EHRR 1.
53 Leveson Report, above n. 1, pt. F, ch. 6, [7.3]. (Also see pt. F, ch. 5, s. 3 for a full discussion of the treatment of Kate and Gerry McCann.)
54 Ibid., [7.5]–[7.6].
55 Leveson Report, above n. 1, pt. F, ch. 1, [3.18].

indiscriminately to justify revelations about aspects of a celebrity’s life, even though she might have had good reason to keep silent about them or even, it may be argued, lie in the course of an interview.56 Further, newspaper editors sometimes contended that they were following general practice, and that other newspapers were publishing the same celebrity stories as they were. Leveson is rightly critical of this defence. It showed a worrying indifference to press ethics; a lack of respect for dignity and privacy could not be justified on the argument that competitors adopted the same deplorable practices.57 Of greater relevance to the development of privacy law is Leveson’s treatment of two standard arguments for the publication of stories that infringe privacy. First, newspaper editors claim that the story is newsworthy and important to their readers.58 Second, the press now increasingly argue that the story is already circulating on the Internet, in particular in the social media, and that therefore it can no longer be regarded as private; in legal terminology, that it is in the public domain. In the introductory chapter in Part F of the Report, Leveson points out that the legitimate interests of the press do not give it a free hand to look everywhere; the public does not have an entitlement to know everything, for that entitlement is limited by a ‘correct appreciation of what the public truly has a right to know about’.59 Editors and journalists, however, frequently conflated matters of real public interest and stories that their readers found interesting.
This ‘elision leaves little room for the protection of privacy if a readership is interested in reading about the private lives of others’.60 For example, the harassment of Ms Hong, Hugh Grant’s partner, and the publication of photographs of her, could not be justified simply by stating that the story of the birth of her child was of great interest to readers.61 The press has an ethical obligation to consider the impact of its conduct in obtaining and publishing a story on the individuals affected; it is not enough to say that the story is a big one about a

56 Ibid. For a critique of this argument, see J. W. Devine, ‘Privacy and Hypocrisy’ (2011) 3 Journal of Media Law 169.
57 See Leveson Report, above n. 1, pt. F, ch. 7, [2.69]–[2.74], discussing this argument in the context of the treatment of the McCanns.
58 The story about Charlotte Church’s parents was justified simply because it ‘interested the readership’ – evidence by Paul McMullan, a News of the World journalist: Leveson Report, above n. 1, pt. F, ch. 6, [2.8].
59 Leveson Report, above n. 1, pt. F, ch. 1, [3.16].
60 Leveson Report, above n. 1, pt. F, ch. 6, [2.63]: in commenting on the justification given by the editor of the Daily Express for the publication of numerous intrusive stories about the McCanns.
61 Ibid., [5.27].

celebrity. The distinction between a story of real public interest and one that is interesting to readers is of course very familiar in English privacy (and libel) law. So it is not surprising that the Report draws it so clearly. What is more revealing in the Report is the indifference of some editors and journalists to the ethical considerations attendant on any respect for individual privacy and dignity. When there is a very big story, as in the case of the McCanns, or where readers have an enormous interest in a celebrity, as apparently they do with Hugh Grant, ethical principles are simply put aside.62 The treatment in the Report of the second argument is perhaps more controversial. The press sometimes make the case that they should be free to publish private material once it is available on the Internet. It was used recently by the Sun to justify publishing pictures of Prince Harry naked in a Las Vegas apartment, to which apparently he had invited a number of people. The photographs showed him shielding and embracing a naked girl. They had been published on an American website and also on the Guido Fawkes blog based in Ireland. But that did not, in Leveson’s view, justify their publication in the newspaper.63 If that argument were accepted, it would be too easy for the mass media to evade privacy considerations, for someone somewhere will always be prepared to publish celebrity photographs, so giving the press an excuse to publish them itself.64 The Sun’s case was ironically weakened by the refusal two months later of all the UK press to publish photographs of a topless Duchess of Cambridge, even though they were widely available in European jurisdictions. It took the view that there was no legitimate public interest in their publication; if that was so, equally it was not in the public interest to publish the Prince Harry pictures.
The widespread availability of images on the Internet was not a trump card in either of these cases.65 The Report returns to this question towards the end of the concluding chapter in Part F.66 Leveson rejects the case for the uninhibited freedom of the press to publish material already revealed on the Internet for two reasons. The first is that bloggers and website operators do not claim to be acting in accordance with ethical constraints, as newspapers (sometimes) do. There is no equivalent of the Press Complaints Commission or of the Editors’ Code to restrain speech on the Internet. Consequently, people place little reliance on communications on the Internet, and do

62 Ibid., [5.38].
63 Leveson Report, above n. 1, pt. F, ch. 5, [8.16].
64 Ibid., [8.47].
65 Ibid., [8.48].
66 Leveson Report, above n. 1, pt. F, ch. 7, s. 3.

not assume that they carry an assurance of accuracy.67 This final observation may not be sound. Younger people in particular may have as much confidence, if not more, in the information they find on the Internet as in newspaper stories. And the Leveson Report itself shows that the public is now entitled to place less confidence than they used to in the reliability of some newspapers. There is perhaps more to Leveson’s second reason for rejecting the press case. ‘There is a qualitative difference between photographs being available online and being displayed, or blazoned, on the front page of a newspaper such as The Sun.’68 The latter has much greater impact both in terms of loss of privacy or confidentiality, and in terms of the potential for consequent intrusion into the life of the victim and her family. The broadcasting media, for example, regularly review newspaper stories in their news programmes; they do not do the same for blogs and communications on the social media. Some people do not yet have access to the Internet, and many refrain from searching it for celebrity stories, but more or less everyone is exposed to newspaper headlines and to the content of the front page. The courts have accepted the same argument; publication on the Internet is less intrusive.69 Of course, this may change, and even now it may not hold for stories so widely circulated on the Internet that they have become common gossip. But with these qualifications, Leveson’s second argument for rejecting the press argument seems sound enough.

The Leveson Report on damages

As already mentioned,70 the Report did not say anything about the substantive law of privacy (or defamation for that matter) beyond sharing the scepticism of the Joint Committee of the House of Lords and the House of Commons with regard to the case for statutory intervention to protect the right. But it does say something about the assessment of damages. After chronicling the low level of awards in privacy cases, Leveson was not satisfied that their assessment is at the right level. An increase of 10 per cent in damages for non-pecuniary loss in tort cases will not compensate for the loss of Conditional Fee Agreements in privacy (and defamation) cases.71

67 Ibid., [3.3].
68 Ibid., [3.4].
69 See Goodwin v. News Group Newspapers Ltd, above n. 16, [125] per Tugendhat J.
70 See text at above n. 8.
71 Leveson Report, above n. 1, pt. J, ch. 3, [5.3]–[5.6]. An increase of 10 per cent in damages for non-pecuniary loss was imposed by the Court of Appeal in Simmons v. Castle [2012] EWCA Civ 1039, following the recommendations in the Lord Justice Jackson, Review of

Leveson recognised that it was inappropriate for the inquiry to make specific reform proposals, but it did recommend that there should be a review of damages generally available for privacy, breach of confidence, infringement of data protection principles and other media-related torts. The Report noted that there were no judicial guidelines for the award of damages in privacy or breach of confidence cases; this lack should be considered by the Civil Justice Council, which considers the accessibility and efficiency of the civil justice system.72 Four paragraphs are devoted to exemplary damages. Leveson understands the reluctance of judges to extend the ‘somewhat anomalous punitive jurisdiction’ to award these damages in privacy cases, but considers it right to point out that in many circumstances considered during the course of the inquiry privacy had been infringed (or a reputation besmirched) to make a profit by increasing readership and sales.73 In agreement with the Joint Committee on Privacy and Injunctions,74 Leveson had no doubt that the courts should be able to award exemplary damages in privacy cases, for breach of confidence, and in other media torts.75 This conclusion appears acceptable.
What is harder to accept is the attempt in this section of the Report to connect this proposal with its more important recommendations to devise a scheme for a self-regulatory body for the press, in which all newspapers and magazines will participate.76 His proposal is that voluntary participation in the new scheme (to be recognised by statute) should be relevant to the award of exemplary damages; the clear implication is that a decision of a newspaper or magazine to remain outside it would provide evidence of an ‘outrageous disregard’ of ethical standards, as would the absence or failure of adequate procedures to audit the origin of a newspaper’s stories.77 Admittedly, all significant newspapers and other news publishers should be encouraged to participate in the new regulatory body. But a decision not to participate in it does not provide good grounds for an award of exemplary damages in a particular case. What is required for their award is evidence that the

Civil Litigation Costs: Final Report (London: The Stationery Office, 2010), ch. 32, that an increase should be made to compensate for the loss of success fees payable to a successful claimant under Conditional Fee Agreements.
72 Leveson Report, ibid., above n. 1, [5.7].
73 Ibid., [5.9] and pt. F, ch. 6, [2.56]–[57].
74 Joint Committee on Privacy and Injunctions, Privacy and Injunctions, above n. 4.
75 Leveson Report, above n. 1, pt. J, ch. 3, [5.12].
76 A major weakness of the existing scheme for self-regulation under the Press Complaints Commission is that the Express Group of newspapers and Private Eye are not subscribing members.
77 Leveson Report, above n. 1, pt. J, ch. 3, [5.11].

English privacy law and the Leveson Report

defendant newspaper calculated that publication of a story would make profits for itself likely to exceed the compensatory damages payable to the claimant.78 Leveson’s proposal may have a laudable aim, but seems misconceived.

Implications of the Report for privacy law

The Leveson Report might have an impact on privacy law in two ways. First, it might directly influence the framing of the law or court decisions in particular cases. It will have that effect on the award of damages if its proposals for higher awards and for the availability of exemplary damages are taken up. What is much more likely is that it may have some looser impact on the way in which the law develops, for example on how arguments are shaped before the courts and how their decisions are considered by commentators. There are perhaps three aspects of privacy law on which, it is suggested, the Leveson Report might have effects of this much less precise kind. First, its emphasis on the impact of privacy intrusion may lead to greater concentration on this component of the tort. In this respect it would reinforce a trend that is already observed in recent court judgments. Further, in this context the Report reminds us that privacy infringements, particularly the intrusion component, affect third parties as well as the victim herself: neighbours and friends and, most strongly, the family of the victim of the intrusion, which may include young children or vulnerable parents, like the father of Gary Flitcroft. On the second aspect, the Leveson Report runs counter to the thrust of a few recent judgments: the treatment of public figures. It was unsympathetic to the press argument that celebrities and other public figures had less entitlement to privacy rights than ordinary members of the public;79 in contrast the judgments in Spelman80 and McClaren81 attached considerable significance to the status of the claimant. The Report strengthens the arguments that this judicial development is misconceived: the status of a claimant as a public figure should not itself be regarded as significant, but treated only as one factor to be considered, together with many others, when determining whether the publication of the story is in the public interest.

The Report also discusses why public figures disclose aspects of

78 For the authoritative statement of the circumstances in which exemplary damages may be awarded in defamation cases, see Lord Bingham in John v. MGN Ltd [1997] QB 586, 616–17.
79 See the text above at nn. 46–8.
80 Spelman v. Express Newspapers, above n. 20.
81 McClaren v. News Group Newspapers Ltd, above n. 24.

their private life to the media and in doing so give rise to the often specious argument that they have courted publicity and therefore have no reasonable expectation of privacy. As Hugh Grant explained,82 the initial disclosure may have been made purely to promote a film, or other project with which the celebrity is associated, and should not be taken as indicating any surrender of privacy. The third point is that the Report might encourage greater use of the Protection from Harassment Act 1997 to protect personal privacy. Under this legislation, civil proceedings may be taken to stop an actual or apprehended breach of the obligation not to pursue a course of conduct that amounts to harassment and that the defendant knows or ought to know amounts to harassment of another. It has been used in the last few years to stop media harassment, particularly by photographers who wait outside a celebrity’s home and pursue her when she leaves it.83 As Leveson points out, freelance photographers and photo agencies are not bound by the Editors’ Code of Conduct, so there is a regulatory gap with regard to their activity.84 Yet harassment constitutes one of the most egregious forms of privacy infringement, capable of rendering its victim’s life unbearable.85 Greater use of the 1997 legislation to prevent harassment by journalists and photographers should surely be welcomed by anyone reading the account in the Report of these episodes. Quite apart from these three particular aspects of privacy law, the Report sheds considerable light on the impact of media intrusion on its victims, on the arguments used by editors and journalists to justify their practices, and on the general culture of the press in this context. Most importantly, Leveson gave individuals – celebrities and ordinary people like the McCanns involved in personal tragedies – the opportunity to give their story and voice their grievances at how they had been treated.

The Report provides an essential, though depressing, commentary on how English privacy law works, even if it does, all too often, fail to work effectively.

82 Leveson Report, above n. 1, ch. 6, [2.41]–[2.42].
83 M. Thomson and N. McCann, ‘Harassment and the Media’ (2009) 1 Journal of Media Law 149.
84 Leveson Report, above n. 1, pt. F, ch. 6, [5.15]–[5.19].
85 See the claimant’s evidence in Hong v. XYX [2011] EWHC 2995 (QB), [4]–[8].

PART IV Privacy, surveillance and control

10 Surveillance in public places: the regulatory dilemma

Moira Paterson

Introduction

The multifaceted nature of privacy creates inevitable regulatory complexity. This is especially pronounced in relation to surveillance, particularly to the extent that it involves activities that have a public dimension. Surveillance is regulated to varying extents by constitutional or quasi-constitutional protections of privacy, statutory data protection regimes, civil law actions and laws that restrict telecommunications interceptions and various other specific surveillance activities. These regimes vary considerably as between jurisdictions due to cultural and constitutional differences, including differences in the nature and extent of any constitutional or human rights protection of privacy and the often competing right to freedom of expression. This chapter focuses on the specific issue of regulation of surveillance in public places and on three jurisdictions that typify some of the main differences in regulatory approach: Australia, the United States and the United Kingdom. It explains the increasing significance of surveillance in public places as a policy issue and why it challenges key distinctions that currently underlie existing privacy regimes, provides a brief overview of the applicable regimes in the three countries surveyed and of the specific policy issues raised by selected types of surveillance activities, including surveillance by media organisations.

The significance of surveillance in public places

While the need for privacy protection against surveillance is not a new phenomenon, it has become more important in recent decades due to technological developments that have increased the prevalence of surveillance and the forms that it takes. The regulation of privacy in public places has become an important policy issue because technology-facilitated surveillance increasingly undermines anonymity in relation to public activities. The concept of ‘public places’ was explored by the Victorian Law Reform Commission (VLRC) in the context of its Surveillance in Public Places reference. The Commission found it most helpful to focus on the degree of accessibility of different places to members of the public1 and used a legislative definition based on public access to physical places as the basis for its consideration of this issue.2 The Commission’s definition relates to physical space, but it is arguable that the concept of public accessibility is equally applicable to cyberspace and to telecommunications more broadly. The negative implications of surveillance first received detailed consideration in the context of the convergence of computer and telecommunications technologies and its impact on information privacy.3 These analyses focused on issues of human autonomy and dignity, with an emphasis on the use of personal information as a basis for the exercise of power and the lack of dignity inherent in treating individuals as objects (i.e. as composites of their collated data).4 They also emphasised the important social dimension of anonymity and its role in protecting processes of self-definition and individuation.5 The privacy issues raised by surveillance activities have traditionally been articulated with reference to two key metaphors: Orwell’s ‘Big Brother’6 and Bentham’s panopticon.7 The former represents a concept of

Developments discussed in this chapter are to 30 April 2013.
1 Victorian Law Reform Commission, Surveillance in Public Places, Consultation Paper no. 7 (2009) [1.19].
2 It described as useful the definition in the Racial Discrimination Act 1975 (Cth) s. 18C(3), which states that ‘public place includes any place to which the public have access as of right or by invitation, whether express or implied and whether or not a charge is made for admission to the place’: see ibid., [1.20].
3 See, for example, M. Paterson, ‘Privacy Protection in Australia: The Need For an Effective Private Sector Regime’ (1988) 26 Federal Law Review 371.
4 K. Foord, Defining Privacy, Victorian Law Reform Commission Occasional Paper (Melbourne: Victorian Law Reform Commission, 2002), p. 3.
5 See J. A. Oravec, ‘The Transformation of Privacy and Anonymity: Beyond the Right to be Let Alone’ (2003) 39 Sociological Imagination 3.
6 G. Orwell, Nineteen Eighty-Four (New York: Alfred A. Knopf, Inc. 1992). See, for example, J. A. Dillard, ‘Big Brother Is Watching: The Reality Show You Didn’t Audition For’ (2011) 63 Oklahoma Law Review 361.
7 The implications of the panopticon concept as a mechanism for control were first highlighted by Foucault: M. Foucault, Discipline and Punish: The Birth of a Prison (Harmondsworth: Penguin, 1979). See further C. Slobogin, ‘Public Privacy: Camera Surveillance of Public Places and the Right to Anonymity’ (2002) 72 Mississippi Law Journal 213, 236–7.

totalitarian government based on surveillance and total social control and initially surfaced in relation to concerns about the potential dangers of untrammelled governmental surveillance. The latter focuses instead on the behavioural inhibitions arising from constant and focused observation. What is in issue in each case is loss of anonymity; the inability to go about one’s activities without being identified in relation to them and therefore remain ‘unremarked, part of the undifferentiated crowd’.8 Modern observational and information collection activities destroy public anonymity by making it difficult, if not impossible, to engage in any publicly observable activities free from identification and surveillance. As explained by Slobogin, this is significant because: ‘Anonymity in public promotes freedom of action and an open society. Lack of public anonymity promotes conformity and an oppressive society.’9 Pervasive surveillance encourages blandness and conformity, leading to ‘a blunting and blurring of rough edges and sharp lines’, and dampens any aspirations towards eccentricity.10 Both the ‘Big Brother’ and panopticon metaphors suggest a stable ‘top-down’ system of scrutiny. However, surveillance is no longer solely the province of government; it is also widespread throughout the private sector. The significance of this development is captured by Haggerty and Ericson’s concept of the ‘surveillant assemblage’,11 a complex system that arises due to the converging interests of multiple public and private bodies in establishing credentials (for example, identity and other personal attributes) and surveillance systems to provide for ways to differentiate among unknown strangers.

The end result of this processing is the progressive ‘disappearance of disappearance’.12 An alternative metaphor suggested by Solove is Kafka’s The Trial, which highlights the issue of lack of control over information in a context where bureaucratic decisions are increasingly based on dehumanised information processing.13 This metaphor is useful in emphasising that surveillance

8 W. H. Rehnquist, ‘Is an Expanded Right of Privacy Consistent with Fair and Effective Law Enforcement? Or: Privacy, You’ve Come a Long Way, Baby’ (1974) 23 Kansas Law Review 1, 9.
9 Slobogin, ‘Public Privacy’, 236.
10 J. Cohen, ‘Examined Lives: Informational Privacy and the Subject as Object’ (2000) 52 Stanford Law Review 1373, 1426.
11 K. Haggerty and R. Ericson, ‘The Surveillant Assemblage’ (2000) 51 British Journal of Sociology 605.
12 Ibid., 619.
13 D. Solove, The Digital Person: Technology and Privacy in the Information Age (New York University Press, 2004), pp. 36–9.

can be dangerous and oppressive, even where the intentions that underlie it are inherently benign. The danger lies in the use of surveillance as a basis for automated decision-making and the oppressiveness that this can create in contexts where the individual is unaware of what is being collected and of the potential consequences that might follow. In a similar vein, Phillips refers to emerging social realities that include ‘a new kind of knowledge of the physical landscape which is re-ordered, codified and made legible to rational, algorithmic understanding and a new kind of knowledge of populations within that landscape’.14 This knowledge acquisition creates ‘an ability not only to define “normal” behaviour, but to spot “abnormal” behaviour through profiling techniques’.15 A key focus to date has been on the use of closed circuit television (CCTV) and other audio-visual devices to observe and, increasingly, to eavesdrop on activities conducted in public places, including shopping centres, sporting and recreation grounds and city streets. While these practices were initially only minimally invasive due to the poor quality of any footage captured and the difficulty of identifying random passers-by, the quality of sound and image recording continues to improve dramatically and it is increasingly possible to identify people directly, via the use of face recognition technology,16 and indirectly, via automatic number plate recognition (ANPR) and radio frequency identification (RFID)17 technologies that link people to objects and allow individuals to be identified. Another aspect of modern surveillance that has received comparatively little attention to date is geolocation surveillance based on tracking devices that provide information about the location over time of a person or an object associated with an individual person.

Originally the sole province of the military, and more recently of the police, this technology is now commonly used in a range of contexts and products, including the ubiquitous mobile phone and the many devices that make use of global positional system (GPS) and RFID technologies.18

14 D. Phillips, ‘Beyond Privacy: Confronting Locational Surveillance in Wireless Communication’ (2003) 8 Communications Law and Policy 1, 18.
15 Ibid.
16 See D. Svantesson, ‘Face-to-data – the Ultimate Privacy Violation?’ (2012) 118 Privacy Laws & Business 21, 21–4; B. Buckley and M. Hunter, ‘Say Cheese! Privacy and Facial Recognition’ (2011) 27 Computer Law & Security Review 637; A. Senior and S. Pankanti, ‘Privacy Protection and Face Recognition’ in S. Li and A. Jain (eds.), Handbook of Face Recognitions, 2nd edn (London: Springer-Verlag, 2011).
17 See M. Ohkubo, K. Suzuki and S. Kinoshita, ‘RFID Privacy Issues and Technical Challenges’ (2005) 48 Communications of the ACM 66.
18 See, for example, the discussion of location position in S. Nouwt, ‘Reasonable Expectations of Geo-privacy?’ (2008) 5 ScriptEd 376, 380–2.

Mobile phones operate by communicating with surrounding base stations to make and receive calls and other forms of communication and therefore can effectively identify the general location of a user every few minutes for the period during which the phone is turned on and within range of base stations.19 They also now typically contain both GPS hardware and wireless Internet (WiFi) functionality. The former allows for highly accurate pinpointing of location, while the latter allows for less battery-intensive determination of approximate location using WiFi connection data.20 This in turn has led to the development of a range of applications that utilise a phone’s location to provide the user with a range of location-based services.21 These include applications that allow users to find the current location of their children or other family members,22 find and choose nearby restaurants based on photographs and ratings of dishes that they serve,23 find friends and parties located nearby24 and find nearby taxi companies.25 Location data has traditionally been regarded as less controversial than audio/visual data, as demonstrated, for example, by the fact that the use of tracking devices for enforcement purposes requires a lower order of authorisation under Australian surveillance devices legislation than that required for other forms of surveillance devices.26 However, it is arguable that recent developments, particularly in relation to mobile phones, require a reassessment of their significance, especially in relation to reasonable expectations of privacy and content and transactional data distinctions (for example, the distinction between the content of email messages and details about their recipients and the times and dates when they were sent).

19 See S. Peli and C. Soghoian, ‘Can You See Me Now? Toward Reasonable Standards for Law Enforcement Access to Location Data that Congress Could Enact’ (2012) 27 Berkeley Technology Law Journal 117, 126–8.
20 Ibid., 128–31.
21 See, for example, C. Levis, ‘Smartphone, Dumb Regulations: Mixed Signals in Mobile Privacy’ (2011) 22 Intellectual Property, Media and Entertainment Law Journal 191.
22 See, for example, the Family application: DroidOmics, ‘Family Features’, www.droidomics.com/family_features.html (accessed 28 October 2013).
23 See, for example the Foodspotting application at www.foodspotting.com/ (accessed 28 October 2013).
24 See, for example, the Loopt application: D. Lions, ‘What Is Loopt?’ About.Com – Web Trends, http://webtrends.about.com/od/profiles/fr/What-is-Loopt.htm (accessed 28 October 2013).
25 See, for example, the Rocket Taxi application: Rocket Taxi, iPhone Apps Finder, www.iphoneappsfinder.com/productivity-apps/rocket-taxi/ (accessed 28 October 2013).
26 For example, in the case of the Surveillance Devices Act 1999 (Vic), a magistrate may issue a warrant that authorises the use of a tracking device, whereas warrants authorising the use of other forms of surveillance devices can be issued only by a Supreme Court judge: see s. 14.

The difficulty of regulating public place surveillance

Public place surveillance is difficult to regulate because it transcends the distinctions that have traditionally demarcated privacy regulation. There are four distinctions that are worth highlighting.

First, current and emerging surveillance practices affect a broader range of communications than receive protection under telecommunications regimes. This produces the anomalous situation whereby a communication receives extensive protection while in the course of a telecommunications transmission, but lesser protection if it is intercepted at the point of receipt (for example, via a listening device installed close to the handset), and no protection at all if it takes place aurally and is intercepted via the use of a long lens camera and lip-reading.

Second, the creation of information that is often indeterminate as to its identifiability poses challenges for data protection laws that inherently rely on some distinction between data that is and is not identifiable. For example, persons depicted on CCTV footage may not be immediately identifiable, but some may be made so via the use of face recognition technology and comparison with tagged photographs available via the Internet. The extent to which identification is possible will vary according to the clarity of the images and the power of the technology available to perform this task. However, data protection laws impose restrictions and obligations that require making immediate assessments and then applying all of the relevant principles, based on that assessment.

Third, modern surveillance practices create conceptual difficulties in interpreting common law and statutory tests that are based on reasonable expectations of privacy and the distinctions between public and private activities because they undermine the assumptions that have framed the development of rules about reasonable expectations of privacy.

Those assumptions are usefully encapsulated in Westin’s description of a hypothetical American male back in 1967:

He may be riding a subway, attending a ball game, or walking the streets; he is among people and knows that he is being observed; but unless he is a well-known celebrity, he does not expect to be personally identified and held to the full rules of behavior and role that would operate if he were known to those observing him.27

27 A. Westin, Privacy and Freedom (New York: Atheneum, 1967), p. 31.

It could also be added that this hypothetical man would not have expected to be observed systematically by persons outside his field of sight or overheard by persons who were not located within earshot. Finally, there has been an associated assumption that public acts that are temporary or fleeting will not be subject to permanent capture. As explained by Reiman, ‘privacy results not only from locked doors and closed curtains but also from the way our publicly observable activities are dispersed over space and time’.28 Drawing again on Westin’s hypothetical man, he would have known that he might be observed by random strangers, but would have been secure in the knowledge that these observations were fleeting in nature and would not be captured and potentially interlinked for systematic analysis by unknown individuals and organisations with an interest in his activities. These issues will now be further explored in the specific context of the regulation of surveillance in public places. This analysis is confined to non-official surveillance activities (i.e. activities that do not involve authorised surveillance by police and national security bodies). Constitutional protections that are directly applicable only to law enforcement and other state-sponsored uses of surveillance are therefore generally irrelevant. Accordingly, laws that provide such protections are beyond the scope of this chapter, although they raise similar issues concerning the appropriateness of rules based on distinctions between public and private places and activities, and may affect individuals’ ability to sue at common law to the extent that those laws provide protection for privacy in public places.

Laws that regulate surveillance activities

Non-official uses of surveillance are generally regulated in three ways: by prohibitions contained in telecommunications interception and surveillance devices laws, by data protection laws that impose limitations on the ways in which personal information can be collected, and by sui generis rules that deal exclusively with specific types of device. They may also be subject to regulation by causes of action for invasion of privacy.

28 J. Reiman, ‘Driving to the Panopticon: a Philosophical Exploration of the Risks to Privacy Posed by the Highway Technology of the Future’ (1995) 11 Computer and High Technology Law Journal 27, 29.

Australia

There are two main sets of Australian laws designed to regulate surveillance activities per se: the Telecommunications (Interception and Access) Act 1979 (Cth), which operates throughout Australia, and surveillance devices laws (including laws confined to listening devices) that operate in individual states and territories.29 These operate by imposing general prohibitions supported by serious criminal sanctions and provisions authorising specific activities by national security/law enforcement bodies, generally based on court-issued warrants. The Telecommunications (Interception and Access) Act focuses specifically on surveillance involving the content of telecommunications while they are passing over, or stored within, a telecommunications system. It prohibits: intercepting a ‘real-time’ communication passing over the telecommunications system;30 accessing a communication such as an email, SMS and voicemail message while it is stored on a telecommunications carrier’s (including an Internet Service Provider’s) equipment;31 and communicating or otherwise dealing with illegally intercepted information.32 The Act defines ‘interception’ as listening to or recording a conversation by any means without the knowledge of the person making the communication.33 The laws that regulate other forms of surveillance focus on the installation and use of devices and vary in their coverage. Originally, they only regulated the use of listening devices, but, as technology developed, most were amended to include other forms of devices. One example is the Surveillance Devices Act 1999 (Vic), which was considered by the VLRC in the context of a detailed review of surveillance in public places.34 The Surveillance Devices Act was enacted to repeal and replace the pre-existing Listening Devices Act 1999 (Vic), primarily due to concerns about the

29 See Listening Devices Act 1992 (ACT); Surveillance Devices Act 2007 (NSW); Surveillance Devices Act 2000 (NT); Invasion of Privacy Act 1971 (Qld); Listening Devices Act 1991 (Tas); Surveillance Devices Act 1999 (Vic) (SDA); Surveillance Devices Act 1998 (WA).
30 Telecommunications (Interception and Access) Act 1979 (Cth) (TIAA), ss. 7(1) and 105.
31 This prohibition applies in circumstances where that message cannot be accessed on that equipment by a person who is not a party to the communication, without the assistance of an employee of the carrier. TIAA, above n. 30, ss. 5(1) (‘stored communication’) and 108.
32 TIAA, above n. 30, ss. 63 and 108(1).
33 TIAA, above n. 30, s. 6(1) (‘interception’).
34 The findings of this inquiry are reported in Victorian Law Reform Commission, Surveillance in Public Places: Final Report, Report no. 18 (2010). The author was a consultant and adviser to the Victorian Law Reform Commission in relation to its surveillance in public places reference.

use of video cameras. An incident that preceded it, which was referred to in the then Shadow Attorney-General’s speech in the Bill’s Second Reading debate, involved the non-consensual taping of sexual activity involving a well-known Australian personality and the subsequent sale of the tape by her ex-boyfriend.35 The new legislation was described by the then Attorney-General as designed ‘to bring the regulation of optical surveillance devices into line with the regulation of listening devices’ and to provide ‘stringent safeguards for the protection of privacy’.36 It extends protection to surveillance by cameras and other types of optical surveillance devices and devices used to track the location of people,37 either directly or indirectly via items closely associated with them such as their cars. It also imposes limitations on the way law enforcement officers use devices that monitor the electronic inputs and outputs to computers.38 The extension to tracking devices was explained on the basis that tracking devices were virtually unknown in 1969 when the Listening Devices Act was first enacted, but are now commonly used by law enforcement agencies and other persons and organisations in the community.39 Nevertheless, these were regarded as less intrusive than other categories of surveillance devices, which explains the legislative decision to allow a warrant to track a person or object to be issued by the Magistrates’ Court (as opposed to the Supreme Court).40 Limitations in the Surveillance Devices Act identified in the VLRC’s report include: that the listening device prohibition is limited by reference to a test based on reasonable expectation of being overheard;41 that the optical surveillance prohibition is limited in its application to surveillance of indoor activities and by reference to a test based on reasonable expectation of being seen;42 and that the definition of tracking device is limited to devices designed solely for tracking.43 As explained above, these tests

35 Victoria, Parliamentary Debates, Legislative Assembly, 22 April 1999, 548 (Mr Perton).
36 Victoria, Parliamentary Debates, Legislative Assembly, 25 March 1999, 192 (Mrs Wade, Attorney-General).
37 These prohibitions on uses of different surveillance devices are contained in SDA, above n. 29, ss. 6–9.
38 SDA, above n. 29, s. 9.
39 Victoria, Parliamentary Debates, Legislative Council, 11 May 1999, 525 (Mr Bowden).
40 Victoria, Parliamentary Debates, Legislative Assembly, 25 March 1999, 192 (Mrs Wade, Attorney-General).
41 SDA, above n. 29, ss. 6(1) and 3(1) (definition of ‘private conversation’).
42 Ibid., ss. 7(1) and 3(1) (definition of ‘private activity’).
43 Ibid., s. 3(1) (definition of ‘tracking device’).

are arguably based on assumptions that are no longer appropriate due to technological developments. For example, the fact that one might reasonably expect to be seen by a random passer-by does not mean that one should expect to be photographed by a distant camera equipped with face recognition technology. Nor does the fact that a device, such as a mobile phone, is not designed primarily for tracking afect the potential privacyinvasiveness of its extensive tracking capabilities. At the same time, there is no clear rationale for distinguishing between optical surveillance that takes place inside and outside buildings. Arguably, activities conducted in an enclosed private backyard warrant more protection than those that occur, for example, in an indoor shopping mall. Apart from these two sets of laws, there is also some indirect protection available via information privacy laws, to the extent that surveillance data is recorded and qualiies as personal information. he Australian Privacy Principles (APPs) in the Privacy Act 1988 (Cth) apply to most federal public sector agencies and to some private sector organisations.44 However, the operation of the Privacy Act is subject to a number of important exemptions. For example, it does not apply to individuals acting in a personal capacity in relation to their personal, family or household afairs.45 hat means that it does not regulate the surveillance activities of individuals conducted for their own personal purposes, even where those activities result in the widespread dissemination of personal information (for example, via uploading to Internet sites such as YouTube). hey are also subject to a broad media exemption that applies to activities of media organisations conducted ‘in the course of journalism’.46 his exemption is subject to the media organisation subscribing to published privacy standards but does not require any form of public interest test, which means that the APPs do not apply to paparazzi activities. 
The APPs include a collection limitation principle that precludes the collection of personal information unless it is reasonably necessary for one or more of the functions or activities of the organisation collecting it.47 This principle requires, in addition, that personal information must be

44 See Privacy Act 1988 (Cth) (PA) s. 6C (definition of ‘organisation’) and s. 6D (definition of ‘small business operator’). Subject to a number of exceptions, the small business operator exception excludes from the operation of the Act businesses with a gross annual turnover of less than $A3 million. The APPs were enacted by the Privacy Amendment (Enhancing Privacy Reform) Act 2012 (Cth) and replace the pre-existing Information Privacy Principles in s. 14 and the National Privacy Principles in Schedule 3, and commenced operation in March 2014.
45 Ibid., s. 66E.
46 Ibid., s. 7B(4).
47 Ibid., sch. 1 APP 3.2.

Surveillance in public places


collected fairly and legally.48 Organisations that collect personal information are also subject to a number of further principles designed to ensure that personal information is handled fairly and transparently. These include requirements relating to open and transparent management,49 notification of the collection of personal information,50 limitations on use and disclosure,51 requirements to maintain security52 and integrity53 and obligations to provide access to information subjects.54

The APPs apply to ‘personal information’, which is defined as information or an opinion about an identified individual, or an individual who is reasonably identifiable.55 This test has been amended56 consistently with a recommendation by the Australian Law Reform Commission, which understood it to require ‘a consideration of the cost, difficulty, practicality and likelihood that the information will be linked in such a way as to identify [the individual]’.57 It follows, therefore, that unless records of surveillance contain images or other data that allows for recognition of the individuals to which they relate, they will not constitute personal information. The position will, however, be different if the context is such that the collecting organisation can readily link them to other data that identifies an individual. The Privacy Act is supplemented by laws that operate in a similar way in relation to most government agencies in most states and the Northern Territory.58

Australia differs from the United States and the United Kingdom in that it lacks both a constitutional bill of rights and a nationwide human rights law. In addition, it still lacks any privacy-based common law right of action, although the High Court has cleared the way for such a

48 Ibid., sch. 1, APP 3.5.
49 Ibid., sch. 1, APP 1.
50 Ibid., sch. 1, APP 5.
51 Ibid., sch. 1, APP 6.
52 Ibid., sch. 1, APP 10.
53 Ibid., sch. 1, APP 11.
54 Ibid., sch. 1, APP 12.
55 Ibid., s. 6(1).
56 It was amended by the Privacy Amendment (Enhancing Privacy Reform) Act 2012 (Cth).
57 Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice, Report no. 108 (2008) [6.57]. That approach is consistent with that taken by the Victorian Civil and Administrative Tribunal in interpreting a similar (but not identical) provision in the Information Privacy Act 2000 (Vic): see WL v. La Trobe University [2005] VCAT 2592. For a further discussion of the Australian provisions, see M. Burdon and P. Telford, ‘The Conceptual Basis of Personal Information in Australian Privacy Law’ (2010) 17(1) eLaw Journal: Murdoch University Electronic Journal of Law 1.
58 Privacy and Personal Information Protection Act 1998 (NSW); Information Act 2000 (NT); Information Privacy Act 2009 (Qld); Personal Information Protection Act 2004 (Tas); Information Privacy Act 2000 (Vic). Government agencies in the ACT are bound by the PA, above n. 44.


development59 and the traditional action for breach of confidence has since been expanded to allow for mental distress damages.60 In this context there have been proposals by three different law reform commissions for the enactment of a statutory cause of action to protect privacy.61 More recently, the Australian government published a consultation paper62 canvassing feedback concerning the desirability of enacting a statutory cause of action for serious invasion of privacy. Moreover, the paper examined the relative merits of the different formulations suggested in each of these law reform commission reports. However, the issue now seems to be on the back-burner.63

In summary, Australia provides strong privacy protection for communications while in transit through, or stored within, telecommunications systems and some protection in relation to surveillance involving the use of listening, optical surveillance and tracking devices. Australian data protection laws also provide for some limited protection against the collection and use of personal information obtained through surveillance activities, to the extent they are conducted by those government agencies and private sector organisations that are required to comply with these laws.

The United States

There are two main sets of United States laws that regulate surveillance activities per se: the Electronic Communications Privacy

59 ABC v. Lenah Game Meats Pty Ltd [2001] HCA 63, (2001) 208 CLR 199. For a further discussion, see D. Lindsay, ‘Playing Possum? Privacy, Freedom of Speech and the Media Following ABC v. Lenah Game Meats Pty Ltd; Part II: The Future of Australian Privacy and Free Speech Law, and Implications for the Media’ (2002) 7 Media & Arts Law Review 161.
60 Giller v. Procopets [2008] VSCA 236, (2008) 24 VR 1. See N. Witzleb, ‘Giller v. Procopets: Australia’s Privacy Protection Shows Signs of Improvement’ (2009) 17 Tort Law Review 16.
61 Australian Law Reform Commission, above n. 57, ch. 74 and recs. 74–1 to 74–7; New South Wales Law Reform Commission, Invasion of Privacy, Report no. 120 (2009); Victorian Law Reform Commission, above n. 34, ch. 7. For a discussion of the proposals, see N. Witzleb, ‘A Statutory Cause of Action for Privacy? A Critical Appraisal of Three Recent Australian Law Reform Proposals’ (2011) 19 Torts Law Journal 104.
62 Commonwealth of Australia, Department of Prime Minister and Cabinet, A Commonwealth Statutory Cause of Action for Serious Invasions of Privacy (Issues Paper, September 2011).
63 In the meantime the ALRC has been given a reference to consider the issue of prevention of and remedies for serious invasions of privacy in the digital era: see www.alrc.gov.au/publications/serious-invasions-privacy-digital-era-ip-43/terms-reference (accessed 9 January 2014).


Act 1986,64 which regulates wiretapping and electronic eavesdropping, and the Stored Communications Act 1986,65 which regulates access to email, voice mail, and other electronic communications while they are stored within a telecommunications system. Similarly to the Australian telecommunications regime outlined above, these provisions impose general prohibitions supported by serious criminal sanctions and authorise specific activities by national security/national defence bodies. These two federal laws are supplemented by state wiretap laws that are mostly directed at telephone and data interceptions, although some extend to surveillance of private conversations.66

The Electronic Communications Privacy Act makes it a federal crime for any person to intentionally intercept (or endeavour to intercept) wire, oral or electronic communications by using an electronic, mechanical or other device.67 It defines ‘interception’ as the aural or other acquisition of the contents of various kinds of communications by means of ‘electronic, mechanical or other devices’.68 The term ‘electronic communications’ encompasses most radio and data transmissions and includes any communication from a tracking device.69 Despite its name, the Act is not confined to electronic communications; it also applies to ‘oral communications’, which are defined to include any face-to-face conversations for

64 Electronic Communications Privacy Act 1986 18 USC §§ 2510–2522 (2006). This legislation, which was passed in 1986, amended the federal privacy protections in the Omnibus Crime Control and Safe Streets Act of 1968, 42 USC § 3711 (1970) in the light of changes in computer and telecommunications technology.
65 Stored Communications Act 1986, 18 USC §§ 2701–2711 (2000). This was enacted in 1986 as part of the Electronic Communications Privacy Act 1986. See further: O. Kerr, ‘A User’s Guide to the Stored Communications Act, and a Legislator’s Guide to Amending It’ (2004) 72 The George Washington Law Review 1701.
66 A number of states impose varying restrictions on the taping of telephone conversations or private conversations more generally. For example, it is illegal in California to record or eavesdrop on any confidential communication, including a private conversation or telephone call, without the consent of all parties to the conversation: California Penal Code § 632. The Citizen Media Law Project provides some selected summaries of state recording laws: State Law: Recording (2 March 2008) Citizen Media Law Project, www.citmedialaw.org/legal-guide/state-law-recording (accessed 28 October 2013). There is also a full list of state wiretap laws on the website of the National Conference for State Legislatures at: Electronic Surveillance Laws (23 March 2012) National Conference of State Legislatures, www.ncsl.org/issues-research/telecom/electronic-surveillance-laws.aspx (accessed 28 October 2013).
67 Electronic Communications Privacy Act 1986 18 USC § 2511(1) (2006).
68 Ibid.
69 ‘Tracking Device’ is defined in § 3117(b) as ‘an electronic or mechanical device which permits the tracking of the movement of a person or object’.


which the speakers have a justifiable expectation of privacy.70 In that sense it is much wider than its Australian equivalent. ‘Wire communications’ are limited to those that at some point involve voice communications.71 The prohibition against wiretapping and electronic eavesdropping is subject to a number of exceptions, including an exception for consent. These activities are permissible by anyone with the consent of at least one party to the conversation and consent may be given either explicitly or implicitly.

The Stored Communications Act makes it a federal crime to intentionally access without authorisation (or to exceed an authorisation to access) a facility through which an electronic communication service is provided and thereby obtain, alter or prevent authorised access to a wire or electronic communication while it is in electronic storage in such a facility.72

There is no across-the-board regulation of purely visual surveillance or surveillance in the form of tracking (except to the limited extent that the Privacy Act 1974,73 which applies only to federal government agencies, imposes limitations on the collection of personal data74). However, a small number of states impose restrictions on visual surveillance.75 For example, the Georgian Penal Code makes it an offence ‘to observe, photograph, or record the activities of another which occur in any private place and out of public view’.76

Individuals who are subjected to unwanted surveillance may, however, be able to sue in tort. The United States common law, as set out in the Restatement (Second) of Torts, recognises four separate privacy torts, including the torts of intrusion into seclusion and public disclosure of private facts.77 A person is liable for intrusion if he or she intentionally intrudes, physically or otherwise, upon the solitude or seclusion of

70 18 USC § 2510(2) (2006). The meaning of ‘oral communications’ is discussed in United States v. Larios, 593 F 3d 82, 92 (1st Cir 2010).
71 18 USC § 2510(1) (2006).
72 Stored Communications Act 1986, 18 USC § 2701(a) (2006).
73 Privacy Act 1974 5 USC § 552a (2006).
74 The PA contains a Code of Fair Information Practice that applies to personally identifiable information about individuals that is maintained in systems of records by federal agencies. The Code imposes limitations on the collection, use and dissemination of this information.
75 National Conference for State Legislatures, Electronic Surveillance Laws, above n. 66, contains details of state laws that impose restrictions on visual surveillance.
76 Ga Code Ann § 16–11–62. This prohibition is subject to a number of exceptions set out in paras. (A)–(C).
77 The other two are the tort of appropriation of name or likeness and the tort of publicity that places a person in a false light in the public eye: see §§ 652C and 652E.


another, or that person’s private affairs or concern, ‘if the intrusion would be highly offensive to a reasonable person’.78 Similarly, liability for public disclosure of private facts requires giving publicity to a matter concerning the private life of another if it is of a kind that is not of legitimate concern to the public and would be highly offensive to a reasonable person.79 It is arguable that the intrusion tort is more obviously directed to the regulation of surveillance, as it focuses on the invasion of the private sphere rather than on any subsequent publication of personal data collected via surveillance activities,80 although it has been argued that the public disclosure tort may provide a better fit in relation to surveillance of online activities.81 However, both of these torts have been interpreted narrowly and in ways that do not facilitate their use in relation to surveillance in public places.82

The private facts tort is problematic for a number of reasons.83 First, since it is concerned with the dissemination of information, the offensiveness criterion relates to the information disseminated, as opposed to the method by which it was obtained. Second, the requirement that information must not be of legitimate public concern has been interpreted using a generous approach to the concept of newsworthiness.84 Third, and most significantly, the tort runs into direct conflict with the constitutional protection of free speech in the First Amendment of the US Constitution.85 The extent to which the First Amendment right trumps privacy interests is apparent in the approach taken by the Florida Supreme Court, in a case in which the Court acknowledged the significance of the privacy interests of rape victims but nevertheless concluded that a state law which prohibited the publication of their names was unconstitutional.86

78 American Law Institute, Restatement (Second) of Torts (1977) § 657B.
79 Ibid., § 652D.
80 See A. Tutaj, ‘Intrusion Upon Seclusion: Bringing an “Otherwise” Valid Tort into the 21st Century’ (1999) 82 Marquette Law Review 665.
81 See P. Abril, ‘Recasting Privacy Torts in a Spaceless World’ (2007) 21 Harvard Journal of Law and Technology 1.
82 See the two paragraphs that follow and materials referenced in notes 77–82.
83 See L. Lidsky, ‘Prying, Spying, and Lying: Intrusive Newsgathering and What the Law Should Do About It’ (1998–1999) 73 Tulane Law Review 173, 199.
84 This issue is discussed further below at p. 216.
85 A key decision that has narrowed the operation of this tort is Florida Star v. BJE 491 US 524, 550 (1989).
86 Ibid. See further P. Gielniak, ‘Comment: Tipping the Scales: Courts Struggle to Strike a Balance Between the Public Disclosure of Private Facts Tort and the First Amendment’ (1999) Santa Clara Law Review 1217; P. McNulty ‘Public Disclosure of Private Facts: There Is Life After Florida Star’ (2001–2002) 50 Drake Law Review 93.


The intrusion tort creates less direct conflict with the First Amendment because ‘it specifically attacks newsgathering tactics rather than the news itself’;87 nevertheless, it has also been narrowly construed.88 It is generally unavailable for intrusions that occur in public places.89 Although the First Amendment is not directly applicable, given that this tort is not concerned with publication, this distinction has not prevented the courts from applying a newsworthiness privilege to the intrusion tort.90 On the other hand, there have been a small number of cases in which courts have been willing to acknowledge the possibility that the tort might extend in exceptional cases to surveillance conducted in public places.91

US courts have also considered the issue of reasonable expectations of privacy in the context of the Fourth Amendment protection in respect of unlawful search and seizure (a protection which is restricted in its application to official surveillance activities).92 Cases concerning law enforcement surveillance involving location tracking have provided some useful discussion of reasonable expectations of privacy in relation to one’s movements over time. Of particular significance is a decision concerning police use of a vehicle-mounted GPS device to monitor a suspect’s movements over a 28-day period. The United States Court of Appeals in United States v. Maynard93 held that the police action was unconstitutional on the basis of the volume of the data collected by the police. As explained by Judge Ginsberg, ‘[r]epeated visits to a church, a gym, a bar or a bookie tell a story

87 C. Crisci, ‘All the World Is not a Stage: Finding a Right to Privacy in Existing and Proposed Legislation’ (2002) 6 Legislation and Public Policy 207, 227.
88 See A. McClurg, ‘Bringing Privacy Law Out of the Closet: A Theory of Liability for Intrusions in Public Places’ (1994–1995) 73 North Carolina Law Review 990 and the cases cited at footnotes 6–13.
89 See Dempsey v. National Enquirer 702 F Supp 927, 930–31 (D Me 1988). For further examples see Lidsky, above n. 83, 209, note 187.
90 See, for example, the approach taken in Costlow v. Cusimano 311 NYS 2d 92, 95 (App Div 1970).
91 See, for example, Wolfson v. Lewis 924 F Supp 1413, 1433–35 (ED Pa 1996). See further Crisci, above n. 87, 228–30.
92 Surveillance will amount to an unconstitutional search where the subject of the surveillance has some objectively reasonable expectation of privacy: see Katz v. United States 389 US 347, 353–56, 360 (1967). For a useful discussion of Fourth Amendment issues that arise in relation to law enforcement surveillance using face recognition technology, see D. Fretty, ‘Face-recognition Surveillance: A Moment of Truth for Fourth Amendment Rights in Public Places’ (2011) 16 Virginia Journal of Law and Technology 430.
93 615 F 3d 544 (D.C. Cir. 2010).


not told by any single visit, as does one’s not visiting any of those places in the course of a month.’94 On appeal, this decision was upheld by the US Supreme Court in United States v. Jones95 but on a different basis, namely that the mounting of the device on the vehicle itself amounted to a search. Justice Scalia, who was part of the majority, left open the possibility that ‘achieving the same result through electronic means, without an accompanying trespass, might also be an unconstitutional invasion of privacy’, although he found no need to decide on this basis.96 Justice Sotomayor, who also reached her decision on the narrower basis, likewise agreed that physical intrusion might now be ‘unnecessary to many forms of surveillance’ and further commented that it might be necessary to ‘reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties’.97

In summary, the USA provides strong privacy protection for communications while in transit through, or stored within, telecommunications systems and some protection in respect of surveillance involving the use of listening, optical surveillance and tracking devices, although the latter protection is generally more limited in its application than in Australia. Moreover, the regulation provided by data protection laws is limited to federal agencies. While the US common law has long recognised causes of action for invasion of privacy, these are narrowly interpreted and provide minimal protection in relation to public places.

The United Kingdom

The main UK law that is specifically directed at surveillance activities is the Regulation of Investigatory Powers Act 2000 (UK). This Act makes it illegal to intercept any communication in the course of its transmission by a public postal service or a public telecommunication system.98 It also prohibits interception of communications in the course of transmission via private telecommunication systems other than by or with the consent of a person with a right to control the operation or the use of the system.99 For the purposes of the Act, an activity will constitute interception of a

94 Ibid., 573. Ginsberg J relied for support on earlier cases that had recognised the invasiveness of prolonged monitoring of an individual’s movements, including two cases directly concerned with GPS monitoring: People v. Weaver 12 NY 3d 433 (2009); State v. Jackson 150 Wash 2d 251 (2003).
95 565 US 10 (2012).
96 Ibid., 11.
97 Ibid., 2.
98 Regulation of Investigatory Powers Act 2000 (UK) s. 1(1).
99 Ibid., ss. 1(2) and 1(6).


communication in the course of its transmission by means of a telecommunications system if it involves modification to or interference with the system or its operation, monitoring transmissions made by means of the system or monitoring transmissions made by wireless telegraphy to or from apparatus comprised in the system.100 As in Australia and the USA, these prohibitions are subject to exceptions that allow for lawful interceptions for law enforcement/national security purposes.101

Surveillance activities are also regulated indirectly by the Data Protection Act 1998 (UK), to the extent that they qualify as the processing of personal data. The Data Protection Act is designed to give effect to the European Data Protection Directive (the Directive),102 although there are some aspects of its interpretation that seem to differ from the requirements of the Directive as interpreted in Europe. The Act requires data controllers who determine the purposes for, and the manner in which, any personal data are processed to comply with a set of eight data protection principles. Like the Privacy Act 1988 (Cth), it contains domestic purposes and journalistic exemptions.103 However, an important difference is that the latter is narrower in its operation due to the inclusion of a public interest test.104

‘Personal data’ is defined as data that relates to a living individual who can be identified from that data, or from that data and other information that is in the possession of, or is likely to come into the possession of, the data controller.105 This differs from the Australian definition of ‘personal information’ in two important ways: it requires that the data must ‘relate to’ the individual in question, and it makes explicit the information from which identifiability is to be determined, including the fact that it includes information likely to come into the possession of the data controller at some subsequent point in time.
However, the requirement that the data must relate to an individual was interpreted restrictively by the Court of Appeal in Durant v. Financial Services Authority (Durant)106 as requiring an assessment of relevance or proximity to an individual. The Court suggested two tests that might assist in making this determination:

100 Ibid., s. 2(2).
101 See ibid., s. 4.
102 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, [1995] OJ L 281.
103 Data Protection Act 1998 (UK) ss. 3(a) (definition of ‘special purposes’), 32(1)(a) and 36.
104 Ibid., s. 32(1)(b).
105 Ibid., s. 1(1).
106 Durant v. Financial Services Authority [2003] EWCA Civ 1746, [2004] FSR 28.


whether the information is ‘biographical in a significant sense, that is, going beyond the recording of the putative data subject’s involvement in a matter or an event that has no personal connotations’;107 and whether it has ‘the putative data subject as its focus rather than some other person with whom he may have been involved or some transaction or event in which he may have figured or have had an interest’.108

Soon after the Court of Appeal had handed down its decision in Durant, the Office of the Information Commissioner (ICO) issued a Guidance concerning its effect in relation to CCTV footage.109 This takes the approach that:

if a simple CCTV system is not intended to (or is not physically able to) ‘focus’ on any given individual, nor is intended to provide specific intelligence of a ‘biographical’ nature about a particular person (for example, follow a suspect employee around) then it is not collecting ‘personal data relating to’ any person at all, despite the fact that images of living identifiable persons are, in fact, captured.110

Furthermore, even in the case of a more sophisticated system, images collected incidentally, and without focus on the individual, will still not be regarded as ‘personal data’ and would only become so at some later stage if there were some focus on them. An example suggested by Edwards is where an image of a celebrity is recognised and it is proposed to make it available to a newspaper.111

The Durant decision has been criticised on the basis that it is contrary to the underlying rationale of information privacy regimes, namely that the privacy of the data subject is threatened by the processing of any information that identifies the data subject, or is capable of identifying the data subject, regardless of the nature of the information.112 It is also problematic

107 Ibid., [28].
108 Ibid. See further: L. Edwards, ‘Taking the “Personal” Out of Personal Data: Durant v. FSA and its Impact on the Legal Regulation of CCTV’ (2004) 192 ScriptEd 346.
109 This was most recently revised in the Information Commissioner’s Office, CCTV Code of Practice (2008), www.ico.gov.uk/for_organisations/data_protection/topic_guides/~/media/documents/library/Data_Protection/Detailed_specialist_guides/ICO_CCTVFINAL_2301.ashx (accessed 28 October 2013).
110 Edwards, above n. 108, 346 (original emphasis).
111 Ibid., 348.
112 Hong Kong Legislative Council, Scope of ‘Personal Data’ Under the Personal Data (Privacy) Ordinance (Cap. 486) and Related Issues, Paper No. LS21/05/06 (2007) [6], citing D. Lindsay, ‘Misunderstanding “Personal Information”: Durant v. Financial Services Authority’ (2004) Privacy Law and Policy Reporter 13.


due to inconsistency with the requirements of the Directive. The Article 29 Data Protection Working Party (WP29), which was set up under the Directive as an independent European advisory body on data protection and privacy, has adopted a much wider approach to the definition of ‘personal data’. This focuses not just on whether or not information is about a person, but also on whether it will be used to determine or influence the way in which a person is treated or evaluated. WP29’s approach also considers whether the information is likely to have an impact on an individual’s rights or interests (including where the individual may be treated differently from other persons as a result of the processing of the data).113 It has also emphasised that these three elements ‘must be considered as alternative conditions, and not as cumulative ones’.114

In an attempt to reconcile the two approaches, the ICO issued a further Guidance in 2007115 that attempts to amalgamate key elements of the test in Durant with the approach taken by WP29 using a flow chart based on eight questions. It has been suggested that the two approaches are irreconcilable and that the new Guidance in fact adopts a position ‘closer in both form and substance to that promoted by the Working Party’.116

In 2007 the High Court in Ezsias v. Welsh Ministers117 found against a whistle-blower who had sought to access material generated by his complaint (on the basis that it was his personal data) for the reason that ‘information … generated by the complaint is not personal data for the reasons given in Durant, and access to that material could not possibly be necessary for or even relevant to any protection of the complainer’s privacy’. The Information Tribunal also adopted a narrow approach in Hardcup v. Information Commissioner and Yorkshire Forward118 where it concluded that lists of names of individuals who attended hospitality events were not personal data. In arriving at its

113 Article 29 Data Protection Working Party, Opinion 4/2007 on the Concept of Personal Data (WP 136, adopted 20 June 2007), pp. 100–11.
114 Ibid., 11.
115 Information Commissioner’s Office, Data Protection Technical Guidance: Determining What Is Personal Data (21 October 2007), www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/personal_data_flowchart_v1_with_preface001.pdf (accessed 28 October 2013).
116 C. Millard and H. Kuan, ‘Defining “Personal Data” in e-social Science’ (2012) 15 Information, Communication and Society 6. This article contains a useful summary of both the Guidance and the cases that have postdated it.
117 Ezsias v. Welsh Ministers [2007] EWHC B15 (QB), [2007] All ER 65.
118 Hardcup v. Information Commissioner and Yorkshire Forward [2008] UKIT EA/2007/0058. See Millard and Kuan, above n. 116.


decision, the Tribunal commented that it found difficulty in reconciling the approach in the Guidance with that in Durant.119 However, in The Department for Business, Enterprise and Regulatory Reform v. Information Commissioner and Friends of the Earth120 the Tribunal adopted a less restrictive approach, more consistent with the Guidance. It concluded that minutes detailing the names of individuals attending a meeting with a government department, together with the names of their employers, and where and when the meeting took place, qualified as personal data because the information about each of them constituted information of personal career or business significance.

In the limited situations in which it is applicable, the first data protection principle requires that data be processed fairly and lawfully.121 In the case of a CCTV system this requires, among other things, that it must be operated for a ‘legitimate reason’.122

There is also some limited protection available via the common law. Common law protection for privacy in the UK has developed via extension of the traditional action for breach of confidence as influenced by the Human Rights Act 1998 (UK). As summarised by Eady J in Mosley v. News Group Newspapers Ltd:123

The law now affords protection to information in respect of which there is a reasonable expectation of privacy, even in circumstances where there is no pre-existing relationship giving rise of itself to an enforceable duty of confidence. If the first hurdle can be overcome … the court is required to carry out the next step of weighing the relevant competing Convention rights in the light of an ‘intense focus’ upon the individual facts of the case … and recognising that no one Convention right takes automatic precedence over another.124

Eady J’s judgment contains an extensive analysis of the significance that has been attached by UK and European judges to the privacy invasiveness of visual images. This issue received early recognition by the Court of Appeal in Douglas v. Hello! Ltd (No. 3), in which the Court emphasised

119 Hardcup v. Information Commissioner and Yorkshire Forward, ibid., [20].
120 The Department for Business, Enterprise and Regulatory Reform v. Information Commissioner and Friends of the Earth [2008] UKIT EA/2007/0072.
121 Data Protection Act 1998 (UK) sch. 1, cl. 1.
122 Ibid., sch. 2, cl. 6.
123 Mosley v. News Group Newspapers Ltd [2008] EWHC 1777 (QB), [2008] EMLR 20.
124 Ibid., [10].


Moira Paterson

that photographs constituted a particularly intrusive means of invading privacy and commented that:

They are not merely a method of conveying information that is an alternative to verbal description. They enable the person viewing the photograph to act as a spectator, in some circumstances voyeur would be the more appropriate noun, of whatever it is that the photograph depicts.125

Of direct relevance to surveillance in public places is the seminal decision of the House of Lords in Campbell v. MGN Ltd,126 in which the Court gave its imprimatur to an extended action for breach of confidence. What was especially significant in that case was that the photographs in issue – photographs of the model Naomi Campbell leaving a meeting place of Narcotics Anonymous – related to activities conducted in a public place. Another important decision is Murray v. Big Pictures,127 which concerned photographs taken via long lens of J. K. Rowling’s infant son being pushed in a pram down a street in Edinburgh. In that case the Court of Appeal overturned a ruling by a lower court that had struck out the infant claimant’s claim as disclosing no reasonable cause of action. In so doing it commented that determining whether there was a reasonable expectation of privacy required consideration of all the circumstances of the case, including:

the attributes of the claimant, the nature of the activity in which the claimant was engaged, the place at which it was happening, the nature and purpose of the intrusion, the absence of consent and whether it was known or could be inferred, the effect on the claimant and the circumstances in which and the purposes for which the information came into the hands of the publisher.128

Applying this test, the Court concluded that it was ‘at least arguable’ that the child had a reasonable expectation of privacy.129 The approach taken by the UK courts in these cases is consistent with that adopted by the European Court of Human Rights in Peck v. United Kingdom130 in relation to the publication of CCTV footage, without taking appropriate steps to mask his face, of a man who had attempted to commit suicide, and in Von Hannover v. Germany (No. 1)131 in relation to

125 Douglas v. Hello! Ltd (No. 3) [2003] EWHC 55 (Ch), [2006] QB 125, [84].
126 Campbell v. MGN Ltd [2004] UKHL 24, [2004] 2 AC 457.
127 Murray v. Big Pictures [2008] EWCA Civ 446, [2009] 1 Ch 481.
128 Ibid., [36].
129 Ibid., [45].
130 Peck v. United Kingdom (Application no. 44647/98) [2003] ECHR 44, (2003) 36 EHRR 41.
131 Von Hannover v. Germany (No. 1), above n 52.

Surveillance in public places


the publication of photographs of Princess Caroline of Monaco engaging in various routine personal activities, including shopping. In the latter case, the Court concluded that there had been a breach of the applicant’s privacy right and pointed out that the publication was not concerned with ideas but with ‘images containing very personal or even intimate “information”’.132 Although the Court adopted a narrower stance in Von Hannover v. Germany (No. 2),133 in relation to photographs of Princess Caroline out walking with her husband in St Moritz that accompanied an article that discussed the failing health of her father, Prince Rainier, it did not resile from its approach that individuals can have privacy rights in relation to activities conducted in public. The extended action for breach of confidence is directed to the same category of harm as the US public disclosure tort, but is much wider in its operation due to the fact that it allows for an equal balancing of privacy and freedom of expression and lacks any equivalent of the offensiveness test. However, as currently formulated, it does not provide for any equivalent protection in relation to activities that are intrusive but do not involve publication. On the other hand, in its recent decision in Imerman v. Tchenguiz134 the Court of Appeal was willing to apply a modified test in relation to the traditional action for breach of confidence in circumstances involving unauthorised access to the plaintiff’s personal information for use in the context of ongoing divorce proceedings. Significantly, the Court’s reasoning involved using the test of reasonable expectation of privacy as a basis for deciding whether or not the information was confidential. It is possible, therefore, that this reasoning may pave the way for recognising confidentiality obligations in circumstances involving public place surveillance.
In summary, the UK provides strong privacy protection for communications while in transit through, or stored within telecommunications systems, but there is no equivalent protection to that in Australia or the USA in respect of surveillance involving the use of specific types of surveillance devices. However, common law protection via the extended action for breach of confidence provides superior protection to that available via the common law in the United States in respect of surveillance in public places.135

132 Ibid., [59].
133 Von Hannover v. Germany (No. 2) (Application no. 40660/08) [2012] ECHR 228, (2012) 55 EHRR 15 (GC).
134 Imerman v. Tchenguiz [2010] EWCA Civ 908, [2011] 1 Fam 116.
135 See also the Protection from Harassment Act 1997 (UK), which provides a right of protection against stalking and harassment.


Analysis of specific policy issues relating to various surveillance activities

Surveillance involving media organisations

The majority of lawsuits relating to surveillance have concerned surveillance conducted by or on behalf of media organisations. However, privacy protection in relation to media activities creates especially difficult policy issues because of the special role of the media as the Fourth Estate. What is in issue, therefore, is not simply freedom of expression, but also one of the underpinnings of liberal democracy. As noted by Mill back in the eighteenth century, press freedom plays an important role in subjecting to public scrutiny those who ‘wield the powers of government’.136 However, the protection of freedom of the press based on democratic imperatives arguably calls for some nexus between the activities for which protection is sought and providing the information necessary to allow members of the public to exercise more effectively their democratic rights. It is therefore open to question as to what extent, if any, these imperatives exist in the context of surveillance activities that do not amount to serious investigative journalism, especially those that fall at the ‘infotainment’ end of the spectrum. The approach that prevails in the USA is that it is inappropriate for the courts to make judgments about such issues and that all media publications should be treated as newsworthy. As outlined by the VLRC, justifications for this approach include:

the difficulty of distinguishing between speech of a ‘public interest’ nature and that which is not; the fact that there may never be consensus on what constitutes the public interest; the fact that information about celebrities’ lives could serve a social function, because people can model their lives on the choices celebrities make; and finally, if there is no consensus on what constitutes the public interest, who should be assigned the task of deciding what it is?137

In contrast, the approach that has generally found favour in the UK,138 and to some extent in Australia,139 is that satisfying mere curiosity should not

136 J. Mill, ‘Liberty of the Press’ in James Mill’s Articles in the Supplement to the Encyclopedia Britannica (London: J. Innes, 1825).
137 Victorian Law Reform Commission, above n. 34, [7.184].
138 See for example, the approach taken in Mosley v. News Group Newspapers Ltd [2008] EWHC 1777 (QB), [2008] EMLR 20.
139 See, for example the comments by Callinan J in ABC v. Lenah Game Meats Pty Ltd [2001] HCA 63, (2001) 208 CLR 199, [254].


take precedence over legitimate privacy interests, although there may be a fine line between idle gossip and matters of legitimate public interest.140 To the extent that media surveillance activities are regulated in the three countries discussed, this occurs primarily via telecommunications legislation and, mainly in the UK, the common law. In the USA it is clear that the strength of the constitutional protection provided by the First Amendment substantially limits the scope of any statutory reforms. However, there would still seem to be some scope for expanding the seclusion tort to provide for better protections against more intrusive paparazzi activities. The UK Leveson report141 is discussed in Chapter 9 of this book, but it seems likely that the common law will continue to provide the main source of media regulation in the UK. The position in Australia remains in a state of flux. While the enactment of some form of statutory cause of action for invasion of privacy remains a possibility, it is more likely that regulation will occur in the longer term via judicial development of an expanded action for breach of confidence.

Specific types of surveillance

As far as the different types of surveillance are concerned, optical surveillance arguably creates practical difficulties because there has been a longstanding acceptance of the right of photographers to take photographs while out in public, including images of individuals taken without their express permission. There is therefore a practical difficulty in drawing a line between accepted practices and activities that involve an unreasonable invasion of privacy. While it is clearly possible to posit examples of optical surveillance that go too far (for example, an image taken with a long lens camera of intimate activities conducted on a secluded beach), it is difficult to devise a clear test that differentiates what is and what is not acceptable and that is sufficiently nuanced to allow for the balancing of competing interests, including freedom of speech. Even though CCTV is now increasingly commonplace and accepted, many unresolved issues remain, including how to determine the circumstances in which it becomes seriously privacy-invasive and how best to regulate it without

140 That issue received detailed consideration by the Grand Chamber of the European Court of Human Rights in Von Hannover v. Germany (No. 2), above n. 133. For further discussion of this case, see R. C. Smith ‘From Von Hannover to Von Hannover and Axel Springer AG: Do Competing ECHR Proportionality Factors Ever Add Up to Certainty?’ (2012) 2 Queen Mary Journal of Intellectual Property 389, 389–93.
141 Lord Justice Leveson, An Inquiry into the Culture, Practices and Ethics of the Press, House of Commons Paper no. 780 (London: The Stationery Office, 2012).


imposing unreasonable constraints on the CCTV operator. It is arguable for this reason that CCTV surveillance is best suited to principles-based regulation of the type advocated by the VLRC. The regulation of aural surveillance creates less difficulty because there has been more acceptance of regulation of the recording of conversations, although that may have changed somewhat with the advent of video cameras that record sound. Communications privacy has traditionally received more extensive protection than other aspects of privacy (as evidenced by long-standing protection of telecommunications and postal communications), possibly for the reasons that communications are critical to personal relationships and also come closest to revealing what individuals actually think. However, Australia is the only one of the three countries surveyed that fully regulates listening devices.142 The issues relating to tracking devices are arguably more complex than those relating to optical surveillance devices and listening devices. It could be said that tracking is akin to visual surveillance since it is also possible to track someone’s movements by following and visually observing him or her. Yet there has not to date been any clear acceptance of electronic tracking practices. It is possible that attitudes to tracking may be changing in light of the prevalence of mobile phone applications, which rely on location tracking and the sharing of that information with others. However, it is generally the case that the privacy implications of emerging tracking devices are not well understood. Tracking devices currently receive very limited regulation beyond the realm of law enforcement activities and there would appear to be a growing case for reconsidering this position before such tracking practices become too entrenched.

Insights from regulatory theory

The question of how best to regulate surveillance in public places was considered in detail by the VLRC in its report on Surveillance in Public Places. The Commission recommended a range of regulatory measures including the use of a set of overarching legislative principles to guide all users about responsible use of public place surveillance, codes of practice, improved surveillance devices legislation and the enactment of a

142 Listening devices are regulated in every state, via listening device or surveillance device laws: see above n. 29.


new statutory obligation to refrain from committing a serious invasion of privacy.143 These recommendations were specifically tailored to the state of Victoria and did not therefore extend to areas of Commonwealth regulation such as telecommunications interceptions. Significantly, the Commission advocated a multifaceted approach consistent with regulatory design principles. Responsive regulation emphasises the role of persuasion and cooperation in the first instance with more coercive measures provided by way of back-up. The regulatory pyramid devised by Ayres and Braithwaite144 has warnings, persuasion and collaboration at its base, followed by civil sanctions and then criminal sanctions at its apex. This pyramid suggests that there is an important role for the measures typically used in data protection regimes whereby the regulator relies heavily on persuasion and mediation, with fines and other sanctions used only by way of last resort. This is reinforced by a compliance-based regulatory theory, which emphasises incentives and monitoring for non-compliance.145 One of the potential strengths of data protection regimes is that they involve the creation of a regulator that is in a position to perform a variety of roles, including educational activities, development of codes of practice and ongoing compliance monitoring, including auditing activities. This is an important consideration in the USA, which currently lacks a general privacy regulator with equivalent powers and functions to those exercised by the regulators in Australia and the UK.146 The pyramid suggests that criminal sanctions should be used only as a last resort and in respect of more egregious conduct. An important consideration is that criminal sanctions can be of limited usefulness, both because of the higher standard of proof required and because they rely on the police for enforcement. It was for that reason that the VLRC recommended that the current criminal sanctions in the Victorian Surveillance

143 Victorian Law Reform Commission, above n. 34, pp. 15–18.
144 I. Ayres and J. Braithwaite, Responsive Regulation: Transcending the Deregulation Debate (Oxford University Press, 1992), pp. 35, 39, cited in Victorian Law Reform Commission, Surveillance in Public Places: Final Report, [4.104], n. 173.
145 See, for example, C. Parker ‘Reinventing Regulation within the Corporation: Compliance-oriented Regulatory Innovation’ (2000) 32 Administration and Society 529.
146 Currently the Office of Management and Budget has general oversight of the Privacy Act, while the Federal Trade Commission provides oversight of some privacy matters, including compliance with published privacy policies and with the US–EU Safe Harbor regime: for the further details about this regime, see the materials at ‘Welcome to the US–EU Safe Harbor’ (11 April 2012) Export.gov Website, http://export.gov/safeharbor/eu/eg_main_018365.asp (accessed 28 October 2013).


Devices Act should be supplemented by civil sanctions to be enforced by a surveillance regulator.147 With the limited exception of surveillance device laws, surveillance activities currently attract criminal sanctions only to the extent they involve telecommunications interceptions. It is arguable that criminal sanctions serve an important denunciatory role in this context, although there may be merit in ensuring the additional availability of civil remedies. It is significant that the interceptions involved in the Murdoch media scandal in the UK have resulted in criminal sanctions only following public awareness and outcry. The ability to sue in the courts provides an important fall-back when criminal sanctions are not appropriate. While pursuing civil remedies is beyond the financial reach of many ordinary individuals, the case law generated by celebrities and other wealthy plaintiffs nevertheless creates a precedent, which serves as a valuable deterrent against overly invasive surveillance practices. It is arguable too that the independence of the courts makes them well suited to the task of balancing competing interests involving media organisations.

Conclusion

Technological developments have increased the prevalence of surveillance activities, with adverse consequences for privacy in public places. These practices have undermined a number of important assumptions and distinctions that underlie the design of existing privacy regimes. The complexity of current regulatory frameworks is reflective of the multifaceted nature of privacy as a concept and of the surveillance activities that increasingly undermine anonymity. It is also affected by constitutional constraints, which differ between countries. It is arguable that the best way forward does not lie in a single ‘one size fits all’ solution but, rather, in improving and extending existing regimes to ensure that they are informed in their redesign by the realities of modern surveillance practices.

147 Victorian Law Reform Commission, above n 34, rec. 21.

11 Privacy and young people: controlling anti-social behaviour through loss of anonymity

Thomas Crofts

Introduction

Balanced against the fundamental principle that all judicial proceedings should take place in the open in order to foster justice, fairness and transparency, is the recognition that young people are especially vulnerable to harm from publicity. As a result, the ‘open justice’ principle – that anyone can attend court and is free to report on what they see and hear in the court1 – generally does not apply where the proceedings concern young people. Although there are variations in the legal detail, in the UK and most Australian jurisdictions there are legislative prohibitions on publication of anything that could identify that a young person has been involved in criminal proceedings;2 exceptions are only permitted when publication is considered to be in the public interest. While the rationale for these restrictions is rarely expressed in terms of protecting the privacy of young people, the concern to avert harm to the young person’s future development is ‘in effect, a specific application of the general right to privacy’.3

Unless otherwise indicated, developments in this chapter are to 30 June 2013.

1 See for instance: International Covenant on Civil and Political Rights, opened for signature 16 December 1966, 99 UNTS 171 (entered into force 23 March 1976) Art. 14(1); Convention for the Protection of Human Rights and Fundamental Freedoms, opened for signature 4 November 1950, 213 UNTS 221 (entered into force 3 September 1953), now termed the European Convention on Human Rights (ECHR) Art. 6; P. Wright, ‘The Open Court: The Hallmark of Judicial Proceedings’, (1947) 25 Canadian Bar Review 721; J. Michael, ‘Open Justice: Publicity and the Judicial Process’ (1993) 46 Current Legal Problems 190; J. Jaconelli, Open Justice: A Critique of the Public Trial (Oxford University Press, 2002), pp. 2–3; Scott v. Scott [1913] AC 417.
2 See for instance Children and Young Persons Act 1933 (UK) s. 49; Children (Criminal Proceedings) Act 1987 (NSW) ss. 15B–15F; Children’s Court of Western Australia Act 1988 (WA) ss. 35–6. An exception is the Northern Territory, where there is no automatic prohibition on the publishing of identifying information. Restrictions only apply if the court so orders: Youth Justice Act 2005 (NT) s. 50.
3 J. Michael, ‘A Child’s Right to Privacy or Open Justice?’ in G. Douglas and L. Sebba (eds.), Children’s Rights and Traditional Values (Aldershot: Ashgate, 1998).


In recent years, the anonymity that young people have traditionally enjoyed in relation to their involvement in legal proceedings has been diminished through the introduction of Anti-Social Behaviour Orders (ASBOs) in the UK in 1999 and Prohibited Behaviour Orders (PBOs) in Western Australia (WA) in 2010.4 This chapter aims to explore how such orders challenge the traditional protections that young people have enjoyed from publicity in relation to their involvement in legal proceedings. It will begin by discussing the background to ASBOs and PBOs and what these orders entail. It will then examine why, in the case of ASBOs and PBOs, it is thought appropriate to allow deviation from the principle that young people should be protected from publicity. This will include an evaluation of broader shifts within the criminal justice system in order to assess whether these measures form part of a general trend of chipping away at youth anonymity. The chapter will conclude by commenting on the appropriateness of allowing publicity in such cases. It will demonstrate that, while the right to privacy (and thus protection from publicity) is not absolute and must be balanced against other interests, those interests do not justify a wholesale reversal of the prohibition on publication of identifying material in the case of ASBOs and PBOs against young people.

Background

The concern to protect young people from the stigma associated with public trials can be traced to the broad reform efforts in the late nineteenth and early twentieth centuries to change the way that the state responded to juvenile crime. During this period reformers pushed for separate juvenile-specific courts that were closed to the public and had less formal proceedings alongside the development of welfare-oriented sanctions aimed primarily at reform rather than punishment.5 Addressing the causes of criminal behaviour with welfare-oriented measures gradually became the central tenet of the juvenile justice systems in the English-speaking world for much of the twentieth century.6 However, from the mid 1970s there was ‘a rapid and remarkable shift

4 Crime and Disorder Act 1998 (UK) (CDA); Prohibited Behaviour Order Act 2010 (WA) (PBOA).
5 See A. Platt, The Child Savers, 2nd edn (University of Chicago Press, 1977); L. Radzinowicz and R. Hood, A History of English Criminal Law and its Administration, vol. V (London: Stevens, 1986), pp. 629–33; J. Seymour, Dealing with Young Offenders (North Ryde: Law Book Company, 1988).
6 See for instance, Platt, The Child Savers; A. Rutherford, Growing Out of Crime: The New Era, 2nd edn (Winchester: Waterside Press, 1992).


in penal ideas and philosophy’,7 which can be traced to various factors. In the face of dramatic increases in the rate of reported crime from the 1960s onwards, faith in the rehabilitative ideal began to falter and fuel the feeling that ‘nothing works’.8 As a result, crime became accepted as a social reality that had to be managed.9 The period of economic crisis in the USA and UK in the late 1970s also led to increased interest in the costs of traditional methods of criminal justice. Governments in much of the English-speaking world began to acknowledge the limits of the state’s ability to control crime and to seek more cost-effective approaches to the management of crime. Rising crime rates also led to criticism of the ‘individualised treatment model’ at the core of penal welfarism and the idea that sentencing should and could serve to rehabilitate.10 Some argued that this paternalistic model was discriminatorily applied and allowed an overuse of imprisonment with insufficient due process controls.11 In contrast, neo-conservatives and neo-liberals argued that this approach had created a culture of excuse, leading to a failure to uphold law and order. There was a perception that modern criminal justice practice and policy was too focused on the offender at the expense of the victim, which fuelled calls for a refocusing of attention on the victim and the community. Criminologists identified that in the post-Second World War period there had been a gradual loosening of the informal means of social control, which had traditionally kept crime and disorder in check.12 Neo-conservative and neo-liberal governments grasped onto aspects of these findings, calling for a return to traditional values alongside a refocusing of attention on individual responsibility and harsh retributive punishments. This punitive trend was continued by New Labour in the UK from the late 1990s onwards, albeit with a strong focus on the reinvigoration of communities as a key crime control strategy.
It is therefore no surprise that, during this period, anti-social behaviour came squarely into focus. New Labour thought that a more systemic

7 D. Garland, The Culture of Control (University of Chicago Press, 2001), p. 53. For discussion of such changes in relation to juvenile justice, see Platt, The Child Savers, pp. 183–92.
8 This phrase originated with R. Martinson, ‘What Works? – Questions and Answers about Prison Reform’ (1974) 35 The Public Interest 22.
9 Garland, above n. 7, p. 106.
10 Ibid., p. 55.
11 Struggle for Justice: A Report on Crime and Punishment in America; Prepared for the American Friends Service Committee (New York: Hill and Wang, 1971).
12 See, for instance, T. Hirschi, Causes of Delinquency (Berkeley: University of California Press, 1969), pp. 16–34.


approach was necessary because the measures available did not address the whole picture of the harm caused by ongoing anti-social behaviour. Research undertaken by the Home Office suggested that there were inadequate tools to prevent the occurrence of behaviour that was not a criminal offence but amounted to ‘sub-criminal’ or ‘pre-criminal’ behaviour.13 Even where the behaviour amounted to an offence, in isolation it was seen as such a low level of offending that it either did not reach the courts or a light sentence was imposed.14 As Campbell comments: ‘It is the persistent nature of such behaviour that compounds the problem, but only single incidents are considered in court.’15 Importantly, research by the Policing and Reducing Crime Unit found that young people were a major cause of anti-social behaviour and yet there were few criminal sanctions that could be applied to them.16 Furthermore, drawing partly on ‘broken windows theory’,17 New Labour became concerned that anti-social behaviour needed to be tackled because it creates an environment that fosters more serious crime:

The anti-social behaviour of a few, damages the lives of many. We should never underestimate its impact. We have seen the way communities spiral downwards once windows get broken and are not fixed, graffiti spreads and stays there, cars are left abandoned, streets get grimier and dirtier, youths hang around street corners intimidating the elderly. The result: crime increases, fear goes up and people feel trapped. It’s time to stop thinking of anti-social behaviour as something that we can just ignore.

13 S. Campbell, ‘A Review of Anti-social Behavior Orders’ (Home Office Research Study 236, United Kingdom Home Office, February 2002), p. 2.
14 Ibid. Similar comments were made in WA, see: Western Australia, Parliamentary Debates, Legislative Assembly, 24 June 2010, 4671 (Mr Porter, Attorney-General) (hereafter C. Porter).
15 Campbell, above n. 13, p. 2.
16 See N. Bland and T. Read, ‘Policing Anti-social Behaviour’ (Police Research Series Paper no. 123, United Kingdom Home Office, 2000), p. 30. This research connects much anti-social behaviour to truancy and notes that until the CDA, above n. 4, the police had limited powers in relation to truancy: ibid., p. 15.
17 This theory stems from an article by J. Wilson and G. Kelling, ‘Broken Windows’, The Atlantic Monthly (Boston, MA), March 1982, pp. 29–38. The article contains the example: ‘Consider a building with a few broken windows. If the windows are not repaired, the tendency is for vandals to break a few more windows. Eventually, they may even break into the building, and if it’s unoccupied, perhaps become squatters or light fires inside. Or consider a sidewalk. Some litter accumulates. Soon, more litter accumulates. Eventually, people even start leaving bags of trash from take-out restaurants there or even break into cars.’ According to the theory, if low level crime and disorder is not attended to within a short period of time, then it can be seen as a signal that no one cares. This can weaken community controls, which act as barriers to crime, and increase fear of crime, which can lead to an escalation in the problem.


Anti-social behaviour blights people’s lives, destroys families and ruins communities. It holds back the regeneration of our disadvantaged areas and creates the environment in which crime can take hold.18

Given that New Labour partly attributed anti-social behaviour to a breakdown in social relationships and lack of respect, it responded by shifting the power and responsibility to fight crime and anti-social behaviour to local communities. The approach was designed to reinvigorate neighbourhoods by strengthening ‘moral norms and values around which citizens can restate their connections with each other and civil society’.19 This crime prevention agenda was crystallised in New Labour’s Respect agenda, whereby ‘[c]ommunities need to be empowered and everyone must play their part in setting and enforcing standards of behaviour’.20 A range of measures were therefore adopted to fight criminal and pre-criminal behaviour. The measures that are of concern here, because of the challenge that they pose to the traditional privacy protection afforded to young people, are ASBOs in the UK and PBOs in WA. Before examining how exactly ASBOs and PBOs affect the protection from publicity afforded to young people, the following section will explain the nature of the orders.

What are ASBOs and PBOs?

Anti-Social Behaviour Orders were first introduced in 1999 through the Crime and Disorder Act 1998 (UK) (CDA). The orders can be made against anyone aged 10 years and above21 who has displayed anti-social behaviour in the previous six months. Behaviour is deemed to be anti-social when it causes, or is likely to cause, harassment, alarm or distress to a person or persons not of the same household.22 ASBOs are preventive

18 D. Blunkett (United Kingdom Home Secretary), Respect and Responsibility – Taking a Stand Against Anti-Social Behaviour (Ministerial White Paper CM 5778, United Kingdom Home Office, March 2003), pp. 4–5.
19 J. Flint, ‘Return of the Governors: Citizenship and the New Governance of Neighbourhood Disorder in the UK’ (2002) 6 Citizenship Studies 245, 251.
20 Blunkett, Respect and Responsibility, above n. 18, p. 17, para. [1.14].
21 CDA, above n. 4, s. 1(1). In Scotland, orders can only be made against a person aged 16 or over: CDA s. 19(1). For a discussion of some of the differences between ASBOs in England and Wales and Scotland see: S. Macdonald and M. Telford, ‘The Use of ASBOs against Young People in England and Wales: Lessons from Scotland’ (2007) 27 Legal Studies 604.
22 Despite the civil nature of the order, these requirements must be proven to the criminal standard: Clingham v. Royal Borough of Kensington and Chelsea; R (McCann) v. Manchester Crown Court [2002] UKHL 39, [2003] 1 AC 787.

234

Thomas Crofts

orders, akin to an injunction, intended to protect the public from antisocial behaviour and have a minimum duration of two years. An application for an order can be made by ‘relevant authorities’,23 which includes local authorities, chief oicers of police, registered social landlords, housing action trusts or any person or body speciied by the Secretary of State. Once it is established that a person has displayed anti-social behaviour in the previous six months, the court has broad scope to restrict any otherwise lawful behaviour that it considers necessary to prevent further antisocial behaviour. While the orders are civil in nature, a breach without reasonable excuse is an ofence and can lead to imprisonment of up to six months and/or a ine if tried in summary proceedings, or imprisonment of up to ive years and/or a ine if tried on indictment.24 he orders can thus be characterised as individualised quasi-criminal law, with the behaviour to be prohibited tailored to the individual, backed up with the threat of a criminal sanction. In 2002 the Police Reform Act 2002 (UK) extended the power to make such orders by providing that they can be made following a conviction in criminal proceedings (hence they are oten referred to as ‘CrASBOs’) and allowing interim orders to be made before the irst court appearance. here is no diference in the nature of these orders: they are civil orders, regardless of the proceedings in which they are made. Where the order is made post-conviction, it is not designed to be an additional punishment for the ofence. A key feature of the ASBO scheme that undermines privacy protection is that there is an expectation that details of the orders will be made public, even in the case of a young person. 
his publicity may take varied forms; typically it involves a picture of the person subject to the order along with the details of the order being published on the webpage of the local police force.25 Such information may also be displayed on local authority webpages or contained in lealets distributed in areas afected by the anti-social behaviour.26 More extreme publicity involves police using advertising spaces on public transport to make the public aware of persons who are subjects of such orders.27 23 25

26

27

CDA, above n. 4, s. 1(1A). 24 CDA, above n. 4, s. 1(11). See, for example, Cleveland Police (UK), Anti-Social Behaviour Orders, www.cleveland.police.uk/advice-information/anti-social-behaviour-orders.aspx?r=0 (accessed 29 October 2013). See R (Stanley, Marshall and Kelly) v. Metropolitan Police Commissioner [2004] EWHC 2229, discussed below. See for example he Observer, ‘he Banned Play On’, Guardian (Online), 22 April 2007, www.guardian.co.uk/uk/2007/apr/22/ukcrime.society.

Privacy and young people

235

There has been much criticism of ASBOs aside from the attack that they pose to traditional privacy protections. Such concerns range from problems with the overly broad definition of anti-social behaviour to the fact that the orders are negative in effect (i.e. contain only prohibitions), do not provide positive support to assist compliance, target the disadvantaged and lead to net-widening by allowing for a criminal conviction for a wide range of behaviour that would otherwise not be subject to a criminal sanction.28 Following the change in the UK government in 2010, the new Home Secretary, Theresa May, announced that ASBOs would be abolished because they are ineffective and criminalising.29 They are considered ineffective because the rate at which they are breached (over half) suggests that they are not well adapted to prevent anti-social behaviour and criminalising because around half of the breaches lead to a custodial order.30 The result is that:

anti-social behaviour remains stubbornly high. In 2010/11, 3.2 million incidents of anti-social behaviour were recorded by the police – which is likely to still only be the tip of the iceberg as many incidents are reported to other agencies or not at all.31

The Conservative–Liberal Democrat Coalition Government therefore plans to replace ASBOs with what it claims will be more effective measures. In May 2012 it released a White Paper entitled ‘Putting Victims First: More Effective Responses to Anti-Social Behaviour’.32 One proposal in the White Paper is to introduce a civil injunction, called a ‘Crime Prevention Injunction’, which appears to be a modified version of an ASBO. It is claimed that such orders should be quicker to use than an ASBO and breach of this order would amount to contempt of court, carrying the possibility of a custodial sentence.33 Unsurprisingly, some commentators have questioned whether the new measures will amount to much more than a rebranding of existing tools rather than a change in strategy.34 The White Paper is silent on whether the new measures will reverse the approach towards publicity and therefore there is no reason to expect a retreat from the ongoing assault on young people’s right to anonymity. It remains to be seen whether these recommendations will find their way into legislation. Despite the criticisms in the UK, the ASBO model has recently found its way to Australia. The WA Government expressed confidence that the ASBO model could be adapted to ensure its effectiveness in WA and overcome the more problematic aspects identified in the UK.35 In 2010 the Prohibited Behaviour Orders Act 2010 (WA) (PBOA) was passed, introducing orders based on the post-conviction version of ASBOs. Modifications were made to the UK model, which reduce, but do not eliminate, many of the concerns expressed about this model of crime and disorder prevention. Changes include that the orders are only available for young people aged 16 or over and require that the person is a repeat offender. Accordingly, a PBO may be made on application by the prosecution or at the discretion of the court where a person aged 16 or over has a repeat conviction within three years for a ‘relevant offence’ and the court decides that an order is necessary to prevent further relevant offences. A ‘relevant offence’ is one involving anti-social behaviour, which is defined in similar terms to the UK.

28 See for example, A. Ashworth et al., ‘Neighbouring on the Oppressive: the Government’s “Anti-social Behaviour Order” Proposals’ (1998) 16 Criminal Justice 7; A. Ashworth, ‘Social Control and Anti-social Behaviour: the Subversion of Human Rights’ (2004) 120 Law Quarterly Review 263; P. Squires and D. Stephen, ‘Rethinking ASBOs’ (2005) 25 Critical Social Policy 517; S. Macdonald, ‘A Suicidal Woman, Roaming Pigs and a Noisy Trampolinist: Refining the ASBO’s Definition of Anti-social Behaviour’ (2006) 69 Modern Law Review 183; T. Sagar, ‘Tackling On-street Sex Work’ (2007) 7 Criminology and Criminal Justice 153; A. Millie, ‘Anti-social Behaviour, Behavioural Expectations and an Urban Aesthetic’ (2008) 48 British Journal of Criminology 379; A. Crawford, ‘Governing through Anti-social Behaviour’ (2009) 49 British Journal of Criminology 810. In a WA context see T. Crofts, ‘The Law and (Anti-social Behaviour) Order Campaign in Western Australia’ (2011) 22 Current Issues in Criminal Justice 399.
29 BBC News, ‘Time to “Move Beyond” ASBOs, says Home Secretary May’, 28 July 2010, www.bbc.co.uk/news/uk-10784060 (accessed 29 October 2013).
30 T. May (United Kingdom Home Secretary), Putting Victims First: More Effective Responses to Anti-Social Behaviour (Ministerial White Paper CM 8367, United Kingdom Home Office, May 2012), p. 8.
31 Ibid.
32 Ibid.
Thus it means ‘behaviour that causes or is likely to cause – harassment, alarm, distress, fear or intimidation to one or more persons; or damage to property’.36 To ensure that courts do not take a narrow view of what sort of offences are thought to have an anti-social element, the Government has issued regulations containing a non-exhaustive list of a wide array of offences that are presumed to have an anti-social element in the absence of proof to the contrary.37

33 Ibid., p. 24, para. [3.9].
34 A. Crawford and K. Evans, ‘Crime Prevention and Community Safety’ in M. Maguire, R. Morgan and R. Reiner (eds.), The Oxford Handbook of Criminology, 5th edn (Oxford University Press, 2012), pp. 769, 798.
35 C. Porter, above n. 14.
36 PBOA, above n. 4, s. 3.
37 Prohibited Behaviour Order Regulations 2011 (WA). The schedule contains a startlingly broad list of offences from a range of statutes including the Bushfires Act 1954, Criminal Code, Criminal Investigation Act 2006, Liquor Control Act 1988, Misuse of Drugs Act 1981, Prostitution Act 2000, Public Transport Authority Act 2003, Road Traffic Act 1974 and Weapons Act 1999.

In determining whether to impose a PBO, the court must give primary consideration to the desirability of protecting people and property from relevant offences, and must also consider the degree of hardship that a person subjected to a PBO may suffer.38 Under the PBOA, the court is given a relatively free hand, as in the UK, in determining the sort of otherwise lawful behaviour it should prohibit. The court can constrain the subject of the PBO from engaging in any activities that it considers will increase the likelihood of the person committing an offence with an anti-social element.39 The PBOA includes a non-exhaustive list of behaviours that may be constrained, including: entering or remaining in a specified premises, locality or place; approaching or communicating with a specified person or possessing a certain thing.40 As in the UK, despite their civil character, breach of a PBO amounts to a criminal offence with a maximum penalty of five years and/or a fine if the order is made by the District or Supreme Court and two years and/or a fine if the order is made by the Magistrates’ Court or the Children’s Court.41 A key feature of the PBO scheme, as with ASBOs in the UK, is that publication of details of the orders is to be the norm. In WA, images of the person subject to a PBO, along with their name, suburb and details of the order, are published on a government webpage.42 Once this information is published, any person is free to republish it in any way they choose.43 The following will explore how this publicity erodes the traditional privacy protections afforded to young people involved in legal proceedings.

38 PBOA, above n. 4, ss. 9(1) and 9(2).
39 Ibid., s. 10(2).
40 Ibid., s. 10(3).
41 Ibid., s. 35(1).
42 Ibid., s. 34. Also, see Government of Western Australia, Prohibited Behaviour Orders, www.pbo.wa.gov.au/PBOWebSite/Home/Index (accessed 29 October 2013).
43 PBOA, above n. 4, s. 34(8).

How do ASBOs and PBOs challenge the prohibition on publicity?

Initially, different rules applied in relation to publicity depending on whether the proceedings concerned the application for an ASBO (until 2002 this could only be in civil proceedings) or criminal proceedings for breach of the ASBO. Where an application is made for an ASBO against a child or young person in civil proceedings, the matter will be heard by the Magistrates’ Court (because the Youth Court does not have civil jurisdiction). As a result, the proceedings are open to the general public and there are no reporting restrictions unless the court decides to impose a ban under s. 39 of the Children and Young Persons Act 1933 (UK) (CYPA). According to this section a court may, in relation to any proceedings, prohibit publication of any material that could identify a person under 18 as involved in legal proceedings (whether as the subject of those proceedings or as a witness). In contrast, until recently reporting restrictions applied to all criminal proceedings in the Youth Court under s. 49 of the CYPA. These restrictions have, however, been progressively removed in relation to application proceedings following conviction for an offence (but not in relation to the proceedings regarding the underlying offence) and criminal proceedings for breach of an ASBO.44 This does not affect the general discretion that any court retains to make an anonymity order under s. 39 of the CYPA – for example, when a child would be at risk of harm if his or her details were made public. In effect, there is now a presumption in favour of publicity in relation to all ASBO proceedings (whether application or breach proceedings) and the courts have the responsibility of determining whether anonymity should be granted under s. 39 CYPA. This leaves the burden with the child or young person to show good cause to restrict publicity.45 In the case of ASBOs, it seems that courts may be reluctant to make an anonymity order to protect the privacy of the young person, as highlighted by R v. St Albans Crown Court, ex parte T.46 In this case, Elias J was guided by the seminal principles laid down by Simon Brown LJ in R v. Winchester Crown Court ex parte B47 regarding whether or not to make an order under s. 39 CYPA:

(i) In deciding whether to impose or thereafter to lift reporting restrictions, the court will consider whether there are good reasons for naming the defendant.
(ii) In reaching that decision, the court will give considerable weight to the age of the offender and the potential damage to any young person of public identification as a criminal before the offender has the benefit or burden of adulthood.
(iii) By virtue of section 44 of the 1933 Act, the Court must ‘have regard to the welfare of the child or young person’.
(iv) The prospect of being named in court with the accompanying disgrace is a powerful deterrent and the naming of a defendant in the context of his punishment serves as a deterrent to others. These deterrents are proper objectives for the court to seek.
(v) There is strong public interest in open justice and in the public knowing as much as possible about what has happened in court, including the identity of those who have committed crime.
(vi) The weight to be attributed to the different factors may shift at different stages of the proceedings, and, in particular, after the defendant has been found, or pleads, guilty and is sentenced. It may then be appropriate to place greater weight on the interest of the public in knowing the identity of those who have committed crimes, particularly serious and detestable crimes.
(vii) The fact that an appeal has been made may be a material consideration.48

44 In relation to an application in criminal proceedings: CDA, above n. 4, s. 1C(9C(a)) as amended by s. 86(3) of the Anti-Social Behaviour Act 2003 (UK). In relation to breach proceedings: CDA, above n. 4, s. 1(10D) as amended by s. 141 of the Serious Organised Crime and Police Act 2005 (UK).
45 R v. Central Criminal Court ex parte W, B and C [2001] 1 Cr App R 7 (DC).
46 R v. St Albans Crown Court, ex parte T [2002] EWHC Admin 1129.
47 R v. Winchester Crown Court ex parte B [2000] 1 Cr App R 11.

Elias J held these principles to be applicable in the context of ASBOs. Thus, a decision under s. 39 CYPA requires the court to balance the interests of the community with those of the young person against whom the order has been made. Elias J pointed out, however, that there are two reasons for a particularly strong ‘general public interest in the public disclosure of court proceedings’49 relating to applications for ASBOs:

First, disclosure of the identity of the individuals may well assist in making an order efficacious. If persons in the community are aware that the order has been made against specified individuals, then it must improve the prospect of that order being effectively enforced. Any subsequent breach is more likely to be reported back to the authorities. Second, the very purpose of these orders is to protect the public from individuals who have committed conduct or behaviour which is wholly unacceptable and of an anti-social nature. The public has a particular interest in knowing who in its midst has been responsible for such outrageous behaviour.50

Another case involving ASBO proceedings shows that more weight is generally attached to community interests than the young person’s right to privacy. In R (Stanley, Marshall and Kelly) v. Metropolitan Police Commissioner51 residents had complained about (among other things) youths throwing stones at each other from balconies, causing damage to windows and motor vehicles, playing loud music and having parties until the early hours of the morning, smoking drugs in communal areas, starting fires in the communal stairwell, and abusing and threatening residents and visitors to the building. After obtaining anti-social behaviour orders against the applicants, the respondents (the Metropolitan Police Commissioner and the London Borough of Brent) approved the creation and distribution of leaflets in and around the area from which the claimants had been excluded. The leaflets contained photographs of the subjects of the ASBOs, their names and ages under the heading ‘Keeping Crime off the Streets of Brent’. It also published details of the orders on its website and a report of the proceedings in a newsletter to its tenants. In judicial review proceedings, the applicants sought a ruling that the decision of the respondents to publicise such identifying material was unlawful and in violation of their right to privacy under Article 8 of the European Convention on Human Rights (ECHR). The Divisional Court recognised that the Metropolitan Police Commissioner’s decision engaged conflicting rights contained in the ECHR and that publicity in relation to an ASBO could violate the right to privacy under Article 8. However, the Court held that the ASBO subject’s right to privacy must be balanced against the right of the community to a private and family life undisturbed by anti-social behaviour. Other rights of members of the community conflicting with the ASBO subject’s rights were freedom to receive information (Article 10), freedom of assembly and association (Article 11) and the prohibition of abuse of rights (Article 17).52 Kennedy LJ dismissed the appeal on the basis that publicity would not violate the right to privacy where it was reasonable and proportionate to achieve the legitimate aims pursued.53 This is in line with Article 8(2) of the ECHR, which permits limitations on the right to privacy where they are ‘necessary in a democratic society … for the prevention of disorder or crime’. Kennedy LJ accepted that ‘whether publicity is intended to inform, to reassure, to assist in enforcing the existing orders by policing, to inhibit the behaviour of those against whom the orders have been made, or to deter others, it is unlikely to be effective unless it includes photographs, names and at least partial addresses’.54 Kennedy LJ also considered that the methods and extent of publicity chosen by the respondent, as well as the language used, were justified in the circumstances to reach the intended audience and ensure the efficacy of the orders.

48 Ibid., [13].
49 Ibid., [22].
50 Ibid.
51 R (Stanley, Marshall and Kelly) v. Metropolitan Police Commissioner, above n. 26.
52 Ibid., [27].
53 Ibid., [40].
54 Ibid.

The principles espoused by Kennedy LJ in R (Stanley, Marshall and Kelly) v. Metropolitan Police Commissioner have since found reflection in Home Office guidance on publicity in relation to ASBOs.55 The guidance emphasises that publication of ASBOs and of the identities of those against whom they are made must not be intended to punish or embarrass them. Instead, its principal function is to safeguard the communities towards whom anti-social behaviour has been displayed. Following the UK approach, there is also a presumption in favour of publicity in relation to PBOs in WA. S. 34(2) of the PBOA requires that details of a constrained person (i.e. a person subject to a PBO) must be published on a government website, even in the case of a young person, unless a court orders otherwise. However, publication of any details that could identify an offence that the constrained person was convicted of in the Children’s Court is prohibited.56 A court may order that some, or all, of the details of the constrained person are not published if it finds that there are sufficient grounds to make such an order. In determining whether to make an order preventing publication in the case of a young person, the court is required to have regard to the ‘well-being of the young person’.57

Why is publicity considered necessary?

The reasons identified in R (Stanley, Marshall and Kelly) v. Metropolitan Police Commissioner for publicising details of people subject to ASBOs were expressly approved of, and replicated, in the guidelines on publicity issued by the Home Office in 2005.58 While noting that publicity should be the norm, the document also recommends a case-by-case approach and clearly acknowledges that the interest of the community in the prevention of anti-social behaviour needs to be balanced with the rights of the (young) person subject to the order. Decisions concerning publicity should therefore balance the human rights of the ASBO subject against those of the community as a whole, and there should be a correlation between the purpose of publicity and the necessity.59 Given that the PBO model closely follows the UK approach, it is likely that such principles will also guide decisions concerning publicity in relation to PBOs. However, a concern in the WA context is that there is no human rights instrument binding public authorities. This leaves the courts with less guidance on how to perform the balancing exercise. The following briefly explains the rationales for publicity in relation to ASBOs.

55 Home Office, Publicising Anti-Social Behaviour Orders (Home Office Guidance, March 2005).
56 PBOA, above n. 4, s. 34(3).
57 Ibid., s. 34(5).
58 Home Office, Publicising Anti-Social Behaviour Orders, above n. 55.
59 Ibid., p. 3.

Aid enforcement

As noted above, ASBOs are designed to tackle a vast array of pre-criminal and minor criminal behaviours. Because of this there is a relatively loose definition of what amounts to anti-social behaviour and courts are given considerable freedom in determining what behaviour should be restricted by the orders. Some examples of prohibitions from the UK show how wide-ranging and intrusive these orders can be: being sarcastic, using the word ‘Taliban’, feeding birds in the garden, playing football in the street, riding a bike, wearing a hood and using the word ‘grass’.60 Given the vast array of behaviours that can be prohibited, intensive supervision is required if breaches are to be policed and reported. Police could not feasibly provide such extensive monitoring and therefore the community is co-opted as a tool of law enforcement. But, more fundamentally, this harnessing of the community was not just a by-product of practical necessity; it was a deliberate ideological shifting of power and responsibility for policing crime to the community. ‘Active citizenry’ formed part of New Labour’s strategy to ensure civil renewal.61 The fostering of stronger communities, where people know and trust each other, should therefore provide more opportunity for the re-establishing of controls on crime and anti-social behaviour.62 Publication is therefore designed to spread the message that the community is responsible for enforcement of the orders. Accordingly, as a matter of practicality and ideology, the community needs to be informed of the details of the orders if they are to effectively contribute to policing them.

60 M. Rowlands, The State of ASBO Britain – The Rise of Intolerance (ECLN Essays no. 9, European Civil Liberties Network, 2005), p. 3.
61 Home Office: Civil Renewal Unit, Together We Can (London: The Stationery Office, 2005).
62 D. Blunkett, Civil Renewal: A New Agenda (London: Her Majesty’s Stationery Office, 2003), p. 26. For further discussion see for example, D. Faulkner, ‘Taking Citizenship Seriously: Social Capital and Criminal Justice in a Changing World’ (2003) 3 Criminal Justice 287; D. Prior, ‘Civil Renewal and Community Safety: Virtuous Policy Spiral or Dynamic of Exclusion?’ (2005) 4 Social Policy & Society 357.

Reassure and provide confidence

Home Office guidance on the CDA notes that:

Fear of crime can often be more debilitating than crime itself. It can prevent people from leading normal lives, and distort their perceptions as to the safety of the communities in which they live. There is a clear expectation on the part of the Government that the strategies should address fear of crime and disorder, as well as actual levels thereof.63

Thus, a further aim of publication is to reassure the community about their safety and increase general confidence in public services. Indeed, it seems that local authorities might be interpreting this as the main aim of publication. As Cobb notes:

[T]he representation that the government has sought to put forward is an image of a strong state apparatus, capable of effectively tackling the problem of anti-social behaviour, in order to reduce the fear of crime and, accordingly, reinforce its sovereign state by securing the political faith of the electorate.64

Publishing details of the orders is thus designed to indicate to the community that the authorities take anti-social behaviour seriously and are taking determined action to address it. This should then in turn reduce fear of crime and disorder.

Deter ASBO subject and others

Publication of the details of the order and encouragement of the community to monitor compliance is expected to have a deterrent effect on the individual subject of an order because they are made aware that breaches are likely to be reported and prosecuted. The shame associated with publication is also expected to deter people from re-engaging in anti-social behaviour. This was openly acknowledged in R v. Winchester Crown Court, ex parte B, when Simon Brown LJ noted that ‘the prospect of being named in court with the accompanying disgrace is a powerful deterrent’.65 Publicity is also intended to act as a warning to others, thus providing general deterrence. On an educative level, reinforcing community values should lead to the internalisation of these values and strengthen inhibitions against anti-social behaviour.

63 Home Office: Crime Prevention Agency, Guidance on Statutory Crime and Disorder Partnerships: Crime and Disorder Act 1998 (London: Home Office Communication Directorate, 1998), [1.47].
64 N. Cobb, ‘Governance through Publicity: Anti-social Behaviour Orders, Young People and the Problematization of the Right to Anonymity’ (2007) 34 Journal of Law and Society 342, 365.
65 R v. Winchester Crown Court, ex parte B, above n. 47, 13; approved of by Elias J in R v. St Albans Crown Court, ex parte T, above n. 46, [22].

Why is there reduced concern to protect young people from publicity? Underlying this erosion of the protection of young people from publicity is the already noted broader shit in criminal justice policy away from a focus on welfare–rehabilitation towards a more punitive–retributive approach. his has entailed a prioritising of the protection and reassurance of the public at the expense of the rights of young ofenders, including their right to privacy. Until the late 1970s a welfare approach66 was taken in juvenile justice with neglect and social circumstances seen as primarily responsible for ofending behaviour. Anti-social and criminal behaviour, was oten regarded as a normal part of growing up and generally something that children grow out of. Under the welfarist approach, children in trouble with the law were seen as in need of care rather than deserving of punishment. Accordingly, children were protected from the full force of the criminal law, including being shielded from the full glare of publicity, because they were thought to be especially vulnerable to, and undeserving of, the harms associated with publicity.67 Under a welfare approach, there was a reluctance to judge and condemn for fear that this was inconsistent with or, indeed, could harm attempts at rehabilitation.68 Neo-conservatives identiied what they saw as a lack of moral nerve and unwillingness to condemn as contributing to the modern crime problem. he solution therefore became reasserting law, order and authority, and a return to traditional values, common sense and absolute moral standards.69 he ensuing resurgence of the justice approach to child ofending changed the emphasis of the (youth) criminal justice system. Penal-welfarism was pushed aside in a climate 66

67

68 69

M. Freeman describes the Children and Young Persons Act 1969 as the ‘statutory highwater mark of a philosophy which puts needs before rights and treatment before punishment’: M. Freeman, he Rights and Wrongs of Children (London: Frances Pinter, 1983), p. 69. J. Spencer, ‘Naming and Shaming Young Ofenders’ (2000) 59 Cambridge Law Journal 466, 466. See Garland, above n. 7, p. 184. Ibid. Pat O’Malley notes that much of this law and order push, which is attributed to neoliberalism, actually stems from neo-conservatism, which views ‘[a]llegiance and loyalty,

Privacy and young people

245

of increased punitiveness, with more focus on security and expressive justice.70 he move away from rehabilitation also reopened the door to an approach to crime control where ofenders are seen as ‘culpable, undeserving and somewhat dangerous individuals who must be carefully controlled for the protection of the public and the prevention of further ofending’.71 his led to a ‘declining respect for the rights of ofenders and the absolute priority given to public safety concerns [which] can be seen quite clearly in the growing practice of disclosure and notiication’.72 he decline in rehabilitation has also led to resurgence in the use of stigma, both as a form of punishment and as a means to alert the community to the danger that the ofender poses to it.73 New Labour continued this punitive approach, arguing that ‘[f]or too long we have assumed that young ofenders will grow out of their ofending if let to themselves. he research evidence shows this does not happen.’74 his ‘excuse culture’ is thought to be particularly damaging because it allows children ‘to go on wrecking their own lives as well as disrupting families and communities’.75 hus, anti-social behaviour is viewed as ‘the beginning of a persistent ofending career’ that needs ‘nipping in the bud’.76 With appeals to common sense, children are deemed to be capable of taking responsibility for their behaviour.77 As a result, such behaviour is viewed as an active rejection of society’s demand that the young person exercise their capacity to control their anti-social tendencies.78 Such positioning of anti-social behaviour as a free choice to reject society’s norms and values absolves the community from its welfarist obligations towards

70

71 72 73

74

75 76 77 78

and membership of traditional collectives such as the family and nation’ as paramount: P. O’Malley, ‘Volatile and Contradictory Punishment’ (1999) 2 heoretical Criminology 175, 186. Punishment performs the function of expressing and conirming social values by drawing ‘on the support of all those “healthy consciences” that are outraged by crime, a reaction that the ceremonial ritual of punishing helps to elicit as well as to express’. D. Garland, ‘Sociological Perspectives on Punishment’ (1991) 14 Crime and Justice 115, 123. Garland, above n. 7, p. 175. Garland calls this ‘the criminology of other’ (see p. 184). Ibid., p. 180. Ibid., p. 181. See also J. Pratt, ‘he Return of the Wheelbarrow Men; or, the Arrival of Postmodern Penalty?’ (2000) 40 British Journal of Criminology 127. J. Straw (United Kingdom Home Secretary), No More Excuses – A New Approach to Tackling Youth Crime in England and Wales (Ministerial White Paper CM 3809, United Kingdom Home Oice, 1997), preface. Ibid. N. Rose, ‘Government and Control’ (2000) 40 British Journal of Criminology 321, 337. Straw, No More Excuses, above n. 74, preface. Cobb, ‘Governance through Publicity’, above n. 64, 354.


Thomas Crofts

the young.79 As Cobb notes, ‘the successful contemporary reconstruction of the ASBO subject as a symbol of a depraved and dangerous youth underclass provides moral justification for the punitive and exclusionary potential of the order’.80 This ‘deals a blow to altruistic arguments for their protection from the stigma associated with publicity by fostering a sense of justified indignation at their apparent irresponsibility and disrespect’.81 The flow-on effect on privacy protection is evident. The stigma, which is deemed to be part of the punishment and deserved in the case of an adult, is now also seen as a self-inflicted and appropriate response in the case of the young.82 Claims that the young should have a right to anonymity are swept away as being ‘soft’ on youth crime and part of the cause of the problem.

Why there is still reason to protect young people from publicity

Despite the justifications advanced for reversing the presumption against publicity in the case of ASBOs and PBOs, there continue to be good reasons to protect young people’s anonymity. In R v. Aylesbury Crown Court, ex parte Y the need for protection of the young from publicity was explained:

Because the defendant is a child or young person and not an adult, his or her future progress may well be assisted by restricting publication. Publication could well have a significant effect on the prospects and opportunities of the young person, and, therefore, on the likelihood of effective integration into society. Identifying a defendant in the media may constitute an additional and disproportionate punishment on the child or young person. In rare cases … the child or young person may be at serious personal risk if identified.83

These reasons are also a core concern for privacy protection. Harm to a person’s dignity and autonomy is likely to prejudice his or her future development as a law-abiding citizen. This finds reflection in Article 40 of the UN Convention on the Rights of the Child:84

79 N. Rose, Powers of Freedom: Reframing Political Thought (Cambridge University Press, 1999), p. 267.

80 Cobb, above n. 64, 355.

81 Ibid.

82 See Spencer, above n. 67, 466.

83 R v. Aylesbury Crown Court, ex parte Y [2012] EWHC 1140 (Admin), [2012] EMLR 26, [42].

84 United Nations Convention on the Rights of the Child, opened for signature 20 November 1989, 1577 UNTS 3 (entered into force 2 September 1990).

Privacy and young people


(1) States Parties recognize the right of every child alleged as, accused of, or recognized as having infringed the penal law to be treated in a manner consistent with the promotion of the child’s sense of dignity and worth, which reinforces the child’s respect for the human rights and fundamental freedoms of others and which takes into account the child’s age and the desirability of promoting the child’s re-integration and the child’s assuming a constructive role in society. (2) To this end … the States Parties shall, in particular, ensure that: … (b) Every child alleged as or accused of having infringed the penal law has at least the following guarantees: … (vii) To have his or her privacy fully respected at all stages of the proceedings.

This is reinforced by Rule 8 of the UN Standard Minimum Rules for the Administration of Juvenile Justice (Beijing Rules), which states that:

The juvenile’s right to privacy shall be respected at all stages in order to avoid harm being caused to her or him by undue publicity or by the process of labelling. In principle, no information that may lead to the identification of a juvenile offender shall be published.

The official commentary on this Rule notes that:

Rule 8 stresses the importance of the protection of the juvenile’s right to privacy. Young persons are particularly susceptible to stigmatization. Criminological research into labelling processes has provided evidence of the detrimental effects (of different kinds) resulting from the permanent identification of young persons as ‘delinquent’ or ‘criminal’.

Recourse to the concept of privacy is useful to give a firm basis for challenging any erosion of protections. As noted in Re S (FC) (a child) (Appellant), ‘[t]he child has a right to protection from publicity which could damage his health and well-being and risk emotional and psychiatric harm’.85 Publicity can harm the young person’s sense of worth and dignity, which can entrench anti-social behaviour and hinder his or her development as an autonomous law-abiding individual. Thus, publicity may actually ‘bring with it the very consequences which the court is seeking to avoid’.86 Labelling theory supports the reasons for privacy protection by directing attention to the fact that formal and informal classifications of the young as

85 Re S (FC) (a child) (Appellant) [2004] UKHL 47, [2005] 1 AC 593, [13].

86 R v. Aylesbury Crown Court, ex parte Y, above n. 83, [34].


deviant have consequences for their self-perception and also for how they are viewed and treated by others.87 The public labelling of a young person as a problem or deviant can harm his or her development as an autonomous individual by restricting his or her future choices. It may harm his or her chances of rehabilitation by acting as a barrier to future jobs and to community integration. Research shows that having a criminal record can close off employment opportunities.88 As Naylor notes, having employment and accommodation are key factors in reducing recidivism.89 However, these are the very things that are likely to be denied if potential employers and accommodation providers have received publications identifying the young person as anti-social. Johnson, former Acting NSW Privacy Commissioner, also comments that publication is likely to double-punish offenders:

Publication of a child offender’s name will effectively add to the sentence imposed by the court, doubly punishing child offenders with lifelong stigmatisation – a constant fear that one day a future employer, or neighbour, or friend or colleague will trawl the internet or newspaper archives and find out about the mistake they made as a 15 year old. Their chances of rehabilitation will be substantially reduced as a result.90

Publicity can also lead to shaming, which Cobb notes ‘is now viewed within certain political discourse as an appropriate technique for the governance not only of adults but children too’.91 Braithwaite notes that reintegrative shaming, which aims to bring the subject back within the community, can be an effective tool of social control.92 However, in the case of ASBOs and PBOs the publicity is not primarily designed to be reintegrative. As noted above, the main reasons for publicity, aside from individual deterrence, lie outside the subject of the order. Another aspect of labelling relates to secondary deviance, where the young person lives up to the role ‘stamped’ on them. As the first labelling theorist, Frank Tannenbaum, stated in 1938, ‘[t]he person becomes the

87 P. Rock, ‘Sociological Theories of Crime’ in M. Maguire, R. Morgan and R. Reiner (eds.), The Oxford Handbook of Criminology, 5th edn (Oxford University Press, 2012), pp. 65–8.

88 B. Naylor, ‘Do Not Pass Go: the Impact of Criminal Record Checks on Employment in Australia’ (2005) 30 Alternative Law Journal 174, 174–5.

89 Ibid.

90 A. Johnston, The Privacy Commissioner’s Position on Child Offenders and Privacy (Position Paper, Office of the Privacy Commissioner (Australia), 23 July 2002), www.privacy.org.au/Papers/ChildOfenders2002.pdf (accessed 29 October 2013).

91 Cobb, above n. 64, 360.

92 J. Braithwaite, Crime, Shame and Reintegration (Cambridge University Press, 1989), pp. 84–97.


thing he is described as being’.93 Labelling a child as a deviant can cement anti-social behaviour because ‘a stigmatised youth, labelled and treated as a criminal, finds the path to further and more violent crimes inviting and often lives up to the expectations of the label’.94 Publicity may therefore run counter to the aims of deterrence by undermining the young person’s sense of dignity and provoking an anti-social reaction. As Burney notes, it may result ‘in rejection of the ethical standpoint of the accuser’95 and so hinder ‘the subject’s natural capacity for ethical self-governance, or else undermining his or her effective reconstruction through social work’.96 Publicity may also cement anti-social behaviour because, as part of rejecting community values, it is turned into a badge of honour.97 So, rather than deterring further anti-social behaviour, ASBOs may in fact be amplifying it. Nonetheless, it cannot simply be said that giving publicity to a child’s offending or anti-social behaviour is necessarily a breach of their right to privacy. First, it must be established whether a court order relating to a person’s anti-social behaviour is indeed an issue concerning that person’s private life. The Strasbourg Court,98 as well as UK courts, have held that an individual’s Article 8 right is engaged whenever the circumstances are such as to give rise to a reasonable expectation of privacy. In R (Stanley, Marshall and Kelly) v. Metropolitan Police Commissioner the Court appears to assume that ‘post ASBO publicity’ affects the ASBO subject’s Article 8 right,99 even though the court hearing occurred in public and the ASBO subject knew or ought to have known that publicity follows the making of an ASBO. This is in line with Re Guardian News and Media

93 F. Tannenbaum, Crime and the Community (New York: Columbia University Press, 1938), p. 20.

94 J. Blustein, ‘Adolescence and Criminal Responsibility’ (1985) 2 International Journal of Applied Philosophy 1, 9.

95 E. Burney, Making People Behave: Anti-social Behaviour, Politics and Policy (Gloucester: Willan Publishing, 2005), p. 97.

96 Cobb, above n. 64, 352.

97 A-R. Solanki, T. Bateman, G. Boswell and E. Hill, Antisocial Behaviour Orders for Young People (London: Youth Justice Board for England and Wales, 2006). Research by K. Brown casts doubt on claims that ASBOs are viewed as a badge of honour by young people. It should, however, be noted that this finding is based on in-depth interviews of only 6 youths aged under 18 in a city which had issued over 300 ASBOs to young people by 2009. K. Brown, ‘Beyond “Badges of Honour”: Young People’s Perceptions of their Anti-social Behavior Orders’ (2011) 5 People, Place & Policy Online 12, http://extra.shu.ac.uk/ppp-online/beyond-badges-of-honour-young-peoples-perceptions-of-their-antisocial-behaviour-orders/ (accessed 8 November 2013).

98 Halford v. UK (1997) 24 EHRR 523.

99 R (Stanley, Marshall and Kelly) v. Metropolitan Police Commissioner, above n. 26, [29].


Ltd; Her Majesty’s Treasury v. Ahmed,100 in which the Supreme Court also based the Article 8 claim of the appellant on the effect that publication of the identity would have on his private life. Second, the right to privacy is not absolute and must be balanced against other rights and interests, as noted in the cases discussed above. Privacy claims in judicial proceedings are generally weak because they conflict with the principle of open justice contained in Article 6 of the ECHR. However, while Article 6(1) of the ECHR enshrines the right to a public hearing, it does specifically allow for the exclusion of publicity ‘where the interests of juveniles or the protection of the private life of the parties so require’. Specific mention of the possibility of excluding publicity in the case of juveniles asserts that, while the principle of open justice is a strong one,101 it is not absolute. Moreover, Article 8(2) makes it clear that the right to privacy, and thus the exclusion of publicity, is also not absolute. Incursions into the privacy rights of a young person may be justified under Article 8(2) when they are necessary and proportionate ‘for the prevention of disorder or crime’.102 In ASBO proceedings the case for an exception to the rule in favour of publicity is weakened by the various rationales offered in support of publication. Thus, publicity in relation to an ASBO may be acceptable if it is necessary to increase public safety, prevent crime and disorder or protect the rights and freedoms of others and is not disproportionate to those goals. The evidence that publicity achieves these aims is, however, scant.103 The rate at which ASBOs are breached suggests that there are serious questions about their effectiveness at preventing anti-social behaviour. Indeed, this is a key reason why the new Home Secretary plans to abolish ASBOs and replace them with more effective orders. Figures released in 2010 indicate that more than half of all ASBOs issued between June 2000

100 Re Guardian News and Media Ltd; Her Majesty’s Treasury v. Ahmed [2010] UKSC 1, [2010] 2 AC 697 (anonymity order relating to proceedings under anti-terrorism laws).

101 In Diennet v. France (Application no. 18160/91) [1995] ECHR 91, (1995) 21 EHRR 554, [33], the reason for the strong rule in favour of open justice was explained: ‘This public character protects litigants against the administration of justice in secret with no public scrutiny; it is also one of the means whereby confidence in the courts can be maintained. By rendering the administration of justice transparent, publicity contributes to the achievement of the aim of Art. 6(1), namely a fair trial, the guarantee of which is one of the fundamental principles of any democratic society.’

102 ECHR, above n. 1, Art. 8(2).

103 The following refers mainly to the UK since there is little evidence available about the operation of PBOs in WA, which became operational only in 2011.


and December 2009 were breached.104 Significantly, for young people aged between 10 and 17, the breach rate was much higher, at 65 per cent.105 This high rate of breach calls into question whether the benefits flowing from publicity (e.g. lower levels of anti-social behaviour) are proportionate to the considerable harms that publicity potentially entails (e.g. entrenchment of anti-social behaviour). It is also questionable whether ASBOs and the ensuing publicity are effective ways of combating anti-social behaviour. As Burney notes:

Quite obviously, given … that so many recipients are already well entrenched in crime, combined with the lack of any support system attached to the orders, breaches are fairly likely.106

There is little hard evidence to suggest that publication and shaming are actually effective and, therefore, necessary as a specific or general deterrent in the case of the young. The young are in the process of maturing and do not have the same ability to reason as adults. Often they lack the foresight and experience ‘to weigh the longer term against the shorter … [and] … to measure the probable against the possible’.107 Therefore, the abstract future threat of negative effects of publicity may not provide them with sufficient incentive to refrain from the prohibited behaviour. Further, it is well documented that young people have poor impulse control and are more readily subject to the influence of others.108 Apart from lacking the maturity to

104 Ministry of Justice, Statistical Notice: Anti-social Behaviour Order (ASBO) Statistics England and Wales 2008 (London, 28 July 2010). See also United Kingdom, Parliamentary Debate, House of Commons, 10 November 2009, Written Answers: Columns 330w–332w, (Miss McIntosh and Messrs Campbell, Wilson, Baldry, Woolas and Gerrard). It must be noted, however, that the statistics do not give a totally reliable picture. Breach numbers are based on the year the breach was proven, which may be different to the year that the ASBO was ordered; also an ASBO may be breached more than once in a year.

105 Ministry of Justice, Statistical Notice: Anti-social Behaviour Order (ASBO) Statistics, ibid.

106 E. Burney, ‘Talking Tough, Acting Coy: What Happened to the Anti-social Behaviour Order?’ (2002) 41 Howard Journal of Criminal Justice 469, 478.

107 Re S [1993] 2 FLR 437, 448.

108 See for example, G. Williams, Criminal Law, The General Part, 2nd edn (London: Stevens & Sons, 1961), p. 817; R. White, The Abnormal Personality, 3rd edn (New York: Ronald Press Company, 1964), p. 357; Blustein, above n. 94; E. Cauffman and L. Steinberg, ‘(Im)maturity of Judgment in Adolescence: Why Adolescents May Be Less Culpable than Adults’ (2000) 18 Behavioral Sciences & the Law 741; C. Fried and N. Reppucci, ‘Criminal Decision Making: the Development of Adolescent Judgment, Criminal Responsibility, and Culpability’ (2001) 25 Law and Human Behavior 45; T. Crofts, The Criminal Responsibility of Children and Young People (Aldershot: Ashgate, 2002); L. Steinberg and E. Scott, ‘Less Guilty by Reason of Adolescence: Developmental Immaturity, Diminished Responsibility, and the Juvenile Death Penalty’ (2003) 58 American Psychologist 1009; K. Monahan, L. Steinberg and E. Cauffman, ‘Affiliation


resist the pull of anti-social behaviour, a young person may even welcome the publicity associated with an order if it helps them gain recognition within their peer group.109 A recent survey also suggests that the public do not believe that ASBOs are effective, with only 8 per cent of respondents believing that ASBOs have been successful in combating anti-social behaviour.110 Furthermore, 79 per cent of respondents felt that anti-social behaviour in the UK had become more frequent, normal and tolerated.111 Such low levels of confidence that ASBOs are effective carry the implication that publicity does not achieve its stated aim of reassuring the public of their safety. Indeed, it has been suggested that ASBOs and the publicity given to them have the potential to undermine feelings of safety.112 Thus, rather than developing a feeling of security and trust that the state is in control of crime and disorder, publicity may actually have the opposite effect.113 Prior argues that the encouragement of ‘active citizenry’ to fight crime and anti-social behaviour can have the paradoxical result of increasing levels of suspicion in the community, which can contribute to the climate of fear of crime.114 Furthermore, there is evidence that publicity can actually hinder the ability of a young person to fully participate in legal proceedings. Research conducted by Chappell and Lincoln found that:

because of potential embarrassment concerning the exposure of sensitive personal and family related information in a public courtroom setting, their ability to give full and frank instructions to their legal representatives is much affected.115

with Antisocial Peers, Susceptibility to Peer Influence, and Antisocial Behavior During the Transition to Adulthood’ (2009) 45 Developmental Psychology 1520. The weight of research showing that young people lack maturity and a sense of responsibility compared to adults led to the majority of the US Supreme Court finding in Roper v. Simmons, 543 US 551 (2005) that it was unconstitutional to impose the death penalty on a person under 18.

109 Solanki et al., above n. 97.

110 Angus Reid, ‘Britons Remain Unconvinced By Anti-social Behaviour Orders’, (22 February 2012) Angus Reid Public Opinion, www.angus-reid.com/wp-content/uploads/2012/02/2012.02.22_Asbos_BRI.pdf (accessed 29 October 2013).

111 Ibid.

112 Prior, above n. 62, 363.

113 M. Lee, Inventing Fear of Crime (Gloucester: Willan, 2007).

114 Prior, above n. 62, 360.

115 D. Chappell and R. Lincoln, Naming and Shaming of Indigenous Youth in the Justice System: An Exploratory Study of the Impact in the Northern Territory (Australian Institute of Aboriginal and Torres Strait Islander Studies, 21 May 2012), p. 128.


There is therefore further potential for publicity to conflict with the right to a fair trial guaranteed in Article 6 of the ECHR. Taken together, these factors suggest that curtailing a young person’s privacy through publicising details of an ASBO or PBO may not be necessary or may be a disproportionate means to pursue the stated aims. In the absence of compelling evidence that publicity actually does encourage efficient control of ASBO and PBO subjects, that it deters anti-social behaviour, that it reassures the public and fosters faith in the state mechanisms of crime control, a cautionary use of publicity is advisable. The framework for accommodating privacy concerns is already contained in R (Stanley, Marshall and Kelly) v. Metropolitan Police Commissioner and the Home Office Guidance; they both provide that the decision about whether to restrict publicity should be an individualised decision, based on the merits of the case and a balancing of competing human rights interests. There is much to suggest that there is not necessarily a conflict between the young person’s right to privacy and the aim of crime control. Respect for a person’s privacy and fostering a person’s autonomy and sense of dignity are compatible with crime prevention. Conversely, disrupting a young person’s sense of dignity and reducing their future choices through publicising their brushes with the law can hinder their future development into law-abiding citizens and thus lead to further anti-social and criminal behaviour. The available evidence (or lack thereof) on the effectiveness of ASBOs suggests that it is not appropriate to assume that ‘[p]ublicising should be the norm not the exception’.116 Rather, there should be a return to the presumption that publicity will be allowed only in exceptional circumstances.

Conclusion

While criminology theory explains the harms that may flow from publication of details of a young person’s encounter with the legal system, reference to the concept of privacy gives a solid foundation to challenge the presumption in favour of publicity in relation to ASBOs and PBOs. The concept of privacy reinforces concerns that, in a criminological context, are usually presented under the notion of labelling, that is that harm to a person’s dignity and autonomy are likely to prejudice their future development as law-abiding citizens. A key feature of both privacy protection generally, and the protection of the anonymity of young people involved

116 Home Office, Publicising Anti-Social Behaviour Orders, above n. 55, p. 2.


in criminal proceedings specifically, is the recognition that these values are not absolute; they need to be balanced against competing public interests. Focusing on the measures introduced in the UK and WA that are intended to counteract crime and anti-social behaviour, this chapter has demonstrated that the decline of welfarism and rehabilitation has created a climate where there is less concern directed towards protecting the privacy of young people. Ensuing harms from publicity are now regarded as acceptable collateral damage of the need to reassert law and order and reassure that the state is in control of crime. Indeed, some perceive publicity as a positive means of reducing anti-social and criminal behaviour. However, the privacy interests of young people are not diametrically opposed to the public interest in community safety and crime prevention. Indeed, respect for a young person’s privacy, and minimising their public exposure, can foster their development into law-abiding citizens. Conversely, publicity can seriously hinder a young person’s development and, rather than fostering rehabilitation, could lead to more anti-social behaviour, thwarting the very purpose of the orders. The fact that ASBOs are breached at a rate of around 50 per cent (65 per cent in the case of young people) suggests that the orders and ensuing publicity are not very effective measures in reducing anti-social behaviour. There is also empirical evidence that they fail to reassure the public. This is, of course, a reason for the present UK Government to suggest a move towards newer, more efficient measures. Just how different these new measures will be remains to be seen. There is, however, no suggestion that such new measures would entail a movement away from the use of publicity. In the case of ASBOs and PBOs, the presumption is that publicity is to be the norm but that courts retain discretion to order anonymity. However, courts appear attuned to the purposes of ASBOs and appear reluctant to make an anonymity order to protect the privacy of the young person. In making decisions on publicity for ASBOs, courts in the UK also recognise that decisions on publication engage conflicting rights guaranteed under the ECHR. The right of an ASBO subject under Article 8 (privacy) needs to be balanced against the conflicting rights of members of the community who are the victims of anti-social behaviour. Express recourse to the privacy rights of young persons in ASBO proceedings signals that those restrictions on Article 8 rights need to be necessary for the prevention of crime and disorder, and be proportionate to the needs of the wider community. This requires that courts use their discretion in each case to make the order that is most appropriate to protect the conflicting rights, rather


than adopt a presumption in favour of publicity. While the absence of a similar human rights framework in WA means that privacy does not have the same legal significance for publicity decisions regarding PBOs, it would, nonetheless, be appropriate for WA authorities to have regard to the same considerations. In the absence of compelling evidence that publicity encourages efficient control of ASBO and PBO subjects, reassures the community and has a deterrent effect, there should be a cautionary use of publicity.

PART V Privacy and the Internet

12 Data privacy law and the Internet: policy challenges

Lee A. Bygrave

A repeat of the catch-up catechism?

Data privacy law is a relatively young field of regulation.1 It is also a child of modern information and communication technology (ICT).2 Remarkably, though, the bulk of codes making up its core were drafted before the widespread adoption of one of the most important manifestations of modern ICT: the Internet. Data transmission networks based on the Transmission Control Protocol and Internet Protocol (TCP/IP)3 became established as a ubiquitous backbone for electronic transactions by the late 1990s. At that time, the basic tenets of data privacy law were already long in place. While some of the most recent legislation in the field takes specific account of the Internet and its virtual worlds,4 most of the field’s seminal codes do

Research for this chapter has been supported by EINS, the Network of Excellence in Internet Science (www.internet-science.eu), which is funded through the European Commission’s 7th Framework Programme under Communications Networks, Content and Technologies (Grant Agreement no. 288021). References to legal instruments are to their amended state as of 1 October 2013, and all websites were last accessed on that same date.

1 At the risk of spelling out the obvious, ‘data privacy law’ herein denotes a set of legal norms that specifically govern the processing of personal data (i.e. data relating to and enabling identification of individual, physical/natural persons (and sometimes corporations and other legal persons)) in order to protect, at least partly, the privacy-related interests of the data subjects (i.e. the persons to whom the data relate). In Europe, such norms tend to be described as ‘data protection’. In Australia, Canada and the USA, they tend to be described in terms of protecting ‘privacy’, ‘information privacy’ or, increasingly, ‘data privacy’.

2 On the origins of this area of law, see L. A. Bygrave, Data Protection Law: Approaching Its Rationale, Logic and Limits (The Hague: Kluwer Law International, 2002), ch. 6.

3 The TCP/IP suite, developed by Vinton G. Cerf and Robert E. Kahn in the 1970s, currently provides the basic formats and rules for data transmission across the Internet, with TCP handling, inter alia, the packaging of data, and IP the routing of data. See further T. Socolofsky and C. Kale, Request for Comments (RFC) 1180: A TCP/IP Tutorial (January 1991) The Internet Engineering Task Force (IETF), www.ietf.org/rfc/rfc1180.txt.

4 See e.g. Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic


not. The latter include the 1981 Council of Europe (CoE) Data Protection Convention5 and the 1995 EU Data Protection Directive,6 both of which have been highly influential for regulatory policy in the field, nationally and internationally.7 The Data Protection Directive is particularly noteworthy because the five years of negotiations preceding its enactment8 coincided with the public emergence of the Internet from its academic chrysalis. One might have thought this development would be duly reflected in the Data Protection Directive’s provisions, but little direct trace of it can be found therein. This is true of a raft of other EU Directives enacted during the 1990s with the aim of regulating various effects of ICT – for example, Directives on protection of databases, software and telecommunications privacy respectively.9

Communications Sector (Directive on Privacy and Electronic Communications) [2002] OJ L 201 (hereinafter Electronic Communications Privacy Directive), p. 37. See also European Commission, Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of such Data (General Data Protection Regulation) (Brussels, 25 January 2012) 2012/0011(COD) (2012) (hereinafter Commission Proposal), especially Arts. 3, 17 and 18.

5 Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, opened for signature 28 January 1981, CETS no. 108 (entered into force 1 October 1985) (hereinafter Convention 108).

6 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data [1995] OJ L 281, p. 31 (hereinafter Data Protection Directive).

7 See further, G. Greenleaf, Chapter 6 (in this volume) and L. A. Bygrave, Data Privacy Law: An International Perspective (Oxford University Press, 2014), pp. 31–43, 53–64.

8 European Commission, Proposal for a Council Directive Concerning the Protection of Individuals in Relation to the Processing of Personal Data (Brussels, 13 September 1990) COM(90) 314 final, followed by an amended proposal: European Commission, Amended Proposal for a Council Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (Brussels, 16 October 1992) COM(92) 422 final.

9 Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the Legal Protection of Databases [1996] OJ L 77, p. 20; Directive 91/250/EEC of the European Parliament and of the Council of 14 May 1991 on the Legal Protection of Computer Programs [1991] OJ L 122, p. 42 (repealed and replaced by Directive 2009/24/EC of the European Parliament and of the Council of 23 April 2009 on the Legal Protection of Computer Programs [2009] OJ L 111, p. 16); Directive 97/66/EC of the European Parliament and of the Council of 15 December 1997 Concerning the Processing of Personal Data and the Protection of Privacy in the Telecommunications Sector [1998] OJ L24, p. 1 (repealed and replaced by Directive 2002/58/EC of the European Parliament and of the Council Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector (Directive on Privacy and Electronic Communications) [2002] OJ L 201, p. 37).


Up until at least the mid 1990s, many governments showed little speciic concern for regulating the Internet. Leib notes, for example, that ‘[u]ntil the second half of the 1990s, the Internet was almost an irrelevant issue in the plans of the European Union’.10 his was partly due to the rapidness with which the Internet emerged as a global communications medium. he speed caught most governments by surprise. At the same time, the Internet presented a unique set of regulatory challenges – elaborated in the third section of this chapter – that, initially at least, confounded governments. On top of these challenges have come more generic problems, particularly the slow pace at which legislative processes usually occur and the customary diiculties of reaching meaningful intergovernmental agreement on the details of any international regulatory instrument. So, despite being a child of the computer age, data privacy law appears to conirm yet again the stereotype of law generally being caught on the back foot by runaway technology. I write ‘appears’ because part of this chapter’s remit is to discuss whether, and to what extent, data privacy law has indeed been outpaced by internet-related developments. he chapter further discusses the challenges involved in formulating data privacy law so that those developments do not unabatedly corrode the fragile bedrock of privacy and related interests in the digital environment. European law forms the main legal point of reference for the chapter, although much of the discussion is relevant for regulatory policy outside Europe too. In the following, I irst consider regulatory challenges that are essentially concerned with semantics – more speciically, the degree to which the terminological apparatus of data privacy law embraces the Internet. 
Thereafter I consider challenges of a deeper structural nature – more specifically, the degree to which the broad thrust of data privacy law is at loggerheads with the direction in which the Internet is being developed and used. My basic argument is that data privacy law makes a fairly good fist of the first-mentioned set of challenges, although it struggles to provide adequate prescriptive guidance for behaviour in the online world. However, data privacy law struggles harder to meet the second-mentioned set of challenges. And it struggles to a degree that raises serious doubts over its ability to function as much more than symbolic legislation in respect of large swathes of internet usage. That struggle, I argue, is complicated by the risk of regulatory overreaching. The latter term is used

10 V. Leib, ‘ICANN – EU Can’t: Internet Governance and Europe’s Role in the Formation of the Internet Corporation for Assigned Names and Numbers (ICANN)’ (2002) 19 Telematics and Informatics 159, 161.


Lee A. Bygrave

here to denote either of two situations: (i) a situation in which data privacy law unduly stifles internet ‘generativity’ – that is, the network’s ability to facilitate innovation11 – or other related societal values, such as freedom of expression; and (ii) a situation in which the law is given such broad application that it stands scant chance of enforcement. Both situations are likely to engender disrespect for the law.

Semantics and shifting digital sands

A principal challenge for any effective regulatory policy is to ensure that its terminological apparatus is properly aligned with the object of regulation. Proper alignment is usually predicated on accurately understanding the object that one intends to regulate. Such understanding includes appreciating points of uncertainty over the nature of that object. To some extent, the Internet is an easily comprehensible object of regulation. Most of us use it frequently, are sensitive to its basic features and are familiar with considerable parts of the transactional dimensions it creates – its cyberspace. Yet the Internet is also a communications platform that is continually evolving along multiple planes. Its parameters are accordingly far from stable, thus defying ready, clear-cut definition. In the mid 1990s the Internet was usually pegged specifically to the TCP/IP suite and extensions of that suite. An example in point is the following definition by the former US Federal Networking Council (FNC):12

‘Internet’ refers to the global information system that (i) is logically linked together by a globally unique address space based on the Internet Protocol (IP) or its subsequent extensions/follow-ons; (ii) is able to support communications using the Transmission Control Protocol/Internet Protocol (TCP/IP) suite or its subsequent extensions/follow-ons, and/or other IP-compatible protocols; and (iii) provides, uses, or makes accessible, either publicly or privately, high level services layered on the communications and related infrastructure described herein.13

11 See e.g. J. Zittrain, ‘The Generative Internet’ (2006) 119 Harvard Law Review 1974, 1981 (‘Generativity is a function of a technology’s capacity for leverage across a range of tasks, adaptability to a range of different tasks, ease of mastery, and accessibility’).

12 The Council was subsequently integrated into the Large Scale Networking Coordinating Group under the auspices of the US National Coordination Office for Networking and Information Technology Research and Development (NITRD).

13 FNC Resolution: Definition of ‘Internet’ of 24 October 1995 (30 October 1995) The Network and Information Technology Research and Development (NITRD) Program, www.nitrd.gov/fnc/Internet_res.aspx.


These days, however, the Internet is often perceived as synonymous with global online communications infrastructure generally. As Solum writes:

In the broad sense, the Internet is a complex entity that includes the hardware and software technical infrastructure, the applications, and the content that is communicated or generated using those applications. In the broad sense, the Internet includes millions of computers running a myriad of applications generating, manipulating, and retrieving a vast array of information. More concretely, the Internet in the broad sense includes the personal computer used to write this chapter, fibre-optic cable, routers, servers, web-browsers, Google, Yahoo, myspace, YouTube, the online edition of the New York Times, millions of weblogs, tens of millions of Internet-enabled mobile phones, and billions of email messages.14

Solum thus claims that ‘[t]he fundamental object of a study of Internet governance is the general type – the universal network of networks – and not the specific token – the existing Internet, based on TCP/IP’.15 I agree. Indeed, the first lesson for any regulatory policy dealing with the Internet is that such policy ought not to be exclusively tied to a notion of the Internet that is, in turn, exclusively tied to TCP/IP or any other specific protocols. The propriety of this lesson is underlined by the Internet’s origins in a network that initially did not use the TCP/IP suite.16 We cannot assume that the suite (at least in its current form) will remain central to internet functionality in the long term. For the most part, the architects of data privacy law have learned that lesson – or, perhaps more accurately in some cases, incidentally implemented it – quite easily. With some exceptions, the provisions of data privacy law have tended to be pitched in relatively generic, technology-neutral terms. This reflects not just a concern to insulate data privacy law from obsolescence in the face of technological developments but also uncertainty as to the precise direction of those developments. Much of the law has hence been formulated so that it may speak to a fairly open-ended range of platforms for data processing, including internet-based platforms, though not necessarily with sensible results. As noted, there have been exceptions. The Telecommunications Privacy Directive (97/66/EC) was

14 L. B. Solum, ‘Models of Internet Governance’ in L. A. Bygrave and J. Bing (eds.), Internet Governance: Infrastructure and Institutions (Oxford University Press, 2009), pp. 48, 49.

15 Ibid., p. 50.

16 The suite was only made mandatory from the early 1980s. See further J. Bing, ‘Building Cyberspace: A Brief History of Internet’ in L. A. Bygrave and J. Bing (eds.), Internet Governance: Infrastructure and Institutions (Oxford University Press, 2009), pp. 8, 27.


one. Despite being aimed at regulating aspects of the then nascent market for digital telecommunications services – including interactive television and video-on-demand – its provisions bore the imprint of notions of traditional telephony. Its application to TCP/IP-based communication was concomitantly plagued by uncertainty. Hence, not long after entering into force, this Directive had to be repealed and replaced by the Electronic Communications Privacy Directive (2002/58/EC),17 the provisions of which are more readily applicable to the Internet. Another exception is the focus of some of the older codes on regulating ‘files’ or ‘registers’ of personal data. Convention 108 is a case in point.18 Such a focus fits awkwardly with a world of distributed data networks, although the Convention’s Explanatory Report over-optimistically suggests otherwise.19 The Data Protection Directive avoids the problem altogether as its focus is on the processing of personal data, largely regardless of the way in which the data is organised – the register/file notion persists only with respect to manually processed data.20 These exceptions aside, the Internet has tended not to escape the ambit of data privacy law’s terminological apparatus. The courts have aided this capture. For instance, the European Court of Human Rights (ECtHR) has held that the (prima facie undefined) term ‘correspondence’ in Article 8(1) of the European Convention on Human Rights (ECHR),21 which provides for the right to respect for, inter alia, private life and correspondence, embraces electronic mail and ‘personal Internet usage’.22 Moreover, as shown further below, the Court of Justice of the EU (hereinafter European Court of Justice or ECJ) has readily applied the provisions of the Data Protection Directive to internet-related activity, albeit where reasonable to do so. Of the nineteen decisions handed down by the

17 Above n. 4.

18 See especially CoE Data Protection Convention, above n. 5, Arts. 7 and 8.

19 Council of Europe, Explanatory Report on the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Strasbourg, 1981), [30] (stating that the notion of ‘file’ in the Convention ‘covers not only data files consisting of compact sets of data, but also sets of data which are geographically distributed and are brought together via computer links for purposes of processing’).

20 Data Protection Directive, above n. 6, Art. 3(1).

21 Convention for the Protection of Human Rights and Fundamental Freedoms, opened for signature 4 November 1950, 213 UNTS 222 (entered into force 3 September 1953).

22 Copland v. UK (Application no. 62617/00) [2007] ECHR 253, (2007) 45 EHRR 37, [41]. This is in keeping with the Court’s ‘dynamic’ or ‘evolutive’ interpretative method which treats the ECHR as a ‘living instrument which … must be interpreted in the light of present-day conditions’: Tyrer v. UK (Application no. 5856/72) [1978] ECHR 2, (1978) 2 EHRR 1, [31].


ECJ that touch upon the Data Protection Directive, seven – that is over a third – concern internet-based processing of personal data. That number will soon rise to eight as an important case on the applicability of the Data Protection Directive to internet search engines is pending.23 This is not to say that application of legal codes on data privacy to the Internet is free of problems. A significant drawback is that the terminological generality that facilitates (intentionally or incidentally) these codes’ application to the Internet detracts from their ability to provide practical ‘rules of the road’ in the shifting digital sands. Herein is the nub of a recurring regulatory dilemma: how to provide sufficient prescriptive guidance without unduly compromising normative flexibility in the face of technological change and uncertainty over the direction of that change. The dilemma afflicts numerous areas of regulatory policy, though is particularly acute in this field. The paucity of prescriptive guidance that data privacy law provides for online behaviour is exacerbated by several factors. First, there is the above-noted fact that many of the seminal codes in the field were drafted with scant, if any, conscious account taken of the Internet or the digital environment more generally. These codes accordingly fail to tackle key definitional issues for their application in an online context. Examples are the scope of the term ‘personal data’ with respect to IP addresses and of the term ‘transfer’ (of personal data) with respect to hyperlinks and cloud computing.24 Even the Electronic Communications Privacy Directive, which was drafted with the Internet specifically in mind, falls short in this regard.
Although expressly covering some important and controversial aspects of the online world – for example use of cookie mechanisms and logging and use of traffic data25 – the Electronic Communications Privacy Directive does not directly clarify the putative status of IP addresses as ‘personal data’. And its provisions on cookie usage have been rightly criticised for lacking both clarity and practicability.26 Such criticism is shared by both the companies that provide internet-based services and, occasionally, by the supervisory authorities (hereinafter data privacy authorities

23 Reference for a Preliminary Ruling from the Audiencia Nacional (Spain) lodged on 9 March 2012 – Google Spain, S.L., Google Inc. v. Agencia Española de Protección de Datos, Mario Costeja González (Case C-131/12), [2012] OJ C 165, p. 11.

24 See further e.g. S. Y. Esayas, ‘A Walk in the Cloud and Cloudy It Remains: the Challenges and Prospects of “Processing” and “Transferring” Personal Data’ (2012) 28 Computer Law & Security Review 662 and references cited therein.

25 See Electronic Communications Privacy Directive, above n. 4, Arts. 5, 6 and 15.

26 See e.g., D. Lee, ‘Web Software Firm Taunts UK Data Regulator over Cookies’, BBC News (Online), 6 September 2012, www.bbc.co.uk/news/technology-19505835.


or DPAs) that are specifically tasked with monitoring the implementation of data privacy rules.27 Case law, or the lack of it, compounds some of these problems. In many jurisdictions, court decisions that treat, in detail, the provisions of data privacy legislation, remain few and far between.28 Decisions considering these provisions in the digital context are even rarer. There are, though, an increasing number of decisions in the latter category. Yet they still leave numerous internet-related issues unanswered and they are, in some respects, inconsistent with each other. This is not so much the fault of the courts – rather, the cause is the inconsistency and ambiguity of the legislation the courts are called on to consider. Inconsistency and ambiguity have been especially salient over the vexed issue as to whether IP addresses may constitute ‘personal data’ – a threshold issue for the application of data privacy law to the processing of data that is primarily linked to such addresses. The criteria for determining what constitutes ‘personal data’ are complex and difficult enough to apply in an offline context, let alone in the online world.29 European DPAs have generally taken the view that IP addresses are personal data,30 while courts have been divided. This division partly reflects differences in statutory definitions of ‘personal data’. For instance, the Irish High Court has ruled that, for the purposes of the Irish Data Protection Act 1988 (as amended), an IP address that is gathered on behalf of the holders of intellectual property rights (IPR) is not personal data in the hands of the latter when it is unlikely that they will attempt to find the name and contact details of the person behind the address.31 The Act defines ‘personal data’

27 See e.g. the criticism by the head of Norway’s Data Inspectorate (Datatilsynet) of the proposed Norwegian transposition of the cookies rules in the Electronic Communications Privacy Directive: B. E. Thon, ‘Cookies: Regjeringen har valgt en dårlig løsning’ (5 March 2013) Personvernbloggen, www.personvernbloggen.no/2013/03/05/cookies-regjeringenhar-valgt-en-darlig-losningen.

28 In Norway, for instance, the Supreme Court has only just recently handed down its first decision in which it construes at length several provisions of the country’s central data privacy legislation, passed over a decade ago: see decision of 31 January 2013, reported in Norsk Retstidende (Norwegian Law Reports) 2013, p. 143. See further Bygrave, Data Privacy Law, above n. 2, pp. 129f.

29 For recent detailed discussion of these criteria in relation to online data processing, see e.g. W. K. Hon, C. Millard and I. Walden, ‘The Problem of “Personal Data” in Cloud Computing: What Information is Regulated? – the Cloud of Unknowing’ (2011) 1 International Data Privacy Law 211; J.P. Moiny, ‘Are Internet Protocol Addresses Personal? The Fight Against Online Copyright Infringement’ (2011) 27 Computer Law & Security Review 348.

30 See Article 29 Data Protection Working Party (WP29), Opinion 4/2007 on the Concept of Personal Data (WP 136, adopted on 20 June 2007), p. 16.

31 EMI Records v. Eircom Ltd [2010] IEHC 108, [24]–[25]. Here, the IPR-holders were seeking injunctive relief from an Internet Service Provider (ISP) whereby the latter was being


as ‘[d]ata relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller’ (s. 1); in other words, the controller (in this context, an IPR-holder) is the only legally relevant agent of identification. This is in contrast to the equivalent definition in the Data Protection Directive, which requires account to be taken of the means of identification ‘likely reasonably to be used’ not just by the controller but by ‘any other person’ (recital 26 in the preamble; see too Article 2(a)). Some national courts applying the latter definition (or national legislation that faithfully transposes it) have regarded IP addresses in the hands of IPR-holders as ‘personal data’ if an internet service provider (ISP) can (without great effort) connect the addresses to particular persons.32 Other courts have not.33 The ECJ, however, has repeatedly held that IP addresses are personal data, but its decisions on point are cursory and fail to distinguish clearly the status of IP addresses vis-à-vis IPR-holders and their status vis-à-vis ISPs.34 The failure could imply that the ECJ considers the distinction legally irrelevant for the purposes of the Data Protection Directive, but we cannot be sure. Other instances of vexing internet-related questions that the ECJ has considered but failed to clarify, to a desirable degree, concern the meaning of ‘personal or household activity’ and the meaning of ‘transfer’ in, respectively, Articles 3(2) and 25 of the Data Protection Directive. The Court tackled both questions a decade ago in the case of Bodil Lindqvist.35

asked to restrict internet access for those of its customers who persistently infringe copyright. The judge noted that ‘the plaintiffs have left behind what they reasonably regard as an expensive and futile pursuit of the identity of copyright tortfeasors in favour of injunctive relief that has been expressed … as a protocol to choke off the problem in a three stage process that never involves the identification of any wrongdoer’ (see [24]).

32 See e.g. Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter (EDÖB) v. Logistep, Bundesgericht [Federal Court], 1C-285/2009, 8 September 2010, (2010) BGE 136 II 508. See also the decision of 8 June 2007 by the Stockholm Administrative Court of Appeal (Kammarrättan) in Case 285/07; upheld by the decision of 16 June 2009 by the Swedish Supreme Administrative Court (Regeringsrätten) in Case 3978–07; both decisions available at http://arkiv.idg.se/it24/SthlmRRejpt_3978_07.pdf.

33 See e.g. Cour d’appel de Paris [Paris Court of Appeal], Anthony G. v. Société Civile des Producteurs Phonographiques (SCPP) (27 April 2007), www.legalis.net/spip.php?page=jurisprudence-decision&id_article=1954; and Cour d’appel de Paris [Paris Court of Appeal] Henri S. v. SCPP (15 May 2007), www.legalis.net/spip.php?page=jurisprudence-decision&id_article=1955.

34 See e.g. Productores de Música de España (Promusicae) v. Telefónica de España SAU (C-275/06) [2008] ECR I-271, [45]; Scarlet Extended SA v. Société belge des auteurs, compositeurs et éditeurs SCRL (SABAM) (Case C-70/10) [2011] (Unreported), [41]; Bonnier Audio AB v. Perfect Communication Sweden AB (Case C-461/10) [2012] (Unreported), [52].

35 Bodil Lindqvist (Case C-101/01) [2003] ECR I-12971.


This case attracted widespread public attention at the time it was decided, largely because of its relevance for the increasingly large number of people who, in an ostensibly private or semi-private capacity, were setting up personal internet ‘homepages’ from which information about other persons could be spread.36 It hails, though, from a time before Facebook and other online social networks (OSNs) gained massive popularity. Nonetheless, it is worthwhile considering in some detail as it remains the ‘Internet case’ par excellence in ECJ jurisprudence on data privacy. One of the questions considered in the case was whether the website-publishing activity at issue fell within the exception to the ambit of the Data Protection Directive, provided for in the second indent of Article 3(2), which states that the Directive does not apply to data processing by a natural person ‘in the course of a purely personal or household activity’. The Court held that this exception ‘must … be interpreted as relating only to activities which are carried out in the course of private or family life of individuals, which is clearly not the case with the processing of personal data consisting in publication on the Internet so that those data are made accessible to an indefinite number of people’.37 This is a sensible result. Nonetheless, the Court otherwise provided little guidance as to when a webpage with personal data would be sufficiently private to fall within the ambit of Article 3(2). More specifically, it gave no guidance as to when a lesser degree of accessibility (e.g. by a smaller and limited number of people) may make a website private for the purposes of Article 3(2) or as to what mechanisms might be sufficient to limit accessibility and thereby make a website private – would, for instance, a password mechanism be sufficient?
These questions are, to put it mildly, of more than theoretical interest in light of the explosion in OSN growth.38 Further questions arise with respect to that part of the Court’s judgment dealing with the applicability of Article 25 of the Data Protection Directive to website publishing. Article 25 restricts ‘transfer’ of personal data from EU member states to third countries lacking ‘adequate’ data

36 Lindqvist worked on a voluntary basis for her local parish church in Sweden, preparing parishioners for their confirmation. In that role she posted information about some of her fellow parish workers on internet homepages that she had set up using her personal computer at home, without first informing her colleagues or getting their consent.

37 Bodil Lindqvist, above n. 35, [47].

38 In Norway, for example, there was disagreement between the Data Inspectorate and the Tribunal that handles appeals from decisions by the Inspectorate as to whether the country’s first major OSN, Nettby (which at the height of its popularity had 750,000 registered


privacy regimes. The Court found that the publishing activity in dispute did not constitute a data ‘transfer’ for the purposes of Article 25, on three grounds. First, it held that the uploading of the data to the webpage did not lead to a direct transfer of the data to a person who might access the data from a third country; the transfer would instead occur ‘through the computer infrastructure of the hosting provider where the page is stored’.39 The second ground was that, in light of the state of technological development at the time the Data Protection Directive was drawn up, the Court could not presume a legislative intention that the provisions on transborder data flow embrace website publishing:

Given, first, the state of development of the internet at the time [the Data Protection Directive] was drawn up and, second, the absence, in Chapter IV, of criteria applicable to use of the internet, one cannot presume that the Community legislature intended the expression ‘transfer [of data] to a third country’ to cover the loading, by an individual in Mrs Lindqvist’s position, of data onto an internet page, even if those data are thereby made accessible to persons in third countries with the technical means to access them.40

A third justification was based on the consequence of concluding otherwise:

If Article 25 of [the Data Protection Directive] were interpreted to mean that there is ‘[transfer data] to a third country’ every time that personal data are loaded onto an internet page, that transfer would necessarily be a transfer to all the third countries where there are the technical means needed to access the internet. The special regime provided for by Chapter IV of the [D]irective would thus necessarily become a regime of general application, as regards operations on the internet. Thus, if the Commission found, pursuant to Article 25(4) of [the Data Protection Directive], that even one third country did not ensure adequate protection, the Member States would be obliged to prevent any personal data being placed on the internet.41

members but closed down in the face of competition from Facebook), was a private space falling within the exception under Norwegian law that equates with Art. 3(2) of the Data Protection Directive. The Inspectorate took the view that the exception applies with respect to those elements of the OSN that were only accessible to registered members, even though the membership size was extremely large. The Tribunal disagreed, arguing that the size of membership took the OSN beyond what could properly be deemed a ‘private’ space. See further Personvernnemnda [Privacy Tribunal], Klage på Datatilsynets vedtak om sletting av personopplysninger som stammer fra det nedlagte nettsamfunnet Nettby (23 October 2013), www.personvernnemnda.no/vedtak/2012_03.htm. I find the Tribunal’s line more persuasive than the Inspectorate’s.

39 Bodil Lindqvist, above n. 35, [61].

40 Ibid., [68].

41 Ibid., [69].


The first- and second-mentioned justifications are not especially convincing. As Svantesson aptly comments regarding the first:

While it is true that Lindqvist could not transfer the content of her website to an Internet user that was not connected to the Internet at the time, or who did not wish to take the steps necessary to visit her website, that is no different to the fact that a TV station cannot provide TV programs to somebody who does not turn on their TV, or who does not choose the TV station’s particular channel.42

As for the second ground, one may more convincingly argue that the Data Protection Directive’s technology-neutral language bespeaks a legislative intention that its provisions may apply to a variety of data-processing platforms, including the Internet, unless there is clear indication otherwise (which there is not).43 Moreover, it was disingenuous of the Court to suggest that the Data Protection Directive predates the stage of internet development at which website publishing of the kind in dispute was possible – such publishing was being done by 1995, albeit not on the scale that it later reached.44 The third-mentioned justification, though, is convincing. Svantesson correctly observes that the justification builds implicitly on a test of reasonableness that ensures compatibility of the law with the technology.45 Yet one can also see it as concerned with hindering either of the two situations of regulatory overreaching that are outlined above. The need to tackle regulatory overreaching is elaborated on in the ensuing sections. Returning to the issue of prescriptive guidance, the Court’s reasoning in Lindqvist left unclear the status, under the rules on transborder data transfer, of several parameters by which data is actually disseminated via the World Wide Web and related platforms. One such parameter is the location of the server(s) of the hosting provider – does that location matter? Another is the kind of access to hosted data that persons in third countries are given – for example, may we properly speak of a transborder transfer of such data when the access is intentionally provided by the uploader and restricted to predefined persons or organisations? We find considerable disagreement amongst scholars over the legal significance of various permutations of these parameters.46 Again, these uncertainties are unfortunate given the immense development of OSNs and cloud

42 D. J. B. Svantesson, ‘Privacy, Internet and Transborder Data Flows: An Australian Perspective’ (2010) 4 Masaryk University Journal of Law and Technology 1, 15.

43 Ibid.

44 Ibid.; C. Reed, Making Laws for Cyberspace (Oxford University Press, 2012), p. 159.

45 Svantesson, ‘Privacy, Internet and Transborder Data Flows’, above n. 42 p. 16.

46 See e.g. Esayas, above n. 24, pp. 668–9 and references cited therein.


computing services in the decade since the Lindqvist decision was handed down. And in light of that development, it is especially unfortunate that the Commission’s proposal for a new Data Protection Regulation – which basically follows the Data Protection Directive’s regime on transborder data flow (Chapter V of the proposal) – does not define ‘transfer’! Admittedly, though, these uncertainties have not held back that development in any significant way. Nor have they been the subject of high-profile litigation. The latter fact is somewhat ominous from a privacy protection perspective as it could suggest that transborder data flow occurs over the Internet largely regardless of the restrictions data privacy law attempts to impose. Indeed, any sober look at the almost stupendous scale of internet-based data dissemination will see that those restrictions are seriously struggling to gain traction. This takes us from the regulatory challenges of semantics and prescriptive guidance over to deeper structural challenges for data privacy law.

Sand in the machinery

From the very beginnings of its use as a publicly available communications infrastructure, the Internet has presented unique regulatory challenges, particularly for the application of statutory controls. As Mueller points out, one set of challenges stems from the global ambit of internet communication and the ‘quantum jump’ in its scale.47 Another challenge stems from the Internet’s distribution and disaggregation of control: ‘[d]ecision-making authority over standards and critical Internet resources rests in the hands of a transnational network of actors that emerged organically alongside the Internet, outside of the nation-state system’.48 Moreover, the Internet ‘changes the polity’ by facilitating ‘radical changes in collective action possibilities’.49 On top of this, it is important to highlight the growing complexity of the Internet’s governance structure since 2000, particularly with its morphing into a complex congeries of intranets, many of which operate, in effect, as walled gardens with their own rules, procedures and cultures. All up, the Internet’s pervasiveness, combined with its multifaceted yet loose governance structure, means that it transcends ready capture by any single established regulatory model.50

47 M. L. Mueller, Networks and States: the Global Politics of Internet Governance (Cambridge, MA: MIT Press, 2010), p. 5.

48 Ibid.

49 Ibid.

50 See also Solum, above n. 14.


Additionally, the Internet creates special challenges for the realisation of data privacy interests. The most obvious of these is its core raison d’être, which is not about containment but communication of data, personal or otherwise. One of the Internet’s overarching effects has been to greatly enhance a broad societal trend of electronic interpenetration of previously separate spheres of activity by enabling greater dissemination, use and reuse of data across traditional organisational boundaries and other contextual borders. Part and parcel of this is the Internet’s facility for preserving and replicating data in multiple digital arenas – often long past the ‘use-by’ date set by data privacy law. Furthermore, the ability to quickly locate, track and consolidate data across these arenas is being improved through a variety of ever-more-sophisticated software applications (search engines, persistent third-party cookies, metadata tagging, etc.). Increasingly refined algorithms and methods of data analytics are improving the ability to draw meaningful correlations between the resultant data sets, and between the latter and other sets. As the data sets under analysis grow – the stuff of ‘big data’ – so too do the possibilities for finding links between them and individual persons; in other words, the possibilities for achieving real data anonymisation shrink.51 The ability to build up profiles of data subjects is being enhanced, not just through the tracking of online behaviour but also the gradual convergence of the online and offline worlds. That convergence is partly engendered by the integration of the Internet’s connectivity into mobile devices with geolocation capabilities and into an expanding range of other ‘things’. Yet it is also engendered by new business arrangements.52 All of these patterns create serious stress points for data privacy law.
They run directly counter to many of the law’s core principles – at least as expounded in European codes – especially the principle of minimality (i.e. the amount of personal data collected should be limited to what is necessary to achieve the purposes for which the data is gathered and further processed, and the data should be deleted when no longer necessary

51 See further e.g. A. Narayanan and V. Shmatikov, ‘Robust De-anonymization of Large Sparse Datasets’ in SP ’08 Proceedings of the 2008 IEEE Symposium on Security and Privacy (IEEE Computer Society, 2008), pp. 111–25; A. Narayanan and V. Shmatikov, ‘De-anonymizing Social Networks’ in SP ’09 Proceedings of the 2009 30th IEEE Symposium on Security and Privacy (IEEE Computer Society, 2009), pp. 173–87.

52 A case in point being Facebook’s recent partnership with Datalogix, which specialises in monitoring the offline shopping behaviour of some 70 million North Americans with respect to over 1,000 retailers. See further G. Nasri, ‘How Facebook Will Track your Offline Life with Datalogix’, (16 October 2012) Digital Trends, www.digitaltrends.com/social-media/b-datalogix/.

Data privacy law and the Internet


for those purposes),53 the principle of purpose limitation or finality (i.e. personal data should be collected for specified, legitimate purposes, and not used in ways that are incompatible with those purposes)54 and the principle of data subject influence (i.e. data processing should be transparent to, and capable of being influenced by, the data subject).55 As intimated at the end of the previous section, they also run counter to the rules that attempt to restrict transborder data flow. I am not suggesting that these norms are always or uniformly breached by the above developments or that those responsible for the latter never or rarely attempt to comply with them. But, for Europe at least, there is a fundamental collision between the basic thrust of the norms and the underlying logic of the developments. This means at the very least that data privacy law and DPAs have their work cut out if they are meaningfully to safeguard privacy in the internet environment. Within the US legal system, the collision is not as profound because data privacy law there is more lax than European law. The coverage it offers, particularly with respect to private sector bodies’ processing of personal data, is haphazard and riddled with gaps. For example, legislative safeguards refrain from imposing a stringent form of the principle of purpose limitation – indeed, the principle is largely absent from the core codes on point. They permit a considerable degree of contractual override of data subjects’ privacy interests. They do not impose privacy-related restrictions on export of personal data to other countries. Monitoring and enforcement schemes for data privacy are also far less developed than in Europe. There is no federal regulatory authority with the mandate and powers of European DPAs.56 All of this does not lessen the burden of providing meaningful privacy protection in the internet environment but adds to it.
At the same time, the track record of European data privacy law does not inspire confidence. Fairly extensive evidence indicates weak levels of enforcement, compliance and awareness with respect to many of the European national laws in the field. This is particularly disturbing given that European regimes are often held up as providing strong levels of data privacy in the global context. Some of this evidence came to light during the European Commission’s first study on the implementation of the

53 See e.g. Data Protection Directive, above n. 6, Arts. 6(1)(c), 6(1)(e), 7 and 8.

54 See e.g. ibid., Art. 6(1)(b).

55 See e.g. ibid., Arts. 10–12, 14–15.

56 See further generally D. J. Solove and P. M. Schwartz, Information Privacy Law, 4th edn (New York: Wolters Kluwer Law & Business, 2011).


Data Protection Directive, undertaken a decade ago.57 More recent studies have backed up its findings.58 Taken together, the studies show that DPAs in Europe are generally under-resourced, leading in turn to under-resourcing of enforcement efforts. Compliance by data controllers is often patchy, though they are generally supportive of the aims of data privacy law. A substantial amount of transborder data flow is not being subjected to regulation at all. Significantly, the Commission itself recognises the regulatory challenges posed by the internet-related developments outlined above, referring to the ‘data explosion’ they cause, and adding:

This ‘data explosion’ inevitably raises the question whether legislation can fully cope with some of these challenges, especially traditional legislation which has a limited geographical field of application, with physical frontiers which the Internet is rapidly rendering increasingly irrelevant.59

These challenges are compounded by the potentially broad reach of the law, particularly in light of its liberal conception of ‘personal data’. As noted above, in the era of ‘big data’, more and more data that appears to be anonymous is not; thus, more and more data that once may have fallen outside the ambit of data privacy law is, in principle, subject to it. In one sense this is fine, but it increases the risk of regulatory overreaching. On this point, the amendments initially suggested by the European Parliament’s lead rapporteur on the proposal for a new Data Protection Regulation strike out in two directions. One direction arguably augments the reach of the rules by providing, inter alia, that a data subject is not just a person who can be ‘identified’ from data but alternatively can be ‘singled out … alone or in combination with other data’.60 I am not

57 European Commission, First Report on the Implementation of the Data Protection Directive (95/46/EC) (Brussels, 15 May 2003) (COM(2003) 265 final).

58 See e.g. EU Agency for Fundamental Rights, Data Protection in the European Union: the Role of National Data Protection Authorities (Luxembourg: Publications Office of the EU, 2010); LRDP KANTOR Ltd and Centre for Public Reform for the European Commission, Comparative Study on Different Approaches to New Privacy Challenges, in Particular in the Light of Technological Developments: Final Report (20 January 2010), http://ec.europa.eu/justice/policies/privacy/docs/studies/new_privacy_challenges/final_report_en.pdf. For supportive Norwegian evidence on point, see I.-A. Ravlum, Behandling av personopplysninger i norske virksomheter (Oslo: Transportøkonomisk Institutt, 2006).

59 European Commission, First Report on the Implementation of the Data Protection Directive (95/46/EC), above n. 57, p. 4.

60 European Parliament, Committee on Civil Liberties, Justice and Home Affairs (Rapporteur: J. P. Albrecht), Draft Report on the Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation) (Brussels, 16 January 2013) (COM(2012)0011 – C7–0025/2012–2012/0011(COD))


entirely convinced that the ‘singling out’ criterion substantially adds to the ‘identifiability’ criterion; the essence of identification is, after all, the possibility of distinguishing one person from another.61 Yet it seems to be regarded as a substantive addition in relation to the status of IP addresses. According to the Albrecht Report, such addresses will constitute personal data since they ‘leave traces and can be used to single out natural persons’, though this will not be the case ‘for the IP addresses used by companies’.62 The Commission proposal, on the other hand, seems to indicate that IP addresses will only constitute personal data if ‘used to create profiles of the individuals and identify them’.63 In the other direction, however, the Albrecht Report proposes subjecting pseudonymous data to slightly less stringent rules for processing.64 This is to be commended, and could be followed through to an even greater extent than the rapporteur suggests. The potential for regulatory overreaching looms otherwise large in respect of the jurisdictional reach of the law, more specifically its claims to extraterritorial effect. The Data Protection Directive has attracted a great deal of criticism on this point, mainly on account of Article 4(1)(c). This provides that the data protection law of an EU state may apply outside the EU in certain circumstances, most notably if a data controller, based outside the EU, utilises ‘equipment’ located in the state to process personal data for purposes other than merely transmitting the data through that state. The formal rationale for the provision is to prevent circumvention of EU data privacy norms by data controllers based in third countries, but it gives an impression that the EU is, in effect, legislating for the world.
And its potential ‘grab’ is enhanced in the online environment where, for example, routine use of cookies mechanisms by website operators in third countries may involve utilisation of ‘equipment’ (browser programs on the devices used by the visitors to access the Web) in an EU state (assuming that the cookies are properly classified as personal data).65 It has been argued that the ‘equipment’ being utilised

(hereinafter Albrecht Report), Amendment 84, www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/924/924343/924343en.pdf.

61 See too Bygrave, Data Protection Law, above n. 2, p. 43; Bygrave, Data Privacy Law, above n. 7, p. 130.

62 Albrecht Report, above n. 60, Amendment 15.

63 Commission Proposal, above n. 4, Recital 24.

64 Albrecht Report, above n. 60, Amendments 85 and 105.

65 See further e.g. L. A. Bygrave, ‘Determining Applicable Law Pursuant to European Data Protection Legislation’ (2000) 16 Computer Law & Security Report 252. For general discussion of the pros and cons of this line, see C. Kuner, European Data Protection Law: Corporate Compliance and Regulation, 2nd edn (Oxford University Press, 2007), pp. 120–7.


must be under the control of the controller and that this control does not pertain when an EU-based data subject accesses a website using his/her own computer.66 However, control of a computer will often be shared; a website operator can induce the ‘visiting’ computer to carry out certain processing operations beyond the knowledge or preferences of the computer owner. And the ‘controller’ role is defined in terms of exercising partial rather than absolute control.67 The extraterritorial reach of the proposed Regulation is also potentially expansive in the online context. The Commission Proposal stipulates that the Regulation shall apply to controllers outside the EU when they process personal data on data subjects ‘residing in the Union’ and the ‘processing activities are related to (a) the offering of goods or services to … data subjects in the Union; or (b) the monitoring of their behaviour’ (Article 3(2)). These are very liberal criteria for extraterritorial reach, particularly in the online world. They ache for clarification and justification, yet, remarkably, the Commission Proposal provides neither!68 The Albrecht Report suggests several modifications that serve to liberalise them further – most notably that the goods and services on offer need not be paid for and that monitoring need not be of data subjects’ behaviour but of the data subjects themselves.69 As Svantesson observes:

[W]hichever version is finally entering into force, this provision seems likely to bring all providers of Internet services such as websites, social networking services and app providers under the scope of the EU Regulation as soon as they interact with data subjects residing in the European Union.
While this can be said to be the case already under the current EU approach to extraterritoriality, it is submitted that the new approach, as found in the proposed Regulation, goes even further, or at a minimum, more clearly emphasises the significant extraterritorial dimension of the data privacy law.70

66 See e.g. U. Dammann and S. Simitis, EG-Datenschutzrichtlinie (Baden-Baden: Nomos Verlagsgesellschaft, 1997), p. 129; L. Moerel, ‘The Long Arm of EU Data Protection Law: Does the Data Protection Directive Apply to Processing of Personal Data of EU Citizens by Websites Worldwide?’ (2011) 1 International Data Privacy Law 23, 33.

67 See Data Protection Directive, above n. 6, Art. 2(d): ‘“controller” shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data’ (emphasis added).

68 One glaring issue is whether the requirement that the data subject be ‘in the Union’ – present in Art. 3(2)(a) of the Commission Proposal – is also to be read into the monitoring criterion in Art. 3(2)(b). See further D. J. B. Svantesson, Extraterritoriality in Data Privacy Law (Copenhagen: Ex Tuto Publishing, 2013), pp. 107–110.

69 Albrecht Report, above n. 60, Amendments 82 and 83.

70 Svantesson, Extraterritoriality in Data Privacy Law, above n. 68, p. 107.


Such a dimension is not a problem as such. It can help actors join battle for the goals that the law seeks to uphold. Thus, Article 4(1)(c) of the Commission Proposal has augmented the ability of the Article 29 Data Protection Working Party (WP29) to lock horns with US-based corporations over the data privacy rules that are to be observed for online transactions involving data subjects in the EU. But I am sceptical of giving law an extraterritorial dimension that remains dormant. It could be argued, however, that giving law an extraterritorial reach that is not followed up by practical enforcement is still valuable as a demarcation of jurisdictional lines.71 One could make a similar claim for other aspects of data privacy law that have little chance of being enforced – in other words, that the symbolism inherent in the simple demarcation of values and ideals is praiseworthy, regardless of their actual realisation. Demarcation of values and ideals is an integral element of all law. In the long run, however, posturing without punch or even potential punch tends to be counterproductive to the general respect for those values, particularly if the posturing pretends that it can pack a punch (analogous to the ‘emperor with no clothes’) and the values are not otherwise widely respected in practice. The values that data privacy law formally seeks to uphold belong to the latter group. While often viewed as important in the abstract, they are in practice second-order concerns easily trumped or compromised by other interests72 – a point that I consider further below. The Internet’s US origins pose yet another special challenge for data privacy. US attitudes to internet governance have traditionally enjoyed a privileged position due to the fact that the Internet and its precursor, the Advanced Research Projects Agency Network (ARPANET) were developed in the USA with US government funding.73 While this position is slowly eroding, it is still evident.
It helped stamp an initially light-touch regulatory

71 Svantesson describes such demarcation in terms of ‘bark jurisdiction’ as opposed to ‘bite jurisdiction’, arguing that the former need not be a regulatory problem in itself: ‘There may well be solid reasons why a state may wish to make clear its standpoint on a particular issue by legislating against it even though the effective enforcement of the law in question may be difficult, cumbersome or, indeed, unlikely … [Thus], jurisdictional claims that can also be seen as “bite less bark” serve a function. Perhaps it could be said that “bark jurisdiction” signals a perceived right to regulate a particular matter while acknowledging the lacking ability to regulate that matter.’ At the same time, Svantesson acknowledges that ‘we must necessarily separate those situations in which the claim is intended to be “bark jurisdiction” from situations representing a failed “bite jurisdiction” claim’: ibid., pp. 69, 71.

72 See further e.g. Bygrave, Data Protection Law, above n. 2, pp. 100–1 and references cited therein.

73 See generally Bing, above n. 16.


framework on the emerging Internet, summed up in the Clinton–Gore Administration’s influential policy paper from 1997, ‘A Framework for Global Electronic Commerce’.74 In that paper, the Administration stated that ‘governments should establish a predictable and simple legal environment based on a decentralised, contractual model of law rather than one based on top-down regulation’. It further endorsed ‘support for industry-developed solutions to privacy problems and for market driven mechanisms to assure customer satisfaction about how private data is handled’. While the international influence of US government policy on data privacy has significantly waned since 2000 – the overwhelming bulk of countries with data privacy laws having preferred to follow the EU model as manifested in the Data Protection Directive75 – it still has bite regarding the Internet. We see this, for example, in relation to the ‘Whois’ service managed under the auspices of the Internet Corporation for Assigned Names and Numbers (ICANN). The latter, incorporated in California, is charged by the US government with overall responsibility for the operation of the internet domain name system and continues to operate under formal US government oversight. The ‘Whois’ service basically allows interested parties to find information about domain name registrants. A protracted struggle has gone on between IPR-holders, their representatives and law enforcement agencies on the one side and DPAs and other privacy advocates on the other over the amount of Whois data that is to be registered and the criteria for its disclosure.76 That struggle has so far resulted in a stalemate over Whois policy development.
However, the current agreement between the US government and ICANN locks Whois policy broadly in favour of liberal registration and disclosure requirements that fit awkwardly with EU data privacy law (but remain insufficiently liberal for many IPR-holder groups and law enforcement agencies on both sides of the Atlantic).77

74 US White House, A Framework for Global Electronic Commerce (Washington DC: Government Printing Office, 1997) (also available at http://clinton4.nara.gov/WH/New/Commerce).

75 See further e.g. Greenleaf, Chapter 6 (in this volume). For an extended analysis of the reasons for this development, see e.g. A. L. Newman, Protectors of Privacy: Regulating Personal Data in the Global Economy (Ithaca, NY: Cornell University Press, 2008).

76 Further on the functions, regulatory framework and principal policy issues associated with the service, see M. Mueller and M. Chango, ‘Disrupting Global Governance: the Whois Service, ICANN and Privacy’ (2008) 5 Journal of Information Technology & Politics 303; D. I. Cojocarasu, Legal Issues Regarding WHOIS Databases (Oslo: Unipub/Norwegian Research Center for Computers and Law, 2009).

77 See Affirmation of Commitments by the United States Department of Commerce and the Internet Corporation for Assigned Names and Numbers (30 September 2009) Internet


More generally speaking, US policy preferences have greater purchase through their manifestation in the culture of the powerful US-based corporations that continue to shape much of internet development. That culture tends not to accord data privacy nearly the same degree of priority as European regulators profess to do, and it reflects the fairly deep cleavage between US and European data privacy regimes.78 At the same time, it sets many of the default standards for the routine processing of data on internet end-users. For a huge proportion of the latter, the Internet has become largely a Google-, Apple- and Facebook-mediated experience. The data privacy law with the greatest practical impact on that experience is constituted by the contractual terms and conditions (T&Cs) governing the services offered by such organisations. The data privacy norms therein, which are typically offered on a ‘take-it-or-leave-it’ basis, are notorious for their nebulous and frequently shifting character, along with the great latitude they afford for processing personal data in the corporations’ respective interests. Those interests embrace a business model that is fuelled by, and premised on, persons supplying data about themselves (wittingly or unwittingly) in exchange for otherwise ostensibly free online services. It is a business model generating enormous revenue. Accordingly, the corporations go to great lengths to embed and expand it. This is reflected in multiple ways. The default data collection settings for OSNs, like Facebook, are typically pitched to maximise collection. The industry-set ‘opt-outs’ for end-users tend not to stop collection of data on web-surfing patterns.
Exercising the ‘opt-out’ offered, for instance, by the US Network Advertising Initiative only limits the feeding of advertisements to end-user browsers.79 We also see industry players derailing or otherwise undermining work on technical standards that threaten to impinge on their monetisation of monitoring – as is currently happening in respect of the attempted development

Corporation for Assigned Names and Numbers (ICANN), www.icann.org/en/about/agreements/aoc/affirmation-of-commitments-30sep09-en.htm, whereby ICANN ‘commits to enforcing its existing policy relating to WHOIS, subject to applicable laws … [and] implement measures to maintain timely, unrestricted and public access to accurate and complete WHOIS information’ (s. 9.3.1).

78 Further on this divergence, see generally Bygrave, Data Privacy Law, above n. 7, pp. 107–116.

79 A. C. Madrigal, ‘I’m Being Followed: How Google – and 104 Other Companies – Are Tracking Me on the Web’, The Atlantic (Online), 29 February 2012, www.theatlantic.com/technology/archive/2012/02/im-being-followed-how-google-151-and-104-other-companies-151-are-tracking-me-on-the-web/253758/.


of ‘Do Not Track’ standards within the auspices of the World Wide Web Consortium – and pouring money into lobbying campaigns to head off the introduction of more stringent data privacy legislation. These campaigns are usually successful in the USA. The most recent instance, from May 2013, ended in the defeat of a bill introduced into the Californian legislature that would have given consumers a right to gain insight into their personal profiles compiled by online data brokers.80 However, the Silicon Valley giants cannot realistically expect to flex their financial and lobbying muscle with the same degree of success in Europe as they do in the USA. They are currently engaged in a long-term power struggle with European DPAs and their umbrella body, WP29, over the setting of data privacy standards for internet-based services. The outcome of this struggle is still difficult to predict. Facebook and Google have conceded some ground, but reluctantly.81 Much of the struggle is now focused on the content of the proposed Data Protection Regulation, which is more detailed and stringent than the current Data Protection Directive in many respects, and which, unlike the latter, has been drafted with the Internet very much in mind. The proposed Regulation evidences an offensive determination to prevent data privacy interests being lost in cyberspace.
We see this especially in the provisions dealing with the right of data subjects ‘to be forgotten’ (that is demand erasure of data held on them),82 the introduction of a new right to ‘data portability’ (that is a right of data subjects to transfer data about them from one information system to another)83 and new provisions requiring ‘data protection by design and by default’ (that is to hardwire, as it were, data privacy norms into information systems development).84 At the same time, the proposed Regulation signals a refusal to dispense substantially with many of the aspects of the Data Protection Directive that are most cumbersome to apply in an online environment. For instance, although the proposal introduces more flexibility to the current regime for regulating flow of personal data from European countries to third countries,85 it still imposes ex ante

80 J. Guynn and M. Lifsher, ‘Silicon Valley Uses Growing Clout to Kill a Digital Privacy Bill’, Los Angeles Times (online), 3 May 2013, http://articles.latimes.com/2013/may/03/business/la-fi-digital-privacy-20130503.

81 See e.g. WP29, Opinion G29: Google: The Beginnings of a Dialog (16 September 2008), http://ec.europa.eu/justice/policies/privacy/news/docs/pr_16_09_08_en.pdf; L. Essers, ‘Facebook to Delete All European Facial Identification Data’, (21 September 2012) Computerworld, www.computerworld.com/s/article/9231566/Facebook_to_delete_all_European_facial_recognition_data.

82 Commission Proposal, above n. 4, Art. 17.

83 Ibid., Art. 18.

84 Ibid., Art. 23.

85 See ibid., Chapter V.


restrictions on such flow by using an adequacy test as a point of departure.86 And, as noted above, its provisions on extraterritorial application follow the thrust of those in the Data Protection Directive. Not surprisingly, US government officials, as well as US businesses, are paying close attention to the progress of the legislative proposal and they are making extensive efforts to blunt its bite – as happened during the drafting of the Data Protection Directive.87 The ‘right to be forgotten’ in Article 17 has attracted the most controversy and has been accused, in effect, of giving undue priority to data privacy at the expense of freedom of expression and related interests. In my view, some of these accusations are disingenuous – the provisions of Article 17 make abundantly clear that the erasure right is to be duly balanced with freedom of expression,88 including the needs of journalism and artistic and literary expression,89 along with a large number of other legitimate interests.90 Further, the term ‘journalistic purposes’ in Article 80(1) is to be construed liberally in light of ECJ case law concerning the same term under Article 9 of the current Data Protection Directive. According to the Court, the term covers ‘disclosure to the public of information, opinions or ideas, irrespective of the medium which is used to transmit them’ and is ‘not limited to media undertakings and may be undertaken for profit-making purposes’.91 Nonetheless, a US diplomat was recently cited as warning of a new trade war in the event that the erasure right in the proposed Regulation is not watered down further.92 Yet efforts are also being made to dampen open conflict.
At a conference arranged in Brussels shortly after the Commission issued its legislative proposal, Viviane Reding (European Commission Vice-President) and John Bryson (US Secretary of Commerce) issued a joint statement stressing collaboration and conciliation at the intergovernmental level.93 All up, the result of the reform efforts remains far from

86 Ibid., Art. 41.

87 P. M. Regan, ‘American Business and the European Data Protection Directive: Lobbying Strategies and Tactics’ in C. J. Bennett and Rebecca Grant (eds.), Visions of Privacy. Policy Choices for the Digital Age (University of Toronto Press, 1999), pp. 199–216.

88 Commission Proposal, above n. 4, Art. 7(3)(a).

89 Ibid., Art. 80(1).

90 Ibid., Art. 17(3)(b)–(d) and (4).

91 Tietosuojavaltuutettu v. Satakunnan Markkinapörssi Oy, Satamedia Oy (Case C-73/07) [2008] ECR I-09831, [61].

92 M. Dautlich and K. Wynn, ‘US Diplomat Warns of “Trade War” if “Right to be Forgotten” Proposals are Followed Through’, (4 February 2013) Pinsent Masons: Out-Law.com, www.out-law.com/en/articles/2013/february/us-diplomat-warns-of-trade-war-if-right-to-be-forgotten-proposals-are-followed-through/.

93 V. Reding and J. Bryson, ‘EU–US Joint Statement on Data Protection by European Commission Vice-President Viviane Reding and US Secretary of Commerce John


clear. It will take quite a while before the dust has settled around the legislative process. The most important advocates for maintaining strong data privacy standards during that process are likely to be WP29, the European Data Protection Supervisor and factions of the European Parliament. The Commission’s track record in this area of policy shows it is more amenable than these bodies to reaching compromise deals with the USA, in order to ensure that transatlantic flow of data continues largely uninterrupted.94 As for members of the general public, these bodies cannot be counted on to bring significant pressure to bear on internet service providers in the name of enhanced privacy. This is not because privacy is totally passé amongst the public, as prominent figures in the ICT industry have self-servingly opined.95 Privacy is still valued, even amongst the ‘digital natives’ who are commonly presumed to be less concerned about privacy than older generations.96 However, public concern for privacy generally is fickle and seldom translates into mass protest. It is rare, for instance, that the above-mentioned ‘monetary monitoring’ practices that fuel much of the internet economy are seriously confronted by large-scale end-user indignation. Undoubtedly, this is due, in part, to end-users’ ‘privacy myopia’ (Froomkin) – that is their inability to value properly the worth of their data in market terms97 – along with a degree of indifference on their part to the privacy interests at stake. Considerations of convenience and self-realisation undoubtedly play a role too and privacy advocates cannot easily dismiss such considerations; at the end of the day, they weigh significantly in the calculations of the ‘market’. Most people will

Bryson’ (Speech delivered at High Level Conference on Privacy and Protection of Personal Data, Brussels, 19 March 2012), http://europa.eu/rapid/press-release_MEMO-12-192_en.htm.

94 See further Bygrave, Data Privacy Law, above n. 7, pp. 195, 197 and references cited therein.

95 See e.g. P. Sprenger, ‘Sun on Privacy: Get Over It’, (26 January 1999) Wired, www.wired.com/politics/law/news/1999/01/17538.

96 See e.g. A. Lenhart and M. Madden, Teens, Privacy and Online Social Networks (18 April 2007) Pew Research Center, www.pewinternet.org/Reports/2007/Teens-Privacy-and-Online-Social-Networks.aspx (presenting survey evidence indicating that many American teenagers care about their privacy and take a variety of measures to safeguard it in an online context). For a review of the most recent survey evidence on point, see the report by S. Passir and S. Wyatt (eds.), Overview of Online Privacy, Reputation, Trust, and Identity Mechanisms (30 January 2013) European Network of Excellence in Internet Science (EINS), ch. 3, www.internet-science.eu/sites/internet-science.eu/files/biblio/EINS_D5_1_1_final_0.pdf.

97 See further A. M. Froomkin, ‘The Death of Privacy?’ (2000) 52 Stanford Law Review 1461, 1501f.


not be galvanised into adopting a more aggressively pro-privacy stance unless they experience harm – for example in the form of identity theft or cyberstalking – that clearly undermines those considerations, or unless they can easily perceive the potential for such harm. A case in point is the controversial ‘Girls Around Me’ iPhone app that was available for a short time during 2012 but was removed from the Apple App Store due to market unrest over its intrusiveness and potential for abuse.98 Experience of the above sort of harm is still insufficiently pervasive to catalyse mass unrest going beyond vague disquiet. Considerations of convenience and self-realisation also bear on public perceptions of when regulatory authorities, including DPAs, are engaged in regulatory overreaching. The authorities have to tread a careful line between upholding privacy interests for the sake of the public good and not intruding (or being generally perceived as intruding) on the ‘digital lifestyle’ savoured by many internet end-users. In treading that line, DPAs and other privacy advocates cannot rely on the alienating effects of ICT to anywhere near the same degree as was the case thirty years ago.99 Transposition of the Data Protection Directive into Swedish law in the late 1990s provides early evidence of the challenges involved. The transposition was met by a highly vocal protest movement that rallied around the cry ‘Don’t touch my Internet!’. The movement was largely catalysed by a somewhat misguided perception that the Data Protection Directive and the national law implementing it threatened internet end-user freedoms.100

Privacy in the sand

From the above, one can gain the impression that internet-related developments are, without exception, profoundly inimical to data privacy interests. But the impression is misleading; although much of the Internet’s evolution since 2000 has hardly been conducive to data privacy interests, both the architecture of the network and its attendant governance culture bear privacy-preserving features.

98 See e.g. I. Paul, ‘Girls Around Me App Voluntarily Pulled After Privacy Backlash’, (2 April 2012) PCWorld, www.pcworld.com/article/252996/girls_around_me_app_voluntarily_pulled_after_privacy_backlash.html.

99 Further on those effects, see Bygrave, Data Protection Law, above n. 2, p. 109 and references cited therein.

100 P. Seipel, ‘Sweden’ in P. Blume (ed.), Nordic Data Protection Law (Copenhagen: DJØF Publishing, 2001), pp. 115, 126–7.

Lee A. Bygrave

The most fundamental of such features is the paucity of sophisticated identification capabilities in the TCP/IP suite. This reflects the ‘end-to-end’ (e2e) design principle that is central to the Internet’s current architecture. The principle posits that the medium for data transmission should be kept simple and focus solely on moving data packets efficiently; ‘intelligence’ should be provided at the network ‘endpoints’.101 The privacy-preserving effects of this ‘dumbness’ have been especially salient in the battle over digital piracy. IPR-holders’ combat efforts have been frustrated by the ability of putative pirates to ‘hide’ behind IP addresses inasmuch as the ISPs have resisted disclosing the identities of the relevant subscribers.102 While it is difficult to find clear evidence directly linking development of the e2e principle to explicit privacy concerns, the early Requests for Comment (RFCs)103 show that those persons responsible for early internet standards did reflect generally over privacy issues and attempt to provide for privacy safeguards.104 They did so, it would seem, without recourse to clearly enunciated legal rules on point. Indeed, Braman finds that privacy was the most frequently discussed social policy issue in the RFCs issued between 1969 and 1979. She highlights three motivations for the privacy preferences of the standards’ developers:

First, there was a desire to protect secrets (RFC 318). Second, reflecting constitutional protections for anonymous speech under US law, there was also respect for the secrecy of authorship (e.g. RFC 282). It was expected that there would be anonymous users (e.g. RFC 450), and RFC 549 was authored anonymously. Third, the politics of the period fed privacy interests of RFC authors, as when one declared, ‘I’m afraid that I can’t work up much excitement about helping the CIA keep track of what anti-war demonstrations I attended in 1968 …’ (RFC 686: 1).105

We see, too, that the surveillance potential of particular internet-based platforms has not been realised to the degree once feared. This is evident

101 For the seminal exposition of the principle, see J. H. Saltzer, D. P. Reed and D. D. Clark, ‘End-to-end Arguments in System Design’ (1984) 2 ACM Transactions on Computer Systems 277.

102 See further e.g. G. F. Frosio, ‘Urban Guerrilla & Piracy Surveillance: Accidental Casualties in Fighting Piracy in P2P Networks in Europe’ (2011) 37 Rutgers Computer & Technology Law Journal 1; L. A. Bygrave, ‘Data Protection Versus Copyright’ in D. J. B. Svantesson and S. Greenstein (eds.), Internationalisation of Law in the Digital Information Society: Nordic Yearbook in Legal Informatics 2010–12 (Copenhagen: Ex Tuto Publishing, 2013), pp. 55–75.

103 RFCs being the primary documentation of core internet standards and their rationale.

104 S. Braman, ‘Privacy by Design: Networked Computing, 1969–1979’ (2012) 14 New Media & Society 798.

105 Ibid., 804.

in relation to Digital Rights Management Systems (DRMS) deployed by IPR-holders to secure their rights in digital material to which copyright attaches.106 When these systems were first developed in the late 1990s and early 2000s, many scholars and privacy advocates envisaged they would be deployed to monitor people’s information consumption habits in a significantly more fine-grained and pernicious way than was typical for offline consumption of information.107 However, such systems – at least as originally envisaged – have not undermined privacy interests as much as conjectured. This is not to say that privacy interests have remained free of the DRM-related threat – recall, for instance, the Sony ‘rootkit’ scandal of 2005.108 Nonetheless, surveillance carried out as an integrated element of a discrete DRMS – that is where a particular digital distribution platform monitors usage of content that is purchased through it – has not been as commercially prevalent as some people predicted. Apple’s iTunes is a case in point: FairPlay, the main DRM technology for that platform, appears not to possess an ‘IP, Phone Home’ functionality akin to that sketched by Greenleaf;109 it just restricts copying and format-shifting. Such DRM-based surveillance will decrease if there continues to be reduction in use of DRMS generally. We have witnessed the music-recording industry scaling back technological controls for distribution of music. That development is spurred partly by the emergence of commercially successful streaming services, such as Wimp and Spotify. It is also spurred by consumer resentment over the inconveniences caused by many DRM restrictions. Deployment of DRM controls in large-scale commercial

106 See generally E. Becker et al. (eds.), Digital Rights Management: Technological, Economic, Legal and Political Aspects (Berlin/Heidelberg: Springer, 2003).

107 See e.g. J. E. Cohen, ‘A Right to Read Anonymously: a Closer Look at “Copyright Management” in Cyberspace’ (1996) 28 Connecticut Law Review 981; L. A. Bygrave and K. J. Koelman, ‘Privacy, Data Protection and Copyright: Their Interaction in the Context of Electronic Copyright Management Systems’ in P. B. Hugenholtz (ed.), Copyright and Electronic Commerce (The Hague: Kluwer Law International, 2000), pp. 59–124; G. Greenleaf, ‘“IP, Phone Home”: ECMS, ©-Tech, and Protecting Privacy against Surveillance by Digital Works’ (2002) 32 Hong Kong Law Journal 35.

108 See further M. Geist, ‘Sony’s Long-term Rootkit CD Woes’ (21 November 2005) BBC News, http://news.bbc.co.uk/2/hi/technology/4456970.stm. The legal settlement in its wake ended with Sony BMG agreeing to institute data privacy measures for use of CDs with ‘Content Protection Software’: In re SONY BMG CD Technologies Litigation, Settlement Agreement reached in the US District Court for the Southern District of New York (28 December 2005), para. IV.B, www.girardgibbs.com/docs/cases/129_sonysettlementagreement.pdf. This was no more than a minor win for privacy, as such CDs are increasingly consigned to the technology scrapyard.

109 Greenleaf, ‘IP, Phone Home’, above n. 107.

distribution of other forms of digital content, like video and e-books, may well be reduced as well.110

A key issue for the Internet’s surveillance capacity in the coming years concerns ISP deployment of ‘Deep Packet Inspection’ (DPI), which enables automated analysis of the content of data messages sent over the Internet.111 The technology is being applied but not to its full capacity and, apparently, it is not being used specifically to target particular end-users (e.g. those who are engaged in copyright infringement).112 This is due to a complex constellation of factors – some legal, some more concerned with the market. Especially important is the absence of any compelling commercial incentive for ISPs to conduct DPI for purposes other than management of their own network traffic, combined with the disjuncture between most ISPs’ business interests and those of IPR-holders.113 Moreover, if ISPs use DPI in a manner that goes further than what is necessary for their own operational needs, they risk stripping themselves of their immunity from legal liabilities as intermediaries: as Marsden observes, DPI is ‘something of a Pandora’s box – if they [ISPs] look inside, all liabilities flow to them, from child pornography to terrorism to copyright breaches to libel to privacy breaches’.114 Another significant factor is the ECJ’s Scarlet Extended judgment.115 This dealt with the lawfulness of a requirement, sought by IPR-holders, that an ISP introduce a DPI-based system for systematically monitoring and filtering all of its customers’ internet usage, at its own expense and for an unlimited period of time, so that the ISP would be able to identify and block file-sharing in breach of copyright. Applying a proportionality test, the Court held that the required system did not strike a fair balance

110 Further on the problems facing DRMS as a regulatory tool, see I. Brown and C. T. Marsden, Regulating Code: Good Governance and Better Regulation in the Information Age (Cambridge, MA: MIT Press, 2013), ch. 4.

111 Further on the mechanics of DPI, particularly in the context of copyright enforcement, see M. Mueller, A. Kuehn and S. M. Santoso, ‘Policing the Network: Using DPI for Copyright Enforcement’ (2012) 93 Surveillance & Society 348, 350–1 and references cited therein.

112 See e.g. Body of European Regulators for Electronic Communications (BEREC), ‘BEREC Preliminary Findings on Traffic Management Practices in Europe Show that Blocking of VoIP and P2P Traffic is Common, Other Practices Vary Widely’ (Press Release, 6 March 2012), http://berec.europa.eu/doc/2012/TMI_press_release.pdf.

113 For further elaboration of these and related factors, see Mueller et al., above n. 111.

114 C. T. Marsden, Net Neutrality: Towards a Co-Regulatory Solution (London: Bloomsbury Academic, 2010), p. 72.

115 Scarlet Extended v. Société belge des auteurs, compositeurs et éditeurs SCRL (SABAM), above n. 30.

between the various rights concerned.116 These rights included not just data privacy rights but, inter alia, the ISP’s freedom to conduct business (on account of the ISP having ‘to install a complicated, costly, permanent computer system at its own expense’).117 A subsequent case, which dealt with the imposition of a similar system on the provider of an online social networking service, ended with the same result.118 Some scholars proclaim that these two cases constitute ‘the death sentence for the extreme, inside-the-network approach to network surveillance for copyright enforcement’.119 The better view is that they are more a line in the sand. A less expansive scheme in which ISPs do not have to bear the costs might well jump that line; a fortiori were the scheme also specifically authorised by a statute with clear, transparent and predictable rules.120

Lessons and future agenda

The preceding sections highlight the multifaceted dimensions of the Internet, particularly the complex interplay of its privacy-invasive and privacy-enhancing features. Regulators must appreciate this interplay and its often-unpredictable transformations. They must accordingly retain flexibility in data privacy law. They must further appreciate that the law generally is only one of many factors affecting privacy outcomes; often market mechanisms based on business profit margins, consumer preferences and the like will play a more profound role in determining those outcomes than law.121 Regulators must additionally address another aspect of the law’s limits, namely the extent to which it can be enforced. This is in order to minimise regulatory overreaching. In addressing this issue, regulators must thoroughly consider, on the one hand, the resources that can realistically be used to enforce the law and, on the other hand, the technology they are trying to regulate, along with the nature of the environment in which the technology operates. This means, in turn, engaging in close dialogue with the developers of the technology and considering the technology’s

116 For analysis, see Bygrave, ‘Data Protection Versus Copyright’, above n. 102, p. 71.

117 Scarlet Extended v. Société belge des auteurs, compositeurs et éditeurs SCRL (SABAM), above n. 111, [48].

118 Belgische Vereniging van Auteurs, Componisten en Uitgevers CVBA (SABAM) v. Netlog NV (C-360/10) [2012] (Unreported).

119 Mueller et al., above n. 111, 356.

120 See further Bygrave, ‘Data Protection Versus Copyright’, above n. 102, p. 72.

121 See more generally Reed, above n. 44.

various applications. As Braman states, ‘[f]or mandates regarding privacy protection techniques to make sense, law makers should be working together with those in the technical community rather than in isolation or in opposition.’122 That cooperation is a prerequisite for realising one of the central goals of data privacy law: the preservation or improvement of the privacy-friendly features of internet architecture. Achieving this goal requires engagement in the forums that spawn or shape internet-related standards. It also requires legal incentives to develop privacy-enhancing technologies (PETs) and other methods of privacy ‘hardwiring’. Unfortunately, such incentives have been largely absent from data privacy law. Their development ought to be a key priority in coming years, but the task is challenging. It runs the risk of conflicting with current regulatory mores, such as the principle that legal rules should, where reasonable, be technology-neutral, not be tied too closely to particular market models and not distort marketplace competition. As I have stated before,123 these difficulties are surmountable if the rules on point simply stipulate the goals to be reached (such as allowance for anonymity or pseudonymity) and then specify the means for reaching these goals in fairly general terms (e.g. in terms of systems development). Accordingly, I do not agree with Braman when she states that ‘[t]o protect privacy in the digital network environment, legal and regulatory mandates must be more specific in detailing the various sites and processes at which or during which privacy must be protected’.124 Detailed legislative specification for privacy by design can easily end up creating an inflexible choke point.

Fortunately, the proposed Data Protection Regulation shows clear signs of legislative readiness to develop a more ‘systemic’ approach to data privacy than the Data Protection Directive does.125 The basic drawback with the proposed provisions, though, is that they fail to provide incentives to hardwire privacy beyond the risk of incurring sanctions if the hardwiring does not occur – in other words, they fail to provide a carrot in addition to

122 Braman, above n. 104, 811.

123 L. A. Bygrave, ‘Privacy-enhancing Technologies – Caught Between a Rock and a Hard Place’ (2002) 9 Privacy Law & Policy Reporter 135; Bygrave, Data Protection Law, above n. 2, p. 371.

124 Braman, above n. 104, 811 (emphasis added).

125 Contrast particularly Art. 23 of the Commission Proposal, above n. 4 (concerning ‘data protection by design and by default’) with Art. 17 of the Data Protection Directive, above n. 6, (dealing primarily with security safeguards).

a stick. And when the hardwiring-related goals are expressed in very general terms – as they are in the proposal – my hunch is that it will be quite difficult to employ a stick. Hence greater consideration ought to be given to how best to craft the carrots that can ensure the hardwiring-related goals become more than simply aspirational.

13 The ‘right to be forgotten’ in European data protection law

David Lindsay

Introduction

In January 2012 the European Commission adopted proposals for a new EU framework for data protection1 that is designed to replace the existing European data protection regime, which is based on the 1995 Data Protection Directive (DPD).2 The proposed new framework includes a General Data Protection Regulation (GDPR),3 which is intended to update the 1995 regime and deal with the challenges posed by the increased collection and processing of personal data online, including the emergence of social networking services (SNS).4 The GDPR, unlike the DPD, will apply directly to EU member states, with the aim of addressing the considerable divergence between current national EU data protection laws.5

Unless otherwise indicated, developments in this chapter are to 30 April 2013.

1 European Commission, Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, Safeguarding Privacy in a Connected World: A European Data Protection Framework for the 21st Century (Brussels, 25 January 2012) COM(2012)9Final.

2 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, [1995] OJ L 281 (the DPD).

3 European Commission, Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation) (Brussels, 25 January 2012) 2012/0011(COD) (GDPR). The second element of the reform package is a proposed directive applying to the processing of personal data by law enforcement authorities: European Commission, Proposal for a Directive of the European Parliament and of the Council on the Protection of Individuals with regard to the Processing of Personal Data by Competent Authorities for the Purposes of Prevention, Investigation, Detection or Prosecution of Criminal Offences or the Execution of Criminal Penalties, and the Free Movement of Such Data (Brussels, 25 January 2012) COM(2012)10Final.

4 European Commission, Safeguarding Privacy in a Connected World, above n. 1, pp. 2–7; European Commission, GDPR, above n. 3, Explanatory Memorandum.

5 European Commission, Safeguarding Privacy in a Connected World, above n. 1, pp. 7–9; European Data Protection Supervisor, Opinion of the European Data Protection Supervisor

The ‘right to be forgotten’

At the time of writing, the proposals were working their way through the European legislative process.6 In January 2013 a committee of the European Parliament released a draft report on the proposals (the Albrecht Report), which recommended substantive amendments to the text of the GDPR.7 While it is impossible, at this stage, to predict the final shape of the reform package, this chapter will focus on the draft proposals for a GDPR and the amendments proposed in the Albrecht Report.

An important component of the proposed GDPR is what has become known as the ‘right to be forgotten’, which the Commission has described as ‘the right of individuals to have their data no longer processed and deleted when they are no longer needed for legitimate purposes’.8 The proposed right, contained in Article 17 of the GDPR, has been the most controversial element of the new framework. Commentators, especially those based in the USA, have alleged that the right is an unprecedented form of online censorship. Rosen, for example, went so far as to claim that the right ‘represents the biggest threat to free speech on the

on the Data Protection Reform Package (Brussels, 7 March 2012), p. 4, [18]; L. Danagher, ‘An Assessment of the Draft Data Protection Regulation: Does It Effectively Protect Data?’ (2012) 3(3) European Journal of Law and Technology, http://ejlt.org//article/view/171 (accessed 3 November 2013); W. J. Maxwell, ‘Data Privacy: the European Commission Pushes for Total Harmonisation’ (2012) 18(6) Computer and Telecommunications Law Review 175. The constitutionality of the choice of a data protection regulation, as opposed to a directive, has been challenged under German law: M. Kuschewsky, ‘Sweeping Reform for EU Data Protection’ (2012) 112 European Lawyer 12, 14. This issue is beyond the scope of this chapter.

6 C. Kuner, ‘The European Commission’s Proposed Data Protection Regulation: A Copernican Revolution in European Data Protection Law’ (2012) Bloomberg BNA Privacy and Security Law Report 1, 1–15. In late 2013 EU data protection reform was deferred until at least 2015, in part due to the impossibility of reaching agreement prior to the 2014 EU Parliamentary elections.

7 European Parliament, Committee on Civil Liberties, Justice and Home Affairs (Rapporteur: J. P. Albrecht), Draft Report on the Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation) (Brussels, 16 January 2013) (COM(2012)0011 – C7–0025/2012–2012/0011(COD)) (the Albrecht Report). The report was prepared by Jan Philipp Albrecht MEP, who has been selected as lead rapporteur for the EU Parliament: see C. Burton, C. Kuner and A. Pateraki, ‘The Proposed EU Data Protection Regulation One Year Later: The Albrecht Report’ (2013) Bloomberg BNA Privacy and Security Law Report 1, 1–7. This chapter does not discuss amendments subsequently proposed by other EU Parliament advisory committees. Nor does it discuss amendments proposed by the Council of the European Union.

8 European Commission, Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, A Comprehensive Approach on Personal Data Protection in the European Union (Brussels, 4 November 2010) COM(2010)609Final, p. 8, [2.1.3]; European Commission, Safeguarding Privacy in a Connected World, above n. 1, p. 6.

David Lindsay

Internet in the coming decade’.9 The right has also been criticised on the ground that, given the technical obstacles to removing data from the Internet, it will be impossible to implement.10 While attention has focused on what is termed the right to be forgotten, the area is characterised by much terminological and conceptual confusion.11 To clarify the discussion, this chapter distinguishes between three related legal concepts, which are too often conflated.12 First, this chapter uses the term ‘right to oblivion’ (or droit à l’oubli) to refer to the right recognised in many civil law jurisdictions to be free from one’s judicial or criminal past. Second, the term ‘right to erasure’ is used to refer to the right to remove or delete personal data under data protection law. Third, the term ‘right to be forgotten’ is reserved for a right to have online personal data removed, or to have access to that data restricted, especially in the context of user-generated applications such as SNS, and incorporates rights relating to the removal of data from search engine indexes and

9 J. Rosen, ‘The Right to Be Forgotten’ (2012) 64 Stanford Law Review Online 88. See also J. Yakowitz, ‘More Bad Ideas from the EU’, (25 January 2012) Forbes, www.forbes.com/sites/kashmirhill/2012/01/25/more-bad-ideas-from-the-e-u/ (accessed 3 November 2013); A. Thierer, ‘Europe’s “Right to Be Forgotten”: Privacy as Internet Censorship’, (23 January 2012) The Technology Liberation Front, http://techliberation.com/?s=europe%27s+right+to+be+forgotten (accessed 3 November 2013); K. Clarke MP, Lord Chancellor and Secretary of State for Justice, ‘Data Protection’ (Speech delivered at British Chamber of Commerce, Brussels, 26 May 2011), www.justice.gov.uk/downloads/about/moj/our-ministers-board/speeches/clarke-speech-data-protection-260511.doc (accessed 3 November 2013); C. Wolf, ‘The Problem with Europe’s Strict Privacy Laws’, (14 March 2012) Slate, www.slate.com/blogs/future_tense/2012/03/14/_right_to_be_forgotten_heinrich_boere_and_the_eu_privacy_laws_.html (accessed 3 November 2013); P. Fleischer, ‘Book Burning, Updated for the Digital Age’, (14 November 2012) Peter Fleischer: Privacy …?, http://peterfleischer.blogspot.com/2012/11/book-burning-updated-for-digital-age.html (accessed 3 November 2013).

10 See P. Fleischer, ‘Foggy Thinking about the Right to Oblivion’, (8 March 2011) Peter Fleischer: Privacy …?, http://peterfleischer.blogspot.com/2011/03/foggy-thinkingabout-right-to-oblivion.html (accessed 3 November 2013); Clarke, above n. 9; R. McGarvey, ‘EU May Mandate the “Right to be Forgotten”’, (21 March 2011) Internet Evolution, www.internetevolution.com/author.asp?section_id=852&doc_id=204940 (accessed 3 November 2013); K. Fiveash, ‘Google Exec Questions Reding’s “Right to be Forgotten” Pledge’, (26 January 2012) The Register, www.theregister.co.uk/2012/01/26/google_exec_criticises_right_to_be_forgotten_proposal/ (accessed 3 November 2013).

11 For example, the relevant Article in the GDPR refers to the ‘right to be forgotten and to erasure’: European Commission, GDPR, above n. 3, Art. 17.

12 The distinction draws on that made by Terwangne: C. Terwangne, ‘Internet Privacy and the Right to be Forgotten/Right to Oblivion’ (2012) 13 Revista de Internet, Derecho y Politica 109, 109–21, http://idp.uoc.edu/ojs/index.php/idp/article/viewFile/n13-terwangne_esp/n13-terwangne_eng (accessed 3 November 2013).

digital archives. The legal background and development of each of these distinct concepts is explained further below. While many of the criticisms of the proposed ‘right to be forgotten’ have been ill-informed, and based on misconceptions of the intended scope and purpose of the proposed right,13 implementation of the right poses significant political, legal and technical challenges. This chapter aims to dispel some misconceptions, and clarify the policy issues, by explaining the right to be forgotten under the proposed GDPR and analysing the legal difficulties in implementing the right. First, the chapter explains the problems the proposed right seeks to address. Second, the chapter examines whether or not there is a case for a legal right to be forgotten. Third, the chapter identifies the difficulties of balancing privacy and freedom of expression online by reference to some recent and current disputes. Fourth, the chapter explains the origins and development of the right to be forgotten under European law, including the main jurisprudential sources of the proposed right. Fifth, the operation of the proposed right under the GDPR and the relevant recommendations of the Albrecht Report are explained. Sixth, the proposed limitations and exceptions to the right are identified, with an emphasis on limitations aimed at protecting freedom of expression. Seventh, the chapter describes and analyses the main legal issues that arise in applying the proposed right to SNS. Finally, the chapter concludes with an explanation of how the proposed regime as a whole might apply in the context of SNS, and some observations of the policy issues that need to be resolved in implementing a right to be forgotten.

The problems of digital eternity

The recent debates concerning the right to be forgotten have arisen from the storage of increasing amounts of personal data online, and their ready accessibility, especially in the context of the widespread sharing of personal data in SNS. In explaining the EU reform package, Viviane Reding, EU Justice Commissioner, put it this way:

The Internet has an almost unlimited search and memory capacity. So even tiny scraps of personal information can have a huge impact, even

13 To similar effect see P. A. Bernal, ‘A Right to Delete?’ (2011) 2 European Journal of Law and Technology, http://ejlt.org//article/view/75/144 (accessed 3 November 2013); M. L. Ambrose and J. Ausloos, ‘The Right to Be Forgotten Across the Pond’ (2012) 3 Journal of Information Policy 1; O. Pastukhov, ‘The Right to Oblivion: What’s in a Name?’ (2013) 19 Computer and Telecommunications Law Review 14.

years after they were shared or made public. The right to be forgotten will build on already existing rules to better cope with privacy risks online.14

As these comments suggest, the accumulation and accessibility of large amounts of personal data, which in digital form persist over time, give rise to fundamental concerns about the future of individual self-determination and autonomy, as people face the threat of being trapped by their digital past. In the most influential academic study of the issue to date, Mayer-Schönberger contrasted the unforgiving nature of persistent digital memory with the possibilities of forgiveness arising from human forgetfulness.15 In cataloguing the problems with persistent digital memory, he emphasised the dangers of surveillance over time and the obstacles to the ability of individuals to reinvent themselves.16 As peoples’ lives and interactions have migrated online, it has become clear that information posted in one context, such as an informal social context, may be accessed and used in another context, such as a professional or educational context, to form judgments detrimental to the individual concerned.17

The best way to understand the potentially harmful consequences of our persistent digital pasts is through practical examples of the adverse consequences. The case study first presented as an object lesson by Mayer-Schönberger concerns Stacy Snyder, an American student who posted a relatively innocuous photograph of herself in a pirate’s hat and drinking from a plastic cup to her MySpace page, together with the caption, ‘drunken pirate’, only to be refused graduation for her

14 V. Reding, Vice-President of the European Commission, EU Justice Commissioner, ‘The EU Data Protection Reform 2012: Making Europe the Standard Setter for Modern Data Protection Rules in the Digital Age’ (Speech delivered at Innovation Conference Digital, Life, Design, Munich, 22 January 2012), p. 5, http://europa.eu/rapid/pressReleasesAction.do?reference=SPEECH/12/26&format=PDF (accessed 3 November 2013).

15 V. Mayer-Schönberger, Delete: The Virtue of Forgetting in the Digital Age (Princeton University Press, 2009). See also: M. L. Ambrose, N. Friess and J. V. Matre, ‘Seeking Digital Redemption: The Future of Forgiveness in the Internet Age’ (2013) 29 Santa Clara Computer and High Technology Law Journal 99; J. Rosen, ‘The End of Forgetting’, New York Times Magazine (New York), 25 July 2010, pp. 32–45.

16 Mayer-Schönberger, ibid., especially pp. 197–8. For an analysis of the complex issues involving digital eternity and online identity in post-modern societies, see D. Lindsay, ‘The Emerging Right to be Forgotten in Data Protection Law: Some Conceptual and Legal Problems’ in A. Cerillo-i-Martínez et al. (eds.), Challenges and Opportunities of Online Entertainment. Proceedings of the 8th International Conference on Internet Law & Politics (Barcelona: UOC-Huygens Editorial, 2012), pp. 419–42.

17 On the importance of context and the risks of decontextualisation, see H. Nissenbaum, ‘Privacy as Contextual Integrity’ (2004) 79 Washington Law Review 119.

teaching degree when her college learned of the photograph.18 People may be legitimately concerned about their digital record even if the consequences are less obviously severe, but conined to embarrassment or humiliation. For example, Jessica Ewing, a Google search engineer, reportedly requested the Google search team to alter the irst search result for her name, which returned an ‘embarrassing’ photograph of her as a 13-year-old mathlete.19 his last example illustrates the perils associated with search engines when combined with perpetual digital data: the operation of search engine algorithms, such as Google’s PageRank, oten results in the most embarrassing or humiliating information about a person dominating returns.20 his can disturb even Google executives, such as Susan Wojcicki, who was alarmed to discover that the second return from a Google search was a blog posting falsely accusing her of taking credit for developing AdSense.21 In another example, Castellano points to the case of a deputy headmaster of a school in Spain, whose past conviction for public urination was the irst result returned by students conducting a Google search.22 he problem is exacerbated by developments such as social network search engines, including Facebook Graph Search,23 and evolving face recognition technologies.24 he surveillance implications of emerging sophisticated data analytics technologies, which compile and analyse large amounts of discrete data, are illustrated by reports of the RIOT 18

18 Mayer-Schönberger, above n. 15, pp. 1–2; Rosen, ‘The End of Forgetting’, above n. 15, p. 32.

19 S. Levy, In the Plex: How Google Thinks, Works, and Shapes Our Lives (New York: Simon & Schuster, 2011), p. 174.

20 On the operation of Google’s PageRank, see ibid., pp. 21–4; S. Vaidhyanathan, The Googlization of Everything (and Why We Should Worry) (Berkeley: University of California Press, 2011), pp. 60–4.

21 Levy, above n. 19, p. 174.

22 P. S. Castellano, ‘The Right to Be Forgotten under European Law: a Constitutional Debate’ (2012) 16 Lex Electronica 10, www.lex-electronica.org/docs/articles_300.pdf (accessed 4 November 2013).

23 For examples of how Graph Search can reveal embarrassing information in response to queries such as ‘Single women who live nearby and who are interested in men and like getting drunk’, see the Tumblr blog, ‘Actual Facebook Graph Searches’, http://actualfacebookgraphsearches.tumblr.com/ (accessed 4 November 2013).

24 Article 29 Data Protection Working Party (WP29), Opinion 2/2012 on Facial Recognition in Online and Mobile Services (WP 192, adopted 22 March 2012); X. Konarski, D. Karwala, H. Schulte-Nölke and S. Charlton, Reforming the Data Protection Package (Study prepared for European Parliament Directorate-General for Internal Affairs, 21 September 2012), pp. 19–20; Y. Welinder, ‘A Face Tells More than a Thousand Posts: Developing Face Recognition Privacy in Social Networks’ (2012) 26 Harvard Journal of Law & Technology 165.


David Lindsay

(Rapid Information Overlay Technology) software developed by defence contractor, Raytheon.25 The software comprehensively tracks users’ activities on social media – including Facebook, Twitter and Foursquare – to build sophisticated profiles, including GPS location data and social interactions, largely with a view to predicting future behaviour.

Is there a case for a legal right to be forgotten?

While it is hard to dispute that our persistent digital pasts may cause harm, including reputational harm in the remote (and not so remote) future, it is sometimes suggested that the problems of digital eternity can be dealt with by extralegal means. Some, especially those with a commercial interest in the sharing of personal data, have claimed that social norms will simply adapt, as society becomes more tolerant of individual failings and foibles. For example, Mark Zuckerberg, Facebook’s founder, infamously claimed:

[P]eople have gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that has evolved over time.26

Yet while more and more personal data has become public, there are no indications that social attitudes are softening. Indeed, as Thomas Nagel pointed out more than a decade ago, the increased revelation of personal information seems matched, if anything, by greater public intolerance of ‘deviant’ behaviour.27 There are, moreover, grounds for suspecting that those who champion online transparency are less convinced of the virtues of sharing their own personal data. In 2011 Mark Zuckerberg’s sister, Randi Zuckerberg, then Facebook’s marketing director, argued that ending online anonymity would reduce cyberbullying.28 In December 2012, however, she shared a photograph that showed her family using Poke, a Facebook mobile app that

25 R. Gallagher, ‘Software that Tracks People on Social Media Created by Defence Firm’, Guardian (Online), 10 February 2013, www.guardian.co.uk/world/2013/feb/10/softwaretracks-social-media-defence (accessed 4 November 2013).

26 B. Johnson, ‘Privacy No Longer a Social Norm, says Facebook Founder’, Guardian (Online), 11 January 2010, www.guardian.co.uk/technology/2010/jan/11/facebook-privacy (accessed 4 November 2013).

27 T. Nagel, ‘Concealment and Exposure’ (1998) 27 Philosophy and Public Affairs 3.

28 B. Bosker, ‘Facebook’s Randi Zuckerberg: Anonymity Online Has to Go’, (27 July 2011) The Huffington Post, www.huffingtonpost.com/2011/07/27/randi-zuckerberganonymity-online_n_910892.html (accessed 4 November 2013).


allows users to share material such as photographs and videos.29 When the photograph was posted on Twitter by a ‘friend’ of her sister’s, Zuckerberg sent a tweet expressing her displeasure and claiming that permission should always be asked before publishing someone else’s photograph.30 Facebook’s promotion of the Poke app, which was intended to be a competitor to the popular Snapchat app, which incorporates automatic erasure,31 is an illustration of the other main extralegal means suggested for dealing with the problems of digital eternity, namely technology-based solutions. Mayer-Schönberger, for example, famously advocated setting expiration dates for digital data.32 Similarly, Zittrain has supported a form of voluntary reputational bankruptcy to allow people to make a ‘fresh start’.33 The problems that persistent digital records already pose are clearly evidenced by the market for online reputation management services, such as Reputation.com, and erasure services, such as Snapchat and FaceWash.34 For example, Reputation.com, which has patents for technologies for locating sites hosting personal data about an individual, became prominent when it was hired to remove disturbing online ‘death’ photographs of Nikki Catsouris, who passed away in a car accident in 2006.35

29 On the launch of the Poke app, see J. Constine, ‘Facebook Launches Snapchat Competitor “Poke”, an iOS App for Sending Expiring Text, Photos, and Videos’, (21 December 2012) Tech Crunch, http://techcrunch.com/2012/12/21/facebook-poke-app/ (accessed 4 November 2013).

30 S. Rodriguez, ‘Randi Zuckerberg Stung by Facebook Privacy Settings in Photo Flap’, The Age (Online), 27 December 2012, www.theage.com.au/technology/technology-news/randi-zuckerberg-stung-by-facebook-privacy-settings-in-photo-flap-20121227–2bwv8.html (accessed 4 November 2013).

31 See Constine, above n. 29; T. Fisher, ‘Snapchat and Poke Social Apps and Sexting, Marketing or the New Talking?’, (18 January 2013) Socialmedia Today, http://socialmediatoday.com/emoderation/1169241/snapchat-and-facebook-poke-sexting-marketingor-new-talking (accessed 4 November 2013).

32 Mayer-Schönberger, above n. 15, pp. 169–95.

33 See J. Zittrain, The Future of the Internet: and How to Stop It (London: Penguin Books, 2008), p. 229.

34 For online reputation management services, see Paul Harris, ‘Mel Gibson, Lindsay Lohan … and You Too. Why Your Reputation Needs an Online Detox’, Guardian (Online), 1 August 2010, www.guardian.co.uk/technology/2010/aug/01/internet-reputation-managementdetox (accessed 4 November 2013). FaceWash, which was launched in January 2013, promises to ‘clean up’ your Facebook profile: see S. Rodriguez, ‘Need to Clean Up Your Facebook Profile? Get a FaceWash’, Sydney Morning Herald (Online), 25 January 2013, www.smh.com.au/digital-life/consumer-security/need-to-clean-up-your-facebook-profile-get-a-facewash20130125–2db6u.html.

35 M. Callahan, ‘Untangling a Web of Lies’, New York Post (Online), 16 February 2007, http://nypost.com/2007/02/16/untangling-a-web-of-lies/ (accessed 4 November 2013).


There are, nevertheless, considerable problems with proposals that rely solely on technology-based solutions. First, these approaches appear to assume that the current technological defaults, which favour openness and sharing over user control, are the source of the problem rather than a symptom of deeper social processes. As argued more fully elsewhere, anxieties over fragile identities in fragmented, post-modern societies tend to trap individuals in obsessive cycles of disclosure of personal information and embarrassment at the social consequences.36 Second, if an onus is placed on users to adopt technologies, such as expiry dates, this will likely be regarded as too onerous and will be ignored by most people. Third, as it is impossible for technologies to completely delete or prevent access to digital data once it has been disseminated, technological solutions have the potential to give users a false sense of security. For example, although many photographs of Catsouris were removed from websites, Reputation.com admitted that it was impossible to remove all of the offending photographs from the Internet.37 Similarly, security flaws with the Snapchat app have led to warnings about relying on the services.38 In a November 2012 study of the technical measures to support the proposed EU right to be forgotten, the European Network and Information Security Agency (ENISA) unsurprisingly confirmed that, in an open system such as the Internet, all technical approaches to ensure deletion or erasure of personal data are inherently vulnerable to unauthorised copying and redissemination, ultimately concluding that ‘the right to be forgotten cannot be ensured using technical means alone’.39 The report was,

For a critique of the Reputation.com business model, see A. Bartow, ‘Internet Defamation as Profit Center: the Monetization of Online Harassment’ (2009) 32 Harvard Journal of Law & Gender 383.

36 See Lindsay, ‘The Emerging Right to Be Forgotten’, above n. 16, drawing on Z. Bauman, ‘Privacy, Secrecy, Intimacy, Human Bonds – and Other Collateral Casualties of Liquid Modernity’ (2011) The Hedgehog Review 20.

37 C. Goffard, ‘Gruesome Death Photos are at the Forefront of an Internet Privacy Battle’, Los Angeles Times (Online), 15 May 2010, http://articles.latimes.com/2010/may/15/local/la-me-death-photos-20100515 (accessed 4 November 2013).

38 Z. Ferguson and G. Khaicy, ‘Safe Sexting Apps Criticised’, Sydney Morning Herald (Online), 24 January 2013, www.smh.com.au/digital-life/consumer-security/safe-sexting-apps-criticised-20130124-2d8t4.html (accessed 4 November 2013).

39 European Network and Information Security Agency (ENISA), ‘The Right to be Forgotten – Between Expectations and Practice’, (20 November 2012) ENISA Official Website, p. 13, www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/the-right-to-be-forgotten (accessed 4 November 2013).


however, careful to point out that, despite the difficulties of deletion, it is possible to limit access to data by preventing its appearance in search engine results or filtering it from SNS.40 Over and above these problems, purely private or technical solutions are completely unable to distinguish information on the grounds of its importance to the public. As explained further below, such distinctions require careful balancing of the rights to privacy and self-determination against the right to freedom of expression. The failures and imperfections of extralegal measures, including technology-based ‘solutions’ and changing social norms, suggest an important role for new legal rights as part of a suite of measures to address the complex social issues arising from digital eternity.

Privacy and freedom of expression online

Personal data is of varying degrees of sensitivity: a photograph of a group of people on a public street is obviously less sensitive than a sex tape. Likewise, there are degrees of public interest in different kinds of personal data: while the public interest in a photograph of me in fancy dress is, no matter how embarrassing, negligible, a video of a politician taking bribes is of an entirely different order. There are many cases, however, where the balance is more finely calibrated. Take, for example, the case of Argentine pop star Virginia Da Cunha, who brought an action, under Argentinian defamation law, to have all sites containing any sexually explicit references to her by name or photograph removed from Google and Yahoo! search returns for her name.41 While a lower court initially ordered the removal of the material, on appeal it was held that the companies would be liable only if they knew the content was defamatory and negligently failed to remove it.42 Celebrities, more than others, are caught in the cycles of publicity, scandals, innuendo and speculation that characterise the global rumour mill. While the balances are complex, with much depending upon the nature of

40 For example, ethical search engines do not list a site that uses the robots.txt file: see ‘The Web Robots Page’, (3 January 2013) Get/Robots.txt, www.robotstxt.org/robotstxt.html (accessed 4 November 2013).

41 Rosen, ‘The Right to Be Forgotten’, above n. 9. The pop star had evidently posed for ‘racy’ photographs when she was young.

42 V. Sreeharsha, ‘Google and Yahoo Win Appeal in Argentine Case’, New York Times (Online), 19 August 2010, www.nytimes.com/2010/08/20/technology/internet/20google.html?_r=0 (accessed 4 November 2013).


the information or allegations, it may be that a certain amount of inaccurate information is the price of celebrity in the internet age.43 The clearest difficulties in balancing privacy and freedom of expression online, however, arise from truthful information about a non-celebrity that is non-defamatory but, nevertheless, embarrassing. Digital eternity further complicates the position when there is a public interest in the material when it is first published, but this interest declines over time. The gradations are illustrated by the facts in a large number of complaints made in 2011 to the Spanish Data Protection Agency (AEPD)44 seeking the removal of material from the Google search index.45 Most of the complaints concerned access to material published online in the Spanish Official Gazette or in online media, such as digital newspapers.46 In one case, two sisters objected to a photograph in an archive of a 1985 news story about the brother of the mayor of Barcelona, where they appeared in prison and were obviously suffering drug withdrawals.47 In another case, a plastic surgeon was concerned that searches returned results of an archived story from the El País newspaper of a 1991 malpractice suit brought against him, without any mention of his acquittal at trial.48 In yet another difficult case, a father who, in 1989, had been charged with suffocating his child but had successfully pleaded the defence of mental illness, sought removal of links to archived reports from the Google index.49 Relying on existing data protection principles, based on the DPD, in each of these cases the AEPD ordered Google to remove the relevant material

43 Celebrities also have greater resources to redress inaccuracies than are available to non-celebrities.

44 Agencia Española de Protección de Datos (AEPD).

45 S. Daley, ‘On Its Own, Europe Backs Web Privacy Rights’, New York Times (Online), 9 August 2011, www.nytimes.com/2011/08/10/world/europe/10spain.html?_r=2&ref=todayspaper& (accessed 4 November 2013). On the operation of Google’s search index see Levy, above n. 19, pp. 41–3.

46 A. R. Lombarte, ‘The Origins and Importance of the Right to Be Forgotten’ (Speech delivered at The ‘Right to be Forgotten’ and Beyond: Data Protection and Freedom of Expression in the Age of Web 2.0, Centre for Socio-Legal Studies, Oxford, 12 June 2012), www.csls.ox.ac.uk/conferences/oxpilsconference2012/Transcript-KeynoteontheOriginsandImportanceoftheRighttobeForgotten.php (accessed 4 November 2013).

47 Ibid.

48 C. Giles, ‘Spain Launches First “Right to be Forgotten” Case Against Google’, (20 April 2011) The Huffington Post, www.huffingtonpost.com/2011/04/21/right-to-be-forgottengoogle-spain_n_851891.html (accessed 4 November 2013); K. Hill, ‘Plastic Surgeon’s Legal Quest to Facelift Google Search Results’, (3 July 2011) Forbes, www.forbes.com/sites/kashmirhill/2011/03/07/plastic-surgeons-legal-quest-to-facelift-google-search-results/ (accessed 4 November 2013).

49 Lombarte, above n. 46.


from the search index. In the course of deciding these cases, the AEPD found an embryonic right to be forgotten in the existing principles, stating that:

[I]t is blatantly legitimate that a citizen who is not under the obligation of submitting to the discipline of the exercise of [freedom of expression and information] … (because his personal data are not of public interest and, in consequence, knowledge thereof does not contribute to shaping a free public opinion as a basic pillar of a democratic State) must enjoy reactive mechanisms protected by Law (such as the right of cancellation of personal data) preventing the secular and universal conservation of his personal data on the Web.50

In expressly balancing the rights to data protection and freedom of expression, the AEPD was clearly drawing a distinction between permissible restrictions on freedom of expression, in cases in which there never was or no longer is a public interest in the material, and restrictions regarded as impermissible, where there is either a public interest in the material or there is prior restraint of publication. The significant immediate legal issues arising from the complaints, however, concern the applicability of the DPD to Google’s indexing and search activities. When Google appealed the AEPD orders to the Audiencia Nacional, the court referred nine key questions to the European Court of Justice (ECJ).51 The main issues before the ECJ concerned whether or not the territorial connecting factors for applicable law set out in Article 4 of the DPD are satisfied, so that Spanish data protection law applies to Google and its activities and, if so, whether Google might be liable as a data controller.52 In addition, however, the ECJ was asked to determine whether the rights to erasure and to object under the DPD extend to requesting removal of data from a search engine index, thereby effectively ruling on the extent to which the DPD incorporates, at least to some extent, a right to be forgotten.53 On 25 June 2013 Advocate General Jääskinen delivered

50 Castellano, above n. 22, p. 12.

51 Google Spain SL v. Agencia Española de Protección de Datos (AEPD), Número de Identificación Único: 28079 23 3 2010 0004781; C. Davenport, ‘Spain Refers Privacy Complaints to EU’s Top Court’, (2 March 2012) Reuters, www.reuters.com/article/2012/03/02/us-eu-google-idUSTRE8211DP20120302 (accessed 4 November 2013); M. Peguera, ‘Spain asks the ECJ whether Google Must Delete Links to Personal Data’, (2 March 2012) ISP Liability, http://ispliability.wordpress.com (accessed 4 November 2013).

52 Reference for a preliminary ruling from the Audiencia Nacional (Spain) lodged on 9 March 2012 – Google Spain SL, Google Inc. v. Agencia Española de Protección de Datos, Mario Costeja González, (C-131/12) [2012] OJ C 165/11.

53 Ibid., 3.1.


an Advisory Opinion in which he held that a search engine service provider, such as Google, is generally not a data controller and that the rights to erasure and to object under the DPD do not extend to search engine indexes.54 The reasoning applied by the Advocate General in reaching these conclusions is taken up in subsequent parts of this chapter.

The origins and development of the right to be forgotten

As explained above, it is important to distinguish between three related, but conceptually and historically distinguished rights, which this chapter refers to as the right to oblivion, the right to erasure and the right to be forgotten. This section of the chapter explains the origins and development of each of these three rights.

The right to oblivion

The right to oblivion, which is known in France as the droit à l’oubli55 and in Italy as diritto all’oblio,56 is part of the complex civil law jurisprudential tradition of personality rights.57 Rosen has described the droit à l’oubli as ‘a right that allows a criminal who has served his time and been rehabilitated to object to the publication of the facts of his conviction and incarceration’.58 In most European civil law jurisdictions, people with convictions for certain crimes have a right to prevent their criminal records being accessed or used, commonly after the expiry of a period of time which, in certain circumstances, may extend to the removal or expungement of

54 Google Spain SL, Google Inc. v. Agencia Española de Protección de Datos, Mario Costeja González (C-131/12), Opinion of Advocate General Jääskinen, delivered on 25 June 2013 (Opinion of Advocate General Jääskinen).

55 N. N. G. de Andrade, ‘Oblivion: the Right to Be Different … from Oneself; Reproposing the Right to be Forgotten’ (2012) 13 Revista de Internet, Derecho y Politica 122, http://idp.uoc.edu/ojs/index.php/idp/article/view/n13-andrade_esp/n13-andrade_eng (accessed 4 November 2013); Bernal, above n. 13.

56 G. Pino, ‘The Right to Personal Identity in Italian Private Law: Constitutional Interpretation and Judge-Made Rights’, in M. Van Hoeke and F. Ost (eds.), The Harmonization of Private Law in Europe (Oxford: Hart Publishing, 2000), pp. 225–37.

57 G. Brüggemeier, A. C. Ciacchi and P. O’Callaghan (eds.), Personality Rights in European Tort Law (Cambridge University Press, 2010); Ambrose and Ausloos, above n. 13; J. Neethling, ‘Personality Rights: a Comparative Overview’ (2005) 38 Comparative and International Journal of Southern Africa 210; K. Webb Bradley, ‘The Court of Public Opinion: the Practice and Ethics of Trying Cases in the Media’ (2008) 71 Law and Contemporary Problems 31.

58 Rosen, ‘The Right to Be Forgotten’, above n. 9, 88. In this respect, the droit à l’oubli is analogous to spent convictions laws in common law jurisdictions.


some criminal records.59 It is, however, important to distinguish between general laws relating to restrictions on access to, or removal of, criminal records, on the one hand, and restrictions on media reports of past convictions, on the other. In most civil law jurisdictions, the retention and use of records of past convictions are dealt with by means of anti-discrimination provisions in the national constitution, criminal procedure codes or specific legislation.60 For the purpose of this chapter, it is more relevant to review court decisions relating to restrictions on media reports of an individual’s judicial or criminal past. National versions of the right to oblivion have customarily been applied in the context of media references to past criminal convictions after the person concerned has served their sentence.61 In these cases the civil law courts customarily engage in a fact-specific balancing of the personality rights of the convicted person, on the one hand, and the public interest in freedom of expression, on the other. This is perhaps best illustrated by the way the issues have been dealt with under German law. The principal decision of the German Constitutional Court, Lebach I,62 concerned an application for an injunction against the showing of a television documentary about a robbery of an army munitions depot, which had resulted in the deaths of four soldiers. In that case, the Court, basing its decision on the rights to human dignity and autonomy in Articles 1 and 2 of the German Basic Law, held that the applicant, who had been convicted as an accessory, had a fundamental right to informational self-determination described as a right ‘exclusively [to] determine whether and to what extent others might be permitted to portray his life story in general, or certain events from his life’.63 In concluding that, on the facts of this case, this right prevailed over the broadcasters’ right to freedom of expression protected

59 Castellano, above n. 22, 15–16 (explaining access to criminal records under Spanish law); C. Morgenstern, ‘Judicial Rehabilitation in Germany – the Use of Criminal Records and the Removal of Recorded Convictions’ (2011) 3 European Journal of Probation 20 (explaining the restrictions on access to, and removal of, criminal records under German law).

60 Ireland Law Reform Commission, Spent Convictions, Report No. 84 (2007), p. 10, [1.13].

61 H. Graux, J. Ausloos and P. Valcke, ‘The Right to Be Forgotten in the Internet Era’ (ICRI Working Paper 11, Interdisciplinary Centre for Law and ICT (ICRI), 12 November 2012), www.law.kuleuven.be/icri/ (accessed 4 November 2013).

62 Bundesverfassungsgericht [German Constitutional Court], 1 BvR 536/72, 5 June 1973 reported in (1973) 35 BVerfGE 202 (Lebach I). For an English translation, see D. P. Kommers, The Constitutional Jurisprudence of the Federal Republic of Germany, 2nd edn (Durham, NC: Duke University Press, 1997), pp. 416–19.

63 Lebach I, 220, as quoted in P. E. Quint, ‘Free Speech and Private Law in German Constitutional Theory’ (1989) 48 Maryland Law Review 247, 299–300.


under Article 5 of the Basic Law, the Court emphasised the importance of resocialisation of a prisoner after release and, given that twenty-four years had elapsed since the offence, pointed out that the public interest in reports of crime becomes less pressing with the elapse of time.64 Prominent recent German decisions have considered the issues raised by Lebach I in the online context. The cases concerned concerted attempts by Wolfgang Werlé and his half-brother, Manfred Lauber, who had been convicted of murdering the actor Walter Sedlmayr, to have references to their convictions removed from online archives and from Wikipedia. Most of the English-language commentary on the cases has focused on the attempt to have the names removed from Wikipedia, and German Wikipedia’s decision to remove the references from its German-language site in response to an unopposed decision of a first instance court.65 While this focus fits easily into a narrative that interprets any removal of online material as suppression of speech, it ignores the complex balancing of rights that is required under German law, and which is apparent from the court decisions relating to the archived material. While lower courts, essentially following Lebach I, ordered the removal of the archived material on the basis that online archives are equivalent to ongoing dissemination, the decisions were reversed on appeal to the Federal Court of Justice.66 In nuanced decisions, the Court distinguished between obviously outdated material and current reports, to effectively hold that there is no obligation on websites to continuously review their archives.67 As Siry and Schmitz explain the decisions:

64 For further discussion of the case, see: Morgenstern, above n. 59; Quint, ibid.; E. J. Eberle, ‘The German Idea of Freedom’ (2008) 10 Oregon Journal of International Law 1.

65 J. Schwartz, ‘Two German Killers Demanding Anonymity Sue Wikipedia’s Parent’, New York Times (Online), 12 November 2009, www.nytimes.com/2009/11/13/us/13wiki.html?_r=0 (accessed 4 November 2013); C. Arthur, ‘Wikipedia Sued by German Killers in Privacy Claim’, Guardian (Online), 13 November 2009, www.guardian.co.uk/technology/2009/nov/13/wikipedia-sued-privacy-claim (accessed 4 November 2013); Rosen, ‘The Right to Be Forgotten’, above n. 9; C. Coutinho, ‘The Right to Be Forgotten?’ (2011) The Columbia Science and Technology Law Review, www.stlr.org/2011/04/the-right-tobe-forgotten/ (accessed 4 November 2013). It should be noted that the English language Wikipedia entries can still be accessed from Germany.

66 Bundesgerichtshof [German Federal Court of Justice], Decision of 10 November 2009 – VI ZR 217/08 (rainbow.at); Decisions of 15 December 2009 – VI ZR 227/08 and 228/08 (Deutschlandradio); Decisions of 09 February 2010 – VI ZR 243/08 and 244/08 (Spiegel online); Decisions of 20 April 2010 – VI ZR 245/08 and 246/08 (morgenweb.de); J. Bruhn, ‘Does a Murderer Have a Right to Be Forgotten?’, (16 November 2012) Free Speech Debate, http://freespeechdebate.com/en/case/does-a-murderer-have-the-right-to-be-forgotten/.

67 L. Siry and S. Schmidt, ‘A Right to Be Forgotten? – How Recent Developments in Germany May Affect Publishers in the US’ (2012) 3 European Journal of Law and Technology 1.


The easy accessibility of old and often out-dated news stories by search engines as such does not constitute sufficient reason to eliminate our ‘historical memory’. Accordingly, where the articles are clearly marked as archived reports, the potential for infringement of the right to personality is limited.68

Consequently, while the German jurisprudence gives considerable weight to the rehabilitation of former criminals as part of protecting their personality rights, it is simply incorrect to claim that the sophisticated balancing exercise is a blunt form of censorship. Although some have claimed that the right to oblivion is derived from French jurisprudence,69 this is also a less than accurate analysis. According to Markesinis et al., the droit à l’oubli is doubtful under French law,70 with the Cour de cassation apparently rejecting the right,71 although commentary and some lower courts do apparently support a form of the right.72 Despite the equivocal position of the French courts, the jurisprudence relating to the droit à l’oubli influenced France to take the lead in responding to the problem of digital eternity.73 In 2009 the French secretary of state for the digital economy, Kosciusko-Morizet, initiated a self-regulatory code of good practices on the right to be forgotten on social networks and search engines.74 In 2010 the code was signed by a few French companies, including Trombi.com and Microsoft France, with Kosciusko-Morizet proposing that it could be the starting point for an international agreement.75 Both in the general sense of European cases dealing with the protection of personality rights in the online context, and in the more specific sense of the French initiative, the right to oblivion may be regarded as forming an important background to the right to be forgotten in the GDPR.

68 Ibid., 5 (footnotes omitted).

69 Pino, above n. 56.

70 B. Markesinis, C. O’Cinneide, J. Fedtke and M. Hunter-Henin, ‘Concerns and Ideas about the Developing English Law of Privacy (and How Knowledge of Foreign Law Might Be of Help)’ (2004) 52 American Journal of Comparative Law 133, 169.

71 Cour de cassation [French Court of Cassation], 1ère chambre civile, 89–12580, 20 November 1990.

72 Brüggemeier et al., above n. 57, p. 203.

73 Ambrose and Ausloos, above n. 13, 6.

74 M. Kuschewsky, ‘The Right to Be Forgotten – the Fog Finally Lifts’ (2012) 12 Privacy & Data Protection 10; Hunton & Williams LLP, ‘French Government Secures “Right to Be Forgotten” on the Internet’, (21 October 2010) Privacy and Information Security Law Blog, www.huntonprivacyblog.com/2010/10/articlers/french-government-securesright-to-be-forgotten-on-the-internet/ (accessed 4 November 2013).

75 Ibid.


The right to erasure

While the above discussion of the right to oblivion focused on rights against the media, in general terms data protection law has exempted processing carried out by the media for journalistic purposes.76 Nevertheless, over time, a distinct right to erase personal data has developed within the context of general data protection law. Proposals for imposing obligations to erase personal data were made from the earliest stages in the development of data protection laws. Data protection principles can effectively be traced to the 1973 report of an Advisory Committee of the US Department of Health, Education and Welfare (the HEW Report).77 The HEW Report first formulated a code of practice, known as the fair information practices (FIPs), to apply to the collection, storage, use and dissemination of personal information. While a right to erase personal data was not part of the FIPs, the report included proposed general safeguards to apply to automated data processing, which included the specific requirement to ‘(e)liminate data from computer-accessible files when the data are no longer timely’.78 The concerns expressed in the HEW Report did not, however, lead to the wholesale adoption of an erasure right in the USA. While the report did result in the Privacy Act of 1974 (USA),79 which applied the FIPs to federal government agencies, the Act incorporated access and correction rights, but no effective deletion rights. At the international level, the antecedents of data protection laws are found in two instruments developed in the mid 1980s: the Council of Europe’s Convention on Data Protection (the CoE Convention)80 and the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (the OECD Guidelines).81 During the processes of developing both instruments, concerns were expressed about the potential

76 DPD, above n. 2, Art. 9. See L. A. Bygrave, Data Protection Law: Approaching its Rationale, Logic and Limits (Alphen aan den Rijn: Kluwer Law International, 2002), pp. 55–6 (noting ambiguity on what amounts to ‘journalistic purposes’).
77 Secretary’s Advisory Committee on Automated Personal Data Systems, United States Department of Health, Education and Welfare, Records, Computers and the Rights of Citizens, (July 1973), http://epic.org/privacy/hew1973report/ (accessed 4 November 2013).
78 Ibid.
79 5 USC §552(a) (2006).
80 Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, opened for signature 28 January 1981, CETS no. 108 (entered into force 1 October 1985).
81 Organisation for Economic Co-operation and Development (OECD), OECD Guidelines on the Protection of Privacy and Transborder Flows of Data (Paris, 23 September 1980). (OECD Guidelines).

The ‘right to be forgotten’


problems created by the relatively permanent storage of personal data. For example, an Annex to a Resolution adopted by the Council of Europe in 1973 provided that:

Rules should be laid down to specify periods beyond which certain categories of information should no longer be kept or used.82

The Explanatory Report to the Resolution further suggested that the proposed rules could be implemented by computers being programmed to erase data after a specified terminal date. Similarly, an early draft of the OECD Guidelines included a ‘time limitation principle’, which provided that:

Personal data in a form that permits identification of the data subject should, once their purposes have expired, be destroyed, archived, or deidentified.83

Despite the attention given to the issue, proposals to introduce a right to erasure were not fully implemented. As explained by Michael Kirby, who chaired the OECD Expert Group, the group decided to omit the time limitation principle on the basis that the security safeguards and use limitations principles provided sufficient protection, ‘without imposing an expensive and possibly privacy-harmful obligation of culling and destroying personal information’.84 The right to erasure therefore does not appear as a principle in the OECD Guidelines, with the sole reference being confined to the following highly qualified statement in the Explanatory Memorandum, in relation to the purpose specification principle:

[W]hen data no longer serve a purpose, and if it is practicable, it may be necessary to have them destroyed (erased) or given an anonymous form.85

The CoE Convention went further than the OECD Guidelines, with Article 5, the data quality principle, providing that personal data should be ‘preserved in a form which permits the identification of the data

82 Council of Europe, Committee of Ministers, Resolution (73) 22 On the Protection of the Privacy of Individuals Vis-à-vis Electronic Data Banks in the Private Sector, Adopted by the Committee of Ministers on 26 September 1973 at the 224th meeting of the Ministers’ Deputies, Annex 4.
83 M. Kirby, ‘Transborder Data Flows and the “Basic Rules” of Data Privacy’ (1980) 16 Stanford Journal of International Law 27, 58.
84 Ibid., 58–9.
85 OECD Guidelines, above n. 81, Explanatory Memorandum, [54].


subjects for no longer than is required for the purpose for which those data are stored’. This is supported by Article 8(c), which provides a right to obtain rectification or erasure of data where these have been processed contrary to laws implementing the data quality principle. However, these provisions, while envisioning the possibility of erasure, fall short of a fully-fledged right to erasure. Moreover, the subsequent development of data protection law in Europe tended to subsume any deletion rights within the use minimisation principle, thereby focusing attention more on controlling the uses to which personal data might be put rather than on the continued existence of the data.86 Nevertheless, as Pastukhov explains, establishing time limits on the retention of personal data gradually gained acceptance in the 1980s and early 1990s, especially in Europe.87 For example, a 1986 recommendation of the Committee of Ministers of the Council of Europe proposed that storage periods be set for personal data held by social security institutions, with the periods depending upon the category of benefit and the sensitivity of the personal data.88 While the right to be forgotten was already expressly referred to by the Privacy Commissioner for British Columbia, David Flaherty, in the mid 1990s,89 it is clear that the most important development was the introduction of the DPD in 1996. The DPD adopts a ‘holistic’ approach to data protection regulation,90 applying minimum principles to all stages of data processing, and generally not distinguishing between collection, storage, use or disclosure. In this respect, it applies the fundamental principle that data processing is permissible only in certain enumerated circumstances, such as where the data subject has given unambiguous consent, processing is necessary for performance of a contract to which the data subject is a party, or

86 J. Warner, ‘The Right to Oblivion: Data Retention from Canada to Europe in Three Backward Steps’ (2005) 2 University of Ottawa Law & Technology Journal 75, 86.
87 Pastukhov, above n. 13, 16.
88 Council of Europe, Committee of Ministers, Recommendation R(86)1 of the Committee of Ministers to Member States on the Protection of Personal Data used for Social Security Purposes, adopted by the Committee of Ministers on 23 January 1986 at the 392nd meeting of the Ministers’ Deputies, https://wcd.coe.int/ViewDoc.jsp?id=699153&Site=CM&BackColorInternet=C3C3C3&BackColorIntranet=EDB021&BackColorLogged=F5D383 (accessed 4 November 2013).
89 D. H. Flaherty, ‘Controlling Surveillance: Can Privacy Protection Be Made Effective?’ in Philip E. Agre and Marc Rotenberg (eds.), Technology and Privacy: the New Landscape (Cambridge, MA: The MIT Press, 1997), pp. 167 and 172.
90 V. Mayer-Schönberger, ‘Generational Development of Data Protection in Europe’ in Philip E. Agre and Marc Rotenberg (eds.), Technology and Privacy: the New Landscape (Cambridge, MA: MIT Press, 1997), pp. 232–5.


processing is necessary for compliance with a legal obligation of the data controller.91 The DPD provides for the erasure of personal data in three distinct provisions. First, Article 6(1) requires Member States to include an obligation for personal data to be:

kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed.92

While this obligation can be complied with by the deletion of data, it falls short of a right to erasure, as compliance may also be achieved by anonymisation. Moreover, while it imposes an obligation on data controllers, it fails to confer corresponding rights on data subjects. Second, Article 12, which provides for access and correction rights, requires Member States to give data subjects the right to obtain:

as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of … [the DPD], in particular because of the incomplete or inaccurate nature of the data.93

Although this appears to give a right to apply for erasure of data, it is subject to two important qualifications. First, the right arises only where processing is contrary to the provisions of the DPD. Second, it is possible to interpret the clause beginning with ‘in particular’ as limiting the right to circumstances where the data are incomplete or inaccurate.94 In the absence of more specific guidance, the extent to which Article 12 incorporates a right to erasure remains a matter for national implementation. Third, Article 14 of the DPD requires Member States to confer on a data subject the right:

[T]o object at any time on compelling legitimate grounds relating to his particular situation to the processing of data relating to him, save where otherwise provided by national legislation.

As with the other two relevant Articles of the DPD, the extent to which the right to object incorporates a right to erasure is highly qualified. First, it is confined to where processing is permitted as being necessary in the public interest, or for the legitimate interests of the data controller or

91 DPD, above n. 2, Art. 7.
92 Ibid., Art. 6(1)(e).
93 Ibid., Art. 12(b).
94 B.-J. Koops, ‘Forgetting Footprints, Shunning Shadows. A Critical Analysis of the “Right to Be Forgotten” in Big Data Practice’ (2011) 8 SCRIPTed 229, 241; see also Ambrose and Ausloos, above n. 13, p. 9.


another person.95 Second, the provision places the onus on the data subject to establish that there are ‘compelling legitimate grounds’ to object to the data processing. Third, it gives national legislatures a broad discretion to carve out exceptions to the right to object. Finally, by not specifically referring to erasure, it creates the possibility that the objection may be justified for some forms of processing, such as use or disclosure, but not other forms, such as storage.96 The limitations of the rights conferred under the DPD were confirmed by the Opinion of the Advocate General in the Google Spain case, which raised questions concerning the application of the Article 12(b) rights to erasure and blocking and the Article 14(a) right to object to indexing performed by internet search engine operators. First, in relation to the Article 12(b) rights, the Advocate General seemed to confirm that the clause beginning with ‘in particular’ should be interpreted to confine the rights to incomplete or inaccurate data, which is clearly not the case in relation to either the websites identified by Google’s search engine or the contents of Google’s cache. Accordingly, the Advocate General concluded that rights to erasure or blocking would only arise if Google’s data processing was otherwise incompatible with the DPD. Second, in relation to the Article 14(b) right to object, the Advocate General held that the subjective preference of the data subject does not, in itself, amount to a ‘compelling legitimate ground’ for objection to data processing. Rather, the Advocate General pointed out that the relevant inquiry under Article 14(b) requires an objective balancing of the purpose of processing and the interests served by it, on the one hand, and the interests of the data subject, on the other. Accordingly, a right to object would only arise if a search engine provider went beyond its functions as an intermediary and assumed responsibility for the material on the source web page.
Analysis of the specific provisions of the DPD that deal with the possibility of erasure therefore indicates that, although it goes beyond previous data protection instruments in creating the possibility for requiring personal data to be erased in certain circumstances, the degree to which it implements a fully-fledged right to erasure is ambiguous.97 This analysis is confirmed by the

95 Ambrose and Ausloos, above n. 13.
96 Koops, above n. 94, 240.
97 In this respect, the DPD may be compared with the Electronic Privacy Directive, which, in relation to traffic data, provides that it ‘must be erased or made anonymous when it is no longer needed for the purpose of the transmission of a Communication’: Council Directive 2002/58/EC of 12 July 2002 Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector (Directive on Privacy and Electronic Communications) [2002] OJ L 201, Art. 6(1).


Advocate General’s Opinion in Google Spain that the relevant rights under the DPD fall some way short of conferring an enforceable right to be forgotten that could be exercised against search engine providers. Significantly, in reaching this conclusion, the Advocate General expressed the view that the proposed right to be forgotten in the GDPR ‘does not purport to represent a codification of existing law, but an important legal innovation’.98 The limits to erasure rights under the DPD, which are confirmed by the Advocate General’s Opinion, suggest that, as with prior data protection instruments such as the OECD Guidelines and CoE Convention, concerns about the potential negative consequences of data retention were, to an extent, outweighed by concerns that retaining the information might be beneficial to data subjects and concerns about the costs that an obligation to delete data might impose on data controllers. Nevertheless, it is arguable that the proliferation of personal data generated by individuals in the context of Web 2.0 applications has altered this calculus, as it is much less likely that the relatively trivial information published on applications such as SNS will have long-term benefits for data subjects. However, while the limitations on the rights conferred by the DPD, as exposed in the Google Spain Opinion, make it abundantly clear that it does not incorporate a right to be forgotten, as explained in the next section of this chapter, the DPD rights clearly form the basis of the right to be forgotten in the GDPR.

The right to be forgotten

In commenting on the EU data protection reform package, EU Commissioner Reding referred to proposals for ‘strengthening’ the right to be forgotten,99 thereby implying that the right exists, at least to some degree, under the DPD.100 Since the release of the draft GDPR, there has been considerable debate about the extent to which the express right to be forgotten in Article 17 of the proposed GDPR extends beyond the existing rights of data subjects under the DPD. For example, referring to erasure rights under the DPD, Maxwell suggests that, ‘(t)he “right to be forgotten” seems to be the same thing with a new label’.101 Similarly, in evidence

98 Opinion of Advocate General Jääskinen, above n. 54, [110].
99 V. Reding, ‘The Upcoming Data Protection Reform for the European Union’ (2011) 1 International Data Privacy Law 3, 4.
100 Koops, above n. 94, 232–3.
101 Maxwell, above n. 5, 176. See also Kuner, above n. 6, 11, adding that ‘it is not clear why it was necessary to create a new right under a new name’.


presented to the Justice Committee of the UK House of Commons, David Smith, the Deputy Information Commissioner, stated:

When you unpick it, much of what is there of the right to be forgotten is just a restatement of existing provisions – data shan’t be kept for longer than is necessary; if it has been processed in breach of the legal requirements it should be deleted … What is … important is the new Article 19, and it is the right to object.102

Moreover, after reviewing the evidence submitted on the proposed Article 17, the House of Commons Justice Committee concluded that:

The right of citizens to secure the erasure of data about them which is wrongly or inappropriately held is very important, but it is misleading to refer to this as a ‘right to be forgotten’, and the use of such terminology could create unrealistic expectations, for example in relation to search engines and social media.103

Against this, in a study prepared for the European Parliament, Konarski et al. assert that the ‘right to be forgotten and to erasure do represent a strengthening of the rights of consumers’.104 Moreover, as explained above, in his Opinion in Google Spain Advocate General Jääskinen expressed the view that the proposed Article 17 right represented an important innovation, and was not merely a codification of existing DPD rights. From its inception, a major justification for the EU data protection reform package has been the need to address the privacy challenges of technological changes that had occurred since the introduction of the DPD, which, as explained above, have emerged especially in the context of SNS. For example, in its identification of the challenges to data protection, the Commission’s 2010 Communication stated that:

Today technology allows individuals to share information about their behaviour and preferences easily and make it publicly and globally available on an unprecedented scale. Social networking sites, with hundreds of millions of members spread across the globe, are perhaps the most obvious … example of this phenomenon.105

102 House of Commons Justice Committee, The Committee’s Opinion on the European Union Data Protection Framework Proposals, House of Commons Paper no. 572-I, Session 2012–13 (2012), pp. 26–7, para. 60.
103 Ibid., para. 63, pp. 27–8.
104 Konarski et al., above n. 60, p. 60.
105 European Commission, A Comprehensive Approach on Personal Data Protection in the European Union, above n. 8, p. 2. For more precise analyses of the technological challenges


Given this background, it is hardly surprising that the right to be forgotten, which is the element of the package that is most directly targeted at persistent personal data stored on SNS, was emphasised. The new challenges of dealing with the accessibility over time of online personal data, especially associated with SNS, explain the distinction between what this chapter refers to as the right to erasure and the right to be forgotten. As discussed above, the right to erasure refers to the right of data subjects to ensure that their personal data is stored and processed for no longer than is necessary, which is imperfectly protected by the DPD. The right to be forgotten, however, in the sense used in this chapter, is a right to remove personal data, or restrict access to such data, that is potentially available in perpetuity on the Internet, and incorporates rights against search engines and third-party republishers. In this sense, it is possible to interpret the right to be forgotten as an attempt to deal with the problems of digital eternity by extending the existing legal concept of the right to oblivion by means of an adaptation and extension of the right to erasure under data protection law so as to apply to persistent online data. The conclusions of the UK House of Commons Justice Committee referred to above direct attention to the importance of distinguishing the rhetoric associated with the proposed right to be forgotten from an analysis of the actual scope and effect of proposed Article 17. Despite the prominence given to the proposed right in the European Commission’s data reform programme, the objectives of the proposal have always been cautious and modest.
For example, the Commission’s 2010 Communication, in the context of responding to the challenges of SNS, referred only to making the rights of data subjects ‘more explicit, clarified and possibly strengthened’.106 Moreover, the Explanatory Memorandum to the GDPR states that the proposed Article 17 ‘further elaborates and specifies the right of erasure provided for in Article 12(b) of Directive 95/46/EC’.107 An understanding of the degree to which the GDPR actually strengthens the rights of data subjects over online data is only possible after an explanation of the relevant Articles, which is undertaken in the next section of this chapter.

see: Konarski et al., above n. 24, pp. 16–22; O. Tene, ‘Privacy: the New Generations’ (2011) 1 International Data Privacy Law 15.
106 European Commission, A Comprehensive Approach on Personal Data Protection in the European Union, above n. 8, p. 7.
107 European Commission, GDPR, above n. 3, p. 9.


The DPD, the proposed GDPR and the Albrecht Report

Like the DPD, the GDPR generally prohibits data processing that falls within the scope of the instrument, subject to certain enumerated circumstances. As set out in Article 6(1), these circumstances include that: the data subject has given consent; processing is necessary for the performance of a contract to which the data subject is a party; processing is necessary for compliance with a legal obligation of the data controller; processing is necessary to protect the vital interests of the data subject; and processing is necessary for the legitimate interests of the data processor. While this central element of the data protection regime is almost indistinguishable from the comparable provision in the DPD,108 the proposed GDPR is both more comprehensive and detailed. Three important areas in which this is the case relate to access and correction rights; rights to object to data processing; and obligations in relation to third-party processing. An appreciation of the proposed right to be forgotten requires an understanding of how these three areas of the GDPR differ from the analogous provisions of the DPD.

Access and correction

As explained above, Article 12 of the DPD confers access and correction rights, but erasure rights are limited, and appear to be confined to where data is incomplete or inaccurate. The proposed GDPR deals with access and correction rights by creating separate rights to rectification (in Article 16) and to be forgotten (in Article 17). The Article 16 right to rectification, like Article 12 of the DPD, confers a right to obtain rectification where processing does not comply with the data protection regime ‘in particular because of the incomplete and inaccurate nature of these personal data’. Rather than treating the possibility of erasure within the same provision, however, the GDPR introduces a distinct right to be forgotten in Article 17 that is subject to different limitations to those that apply to the rectification right. Article 17(1) of the proposed GDPR provides that the data subject has a right to obtain erasure of personal data in the following four circumstances:

108 DPD, above n. 2, Art. 7.


• where the data are no longer necessary for the purposes for which they were collected or processed;
• where the legitimacy of the data processing is based on the consent of the data subject and that consent has been withdrawn;
• where a storage period that has been consented to has expired; or
• the processing of the data does not comply with the GDPR for other reasons.

These alternative bases for obtaining erasure go beyond the current rights under the DPD by incorporating a stronger form of the data quality principle (in Article 6(1)(e) of the DPD), and by specifically providing for deletion where consent is the basis for legitimate processing and that consent has been withdrawn. In addition, Article 17(1) makes it clear that deletion rights are especially relevant where the data subject made the data available when he or she was a child. The Albrecht Report, however, has sensibly recommended removing the specific reference to the rights of children in Article 17(1) and the associated Recital (53) on the basis that this might imply that adults have less protection than children.109

The right to object

As explained above, Article 14 of the DPD gives data subjects a right to object to the processing of personal data, but the right is qualified. The proposed GDPR includes objection rights in Article 19, with Article 19(1) establishing a right to object ‘at any time’ to the processing of data where that processing is lawful only because it is necessary for:

• the protection of the vital interests of the data subject;
• the performance of a task carried out in the public interest or the exercise of official authority; or
• the purposes of the legitimate interests of the data controller.

The proposed objection rights in Article 19(1) deal with each of the limitations on objection rights under the DPD. First, the right to object is extended to where processing is justified as necessary to protect the vital interests of the data subject. Second, instead of the data subject bearing the burden of establishing that there are ‘compelling legitimate grounds’ to object, the onus is placed on the data controller to establish that there

109 Albrecht Report, above n. 7, pp. 29, 97. See also Konarski et al., above n. 24 p. 59.


are ‘compelling legitimate grounds’ for the processing that override the fundamental rights and freedoms of the data subject. Third, and significantly, the right to object is specifically related to the right to delete data, in that where the data subject successfully objects under Article 19, this triggers a right to have the data deleted under Article 17. In addition, proposed Article 19(2) provides that the exercise of the right shall be free of charge where the processing is for the purpose of direct marketing.

Third-party processing

Under Article 12 of the DPD, where a right of rectification or erasure applies, the data subject has a right to require the data controller to notify any third parties to whom the data have been disclosed of the rectification or erasure ‘unless this proves impossible or involves a disproportionate effort’.110 The ease with which digital information published online may be copied and distributed obviously poses significant challenges for a right to be forgotten. Clearly, the removal of information from one digital source has limited effect if the information remains readily accessible from others. The proposed GDPR deals with this by imposing greater obligations on data controllers in relation to third-party processing than those imposed under the DPD. In this respect, Article 17(2) provides that, where a data subject has requested erasure and the data controller has made the personal data public, the data controller must:

[T]ake all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible, to inform third parties which are processing such data, that a data subject requests them to erase any links to, or copy or replication of that personal data. Where the controller has authorised a third party publication of personal data, the controller shall be considered responsible for that publication.

This clearly goes beyond the current obligation in that it applies automatically where the right to erasure is exercised and it imposes liability for authorising third-party publications. There are, nevertheless, considerable uncertainties arising from the drafting of the proposed GDPR, including what may constitute ‘reasonable steps’, what may be encompassed by ‘technical measures’ and what may amount to ‘authorising’ a publication.

110 DPD, above n. 2, Art. 12(c).


Are rights strengthened under the GDPR?

As explained above, in its opinion on the proposed data protection framework, the UK House of Commons Justice Committee was concerned that referring to the deletion right conferred by the proposed Article 17 as ‘a right to be forgotten’ may give rise to unrealistic expectations that users would have rights to remove material from search engines and SNS. Given the inherent limits of legal solutions to the problems of digital eternity, as well as the limits to the rights conferred under the proposed GDPR, there is some justification for these concerns. Clearly, people should not be deterred from exercising restraint in the publication of their personal information by a false expectation of legal rights relating to subsequent erasure. Nevertheless, claims that the proposed right does no more than restate existing DPD rights underestimate the proposed changes. For instance, it is important to appreciate the link between the Article 19 right to object and Article 17. While, as noted above, Article 19 strengthens rights by placing the onus on the data controller to justify data processing, Article 17(1)(c) provides a deletion right where the data subject exercises the Article 19 objection right. Moreover, the obligations imposed on data controllers under Article 17(2) to notify third-party data processors of requests to erase personal data and, in appropriate cases, the responsibility for third-party publications, are much stronger than the third-party notification rights under the DPD. Claims that the right to be forgotten under the proposed GDPR is illusory therefore misconstrue the effects of the strengthened rights under both Articles 17 and 19. These strengthened rights must, however, be read in the context of limitations on the application of the rights to SNS and search engines which, as explained below, derive from other provisions of the GDPR.
As explained, there is considerable uncertainty relating to these limitations, which casts some doubt on the practical effect of the strengthened rights. The extent to which the objection right and the notification obligations represent a mere strengthening of the right to erasure under the DPD, or the introduction of a right to be forgotten, is best illustrated by an analysis of the relevant proposed amendments made in the Albrecht Report.

The Albrecht Report proposals

The Albrecht Report recommended strengthening the right to object in a number of respects. First, where processing is justified by the


legitimate interests of the controller, proposed amendments to Article 6 would tighten what amounts to the legitimate interests of the controller and how these are to be balanced with the interests and fundamental rights of the data subject.111 Second, where this ground is relied upon, the controller must inform the data subject, publish the reasons for believing that its interests override the rights and interests of the data subject, and explicitly offer a right to object.112 Third, as a result of the proposed clarifications to Article 6, the Report proposes strengthening the right so that it can no longer be overridden by the controller demonstrating legitimate grounds for the processing.113 Fourth, the Report recommends that the objection should always be free of charge, regardless of whether or not it is for the purpose of direct marketing.114 Fifth, the Report recommends removing an inconsistency between Articles 19 and 17 by providing that, when an objection is upheld, the data must be erased, and not merely that the processing should cease, as is the case under Article 19(3) of the Commission’s draft.115 The Albrecht Report proposals therefore not only recommend strengthening the right to object, but make the link between the rights to object and to be forgotten clearer.
Since the release of the GDPR, possibly the most controversy concerning Article 17 has centred on whether or not the notification obligation in Article 17(2) is practical or desirable, especially in the context of the open Internet where third parties may obviously link to the data, or make copies, without the permission or knowledge of the data controller.116 For example, in evidence to the UK House of Commons Justice Committee, David Clarke questioned the utility of the obligation in this context.117 These objections, however, seem to overlook the object and nature of the obligation in the GDPR, which is not absolute but simply requires a data controller that has published personal data to take reasonable steps to inform third parties of a request to remove material.118 On the other hand, Konarski et al. contend that the obligation should be clarified and

111 Albrecht Report, above n. 7, pp. 72–5. The Report recommends that this ground only apply in ‘exceptional circumstances’: p. 20 (Proposed Recital (38)).
112 Ibid., proposed Arts. 6(1a), 19(2).
113 Ibid., p. 102.
114 Ibid., p. 103.
115 Ibid.
116 See, for example, Rosen, ‘The Right to Be Forgotten’, above n. 9, 90–1; Ambrose and Ausloos, above n. 13, pp. 15–16.
117 House of Commons Justice Committee, above n. 103, pp. 28–9.
118 In this respect, the draft GDPR differs from an earlier version in which the data controller had an obligation to ensure the erasure of links or copies: Kuner, above n. 6, 11.


extended so that, upon notification of a request, the third party should automatically have an obligation to remove the material.119 In potentially the most significant proposed change to Article 17,120 the Albrecht Report has recommended amending Article 17(2) so that it would read as follows:

Where the controller referred to in paragraph 1 has transferred or made the personal data public, without a justification based on Article 6(1), it shall take all necessary steps to have the data erased, without prejudice to Article 77.

he Albrecht Report drat of Article 17(2) would make the following changes. First, the obligation would apply not only where the data controller has published the data but also where the data controller has transferred the data to third parties, such as for third-party proi ling.121 Second, the revised obligation would apply only where the publication or transfer of the personal data is not lawful under Article 6(1), such as where it has not been made with the consent of the data subject. his suggests that the obligation does not apply where the data subject has consented to the publication or transfer of personal data, but subsequently withdraws his or her consent. As explained in the Albrecht Report, any rights of the data subject would then arise only against third-party processors, and not against the data processor that published or transferred the data.122 hird, the obligation, where it applies, would not merely be to take reasonable steps to inform third parties, but to take all necessary steps to have the data removed. While, in some respects, the Albrecht Report drat strengthens the obligations of data controllers in relation to third-party processing, in the most important respect it represents a watering down of the obligations, especially in the context of social networking and republication on the Internet. In short, provided a publication or transfer is lawful under Article 6(1), such as where the data subject consented, the data controller has no obligations in relation to third-party processing or publication, even if the data subject subsequently withdraws consent. According to the Albrecht Report, the amended wording is justiied as ‘if a publication of personal data took place based on legal grounds as 119 120 121

122

Konarski et al., above n. 24, p. 60. See Burton et al., above n. 7, 4. For this criticism of the Commission drat, see Ambrose and Ausloos, above n. 13, p. 16; Graux et al., above n. 61, p. 14. Albrecht Report, above n. 7, p. 98.


David Lindsay

referred to in Article 6(1), a “right to be forgotten” is neither realistic nor legitimate’.123 But the Albrecht Report amendment to Article 17(2) also seems aimed at addressing claims that the obligations imposed by the Commission draft would have a ‘chilling effect’ on the Internet.124 These claims are related to the difficulties facing data controllers who might be required to notify third parties under the Commission draft of the GDPR, including difficulties in deciding whether or not to notify a third party, and then determine what amounts to ‘reasonable steps’ to inform those parties. In addition, once notified, third parties would likely respond by removing material, without any account being taken of rights to freedom of expression in the material. If the Albrecht Report amendments were accepted, thereby removing obligations for third-party publications unless the transfer is unlawful, this would certainly address concerns over data controllers being required to ‘police the Internet’. On the other hand, as the posting of data to SNS will usually comply with Article 6(1), this would place the burden for limiting third-party processing solely on the data subject, effectively rendering the Article 17 right much more like a strengthened erasure right than a right to be forgotten.125 Further issues relating to the interpretation of Article 17(2) are taken up in the conclusion to this chapter. Returning to the UK House of Commons Justice Committee’s concern that referring to the Article 17 right as a right to be forgotten may create a false impression, even if the Albrecht Report draft of Article 17(2) is not accepted, there remain considerable uncertainties and ambiguities relating to the proposed right. Some of these ambiguities and uncertainties relate to limitations on, and exceptions to, the proposed right, which are examined in the next section of this chapter.

Limitations and exceptions

Like the DPD, the proposed GDPR is aimed at protecting the fundamental right to protection of personal data, as guaranteed in Article 8 of the Charter of Fundamental Rights of the EU. In accordance with the European human rights framework, however, the right is subject to

123 Ibid., p. 98.
124 Rosen, ‘The Right to Be Forgotten’, above n. 9, 90–1; Ambrose and Ausloos, above n. 13, pp. 15–16.
125 This seems to be reflected in the proposed amendment of references to the ‘right to be forgotten’ to the ‘right to erasure and to be forgotten’ in Recitals (53) and (54): Albrecht Report, above n. 7, pp. 28–9.


the principle of proportionality. Accordingly, limitations are necessary to support other rights and freedoms, especially the right to freedom of expression. Consequently, although the proposed GDPR increases the rights of data subjects, it necessarily also incorporates safeguards for countervailing rights and interests. In relation to the right to be forgotten, these safeguards take the form of exceptions to, and potential derogations from, the proposed right. Article 17(3) of the GDPR provides that, where the right to be forgotten applies, the data must be erased without delay, unless retention is justified by one of the enumerated exceptions. The exceptions permit the retention of data where this is necessary:

• For exercising the right of freedom of expression as provided for under Article 80 of the GDPR. Proposed Article 80 of the GDPR requires Member States to establish derogations to protect the processing of personal data ‘carried out solely for journalistic purposes or the purpose of artistic or literary expression’;
• For protecting the public interest in public health as provided for under Article 81. Article 81 requires the EU or member states to introduce measures to safeguard the legitimate interests of data subjects in the area of public health;
• For historical, statistical or scientific research purposes in accordance with Article 83. Article 83 essentially provides that personal data may be processed for these purposes only if they cannot be achieved by processing anonymised or de-identified data; and
• For compliance with a legal obligation to retain data under either EU or member state law.

The Commission draft therefore intended for the permitted exceptions to be highly targeted. For example, in the draft the protection of freedom of expression is confined to processing for journalistic purposes or creative expression.
The Albrecht Report, however, adopted a broader view of freedom of expression than either the Commission draft or the DPD, proposing to remove the limitation on Article 80 derogations so that they apply to all aspects of freedom of expression, and not just to the rights of journalists, artists and writers.126 This is reinforced in a proposed new Article 17(2a), which would specifically require that measures of erasure of published data shall respect the right to freedom of expression referred to in Article

126 Albrecht Report, above n. 7, p. 196.


80.127 Although the precise effect of this proposed provision is unclear, it seems to suggest that the right to freedom of expression must be directly taken into account in exercising the right to be forgotten, rather than operating merely as an exception, as is the case in the Commission draft.128 Although this particular amendment potentially creates more uncertainty than the Commission draft, the Albrecht Report draft generally favours amendments that would reduce uncertainties in the implementation of the regulation. For example, while Article 17(9) of the GDPR empowers the Commission to adopt delegated acts on certain matters, the Albrecht Report draft requires this to be done only after an opinion from the proposed European Data Protection Board (EDPB),129 and that any delegation under this Article must be adopted before the regulation enters into force.130 Apart from the specific exceptions to the right to be forgotten, Article 21 of the GDPR authorises the EU and member states to restrict the scope of specified rights and obligations established under the GDPR where it is a necessary and proportionate measure in a democratic society to safeguard specific rights and interests, including public security, crime prevention, revenue protection and investigation of breaches of ethics in regulated professions.
As the opinion of the European Data Protection Supervisor on the data reform package pointed out, however, there is an overlap between the general derogations permitted under national laws pursuant to Article 21 and the specific exception established under Article 17(3)(d), which allows national laws to override the right to be forgotten provided the laws are in the public interest, respect the essence of the right to protection of personal data and are proportionate to the legitimate aim of the relevant law.131 While it is not absolutely clear, it seems that the Albrecht Report supports the deletion of Article 17(3) in its entirety, on the basis that ‘(t)he exceptions in paragraph 3 are only a duplication of the general limitations in Article 21 and do not add any value here’.132 However, this reasoning seems to ignore an important distinction between Article 17(3) and Article 21; while the exceptions in Article 17(3) operate as a limit on the right to be forgotten, Article 21 merely gives member states the power

127 Ibid., p. 98.
128 The application of proposed new Art. 17(2a) is taken up in the conclusion to this chapter.
129 Albrecht Report, above n. 7, p. 100.
130 Ibid., p. 210, proposed Art. 86(5a).
131 European Data Protection Supervisor, above n. 5, [66]–[67], [149]. See also Konarski et al., above n. 24, p. 61.
132 Albrecht Report, above n. 7, p. 101.


to create limitations. Consequently, it may be beneficial to retain the specific references to Articles 80, 81 and 83 in Article 17(3). Finally, in certain limited circumstances the data controller may be required to restrict the processing of personal data rather than erase it.133 Under proposed Article 17(4) the data may be retained for restricted processing for the following specific purposes: verifying the accuracy of the data where this has been challenged by the data subject; where the controller needs the data for the purposes of proof; where the processing is unlawful and the data subject requests restricted processing instead of erasure; and to process the data for the purpose of transmitting it to another service pursuant to the right to data portability. The Albrecht Report draft proposes tightening the obligations on the data controller so that processing is restricted ‘in such a way that it is not subject to the normal data access and processing operations of the controller and can not be changed anymore’.134 Considerable uncertainties arise from the need to balance the rights to privacy and data protection with other rights, especially the right to freedom of expression. As noted in the earlier discussion of privacy and freedom of expression online, the balance may very much depend upon the specific facts. On the one hand, the extension of Article 80 derogations beyond specific purposes removes uncertainty relating, for example, to the definition of journalistic purposes.135 On the other hand, however, the proposed new Article 17(2)(a) appears to create uncertainty about the scope of the right to be forgotten, as well as leaving what might be regarded as the most important limitations on the right to the laws of member states, albeit within the framework of decisions of the European Court of Human Rights.
Given the complexities, this is probably inevitable, but it does mean that to a considerable extent the scope of the proposed Article 17 right is necessarily indeterminate. As the next section of the chapter explains, even more uncertainties arise from the legal issues involved in applying Article 17 to SNS.

Article 17 and social media

Although the history of the introduction of the right to be forgotten in the GDPR suggests that it was a response to the significant increase in

133 European Commission, GDPR, above n. 3, Art. 17(3)(e).
134 Albrecht Report, above n. 7, p. 100.
135 On the difficulties of determining ‘journalistic purposes’ see the ECHR decision in Steel and Morris v. UK (Application no. 68416/01) [2005] ECHR 103, (2005) 41 EHRR 22.


user-generated content arising from Web 2.0 applications, and especially SNS, there are real questions about the extent to which the proposed Article 17 applies to SNS. Leaving aside jurisdictional issues,136 there are three main legal issues that arise in applying any data protection framework, including the proposed GDPR, to SNS:

1. The application of the regime to data processing for purely personal or domestic purposes, which is dealt with under EU data protection law by the ‘household exemption’;
2. The extent to which the regime applies to private individuals, which under the proposed GDPR depends upon whether or not a person is a ‘controller’; and
3. The application of any relevant exemptions from liability for internet intermediaries, which in the EU are established under the E-Commerce Directive (ECD).137

The household exemption

Article 2(2)(d) of the proposed GDPR exempts from the scope of the regulation data processing ‘by a natural person without any gainful interest in the course of its own exclusively personal or household activity’. An important gloss on the meaning of the terms used in the exemption is provided by Recital (15), which states that:

This Regulation should not apply to the processing of personal data by a natural person, which are exclusively personal and domestic, such as correspondence and the holding of addresses, and without any gainful interest and thus without any connection with a professional or commercial activity. The exemption should also not apply to controllers or processors which provide the means for processing personal data for such personal or domestic activities.

The difficulties in applying the household exemption to Web 2.0 applications, such as SNS, arise from the extent to which they blur the boundaries

136 The proposed GDPR would extend the jurisdiction of EU data protection law to apply to the processing of personal data of EU residents where the processing relates to offering of goods or services to EU residents, or monitoring their behaviour: European Commission, GDPR, above n. 3, Art. 3(2). For further discussion of jurisdictional issues see Kuner, above n. 6, pp. 6–7.
137 Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on Certain Legal Aspects of Information Society Services, in Particular Electronic Commerce, in the Internal Market (Directive on Electronic Commerce), [2000] OJ L 178 (ECD).


between what is public and what is private, as well as what is commercial and what is non-commercial. These difficulties led to concerns about the extent to which the exemption in the DPD, which is confined to processing ‘in the course of a purely personal or household activity’, would apply to SNS.138 It is clear from Recital (15) that the Commission draft of the exemption does not apply to those responsible for providing the means for processing data for personal or household activities, meaning that SNS providers, such as Facebook, are not entitled to the exemption. Problems arose, however, from the phrase ‘without any gainful interest’, which suggests that the exemption would not apply whenever the activities of a natural person had some commercial element, such as the sale of private possessions to other private persons on an auction site.139 Accordingly, the Albrecht Report proposed simplifying the exemption so that it applies to processing ‘by a natural person in the course of its own exclusively personal or household activity’.140 Even with this revised drafting, however, there remains the problem of how the exemption might apply to individual users of SNS, which comes down to whether use of social media is an exclusively personal or household activity. Some assistance in answering this question may be obtained from the 2009 Opinion of the Article 29 Data Protection Working Party (WP29) on online social networking, which addressed the application of the DPD, including the household exemption, to SNS.141 The Working Party concluded that, while the household exemption would generally apply to individual use of SNS, in certain circumstances the exemption might not apply. First, WP29 concluded that the exemption would not apply where an individual user acts on behalf of a company or association, or uses SNS to advance commercial, political or charitable goals.
Second, the Opinion concluded that, where access to profile information extended beyond self-selected ‘friends’, such as to all members of an SNS, access would extend beyond the personal and domestic sphere, and the exemption would not apply. Third, the Working Party concluded that if users acquired a high number of third-party contacts, such as a

138 See WP29, The Future of Privacy; Joint Contribution to the Consultation of the European Commission on the Legal Framework for the Fundamental Right to Protection of Personal Data (WP 168, adopted 1 December 2009), p. 18, para. 71.
139 UK Information Commissioner’s Office, Initial Analysis of the European Commission’s Proposals for a Revised Data Protection Legislative Framework (27 February 2012), p. 4; Konarski et al., above n. 24, p. 33.
140 Albrecht Report, above n. 7, p. 61.
141 WP29, Opinion 5/2009 on Online Social Networking (WP 163, adopted 12 June 2009).


high number of ‘friends’, this could be an indication that the household exemption does not apply. The conclusions of WP29 that some activities of individual social media users may not be entitled to the household exemption, and its emphasis on how accessible the information is, find support in the decision of the European Court of Justice in the Bodil Lindqvist case,142 in which the Court held that publication of a church newsletter on the Internet, so that the data were accessible to an indefinite number of people, did not fall within the exemption. On the other hand, the drafting history of the GDPR might suggest that, in contrast to the Working Party’s interpretation, unlimited accessibility may not necessarily mean that an individual’s activities fall outside the exemption. In particular, version 56 of the proposed GDPR, which was leaked in December 2011 and which formed the basis of consultations with the Directorates General, specifically provided that the household exemption would not apply where personal data is ‘made accessible to an indefinite number of individuals’.143 The Albrecht Report draft deals with the issue of when the activities of a private person are either too ‘commercial’ or too ‘public’ for the exemption to apply by accepting recommendations for these considerations to be referred to in the preamble rather than the text of the regulation.144 Consequently, the Albrecht Report recommended redrafting Recital (15) to include the following:

The exemption should not apply where the processing of personal data is done in pursuit of a professional or commercial objective. The nature of the personal data processed and whether it is available to a definite or indefinite number of persons shall be taken into account in determining whether the processing falls within the exemption.145

Regardless of the version of the household exemption that is adopted, it seems that the application of the exemption to the activities of private persons will not be dealt with in the text of the regulation, but will depend on an interpretation of the exemption by data protection authorities, potentially with the guidance of the proposed EDPB.

142 Bodil Lindqvist (C101/01) [2003] ECR I-12971.
143 European Commission, Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (Version 56, 29 November 2011), Art. 2(5)(b), http://statewatch.org/news/2011/dec/eu-com-draft-dp-reg-inter-service-consultation.pdf (accessed 4 November 2013).
144 See Konarski et al., above n. 24, p. 33.
145 Albrecht Report, above n. 7, p. 11.


Data controller

The proposed GDPR imposes the most important regulatory obligations on ‘controllers’, with a ‘controller’ being defined by Article 4(5), in similar terms to the comparable definition in the DPD, to mean:

[T]he natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes, conditions and means of the processing of personal data.146

A 2010 WP29 Opinion on the concepts of ‘controller’ (which has an active role) and ‘processor’ (which has a passive role) under the DPD recognised that the definition was difficult to apply in complex environments such as the use of SNS.147 In its 2009 Opinion on online social networking, the Working Party concluded that:

• Social media providers that provide online platforms which enable individuals to publish and exchange information with other users are data controllers since they determine the purposes and means of the processing of such data; and
• Individual users that upload third-party personal data are also data controllers, provided they are not entitled to the ‘household exemption’.148

These conclusions would appear to apply equally to the definition of ‘controller’ in the proposed GDPR. It therefore appears that, in practical terms, where an individual is not entitled to the household exemption, the SNS provider and the individual user will be regulated as joint controllers. The allocation of responsibilities between joint controllers is expressly addressed in Article 24 of the proposed GDPR, which requires the respective responsibilities of joint controllers to be determined by means of an arrangement between them. This effectively means that, where the household exemption does not apply, the respective responsibilities of SNS providers and individual users for deleting information must be determined by an agreement. However, where the household exemption does apply, the SNS provider will have sole responsibility for deleting information where the Article 17 right to be forgotten is exercised. The WP29 Opinions must, however, now be read in the light of the Opinion of the Advocate General in Google Spain, which expressed the

146 European Commission, GDPR, above n. 3, Art. 4(5).
147 WP29, Opinion 1/2010 on the Concepts of ‘Controller’ and ‘Processor’ (WP 169, adopted 16 February 2010), p. 2.
148 WP29, Opinion 5/2009 on Online Social Networking, above n. 142, pp. 5–6.


view that, in general terms, a search engine provider is not a controller. In reaching this conclusion, the Advocate General, after noting that the full implications of the Internet and search engines were not apparent when the DPD was adopted, applied the principle of proportionality to the definition of controller, ‘in order to avoid unreasonable and excessive legal consequences’,149 such as holding that all internet users are data controllers. Focusing on the definition of a controller as the person who determines the purposes and means of data processing, the Advocate General stated that:

In my opinion the general scheme of the Directive … and the individual obligations it imposes on the controller are based on the idea of responsibility of the controller over the personal data processed in the sense that the controller is aware of the existence of a certain defined category of information amounting to personal data and the controller processes this data with some intention which relates to their processing as personal data.150

Following from an analysis of the automated operation of search engines, the Advocate General concluded that, in general, a search engine service provider is not a controller of personal data on third-party source websites, as it is not aware of the existence of personal data ‘in any other sense than as a statistical fact web pages are likely to include personal data’.151 Regardless of this general conclusion, the Advocate General pointed out that a search engine service provider controls the index of a search engine, which links keywords to URLs, in the sense that it determines how the index is structured and whether or not exclusion codes, such as the robots.txt file,152 are complied with. Nevertheless, given that the material in a search engine cache that appears as a result of a search is generated entirely automatically, the Advocate General held that a search engine service provider is not a controller in relation to search returns, unless the material in the cache fails to comply with exclusion codes. Accordingly, the Opinion expressed the view that the only circumstances in which the DPD could require a search engine service provider to remove personal data from its index is where the service provider does not comply with exclusion codes or where a request from a website operator to update a search cache memory is not complied with.153

149 Opinion of Advocate General Jääskinen, above n. 54, [30].
150 Ibid., [82].
151 Ibid., [84].
152 See ‘The Web Robots Page’, above n. 40.
153 Opinion of Advocate General Jääskinen, above n. 54, [99].


At the time of writing, the implications of Advocate General Jääskinen’s Opinion for the future interpretation of the concept of a data controller are unclear. First, it must be borne in mind that an Opinion is advisory only and, while it is usually followed by the ECJ, the Court remains free to differ from it. Second, the introduction of a requirement of subjective awareness of the personal data being processed is novel and is clearly not grounded in the text of the DPD. For example, while the 2010 WP29 Opinion on the concept of ‘controller’ recommended applying a ‘pragmatic approach’ in determining which of various actors are data controllers, it emphasised the role of the actors in data processing and not their subjective awareness.154 Given the extent to which much data processing is entirely automated, and usually indiscriminately combines personal data and other data, the objective emphasis on the roles of entities involved in the processing makes perfect sense. Third, the application of the principle of proportionality to essential definitions in the DPD, apparently to avoid consequences that were not envisaged at the time of drafting, also has no basis in the text of the Directive. Fourth, the effect of the Opinion on debates surrounding the right to be forgotten in the GDPR is difficult to predict: on the one hand, the Opinion might be thought to support the views of those who oppose the introduction of a new right; on the other hand, it can be interpreted as confirming the need for a new data protection instrument that can be applied to current technologies. In any case, if a right to be forgotten is to be effectively implemented, the Opinion suggests that there is a need for further clarification of the concepts of ‘controller’ and ‘processor’ under the proposed GDPR, especially if the definitions under the DPD are narrowly interpreted.
Nevertheless, despite concerns about the viability of the distinctions between data controllers and data processors in the context of new services and technologies, including cloud computing and Web 2.0 applications, which certainly pre-dated the Advocate General’s Opinion in Google Spain, the Albrecht Report did not recommend changing the definitions of ‘controller’ and ‘processor’ in the GDPR.155 The Report does, however, propose tightening the arrangements that apply to joint controllers, by requiring the agreement between joint controllers to be in writing, and specifying that such controllers are jointly

154 WP29, Opinion 5/2009 on Online Social Networking, above n. 148, pp. 12–15.
155 The report seems to further complicate matters by proposing a new category to be known as a data ‘producer’: Albrecht Report, above n. 7, p. 66; Burton et al., above n. 7, pp. 3–4.


and severally liable for breaches of the regulation.156 In addition, the Report proposes requiring joint controllers to include an explanation of their respective roles and responsibilities in their privacy notices.157 In effect, this means that SNS operators falling within the proposed regulation would need to make complex determinations about whether or not users are entitled to the household exemption in order to comply with the obligations imposed on joint controllers. Together with the uncertainties generated by the Advocate General’s Opinion in Google Spain, this suggests that there is a need for greater attention to be given to the respective roles and responsibilities of entities involved in complex data processing, including social networking activities and search engine services, if the rights of data subjects are to be effectively protected in the proposed GDPR.

The E-Commerce Directive and internet intermediaries

The ECD establishes a horizontal regime that limits the liability of internet intermediaries for the actions of end-users.158 Under the regime, provided intermediaries that engage in the relevant activities – transmitting or providing access (‘mere conduit’), caching or hosting – comply with certain conditions, their liability is limited to orders requiring the service provider to terminate or prevent infringements. For example, to be entitled to the limitation on liability, a content host must not have knowledge of illegal activity or information or must, upon obtaining knowledge, expeditiously take down or disable access to unlawful information.159 Whether or not the ECD’s liability regime applies to the DPD has been unclear.160 Given that Article 4(5) of the ECD specifically provides that it does not apply to questions relating to information society services covered by the DPD, it is more than arguable that the liability regime has no application. The issue would seem to be addressed by Article 2(3) of the GDPR, which provides that:

156 Albrecht Report, above n. 7, p. 113.
157 Ibid., p. 85.
158 See, for example, R. Julia-Barcelo and K. J. Koelman, ‘Intermediary Liability in the E-Commerce Directive: So Far So Good, but It’s not Enough’ (2000) 16 Computer Law and Security Report 231; P. A. Baistrocchi, ‘Liability of Intermediary Service Providers in the EU Directive on Electronic Commerce’ (2002) 19 Santa Clara Computer & High Technology Law Journal 111.
159 ECD, above n. 137, Art. 14.
160 G. Sartor, ‘Providers’ Liabilities in the New EU Data Protection Regulation: a Threat to Internet Freedoms?’ (2013) 3 International Data Privacy Law 3 (referring to the different


his Regulation shall be without prejudice to the application of Directive 2000/31/EC, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive.161

he position is, however, complicated by Article 88, which would require references to the DPD to be construed as references to the GDPR, potentially including the reference in Article 4(5) of the ECD. For this reason, the Albrecht Report proposed clarifying the relationship between the GDPR and the ECD by amending Recital (17) to include the following explanation: h is Regulation establishes the rules for the processing of personal data while the Directive 2000/31/EC sets out the conditions by which an information service provider is liable for third party infringements of the law.162

If this interpretation were adopted, then the liability of intermediaries such as SNS providers under the proposed regulation would be determined by whether or not they are classiied as ‘controllers’ while, in relation to any potential liability for the actions of users, they would be entitled to the ECD liability regime. he inal important point to make regarding the application of the ECD liability regime is that it does not apply to providers of information location tools, including search engines. As a result, EU member states have developed difering rules, while courts addressing the issue have also differed.163 As is clear from the Advocate General’s Opinion in Google Spain, the liability of a search engine provider essentially hinges on whether or not its search activities render it a ‘controller’, which, at the time of writing, awaited a inal decision from the ECJ.

Conclusion

This chapter has dealt with the intersection of two extraordinarily complex endeavours: the attempt to protect rights to privacy and data protection in the context of persistent, accessible online personal data and

approaches adopted by national judges and data protection authorities, and the reticence of WP29 to address this issue).
161 See also European Commission, GDPR, above n. 3, Recital (17).
162 Albrecht Report, above n. 7, p. 12.
163 See T. Verbiest, G. Spindler, G. M. Riccio and A. Van der Perre, Study on the Liability of Internet Intermediaries (12 November 2007), pp. 17–19, http://ec.europa.eu/internal_market/e-commerce/docs/study/liability/final_report_en.pdf (accessed 4 November 2013).


David Lindsay

proposals for fundamental reform of EU data protection law. As the chapter has explained, the emergence of user-centred applications, especially SNS, coupled with virtually unlimited online storage capacity and powerful search functionality, creates significant challenges for individual autonomy and self-determination. The challenges posed by new applications and functionalities have resulted in attempts to apply existing European legal principles, namely the right to oblivion established under civilian personality law and the right to erasure established under EU data protection law, to restrict the availability of online personal data. In this context, and given legitimate concerns about the adverse individual and social implications of digital eternity, it is unsurprising that the right to be forgotten has assumed prominence in debates about the EU data reform package. This chapter has argued that, given the limitations of extralegal solutions, including potential new social norms or technology-based solutions, there is a case for establishing a legal right to be forgotten. That said, crafting legal solutions to the problems posed by digital eternity is extremely difficult. The European proposals discussed in this chapter purport to establish a right to be forgotten within a data protection framework. This would, in effect, reinforce the claims of the European data reform package to represent the next generation of data protection law and of the EU to be at the forefront of data protection innovations.
Whereas previous generations of data protection laws responded to the mass processing of personal data first by public authorities and then by the private sector, a right to be forgotten could be seen as responding to mass processing by Web 2.0 applications, including SNS.164 Given that data protection law was designed to protect data subjects by imposing limits on the large-scale collection and processing of personal data by governments and firms, and given the scale of the collection and processing of online data in applications such as SNS, the data protection model might be thought appropriate to apply in this new context. Yet just as the application of personality law, in the form of the right to oblivion, and existing data protection law, in the form of a right to erasure, to SNS and search engines pushes the boundaries of the existing laws, it is difficult to adapt the data protection framework to deal with rights relating to decentralised Web 2.0 applications.

164 On the generations of data protection law, see Mayer-Schönberger, ‘Generational Development of Data Protection in Europe’, above n. 90; D. Lindsay, ‘An Exploration of the Conceptual Basis of Privacy and Implications for the Future of Australian Privacy Law’ (2005) 29 Melbourne University Law Review 131.


Past generations of data protection laws essentially applied to the processing of data by data controllers within closed systems, whether in the public or private sectors. In such contexts data controllers have a degree of control over access to, and disclosure of, personal data. In the open, decentralised context of internet-based applications, however, entities such as SNS providers and search engines have minimal control over end-user activities. This important distinction was clearly the key consideration underpinning the Advocate General’s Opinion in Google Spain: namely, that a search engine service provider is not a data controller. As explained above, this Opinion introduces its own set of problems. As explained in the ENISA report on the technical means to enforce the right to be forgotten, in open networks such as the Internet it is impossible to ensure the removal of all data, although it is possible to restrict access by, for example, removing data from search engine indexes.165 The limited control of intermediaries such as SNS providers over the activities of end-users, and the technical limitations over data in open systems, mean that a strong version of the right to be forgotten can never be fully implemented. To claim that this makes any legal rights ineffective, however, is to miss the point. Regardless of some of the commentary, the right to be forgotten as proposed in the GDPR was never meant to provide a perfect solution to the problems of digital eternity, but merely to strengthen the rights of data subjects to have data removed when it is legitimate and possible to do so.166 As Commissioner Reding pointed out:

The right to be forgotten is of course not an absolute right … It is clear that the right to be forgotten cannot amount to a right of the total erasure of history. Neither must the right to be forgotten take precedence over freedom of expression or freedom of the media.167

The two related issues at the centre of controversies over the strengthening of the rights of data subjects are, first, the balance between those rights and freedom of expression and, second, the obligations of intermediaries, such as SNS providers and search engines. In the traditional data protection framework, the media are generally exempt from general data protection rules, with sector-specific rules being applied to accommodate the importance of freedom of expression. User-generated social media, and widespread republication and linking, create considerably

165 ENISA, above n. 39.
166 See, for example, Reding, ‘The Upcoming Data Protection Reform’, above n. 100.
167 Reding, ‘The EU Data Protection Reform 2012’, above n. 14, p. 5.


more complexity. On the one hand, even critics of the right to be forgotten agree that users should have the right to remove material that they post themselves, such as photographs or other data posted to an SNS.168 On the other hand, however, it is much more difficult to balance the rights of data subjects against the rights of those who have copied and republished material posted by the data subject, and against the rights of those who post new data, such as photographs featuring the data subject. Critics of the proposed right have claimed that, given the difficulties of deciding whether or not the rights of data subjects prevail over the expressive rights of others, intermediaries such as SNS providers will default on the removal of material rather than face the penalties imposed for breaching the regulation.169 In this debate, it is obviously important to unbundle the circumstances in which decisions must be made. First, if a person posts material, such as an embarrassing photograph, and later regrets doing this, then SNS providers should comply with requests to remove the material, and there seem to be no objections to this being mandated by a law such as the GDPR. Second, while individuals who have copied and reposted the material might be expected to comply with such requests, at least in the case of individual users who copy material to an SNS, the GDPR is unlikely to apply, as in many if not most cases the processing will fall within the household exemption.170 Third, difficult questions arise in relation to the obligations of an intermediary, such as an SNS provider, for material that is copied and posted by third parties, such as other SNS users. For example, a ‘friend’ who copies a photograph initially posted by the data subject may post it to their own site and refuse to take it down when requested by the data subject.
To begin with, as explained above, it seems clear that, by providing a platform for users to publish and exchange information, SNS providers play an active (and not merely passive) role in the data processing of SNS users and therefore, even applying the reasoning of the Advocate General in Google Spain, they appear to be data controllers. If the Albrecht Report proposals were accepted, an SNS provider would need to determine whether a user who posts information is entitled to the household exemption as, if not, they would be deemed to be a joint controller and be required to come to an agreement with the user concerning respective responsibilities for

168 Rosen, ‘The Right to Be Forgotten’, above n. 9, 8; Fleischer, above n. 10.
169 Ibid.
170 In such circumstances, a complainant would need to resort to other legal avenues, such as civil actions for defamation or breaches of privacy.


deleting information. If the user is not entitled to the household exemption, the SNS provider would seem to be required to remove the material, unless, pursuant to Article 17(3)(a), retention was justified in accordance with derogations for exercising the right of freedom of expression under Article 80. If the Albrecht Report proposals were accepted, however, the proposed new Article 17(2a) appears to establish limits on any obligation to erase data by requiring, for example, the SNS provider to respect the right to freedom of expression of third parties who have copied and posted the data in taking measures to erase the data. The balance of the rights of data subjects who post material to an SNS and those who copy and repost the material depends greatly upon context, and there is so far little guidance from the courts, so making calls on the relative weight of its users’ rights in the numerous cases that are likely to arise would obviously place considerable demands on an SNS provider. As explained above, the Albrecht Report recommended amending Article 17(2) so that a data controller that has transferred or published personal data would have obligations in relation to third-party processing only where the transfer or publication is not justified under Article 6(1). If the Albrecht Report amendment is accepted, a data controller such as an SNS provider would only have obligations in relation to third-party processing if, for example, the data subject did not consent to the publication of the data. As an SNS user will usually consent to publication, if data such as a photograph is copied and reposted, then the user will not be able to enlist the SNS provider in seeking to have the copied data erased, even if the user subsequently withdraws consent.
As the SNS provider remains the data controller in relation to data posted to the SNS, however, provided that the publication is justified under Article 6(1), it would seem that a data subject can request deletion of data that is copied and posted to the SNS by other SNS users. In that case, the SNS provider would be required to erase the material unless, as explained above, the rights of the data subject are trumped by the right to freedom of expression of third-party copiers. It follows that, if the Albrecht Report proposal to amend Recital (17) is accepted, the liability of the SNS provider for actions of SNS users would be determined in accordance with the ECD safe harbour, meaning that, as a content host, liability would be limited provided the operator expeditiously removes or restricts access to data required to be erased under Article 17(1) of the GDPR. Fourth, the obligations of SNS operators in relation to personal data, such as photographs, created and posted to the SNS by one user about another user would be dealt with in accordance with the same rules that


apply to the copying and reposting of personal data. In that case, however, the balance between the rights of the data subject and the right to freedom of expression of the third-party user will involve different considerations, as the third party will likely have greater expressive rights. This explanation of how the proposed EU regime might apply to different circumstances associated with material posted to SNS illustrates the considerable uncertainties in predicting how the GDPR might apply in practice. In part, these uncertainties arise from an attempt to craft general rules that are difficult to apply to particular circumstances, such as SNS use. In part, however, the uncertainties also arise from the attempt to balance competing non-absolute rights – the rights to privacy and data protection, on the one hand, and the right to freedom of expression, on the other – where the balance cannot be established in the abstract, but is necessarily context-dependent. That said, there are important policy decisions that must be made in designing a regulatory regime that, in the context of the proposed right to be forgotten, have not been taken at the time of writing. First, the extent to which individual users, including SNS users, are capable of mass data processing raises the question of whether individual users should be treated as data controllers. Under the proposed GDPR, this is essentially dealt with by whether or not an individual is entitled to the household exemption, which, especially in the context of SNS, is not at all clear. Second, accepting that in the open Internet it is impossible to completely prevent unauthorised copying and dissemination of data, such as photographs, the extent to which the proposed GDPR implements a right to be forgotten obviously depends upon the obligations of those involved with data processing, such as an SNS provider or a search engine service provider, in relation to third-party processing.
While under the Commission proposal a data controller that has made personal data public would be required to take reasonable steps to inform third parties of a request to erase data, under the Albrecht Report proposal a controller would have no obligations if the data subject consented to a publication or transfer of personal data, even if that consent is subsequently withdrawn. This suggests that the Albrecht Report proposal is more like a traditional right to erasure than a right to be forgotten. And cutting across these considerations are the considerable uncertainties arising from the Advocate General’s Opinion in Google Spain concerning the proper scope and application of the concept of a data controller, whether under the DPD or the proposed GDPR.


Finally, there remains the problem that any obligation to remove material, especially from SNS or the open Internet, may, in practice, infringe the right to freedom of expression of third parties. There can be no one-size-fits-all solution to this problem, but it may be that consideration could be given to introducing measures for protecting freedom of expression, such as a counter-notification regime.171 Again, some of the difficulties encountered in implementing a regime that protects the rights of data subjects in the context of Web 2.0 applications such as SNS seem to have arisen from insufficient account being taken of how a regime might in practice apply to particular contexts, such as where one SNS user copies and reposts material originally posted by another SNS user. Meanwhile, if individuals are to retain some control over their online identities, and if the rights of data subjects and the right to freedom of expression are to be appropriately balanced in the online context, there is no alternative but to work through the complex policy choices required to establish a workable regime. As this chapter has explained, much remains to be done in resolving how a right to be forgotten can be effectively implemented in European data protection law.

171 This prospect was specifically referred to, and apparently rejected, in the context of a search engine service provider in the Opinion of Advocate General Jääskinen, above n. 54, [133].

14 Privacy online: reform beyond law reform

Megan Richardson and Andrew T. Kenyon

Introduction

As Roland Barthes reminds us,1 a myth works not only to attach a meaning to a given sign (such as a word or visual symbol). It fashions a story around the sign with a larger political or cultural weight. We consider below one of the more enduring myths associated with privacy law reform – that a dedicated privacy cause of action will respond sufficiently to individual and social desires for privacy. The idea of a privacy tort as a solution to individual and social problems of privacy was fostered by Warren and Brandeis’ classic article ‘The Right to Privacy’ published in the 1890 edition of the Harvard Law Review,2 although the century’s worth of privacy tort reform that followed the article has produced no privacy utopia in the United States.3 And it still appears to hold in the United Kingdom, bolstered by a post-war European Convention on Human Rights (ECHR)4 and the Human Rights Act 1998 (UK). Yet even before courts in England moved to embrace a ‘new’ tort of misuse

Earlier versions of this chapter were presented at the conference ‘Emerging Challenges in Privacy Law: Australasian and EU Perspectives’, hosted by Monash University (Faculty of Law and the Monash Europe and EU Centre) in Melbourne in February 2012, a privacy law symposium at Clare College, Cambridge University in June 2012, and a faculty seminar at the Dickson Poon School of Law, King’s College London in October 2012. We are grateful to those who attended for helpful comments, to our colleagues Jason Bosland, Karin Clark and Arlen Duke for further helpful remarks and to Claire Richardson for meticulous research support. This chapter has benefitted from research funding from the Australian Research Council, ‘Defamation and Privacy: Law, Media and Public Speech’ (Kenyon, DP0985337).

1 R. Barthes, Mythologies, translated by A. Lavers (New York: Hill and Wang, 1972), p. 109.
2 S. Warren and L. Brandeis, ‘The Right to Privacy’ (1890) 193 Harvard Law Review 4.
3 See N. Richards and D. Solove, ‘Prosser’s Privacy Law: A Mixed Legacy’ (2010) 98 California Law Review 1887.
4 Convention for the Protection of Human Rights and Fundamental Freedoms, opened for signature 4 November 1950, 213 UNTS 222 (entered into force 3 September 1953).


of private information,5 the English doctrine of breach of confidence already offered similar protection in many respects.6 We might now wonder how far a privacy tort or cause of action will go in dealing with the contemporary contexts of digital communications. In Continental Europe, where protection of privacy is well advanced, the ECHR’s Article 8 ‘right to private life’ is now being supplemented by an even more ambitious legal right, which appears to have been designed with the Internet in mind – the ‘right to data protection’ in Article 8 of the 2000 Charter of Fundamental Rights of the European Union (the Charter), now part of the Treaty of Lisbon (supplementing the Charter’s right to private life in Article 7).7 In recent cases,8 the European Court of Justice has ruled that court orders requiring monitoring of uses made of an internet service provider and social network platform for possible copyright infringements would entail a violation of the Charter’s right to data protection.9 Moreover, in January 2012 the European Commission launched a draft Data Protection Regulation, which will go further than the current EU Data Protection Directive of 1995 in protecting personal information in the online environment, citing Article 8 of the Charter as a motivation.10 Even in the USA there have been proposals for addressing problems of online consumer privacy.11

5 See T. Aplin, L. Bently, P. Johnson and S. Malynicz, Gurry on Breach of Confidence: The Protection of Confidential Information, 2nd edn (Oxford University Press, 2012), pp. 308–9. And see also Joint Committee on Privacy and Injunctions, Privacy and Injunctions, House of Lords Paper No. 273, House of Commons Paper No. 1443, Session 2010–12 (2012), suggesting that the courts can be left to continue to develop the law, without the need for a privacy statute.
6 See M. Richardson, ‘Towards Legal Pragmatism: Breach of Confidence and the Right to Privacy’ in E. Bant and M. Harding (eds.), Exploring Private Law (Cambridge University Press, 2010), pp. 109–24.
7 Treaty of Lisbon Amending the Treaty on European Union and the Treaty Establishing the European Community, signed 13 December 2007, [2007] OJ C 306/1 (entered into force 1 December 2009).
8 Scarlet Extended SA v. Société Belge des Auteurs Compositeurs et Éditeurs (SABAM) (C-70/10) [2011] (Unreported); Belgische Vereniging van Auteurs, Componisten en Uitgevers CVBA (SABAM) v. Netlog NV (C-360/10) [2012] (Unreported).
9 See also the UK Supreme Court in Rugby Football Union v. Viagogo Ltd [2012] UKSC 55 (although the Norwich Pharmacal order was permitted in the circumstances of the case).
10 See European Commission, Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of such Data (General Data Protection Regulation) (Brussels, 25 January 2012) 2012/0011(COD) (2012) (in substitution for Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data [1995] OJ L 281 (EU Data Protection Directive)).
11 See, e.g., The White House, Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital


In other parts of the world, ideas have been slower to adapt to changed media and communications. For example, the Australian government appears fixed on the idea of privacy law reform through a dedicated cause of action for invasion of privacy. In 2011 it released an Issues Paper,12 inviting public comment on the question of a statutory cause of action for serious invasions of privacy as recommended by the Australian Law Reform Commission (ALRC) in 2008.13 A particular focus of the Issues Paper (unlike the ALRC’s earlier report) is the Internet and associated developments. So, after outlining some of the transformations that have taken place over the last decade in Australia, as in many parts of the world, the Issues Paper asks whether ‘recent developments in technology mean that additional ways of protecting individuals’ privacy should be considered in Australia’.14 And in March 2013 the Australian government announced that the issue would be referred again to the ALRC, with terms of reference announced in June 2013.15 In the discussion below, we ask whether a statutory cause of action geared to serious invasions of privacy would do much to address problems that many have come to associate with the Internet – in particular, the incursions on ‘privacy’ linked to practices of social networking websites designed to facilitate and encourage the sharing of personal information, and behavioural advertising practices that depend upon knowing precise, detailed and, at times, individuated information about the social and consumption preferences of internet users (a notable commercial aspect

Economy (Washington, 23 February 2012), www.whitehouse.gov/sites/default/files/privacy-final.pdf (accessed 2 November 2013); Federal Trade Commission, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Business and Policymakers (2012), www.ftc.gov/os/2012/03/120326privacyreport.pdf (accessed 2 November 2013).
12 Commonwealth of Australia, Department of Prime Minister and Cabinet, ‘A Commonwealth Statutory Cause of Action for Serious Invasions of Privacy’ (Issues Paper, September 2011).
13 Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice, Report No. 108 (2008).
14 Commonwealth of Australia, Department of Prime Minister and Cabinet, ‘A Commonwealth Statutory Cause of Action for Serious Invasions of Privacy’, above n. 12, p. 12.
15 See Senator Stephen Conroy, Minister for Broadband, Communications and the Digital Economy, ‘Government Response to Convergence Review and Finkelstein Inquiry’ (Media Release, 12 March 2013), http://pandora.nla.gov.au/pan/80090/20130918-1430/www.minister.dbcde.gov.au/conroy/media/media_releases/2013/036.html (accessed 8 November 2013); and Mark Dreyfus QC, Attorney-General of Australia, ‘Terms of Reference: Serious Invasions of Privacy in the Digital Era’ (Media Release, 12 June 2013), www.alrc.gov.au/sites/default/files/pdfs/terms_of_reference_privacy.pdf (accessed 2 November 2013).


of ‘big data’).16 Indeed, perhaps in part due to the inadequacy of a cause of action aimed at serious invasions of privacy to deal with ubiquitous intrusive practices online, the Issues Paper has not generated strong public pressure to bring this proposed reform into law. We suggest that the key to dealing with problematic practices in the online environment lies with Australia’s own data protection legislation (principally the Privacy Act 1988 (Cth)) and consumer protection law, although an appropriately worded statutory cause of action for invasion of privacy could still have benefits in protecting the interests of some individuals in more diverse situations.17

Online privacy law reform models

The draft Data Protection Regulation unveiled by the European Commission in January 2012 relies on the Charter’s general right to data protection to specify rights (inter alia) to object to digital tracking, not to be subject to online profiling, to rectification and erasure – the so-called ‘right to be forgotten’ – and to data portability.18 The potential penalties for breach of these standards are also substantial. All this reinforces the impression that, in Europe, data protection is seen as the most viable way to deal with issues of online privacy (and the handling of personal information more generally). In the USA the approach has been rather different although, even there, we can see a reform agenda. The White House pushed for an expanded ‘Consumer Privacy Bill of Rights’ in a blueprint issued in February 2012 while the Federal Trade Commission (FTC) issued its own report on ‘Protecting Consumer Privacy in an Era of Rapid Change’ the following month.19 The latter includes a plan to encourage internet companies to make ‘do not track’ options available to their customers. These initiatives build on three ‘do not track’ legislative proposals

16 E.g., M. Andrejevic, iSpy: Surveillance and Power in the Interactive Era (Lawrence: University of Kansas Press, 2007); H. Nissenbaum, Privacy in Context: Technology, Policy, and the Integrity of Social Life (Palo Alto: Stanford Law Books, 2010); H. Nissenbaum, ‘A Contextual Approach to Privacy Online’ (2011) 140(4) Daedalus 32.
17 The authors of this chapter were both members of a reference group for the New South Wales Law Reform Commission that has also recommended a statutory cause of action for invasion of privacy, in somewhat different terms from the ALRC’s proposed cause of action: see New South Wales Law Reform Commission, Invasion of Privacy, Report No. 120 (2008).
18 European Commission, above n. 10.
19 The White House, above n. 11; Federal Trade Commission, above n. 11.


introduced in the 2011 Congressional session, including one for young people under 18,20 to complement the existing Children’s Online Privacy Protection Act of 1998,21 and a more modest bipartisan Commercial Privacy Bill of Rights Act 2011 proposed by Senators Kerry and McCain (which did not include a specific option not to be tracked online).22 While the proposed reforms may not come into being any time soon, and their final shape remains unclear, the label of a consumer privacy law suggests that online privacy protection is, in the USA, seen within the rubric of consumer protection policy. This would fit with the US market model, which presupposes meaningful consent on the part of consumers and more or less accepts that regulation may play a role in ensuring this can occur – with some credence being given to arguments from behavioural psychologists that deceptive practices can be subtle indeed.23 Such reforms would build on existing platforms. Already, there are national data protection laws in Europe (including the UK), their general standards prescribed by the EU Data Protection Directive.24 Moreover, there are existing consumer protection laws in the USA, most importantly the FTC’s powers to challenge unfair or deceptive trade practices under § 5 of the Federal Trade Commission Act of 1914.25 These bases are being drawn on to attack some questionable practices of internet companies that seem designed to undermine or override the possibility of consent. For instance, in Germany, Facebook’s ‘find a friend’ function was the subject of a consumer data ruling in March 2012.26 And the FTC recently reached a settlement with Facebook after conducting a full investigation into the social network company’s treatment of its

20 Do-Not-Track Online Act, S 913, 112th Congress (2011); Do Not Track Me Online Act, HR 654, 112th Congress (2011); Do Not Track Kids Act, HR 1895, 112th Congress (2011).
21 Children’s Online Privacy Protection Act of 1998, 15 USC §§ 6501–6506 (1998) (an Act limited to children under 13).
22 Commercial Privacy Bill of Rights Act S 799, 112th Congress (2011).
23 See generally, for some influential literature in the field of behavioural psychology and economics, R. Thaler and C. Sunstein, Nudge: Improving Decisions about Health, Wealth and Happiness (New Haven: Yale University Press, 2008); D. Kahneman, Thinking Fast and Slow (New York: Farrar, Straus and Giroux, 2012).
24 Above n. 10.
25 Codified as Federal Trade Commission Act of 1914, 15 USC §§ 45(a)(1) (‘unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful’).
26 Berlin Regional Court, Judgment of 6 March 2012, 16 O 551/10 (currently under appeal), as reported in C. Motejl, ‘Facebook’s Terms and Conditions Violate German Consumer Laws, says Court’ (7 March 2010) Datonomy: The Data Protection Blog, http://blogs.olswang.com/datonomy/2012/03/07/facebooks-terms-and-conditions-violate-german-consumer-laws-says-court/ (accessed 8 November 2013).


consumer privacy settings.27 But it is Google that is currently the focus of much of the inquiry. For instance, in France and other European jurisdictions, Google’s new privacy policy of accumulating information across all of its services (including Gmail), with consent deemed to follow from the use of the service, has been challenged by a consortium of data protection commissioners led by the French Commission nationale de l’informatique et des libertés; and it appears Google is viewed as breaching the EU Data Protection Directive’s information processing standards.28 In the USA, the information collection practices associated with Google’s Street View project (specifically, the scooping up of household internet data) were the subject of a report by the Federal Communications Commission in April 2012,29 with a modest fine issued – following which some data protection authorities (including the Information Commissioner’s Office in the UK) made further inquiries into Street View. More recently, the FTC conducted its own review of Google following the discovery of Google’s ‘clever trick’ in promoting the installation of third-party cookies into Apple’s mobile Safari browser that allowed the secret collection of private data from Apple users – and the FTC’s negotiated fine (which a judge has approved) for this conduct is US$22.5 million: the largest ever FTC fine to date.30 Once penalties reach this level, we may be talking about more than just an easily accommodated cost of business. Other jurisdictions that see themselves as information hubs are also looking at ways of dealing with online privacy, generally through data protection regimes. In the Asia-Pacific region, for instance, Canada and New Zealand already have relatively strong data protection laws that are deemed sufficiently rigorous to comply with the standards prescribed

27 Federal Trade Commission, ‘FTC Approves Final Settlement with Facebook’ (Media Release, FTC File No. 092–3184, 10 August 2012), http://ftc.gov/opa/2012/08/facebook.shtm (accessed 2 November 2013).
28 See C. Arthur, ‘Google Privacy Policy Slammed by EU Data Protection Chiefs’, Guardian (online), 16 October 2012, www.guardian.co.uk/technology/2012/oct/16/google-privacy-policies-eu-data-protection (accessed 2 November 2013).
29 Federal Communications Commission, ‘In the Matter of Google Inc.’ (Notice of Apparent Liability for Forfeiture, File No. EB-10-IH-4055, 13 April 2012), www.fcc.gov/document/enforcement-bureau-issues-25000-nal-google-inc (accessed 2 November 2013).
30 Federal Trade Commission, ‘Google Will Pay $22.5 Million to Settle FTC Charges it Misrepresented Privacy Assurances to Users of Apple’s Safari Internet Browser’ (Media Release, 9 August 2012), www.ftc.gov/opa/2012/08/google.shtm (accessed 2 November 2013); C. Miley, ‘Federal Judge Approves $22.5 Million Fine for Google Privacy Violations’, (17 November 2012) Jurist, http://jurist.org/paperchase/2012/11/federal-judge-approves-225-million-fine-for-google-privacy-violations.php (accessed 2 November 2013).


Megan Richardson and Andrew T. KENYON

in the EU’s Data Protection Directive.31 In particular, the Canadian law appears to be working to provide effective protection of online privacy, as argued by Lisa Austin.32 While jurisdictions in Asia have in the past resisted passing laws dedicated to the protection of privacy,33 they are coming to see commercial value in having minimum standards of data protection that offer incidental protection of online privacy. Hong Kong has a data protection ordinance modelled, to an extent, on the UK approach,34 which was designed to give effect to the EU Directive. Malaysia passed its own Personal Data Protection Act in 2010. And Singapore is currently in the process of implementing the new Personal Data Protection Act 2012, which, says Simon Chesterman of the National University of Singapore, was adopted ‘in order to increase [the] flow [of personal data] by cementing Singapore’s position as a “trusted node”’35 (although it must be noted that public agencies in Singapore are excluded from the reach of the new law). Chesterman concludes that, notwithstanding the fact that the new law’s purpose is not to protect privacy, it offers Singapore an opportunity to respond to transformations in the information economy, which necessarily include privacy-related developments.36 In Australia, a degree of protection is offered to personal data under the data protection regime (principally, the Privacy Act 1988 (Cth)). However, there are a number of important constraints on the Act’s operation. For instance, in addition to the Act’s normal exception for individuals acting in a personal capacity,37 the specially crafted ‘small business exception’ in s. 6C is sufficiently large in having its cut-off at A$3 million annual turnover to place outside its scope smaller-sized internet companies, albeit not information behemoths such as Google and Facebook. Further, there is the uncertain scope of the Act’s journalism exception in s. 7B, which holds that a media organisation that subscribes to a media code of practice (a requirement of no great substance since the contents of such a code

31 EU Data Protection Directive, above n. 10.

32 L. Austin, ‘Is Consent the Foundation of Fair Information Practices? Canada’s Experience under PIPEDA’ (2006) 56 University of Toronto Law Journal 181.

33 See G. Greenleaf, ‘APEC’s Privacy Framework Sets a New Low Standard for the Asia-Pacific’ in A. T. Kenyon and M. Richardson (eds.), New Dimensions in Privacy Law: International and Comparative Perspectives (Cambridge University Press, 2006), pp. 91–120.

34 Personal Data (Privacy) Ordinance 1995 (HK) cap. 486.

35 S. Chesterman, ‘After Privacy: the Rise of Facebook, the Fall of Wikileaks, and the Future of Data Protection’ (2012) Singapore Journal of Legal Studies 391, 403.

36 Ibid.

37 Section 16E of the Privacy Act 1988 (Cth).


are not prescribed) is not subject to the Act so long as it is engaged in ‘journalism’. ‘Journalism’ itself is not defined, but ‘media organisation’ is defined broadly in s. 6 as being:

an organisation whose activities consist of or include the collection, preparation for dissemination or dissemination of the following material for the purpose of making it available to the public:
(a) material having the character of news, current affairs, information or a documentary;
(b) material consisting of commentary or opinion on, or analysis of, news, current affairs, information or a documentary.

If the meaning of ‘journalism’ is deduced from this definition of ‘media organisation’, that might signify that not only more straightforward journalism activities, such as Google News, might be encompassed by the exception but also a wider range of activities engaged in by new media organisations that are centred around the public sharing of information.38 The ALRC proposed some changes to the above provisions in its 2008 report on the Act (which also included the recommendation for a statutory cause of action for serious invasion of privacy), although not specifically with the Internet in mind. In particular, it was recommended that ‘journalism’ be specified as encompassing news, current affairs or documentary material and associated commentary, with an additional category of other material where ‘the public interest in disclosure outweighs the public interest in maintaining … privacy’, and that the definition of ‘media organisation’ should specify ‘an organisation whose activities consist of or include journalism’.39 In addition, a minimal standard of ‘appropriate’ privacy protection was proposed for a media code of practice.40 As to the Australian small business exception, the ALRC recommended this be removed to bring Australian law into line with European standards.41 But, so far, the government has not responded to these proposals, although other ALRC recommendations for improving aspects of the

38 As Flew says, new media can be defined broadly in terms of both their technologies and social attributes: T. Flew, New Media: An Introduction, 3rd edn (Oxford University Press, 2008), ‘Introduction’, pp. 2–4. Indeed, Creeber and Martin point out that new media can be characterised as any form of mediated communication that relies on digital technologies (including social networks, search engines, Wikipedia, etc., and perhaps even the Internet as a whole): G. Creeber and R. Martin, ‘Introduction’ in G. Creeber and R. Martin (eds.), Digital Cultures (Maidenhead: Open University Press, 2009), pp. 1–2.

39 Australian Law Reform Commission, above n. 13, recs. 42–1, 42–2.

40 Ibid., recs. 42–1 to 42–3.

41 Ibid., rec. 39–1.


Privacy Act have been accepted and are being implemented in the Privacy Amendment (Enhancing Privacy Protection) 2012 (Cth) (the provisions of which are due to come into force on 12 March 2014). They include, for instance, a requirement for direct marketers to provide a ‘simple means by which [individuals] might easily request not to receive direct marketing communications from the organisation’,42 an enlarged principle for correction of personal information43 and a new and possibly broader definition of ‘personal information’ (more in line with international standards) encompassing information ‘about an identified individual, or an individual who is reasonably identifiable’.44 In 2010 a Senate Committee charged with reviewing the provisions of the Privacy Act for the online environment made a number of further recommendations, responding to those in the original ALRC report.45 The recommended reforms appear cautious when compared to reforms being contemplated in other jurisdictions and even some of the reforms proposed by the ALRC. They included, for instance, limiting the small business exemption (although in rather more modest terms than the ALRC’s recommendation to do away with the exemption), spelling out the Act’s extraterritorial scope in a clearer fashion than in the current s. 5B of the Act, as proposed by the Australian Privacy Commissioner,46 and developing a ‘do not track’ option following consultation with

42 See Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) sch. 1 Australian Privacy Principle 7 (Direct Marketing).

43 Specifically ibid., Australian Privacy Principle 13, referring to the fact that information is ‘inaccurate, out-of-date, incomplete, irrelevant or misleading’ as grounds for correction.

44 See ibid., sch. 1 item 36 inserting a new definition of ‘personal information’ in s. 6 of the Privacy Act 1988 (Cth).

45 Commonwealth of Australia, Environment and Communications Reference Committee, The Adequacy of Protections for the Privacy of Australians Online (7 April 2011), www.aph.gov.au/Parliamentary_Business/Committees/Senate/Environment_and_Communications/Completed%20inquiries/2010–13/onlineprivacy/report/index (accessed 8 November 2013).

46 The Australian Privacy Commissioner questioned whether s. 5B(3) extends to conduct of international internet companies that collect information about persons located in Australia, given that it states that the information must be ‘collected or held by the organisation in Australia’ by a company ‘carrying on business in Australia’ and suggested that it would be better to say ‘collected … from’ than ‘collected … in’ to make the Act’s scope clearer: see Office of the Privacy Commissioner, Submission No. 13 to Senate Environment and Communications References Committee, The Adequacy of Protections for the Privacy of Australians Online, August 2010, [30]–[31], www.oaic.gov.au/images/documents/migrated/2010–09–06051859/Submission%20Online%20Privacy%20Inquiry.pdf (accessed 8 November 2013).


stakeholders.47 The ALRC’s proposal for a statutory cause of action was also endorsed by the Senate Committee.48 The Australian government has generally responded positively to the Senate Committee report but has found little reason to make further amendments to the Act at the current stage,49 for instance suggesting in response to the ‘do not track’ option that this might be developed as a matter of a privacy code as provided for in the Act as currently amended. More particularly, in relation to the ALRC’s proposal for a statutory cause of action, endorsed by the Senate Committee, the government has (as noted earlier) returned the matter to the ALRC, which is yet to report.50 The Senate Committee also recommended that ‘the Australian government continue to work internationally, and particularly within our region, to develop strong privacy protections for Australians in the online context’.51 In its response to the report, the government indicated that it agreed with this recommendation and stated that ‘the Australian Government … will be continuing to work with appropriate international bodies including in particular regional bodies to further privacy protection’.52 Laudable as this aspiration may seem, Australia is arguably in a rather weak position to participate effectively in international debates about how to adapt current data protection standards for the internet environment (given its tentative approach to law reform), where privacy and, more broadly, informational self-determination are important values; although there are other important values to be considered as well, including freedom of speech and commercial interests.53 Indeed, it might be asked whether, without further legislative reform, Australian laws and legal institutions will be able to deal effectively with online informational

47 Commonwealth of Australia, Environment and Communications References Committee, The Adequacy of Protections for the Privacy of Australians Online, above n. 45, recs. 3–6.

48 Ibid., rec. 8.

49 Australian Government, Australian Government Response to the Senate Environment and Communications Reference Committee Report: The Adequacy of Protections for the Privacy of Australians Online (November 2012).

50 The ALRC is due to report on its reference in June 2014: see www.alrc.gov.au/inquiries/invasions-privacy.

51 Commonwealth of Australia, Environment and Communications References Committee, The Adequacy of Protections for the Privacy of Australians Online, above n. 45, rec. 7.

52 Australian Government, above n. 49, p. 7.

53 See L. Levi, ‘Social Media and the Press’ (2012) 90 North Carolina Law Review 1531, 1580–2, expressing concerns about the ‘unintended consequences’ of consumer online privacy developments in the USA for media free speech.


interests. This brings us to the particular question of the future in the event of unreformed or minimally reformed data protection legislation in Australia.

Reform beyond law reform?

In the past, as we have noted in other contexts, Australian legal doctrine has been quite effectively adapted to new situations and circumstances of invasion of privacy through a process of incremental development guided by the courts.54 And it can be argued that there is still scope for developing a reasonably effective approach to the protection of personal information online within the general rubric of the existing patchwork of laws in Australia. Previously, the ‘muddling through’55 – or in legal discourse ‘incremental lawmaking’ – largely took the shape of updating and extending traditional doctrines such as breach of confidence, defamation law (perhaps more so before the uniform Defamation Acts of 2005–06), copyright and torts such as harassment and intentional infliction of harm. Certainly, we can anticipate some further interesting developments of these doctrines, even without the benefit of a statutory cause of action.56 But now we might also add to the sphere of possible incremental development the role of the Privacy Commissioner and courts in interpreting and applying the Privacy Act to take into account the circumstances of the online environment.57 Already, some hints in this direction have been

54 See M. Richardson, above n. 6, and M. Richardson and A. T. Kenyon, ‘Fashioning Personality Rights in Australia’ in A. T. Kenyon, W. L. Ng-Loy and M. Richardson (eds.), The Law of Reputation and Brands in the Asia Pacific (Cambridge University Press, 2012), pp. 86–98.

55 C. Lindblom, ‘The Science of “Muddling Through”’ (1959) 19 Public Administration Review 79.

56 And here English decisions are worth noting as potentially influential in Australia. For instance, a restrictive approach to a blogger’s claim of misuse of private information and breach of confidence was signalled in Author of A Blog v. Times Newspapers Ltd [2009] EWHC 1358 (QB), [2009] EMLR 22. In other cases, English courts have been quite responsive to privacy claims. See, for instance: Applause Stores & Firsht v. Raphael [2008] EWHC 1781 (where the altering of information on a Facebook profile was held to entail misuse of private information and defamation) and Tchenguiz v. Imerman [2010] EWCA Civ 908, [2011] 1 Fam 116, a case involving unauthorised access to records stored on a computer, where the English Court of Appeal suggested that the modern breach of confidence doctrine extends broadly to ‘the examination, retention or supply to a third party of information which the defendant knew or ought to have appreciated to be confidential to the plaintiff’: [69].

57 While the court has limited jurisdiction under the Privacy Act 1988, see s. 98 (injunctions), s. 55 (enforcement of determinations) and s. 80W (civil penalty orders).


offered in the Explanatory Memorandum to the Privacy Amendment (Enhancing Privacy Protection) Bill, which has flagged a broad interpretation of key provisions of the Privacy Act, including s. 5B (on territorial operation) and the general definition of ‘personal information’.58 Similarly, it is possible that the Commissioner (or a court) will be prepared to construe the journalism exception as being concerned with only a subset of a media organisation’s activities, even without the specific statutory definition of ‘journalism’ proposed by the ALRC.59 Also worth considering are the Australian Competition and Consumer Commission and court’s jurisdiction under the consumer protection provisions of the Australian Consumer Law (ACL) in sch. 2 of the Competition and Consumer Act 2010 (Cth). The latter may prove to be especially important, since s. 18 of the ACL, which proscribes misleading or deceptive conduct in trade, is a broadly equivalent provision to § 5 of the US Federal Trade Commission Act (the main plank of the FTC’s current online consumer protection powers). We can see how the ACL might apply to consumer online privacy practices after the recent case of Google Inc. v. ACCC. The case hit the headlines when the Full Federal Court accepted the argument of the Australian Competition and Consumer Commission (ACCC) that Google’s ‘AdWords’ program, which allowed advertisers who had paid for the privilege to be ranked above the intended target of a consumer’s search inquiry, entailed misleading or deceptive conduct on the part of Google under s. 52 of the Trade Practices Act 1974 (Cth) (the immediate statutory precursor to s. 18 of the ACL).60 The decision was overturned on appeal to the High Court, on the basis that Google’s involvement in its customers’ choices of AdWords was too tenuous to amount to engaging in misleading or deceptive conduct, since Google merely passed on the information provided by its customers ‘for what it was worth’.61 But it was

58 As stated in the Explanatory Memorandum, Privacy Amendment (Enhancing Privacy Protection) Bill 2012 sch. 4 item 6: ‘The collection of personal information “in Australia” under para. 5B(3)(c) includes the collection of personal information from an individual who is physically within the borders of Australia or an external territory, by an overseas entity’. With regard to the definition of ‘personal information’, the Explanatory Memorandum states that ‘[i]t is important that this key definition be sufficiently flexible and technology-neutral to encompass changes in the way that information that identifies an individual is collected and handled’ (p. 53).

59 See Australian Law Reform Commission, above n. 13.

60 ACCC v. Google Inc. [2012] FCAFC 49, (2012) FCR 503.

61 Google Inc. v. ACCC [2013] HCA 1. There was no argument as to Google’s possible liability as ‘a person involved in [another party’s] contravention’ in terms of s. 75B of the


accepted that there was misleading or deceptive conduct by Google’s customers in that case. Thus, it is conceivable that the ACCC, an individual or a competitor (given the broad jurisdiction to bring actions under s. 18 of the ACL) might argue in respect of online privacy in Australia that, for instance, Google’s or Facebook’s privacy practices involving their own dealings with consumers are misleading or deceptive in some respect. In such circumstances, the ACL’s so-called media exemption in s. 19 of the ACL may offer little respite, given its focus on ‘publication … in the course of carrying on a business of providing information’ and specific carve-outs for publications in connection with the supply of goods and services and promotional activities.62 As said by one judge in Google Inc. v. ACCC, ‘this defence has limited application only’ (and it was thought unlikely it could apply in the circumstances of that case).63 Indeed, a quite feasible scenario for the future of privacy protection in Australia is a combination of the above strategies, with complainants selecting between available options for complaint and institutional forums, and sometimes combining these together, including in novel ways. Already, there are indications of this being the preferred approach of complainants, especially those with sufficient legal capital to pursue multiple routes for their claims, including through the courts. Indeed, the case of Google Inc. v. ACCC may be an indicator of what is to come. The case began as a dispute between the ACCC, Google and Trading Post about misleading or deceptive conduct under the Trade Practices Act 1974 (Cth) (with the defendant Trading Post settling with the ACCC in the course of the proceedings). But, as was noted in passing, if private claimants had been involved, the case may well have proceeded as one of passing off as

previous Trade Practices Act 1974 (Cth). This may be attributable to the provision’s very limited purposes (being concerned with the award of monetary remedies and certain other orders) and courts have also construed the provision narrowly. However, perhaps the fact that under s. 246 of the ACL ‘involved’ parties can now be made subject to a great range of non-punitive orders will make a difference in future cases where arguments of accessorial liability are raised.

62 Thus the equivalent provision in s. 65A of the previous Trade Practices Act 1974 (Cth) has been held not to apply to misleading conduct in investigative journalism that was said to be insufficiently connected to a publication, nor to representations about the benefits of services offered by ‘Wildly Wealthy Women Millionaire Mentoring Program’ on Channel Seven’s Today Tonight television programme: see TCN Channel Nine Pty Ltd v. Ilvariy Pty Ltd [2008] NSWCA 9, (2008) 71 NSWLR 323 and ACCC v. Channel Seven Brisbane [2009] HCA 19, (2009) 239 CLR 305. As pointed out in the latter case, ‘the purpose of the exemption in s. 65A … was to maintain a vigorous free press as well as to maintain an effective and enforceable [Trade Practices Act 1974]’: French CJ and Kiefel J, [42].

63 See Google Inc. v. ACCC, above n. 61, Heydon J, [161].


well as misleading or deceptive conduct.64 And here we can compare the class action proceeding in Angel Fraley v. Facebook in California. The plaintiffs’ statement of claim about Facebook’s use of Sponsored Stories (deploying a member’s name, profile picture and an assertion that the person ‘likes’ the advertiser, coupled with the advertiser’s logo on other members’ Facebook pages) cited not only California’s common law right of commercial misappropriation and the statutory remedy for commercial misappropriation under the California Civil Code § 3344, but also the consumer fraud provisions of California’s Unfair Competition Law (UCL) in the California Business and Professional Code § 17200 et seq. (proscribing unlawful, unfair, or fraudulent business acts or practices). In preliminary proceedings in December 2011, Judge Lucy Koh in the California District Court held that these claims were adequately alleged and could proceed.65 That the case was subsequently settled suggests that potentially all (or at least some) of the claims might have been maintained.66 Thus, while none of the claims may have perfectly captured the plaintiffs’ particular concerns about the misuse of their personal data, there was enough in their combination to address the concerns – and one practical outcome of the settlement is that Facebook has to give all (US) users ‘additional information about and control over the use of their names and profile pictures in Sponsored Stories’. As Kashmir Hill of Forbes says, ‘maybe that means Facebook will give you a better way to control [the use of names and profile pictures in Sponsored Stories] than currently exists’.67 In sum, even in the absence of full-scale reform to the data protection standards in the Australian Privacy Act, we can hope and even expect to see some developments towards greater protection of personal information in the online environment in that jurisdiction (as in others). And, although from a law reform perspective such ‘second-best’ solutions may seem less than satisfactory, their significance should not be underrated.

64 ACCC v. Trading Post Australia Pty Ltd [2011] FCA 1086, (2011) 197 FCR 498, Nicholas J, [89].

65 See Fraley v. Facebook Inc. 830 F Supp 2d 785 (ND. Cal. 2011). A general claim based on unjust enrichment was struck out.

66 For details of the settlement, which received preliminary approval from Judge Richard Seeborg in December 2012, see: Fraley v. Facebook Inc, Overview of Proposed Settlement Agreement approved in the US District Court for the Northern District of California (2013) http://fraleyfacebooksettlement.com/ (accessed 2 November 2013).

67 K. Hill, ‘Yes that Legal Notice You Got From Facebook Is Real’, Forbes (Online), 26 January 2013, www.forbes.com/sites/kashmirhill/2013/01/26/yes-that-legal-notice-yougot-from-facebook-is-real/ (accessed 2 November 2013).


Concluding comments

Our question has been whether, rather than relying on a statutory privacy cause of action as a general solution to online privacy concerns, reforming Australia’s data protection legislation (principally the Privacy Act 1988 (Cth)) could be a better approach, following the trend in other jurisdictions including in Europe. We have suggested that a reformed data protection law may be useful in dealing with a number of issues of online privacy (and the protection of personal information more generally) in the internet environment. Moreover, Australia might in the process contribute constructively to international debates about optimal protection of personal data, taking into account other important values. On the other hand, we have also suggested that, even without actual reform, a certain amount can be achieved in Australia through a careful interpretation of its current data protection and consumer protection provisions, coupled with traditional doctrines that may themselves be developed for the online environment. And a statutory cause of action for invasion of privacy (assuming it is enacted into law, although presently this seems unlikely) could provide a useful ancillary source of privacy protection in some cases. While there is a certain simple and even aesthetic appeal to the idea of a statutory cause of action as the solution to online privacy concerns, the current (and likely-to-continue) situation of a piecemeal collection of laws applying to diverse problematic aspects of online conduct perhaps reflects the character of the digital domain as a dispersed and fragmented environment, which, in the words of Sean Cubitt, is ‘too vast to ever be seen as a whole’.68

68 S. Cubitt, ‘Case Study: Digital Aesthetics’ in G. Creeber and R. Martin (eds.), Digital Cultures (Maidenhead: Open University Press, 2009), p. 28.

15 Privacy protection and data clouds in Germany and the influence of European law

Dieter Dörr and Eva Aernecke

Introduction

It is clear that the problems concerning privacy protection are increasing, not only in Germany, but also in Europe and globally. From the perspective of Germany and Europe, data protection is based on the fundamental human rights to privacy and data protection. In Germany, Article 1(1) in conjunction with Article 2(1) of the Constitution (Grundgesetz) requires the protection of personal data. In Europe there are two fundamental instruments that mandate the protection of privacy. First, Article 8(1) of the European Convention on Human Rights (ECHR) protects the right of each person ‘to respect for his private and family life, his home and his correspondence’. Second, Article 7 of the Charter of Fundamental Rights of the European Union (the Charter) protects this right in a similar manner, using nearly the same wording as Article 8 of the ECHR. Media convergence and the process of digitisation necessitate new rules for the protection of privacy.1 In the early stages of these developments, the European Union specified minimum standards for the protection of privacy, most prominently in the Data Protection Directive,2 which all member states were required to implement. The Internet, however, gives rise to complex jurisdictional issues, exacerbating problems with transborder data flows, which create difficulties with the enforceability

Unless otherwise indicated, developments discussed in this chapter are to 30 April 2013. In particular, the chapter does not deal with the Opinion of the Advocate General of the European Court of Justice of December 2013, opining that the Data Retention Directive is incompatible with Article 7 of the Charter of Fundamental Rights.

1 On convergence see, for example, C. Sarrocco and D. Tpsilanti (OECD Secretariat), Convergence and Next Generation Networks, OECD Ministerial Background Report (Seoul, Korea: 17–18 June 2008) DSTI/ICCP/CISP(2007)/final, www.oecd.org/sti/40761101.pdf (accessed 4 November 2013).

2 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, [1995] OJ L 281 (the DPD), p. 31.


Dieter Dörr and Eva Aernecke

of national laws.3 For example, in cases concerning the Internet there remains considerable uncertainty concerning what rules should apply: the rules of the country of origin or the rules of the state that is ‘targeted’ by web content. The advent of cloud computing creates significant new jurisdictional challenges. ‘Cloud computing’ is the use of computing resources that are delivered as a service over a network, such as the Internet.4 The term ‘the cloud’ ‘derives from computer network diagrams, which, because the individual computers that formed its components were too numerous to show individually, depicted the Internet as a vast cloud at the top of the network chain’.5 Cloud computing is defined by the National Institute of Standards and Technology – a federal agency of the US government – as a ‘model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction’.6 In essence, cloud computing refers to the provision of computing resources such as software applications over a network, with the resources being stored on centralised servers rather than on the user’s personal computer. The technology industry is turning from the personal computer model towards cloud computing because the latter offers significant advantages over the former. For instance, the data is stored on a permanent basis and all files are backed up regularly, so the risk of data loss is fairly low.7 Users of personal computers, on the other hand, need to maintain their

3 Concerning the question of ‘Internet jurisdiction’ in general, see: F. F. Wang, Internet Jurisdiction and Choice of Law: Legal Practices in the EU, US and China (Cambridge University Press, 2010); U. Kohl, Jurisdiction and the Internet: Regulatory Competence over Online Activity (Cambridge University Press, 2010); J. Oster, ‘Rethinking Shevill: Conceptualising the EU Private International Law of Internet Torts against Personality Rights’ (2012) 26 International Review of Law, Computers and Technology 113.

4 Electronic Privacy Information Center, ‘Cloud Computing’, http://epic.org/privacy/cloudcomputing/#introduction (accessed 4 November 2013); for further technical information, see M. Armbrust et al., Above the Clouds: a Berkeley View of Cloud Computing (Technical Report No. UCB/EECS-2009–28, Electrical Engineering and Computer Sciences, University of California at Berkeley, 10 February 2009), www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-28.pdf (accessed 4 November 2013).

5 Electronic Privacy Information Center, above n. 4.

6 P. Mell and T. Grance, The NIST Definition of Cloud Computing: Recommendations of the National Institute of Standards and Technology (Special Publication No. 800–145, National Institute of Standards and Technology, US Department of Commerce, September 2011), p. 2, http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf (accessed 4 November 2013).

7 C. Soghoian, ‘Caught in the Cloud: Privacy, Encryption, and Government Back Door in the Web 2.0 Era’ (2010) 8 Journal on Telecommunication and High Technology Law 359, 366.

Privacy protection and data clouds in Germany


own storage space, which includes regular hardware updates or storage of data on external hard drives. The convenience of cloud computing also prompts business to increasingly shift from local to cloud computing for their day-to-day work. The ‘cloud’ can aggregate large volumes of data and reduces the need for users to invest in new IT infrastructure.8 Basic cloud computing services may often be offered free of charge, with services generating revenue through targeted advertising, based on information about consumer purchasing behaviour.9 Several Internet Service Providers (ISPs) offer cloud computing services. Social networks, such as Facebook or XING, are in fact based on this model.10 In addition, users themselves can use this online storage space to store their own data. Moreover, if they store their data in a ‘cloud’, they can access the data anywhere in the world, provided they can connect to the Internet. Consequently, it is no longer necessary for internet users to take hard drives and other storage hardware with them when they move from location to location.11 However, if data are stored on a remote server, users necessarily must go online to access and manage their data.

The ‘remote’ nature of cloud computing creates two main legal problems that need to be solved: first, who ‘owns’ the content that is saved in the cloud; and second, which legal system applies to data stored in the cloud? This chapter focuses on the second question. A service that stores data in a cloud creates new problems for the protection of information privacy. The servers that store the data for these services may be located anywhere in the world; therefore, users of cloud computing may not know where their data is stored and, as a result, it is difficult to establish which legal system regulates its use and storage.

Consequently, cloud computing poses a challenge to national data protection laws, which have a limited territorial reach – ordinarily, nations can only enforce data protection laws with respect to personal data that is located within their jurisdiction, and data that is processed by organisations subject to their jurisdiction. Hence, there is a clear need for international treaties, otherwise providers of cloud storage facilities might be

8 I. R. Kattan, ‘Cloudy Privacy Protections: Why the Stored Communications Act Fails to Protect the Privacy of Communications Stored in the Cloud’ (2011) 13 Vanderbilt Journal of Entertainment and Technology Law 617, 622.
9 See, generally: G. Yang, ‘Stop the Abuse of Gmail!’ (2005) 14 Duke Law & Technology Review, http://scholarship.law.duke.edu/cgi/viewcontent.cgi?article=1134&context=dltr (accessed 4 November 2013).
10 I. R. Kattan, above n. 8, 618.
11 J. S. Bianco, ‘Social Networking and Cloud Computing: Precarious Affordances for the “Prosumer”’ (2009) 37 Women’s Studies Quarterly 303.


Dieter Dörr and Eva Aernecke

tempted to move, in a ‘race-to-the-bottom’, to locations with fewer regulatory restrictions. This could be particularly problematic for the countries in the European Union, which is widely regarded as having a relatively high (and costly) standard of data protection.12

The protection of information privacy in cloud computing under German law

As mentioned above, a fundamental problem with cloud computing is the fact that users generally do not know where the servers on which their personal data are stored are located and, therefore, which jurisdiction’s privacy rules apply. For instance, data in a cloud must be protected from hacking by private actors. Ignorance of the location of the server also suggests that users may have insufficient information to adequately assess the risks of hacking. In Germany, the relevant rules regarding information privacy are contained in the Federal Telemedia Act (Telemediengesetz)13 and the Federal Data Protection Act (Bundesdatenschutzgesetz).14 Section 3 of the Telemedia Act enshrines the ‘country of origin’ principle. That essentially means that service providers, such as cloud computing providers, who have their offices in Germany have to fulfil the requirements of the Telemedia Act even though they do not offer their services in Germany or even Europe. This rule is a result of the implementation of the Electronic Commerce Directive.15 Pursuant to these instruments, cloud service providers are generally subject to onshore rules, even if they do not offer their services within the European Union. In relation to the protection of privacy, however, an important qualification is established by s. 3(3) para. 4 of the Telemedia Act, which states that special provisions of the Federal Data Protection Act take priority over the general rule. Following the European stipulations of the Data Protection Directive, s. 1(5) of the Federal Data Protection Act establishes

12 See, for example, F. H. Cate, ‘The Failure of Fair Information Practice Principles’ in Jane K. Winn (ed.), Consumer Protection in the Age of the ‘Information Economy’ (Aldershot: Ashgate, 2006), pp. 348, 351.
13 Telemediengesetz [Federal Telemedia Act] (Germany) 26 February 2007, BGBl I, 2007, 179.
14 Bundesdatenschutzgesetz [Federal Data Protection Act] (Germany) 14 August 2009, BGBl I, 2009, 2814.
15 Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on Certain Legal Aspects of Information Society Services, in Particular Electronic Commerce, in the Internal Market (Directive on Electronic Commerce), [2000] OJ L 178, p. 1.


what is known as the ‘domicile principle’, which differs from the ‘country of origin’ principle that generally applies under the Telemedia Act.

European rules regarding the protection of privacy on the Internet

To fully understand the position applicable under German law, it is necessary to first focus on three European directives concerning the protection of privacy: the Data Protection Directive (DPD), the Privacy and Electronic Communications Directive (DPEC)16 and the Data Retention Directive (DRD).17 Taken together, these Directives suggest that the EU actually has an ambivalent attitude towards personal data. On the one hand, the EU regards the protection of privacy as being important, as is evident from the DPD and the DPEC. On the other hand, the DRD facilitates the collection of data, especially in the context of national security and criminal matters, such as anti-terrorism.

The Data Protection Directive

The DPD aims at harmonising European national rules regarding protection provisions, when data is wholly or partly processed by automatic means.18 It covers written, spoken, electronic and internet-based data located in the EU.19 Article 4 of the DPD provides that each member state must apply its national data protection laws where:

(a) the processing of personal data is carried out in the context of the activities of an establishment of the controller on the territory of a

16 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector (Directive on Privacy and Electronic Communications), [2002] OJ L 201 (DPEC), p. 37.
17 Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the Retention of Data Generated or Processed in Connection with the Provision of Publicly Available Electronic Communications Services or of Public Communications Networks and Amending Directive 2002/58/EC, [2006] OJ L 105 (DRD) p. 54.
18 W. Kuan Hon, C. Millard and I. Walden, ‘The Problem of “Personal Data” in Cloud Computing: What Information is Regulated? – the Cloud of Unknowing’ (2011) 1 International Data Privacy Law 211.
19 J. A. Bowen, ‘Cloud Computing: Issues in Data Privacy/Security and Commercial Considerations’ (2011) 28 The Computer & Internet Lawyer 1.


Member State; when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable.

(c) the controller is not established on Community territory, and for purposes of processing personal data makes use of equipment, automated or otherwise, situated on the territory of the said Member State, unless such equipment is used only for purposes of transit through the territory of the Community.

The following examples20 show how these criteria should be applied:

• If a controller has an establishment in Germany and processes personal data there, the applicable law will be the laws of Germany.
• If the same controller has an establishment in Germany and processes personal data collected in various countries, the applicable law will still be the laws of Germany since this is where the establishment is situated, regardless of the location of users or data.
• If the same controller is established in Germany and outsources the processing of personal data to a processor in Hungary, the processing in Hungary is in the context of the activities of the controller in Germany. German law will still be applicable to the processing carried out by the processor in Hungary, because the instructions come from the German establishment.
• If the same controller opens a representative (and long-term) office in Italy, and the data processing activities by the Italian office are conducted in the context of the activities of the Italian establishment, then Italian law would apply to those activities.

In addition, Article 25 of the DPD provides that:

1. The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection.

20 The examples are taken from P. Dubois, ‘EU Applicable Law: Clarification on some Practical Issues Relating to Data Protection – from Article 29 Working Party’s Opinion 8/2010’ (2011) 17 Computer and Telecommunications Law Review 97, 97–8.


2. The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.

This means that the Directive also has an extraterritorial effect: data cannot leave the EU unless it is transferred to a country that ensures an adequate level of protection of privacy.21 Compliance with data protection rules is controlled by national authorities while the Article 29 Working Party (WP29) gives advice on the levels of protection in the EU and third countries.22 According to Article 30 of the DPD, WP29 shall:

• examine any question covering the application of the national measures adopted under this Directive in order to contribute to the uniform application of such measures;
• give the Commission an opinion on the level of protection in the Community and in third countries;
• advise the Commission on any proposed amendment of this Directive, on any additional or specific measures to safeguard the rights and freedoms of natural persons with regard to the processing of personal data and on any other proposed Community measures affecting such rights and freedoms.

In 2012 WP29 gave an Opinion on Cloud Computing.23 In that Opinion it concluded that businesses and administrations wishing to use cloud computing need to balance risks and amenities. For example, the processing of sensitive data, such as medical data from doctors or hospitals, via cloud computing raises concerns calling for additional safeguards. WP29 identified security, transparency and legal certainty as key factors for appropriate cloud computing arrangements. It also provided guidelines

21 Bowen, above n. 19, 4; Kuan Hon et al., above n. 18.
22 DPD, above n. 2, Art. 29.
23 Article 29 Working Party, Opinion 05/2012 on Cloud Computing (WP 196, adopted 1 July 2012).


on how to handle cloud computing between clients, who remain responsible as data controllers and as providers. In particular, the guidelines place considerable importance on the role of detailed contractual safeguards in ensuring data security and guaranteeing compliance with EU data protection legislation. The contractual guarantees include a specific requirement that the cloud client, which has significant obligations as a controller, should verify whether the cloud provider is able to guarantee the lawfulness of any cross-border international data transfers in accordance with the DPD.

The Directive on Privacy and Electronic Communications

The DPEC24 applies to the processing of personal data, especially traffic and location data, in the provision of publicly available electronic communications services in public communications networks.25 Accordingly, it is relevant where such services are provided by means of cloud computing. And, as the WP29 Opinion on Cloud Computing pointed out, ‘[i]n cases where cloud computing providers act as providers of a publicly-available electronic communication service they will be subject to this regulation’.26 The DPEC applies to a number of key issues not specifically dealt with by the DPD, including the confidentiality of information, the treatment of traffic data, spam and cookies. For example, Article 5 of the DPEC provides:

1. Member States shall ensure the confidentiality of communications and the related traffic data by means of a public communications network and publicly available electronic communications services, through national legislation. In particular, they shall prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned, except when legally authorised to do so in accordance with Article 15(1). This paragraph shall not prevent technical storage which is necessary for the conveyance of a communication without prejudice to the principle of confidentiality.

2. Paragraph 1 shall not affect any legally authorised recording of communications and the related traffic data when carried out in the course of lawful business practice for the purpose of providing evidence of a commercial transaction or of any other business communication.

24 DPEC, above n. 16.
25 Ibid., Art. 3(1).
26 WP29, Opinion 05/2012 on Cloud Computing, above n. 23, p. 6, fn. 5.


3. Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.

The DPEC does not contain a specific provision designating the applicable law. Nevertheless, as provided in Article 2 of the DPEC, the provisions of this Directive are intended to ‘particularise and complement’ the more general provisions of the DPD. This means that the DPEC is a lex specialis, whose provisions should apply in preference to the DPD where possible, whereas the DPD is a lex generalis, whose general provisions apply where the DPEC does not lay down specific rules.27 Consequently, the applicable law of the DPEC is determined by reference to Article 4 of the DPD.

The Data Retention Directive

The DRD requires EU-based Internet Service Providers (ISPs) and carriers to retain traffic and location data for periods from six months up to two years. The precise subject matter and scope of the DRD is established by Article 1, which provides that:

1. This Directive aims to harmonise Member States’ provisions concerning the obligations of the providers of publicly available electronic communications services or of public communications networks with respect to the retention of certain data which are generated or processed by them, in order to ensure that the data are available for the purpose of the investigation, detection and prosecution of serious crime, as defined by each Member State in its national law.

2. This Directive shall apply to traffic and location data on both legal entities and natural persons and to the related data necessary to identify the subscriber or registered user. It shall not apply to the content

27 See, for example, O. Lynskey, ‘Track[ing] Changes: an Examination of EU Regulation of Online Behavioural Advertising through a Data Protection Lens’ (2011) 36 European Law Review 874, 876–7.


of electronic communications, including information consulted using an electronic communications network.28

Accordingly, the DRD does not protect personal data but, to the contrary, provides for increased retention of traffic and location data. In effect, the DRD may be regarded as a step in the direction of the ‘transparent citizen’ and it will enable more state interference in private lives, especially as it allows for the indiscriminate collection and retention of data without the need for any particular justification. The retention of data is intended to provide an opportunity to gain access to data, especially by national law enforcement agencies. Accessible information includes ‘when’ the communication was held, ‘with whom’ and ‘for how long’ (see Article 5 of the DRD). This means that police and security organisations are able to request access to information such as IP addresses and the time of sending electronic communications such as emails, but not the content of such communications. The relationship between the DPEC and the DRD is complex.29 Nevertheless, so far as cloud computing is concerned, it is clear that the DRD imposes regulatory obligations on providers of publicly available electronic communications services or public communications networks that are not imposed on other providers of cloud services.30 As the 2011 European Commission evaluation report on the DRD made clear, the leeway given to the adoption of data retention measures provided under Article 15(1) of the DPEC has resulted in the uneven transposition of the DRD into national laws.31 This means that operators subject to the DRD must navigate a thicket of potentially inconsistent national laws.

Proposal for a General Data Protection Regulation

In early 2012 the European Commission presented a new proposal for a General Data Protection Regulation (the Regulation).32 This proposed Regulation, which is designed to address the challenges of newer forms

28 DRD, above n. 17, p. 54 (emphasis added).
29 European Commission, Evaluation Report on the Data Retention Directive (Directive 2006/24/EC) (Brussels, 18 April 2011), p. 4.
30 See M. Young and E. Steinhardt, ‘Data Retention, Law Enforcement Access, and the Cloud’, (2011) Bloomberg Law Reports, Technology Law, http://about.bloomberglaw.com/practitioner-contributions/data-retention-law-enforcement-access/ (accessed 4 November 2013).
31 European Commission, Evaluation Report on the Data Retention Directive, above n. 29, p. 31.
32 European Commission, Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such data (General Data Protection Regulation) (Brussels:


of communication, including mobile internet devices, user-generated content and social networking sites, is intended to replace the DPD.33 Although, in principle, a revision of the ‘old’ Directive is to be welcomed, some have queried whether the legal instrument of a regulation is desirable because, in contrast to a directive, it creates identical law in all EU member states. In particular, the Federal Council of Germany (the Upper House or Bundesrat) has expressed the opinion that the proposed Regulation conflicts with the European constitutional principle of subsidiarity.34 The principle of subsidiarity, as enshrined in Article 5(3) of the Treaty on European Union, provides that:

[I]n areas which do not fall within its exclusive competence, the Union shall act only if and in so far as the objectives of the proposed action cannot be sufficiently achieved by the Member States, either at central level or at regional and local level, but can rather, by reason of the scale or effects of the proposed action, be better achieved at Union level.

Therefore, the EU has to choose the form of legislative action that is least invasive on the legislative competences of the member states. In response to the Bundesrat opinion, the European Commission released a statement claiming that:

A Regulation is the instrument best suited to laying down rules on the protection of personal data because its direct applicability remedies the current legal fragmentation, thereby increasing legal certainty and the protection of fundamental rights throughout the European Union and improving the functioning of the single market.35

Nevertheless, there remains some uncertainty about whether or not the choice of a regulation complies with the principle of subsidiarity. Regardless of the legislative form, a revision of the DPD is necessary. Media convergence in software and hardware underpins newer forms of communications that need to be protected from privacy infringements.

25 January 2012) COM(2012)11 Final (GDPR Proposal), http://ec.europa.eu/justice/dataprotection/document/review2012/com_2012_11_en.pdf (accessed 4 November 2013).
33 V. Reding, ‘The Upcoming Data Protection Reform for the European Union’ (2011) 1 International Data Privacy Law 3, 4.
34 Federal Council of Germany [Bundesrat], Bundesrat Drucksache 52/12 (30 March 2012); European Parliament: Committee on Legal Affairs, Notice to Members: Reasoned Opinion of the German Bundesrat (26 April 2012) (0047/2012), www.europarl.europa.eu/meetdocs/2009_2014/documents/juri/cm/899/899454/899454en.pdf (accessed 4 November 2013).
35 European Commission, Reply from the Commission (10 January 2013) C(2012)9638 (final).


The proposed Regulation essentially retains the criterion of ‘establishment’ set out in Article 4 of the DPD as the basis for applicable law, but with one significant change. Whereas Article 4(c) of the DPD provides that national laws are also applicable where a controller is not established on Community territory but, instead, makes use of equipment situated on the territory of a Member State, Article 3(2) replaces this with two criteria that provide that the Regulation extends to data processing relating to: (a) the offering of goods or services to data subjects in the European Union; or (b) the monitoring of the behaviour of such data subjects.36 As the proposed Regulation would create uniform EU law applying in all member states, in principle there seems no need for a provision dealing with applicable national law of member states. This means that Article 4 of the proposed Regulation only provides for the application of EU law. However, as explained in the European Data Protection Supervisor’s Opinion on the data reform package, because the Regulation specifically allows for the application of national law in some areas, the lack of any criterion for the application of applicable national law is a source of unnecessary legal uncertainty.37

The applicable law for cloud computing

The application of the jurisdictional rules of the current DPD to cloud computing leads to the following situation: if a German cloud computing provider with its headquarters in Germany collects data, it has to comply with German data protection laws. If a provider wants to conduct business in the EU, or wants to collect data in a member state from a third country, it also has to keep the relevant domestic and European rules in mind. In its 2012 Opinion, WP29 acknowledged the data protection challenges posed by the emergence of cloud computing, including the complexities associated with determining the applicable law under the DPD.38 In its earlier Opinion on applicable law, WP29 emphasised the problems created by a lack of harmonisation in the laws of EU member states and called for ‘comprehensive harmonisation’ of national laws.39 The Opinion on applicable law also proposed amending the criteria for determining

36 European Commission, GDPR Proposal, above n. 32, Art. 3(2).
37 European Data Protection Supervisor, Opinion of the European Data Protection Supervisor on the Data Protection Reform Package (Brussels: 7 March 2012), p. 17, [103].
38 WP29, Opinion 05/2012 on Cloud Computing, above n. 23, p. 7.
39 WP29, Opinion 08/2010 on Applicable Law (WP 179, adopted on 16 December 2010), p. 31.


applicable law where a controller is established outside the EU by adopting a ‘service-oriented approach’ that applies where products or services are targeted at data subjects in the EU.40 In announcing the need for comprehensive reform of EU data protection law in 2010, the European Commission expressly referred to the complexity in determining the applicable law for cloud computing services, stating that:

The Internet makes it much easier for data controllers established outside the European Economic Area (EEA) to provide services from a distance and to process personal data in the online environment; and it is often difficult to determine the location of personal data and of equipment used at any given time (e.g., in ‘cloud computing’ applications and services).41

The proposed data protection Regulation essentially adopts WP29’s recommendations on applicable law by providing that, under Article 3(2), EU law applies where goods or services are offered to data subjects in the EU and where the behaviour of EU data subjects is monitored. In the European Parliament’s draft report on the proposed Regulation (known as the Albrecht Report), which was released in January 2013, the only proposals for amending Article 3(2) were proposals to widen the criteria for applying EU law (e.g., by ensuring that the Regulation applies not only to the monitoring of the behaviour of EU residents, but also to the monitoring of such residents in and of themselves).42 Adoption of the proposed Regulation would therefore ensure that EU data protection law applies to cloud services, wherever located, if the service is targeted at EU residents. Nevertheless, as explained in this chapter, considerable uncertainties remain in regard to the application of the proposed Regulation. First, although the Regulation continues to allow for the application of national laws in important areas, there is no provision governing the applicability of national laws. Second, the issue of whether a regulation (as opposed to a

40 Ibid.
41 European Commission, Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions: A Comprehensive Approach on Personal Data Protection in the European Union (Brussels: 4 November 2010) COM(2010)609 Final, p. 11, [2.2.3].
42 European Parliament: Committee on Civil Liberties, Justice and Home Affairs (Rapporteur: J. P. Albrecht), Draft report on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (Brussels, 16 January 2013) (COM(2012)0011 – C7–0025/2012–2012/0011(COD)), p. 63, Amendment 83, www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/924/924343/924343en.pdf (accessed 4 November 2013).


directive) complies with the principle of subsidiarity remains unresolved. Third, there remains considerable uncertainty concerning the precise relationship between the DPD and the two other European level instruments addressed in this chapter, the DPEC and the DRD. The proposed Regulation does not resolve the problems arising from the interaction between these instruments.43

Conclusion

As seen in this chapter, there is no specific legislation concerning the protection of data in the cloud, whether in Germany or in Europe. For the time being, the existing EU legislation (and in particular the DPD and the DPEC) needs to be interpreted and applied to services that were not envisaged when these instruments were introduced. As this chapter has explained, there are considerable legal uncertainties in determining the applicable law under the current legal instruments, especially when a service provider that is not established in the EU is, nonetheless, ‘acting’ in Europe. At present, each European national jurisdiction has its own regime to protect personal data (although these regimes are, to an extent, harmonised with one another). The existence of different national data protection laws causes few problems if there are clear jurisdictional rules determining which laws apply in a given case. The ubiquitous nature of the Internet, including cloud services provided over the Internet, represents considerable challenges to jurisdictional rules. In short, as is clear from the difficulties experienced as a result of inconsistencies in the implementation of the DPD in national laws, privacy on the Internet cannot be adequately protected at a national level. While the proposed data protection Regulation would create uniform law across the EU, as this chapter has explained, there are significant challenges that must be met before the proposed new regime is adopted. And a primary challenge is to determine whether the choice of a regulation complies with the principle of subsidiarity established by the Treaty on European Union. Moreover, even if these complex issues were resolved in the EU, problems remain

43 The Commission proposal for the new data protection framework simply stated that: ‘The substantive legal consequences of the new Regulation and of the new Directive for the e-Privacy Directive will be the object, in due course, of a review by the Commission, taking into account the result of the negotiations on the current proposals with the European Parliament and the Council’: European Commission, A Comprehensive Approach on Personal Data Protection in the European Union, above n. 41, p. 4, fn. 15.


with data processing outside of the EU. Ideally, the contemporary challenges, as illustrated by the challenges of cloud computing, require international treaties. As this chapter argues, in cloud computing matters, where the user does not know where the data is stored, a common set of uniform, transborder rules is required. he proposed EU data protection Regulation represents a step in this direction. A key consideration in devising an appropriate legal regime for cloud computing is the need to distinguish between personal data with and without encryption. Data with encryption does not necessarily identify a particular individual – it is ‘anonymous’ in the hands of a provider without the means of decryption (i.e. key access).44 his data clearly does not need the same protection as unencrypted data.45 Hence a fundamental principle is that new forms of electronic data storage need diferentiated rules. In this respect, the proposed EU General Data Protection Regulation, while not expressly addressing cloud computing, does represent a step towards the adoption of more diferentiated rules. For example, the data security principle embodied in Article 30 of the proposed Regulation states: 1. he controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected, having regard to the state of the art and the costs of their implementation. 2. he controller and the processor shall, following an evaluation of the risks, take the measures referred to in paragraph 1 to protect personal data against accidental or unlawful destruction or accidental loss and to prevent any unlawful forms of processing, in particular any unauthorised disclosure, dissemination or access, or alteration of personal data. 
Although the Article does not explicitly refer to encryption, whether or not data is encrypted is clearly an important consideration in determining if there has been a breach. Furthermore, Article 30(3) and (4) of the proposed Regulation provides for the Commission to expand upon these rules by adopting more detailed acts for specifying technical measures for specific sectors. Provided it is possible to address the considerable

44 Kuan Hon et al., above n. 18, 221.
45 Ibid.


uncertainties involved in establishing a new EU data protection framework, including the significant uncertainties identified in this chapter that are associated with determining the applicable law for transborder cloud services, the process for developing a new data protection regime holds out the promise of more nuanced laws that may be adequate and appropriate for new and emerging services, including cloud computing. Nevertheless, at the time of writing much work remains to be done before this promise is realised.

PART VI Privacy, the courts and the media

16 Open justice, privacy and suppressing identity in legal proceedings: ‘what’s in a name?’ and would anonymity ‘smell as sweet’?

Sharon Rodrick

Introduction

On occasions, courts order that persons who have become involved in legal proceedings, whether civil or criminal in nature, and whether as parties or witnesses, must not be identified. Such orders might provide that a person is to be referred to in the courtroom by a letter or pseudonym1 rather than by their real name, or they might allow the person to be referred to by their real name in court but prohibit the publication of their name outside the courtroom.2 In either case, any published judgment would refer to that person by letter or pseudonym. It is also open to parliaments to enact legislation that prohibits the publication of the names and other identifying details of persons involved in certain types of legal proceedings. Anonymity orders are a regular occurrence in some Australian jurisdictions, particularly Victoria, and are frequently contentious. The United Kingdom Supreme Court has described the practice as having become

Developments discussed in this chapter are to 30 April 2013. The quotes in the title of this chapter are taken from William Shakespeare, Romeo and Juliet (II, ii).

1 A court might assign a fictitious name to a person, rather than refer to them by initials, in order to humanise them: XVW and YZA v. Gravesend Grammar School for Girls [2012] EWHC 575 (QB), [1].
2 While it is clear that courts have an inherent or implied power to order that a person be referred to inside the courtroom by a letter or pseudonym, whether these powers support orders binding the public at large prohibiting the publication of a person’s name outside the courtroom is far from certain. Compare Independent Publishing v. Attorney-General of Trinidad & Tobago [2004] UKPC 26, [2005] 1 AC 190, which denies the existence of such a power at common law, with Siemer v. Solicitor-General [2012] NZCA 188, which confirms the existence of such a power. The High Court of Australia is yet to provide a decisive answer to this question: Hogan v. Hinch [2011] HCA 4, (2011) 243 CLR 506, [88].


‘deeply ingrained’ in the UK, after counsel for the media in Guardian News and Media Ltd in Her Majesty’s Treasury v. Ahmed (Guardian News) provocatively remarked to the Court that ‘your first term docket reads like alphabet soup’.3 This chapter consists of three sections. The first section investigates the extent, if any, to which deference to privacy underlies the making of anonymity orders by Australian courts, bearing in mind that Australia has no bill of rights protecting privacy and no common law or statutory cause of action for invasion of privacy. It also considers whether respect for privacy is the impetus for some of the more significant legislative prohibitions imposed by Australian parliaments. The second section compares the Australian position to that which prevails in the UK, where any request for an anonymity order falls to be resolved in light of Articles 6, 8 and 10 of the European Convention on Human Rights (ECHR),4 which respectively enshrine a right to a fair and public trial, respect for privacy and freedom of expression. Particular attention will be paid to anonymity orders that are sought in conjunction with an application for an interim injunction to restrain the misuse of private information, as there is now a significant body of case law governing this issue. The third section considers, in more theoretical terms, the pros and cons of naming persons who become involved in legal proceedings. The task of addressing these issues is made difficult by the notoriously ambiguous and protean nature of privacy.
While there is general agreement that privacy rights are important for human dignity and autonomy, the concept is vague and lacks a ‘precise legal connotation’.5 This has led Solove to contend that privacy is more appropriately treated as a set of related interests that the law protects, rather than an all-embracing concept.6 In the context of anonymity orders, this imprecision is likely to lead to semantic arguments as to whether what is being protected is ‘privacy’ or some other interest.

3 Guardian News and Media Ltd in Her Majesty’s Treasury v. Ahmed [2010] UKSC 1, [2010] 2 AC 697 (Guardian News), [1]. In [22], Lord Rodger also referred to the ‘recent efflorescence of anonymity orders’.
4 Convention for the Protection of Human Rights and Fundamental Freedoms, opened for signature 4 November 1950, 213 UNTS 221 (entered into force 3 September 1953).
5 J. T. McCarthy, The Rights of Publicity and Privacy, 2nd edn (St Paul: Thomson/West, 2005), [5.59], as cited by Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice, Report No. 108 (2008), [1.41].
6 D. Solove, ‘Conceptualising Privacy’ (2002) 90 California Law Review 1087.


Privacy and anonymity in Australian judicial proceedings

Anonymity orders made by courts

In Australia, the extent to which anonymity orders can be made by courts out of deference to the privacy of a litigant or witness varies according to whether judges are asked to make such orders pursuant to their common law powers or pursuant to legislative power conferred on them by a parliament. Each of these contexts will be considered.

The common law position in Australia

The common law position in Australia can be summed up succinctly: anonymity orders are the exception rather than the rule and are not made to protect the privacy of litigants and witnesses. Three factors combine to explain why a party or a witness who seeks to have their name suppressed is unlikely to succeed at common law. First, privacy remains underdeveloped and underprotected in Australia. Although privacy is recognised as a right under the International Covenant on Civil and Political Rights (ICCPR),7 to which Australia is a signatory, it is not embedded in a federal bill of rights. Nor has it spawned common law rights.8 It does, however, enjoy express recognition under the Australian Capital Territory (ACT)’s Human Rights Act 2004 and Victoria’s Charter of Human Rights and Responsibilities Act 2006.9

7 International Covenant on Civil and Political Rights, opened for signature 16 December 1966, [1980] ATS 23 (entered into force 23 March 1976). Article 17 provides, inter alia, that ‘No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence’ and that ‘Everyone has the right to the protection of the law against such interference’.
8 In Australian Broadcasting Corporation v. Lenah Game Meats [2001] HCA 63, (2001) 208 CLR 199, the High Court paved the way for Australian courts to recognise and develop a common law right of privacy, but to date only two intermediate courts have accepted the challenge: Grosse v. Purvis [2003] QDC 151, (2003) Aust Torts Reports 81–706; Doe v. Australian Broadcasting Corporation [2007] VCC 281. The most recent attitude that can be gleaned from superior courts is that the development of a cause of action for invasion of privacy would require the resolution of difficult definitional problems and is best left to parliament: Giller v. Procopets [2008] VSCA 236, (2008) 24 VR 1, [167], [451]–[452]. There are, however, many common law causes of action that can be used to protect interests that come under the rubric of privacy.
9 Human Rights Act 2004 (ACT) s. 12; Charter of Human Rights and Responsibilities Act 2006 (Vic) s. 13. The Victorian Charter does not create a right of privacy; it simply provides for Victorian laws to be measured against the Charter. Laws that do not conform to Charter rights cannot be declared invalid by the courts.


The second reason why anonymity orders are unlikely to be made at common law is the overriding importance attached to the principle of open justice, which is the antithesis of privacy. Open justice is a principle, ‘not a freestanding right’.10 As such, it has a number of applications, which embrace a wide variety of activities. The three most fundamental manifestations of open justice are: that courts sit in public;11 that the evidence presented in court is presented publicly; and that what is seen and heard by those who attend can be reported to the world at large,12 including the names of the participants. Open justice is traditionally and primarily valued for its propensity to enhance the administration of justice by keeping the judges accountable for the way in which they exercise their power,13 by eliciting truthful testimony from witnesses and by encouraging unknown witnesses to come forward.14 This enhances both the conduct and the outcome of cases. The general public are also beneficiaries of the outcomes that open justice is considered to produce. The public have a valid interest in knowing how the legal system is working, whether or not they have a direct stake in the result of a particular case.15 This is because they have a legitimate interest in having an accountable third branch of government that delivers fair outcomes after following a just and transparent process. In the event that open justice exposes deficiencies or inadequacies in the judicial system – and therefore does not secure community respect – the public’s awareness of these shortcomings means that they are well positioned to advocate for change. By contrast, secret courts suffer from a lack of transparency and accountability, and are regarded with misgiving as instruments of oppression.

10 John Fairfax Publications Pty Ltd v. Ryde Local Court [2005] NSWCA 101, (2005) 62 NSWLR 512, [29].
11 Indeed, it is an essential characteristic of a court that its doors are open and that people are entitled to enter and observe its proceedings: Russell v. Russell (1976) 134 CLR 495 (Russell), 520.
12 Attorney-General v. Leveller Magazine Ltd [1979] AC 440, 450; Raybos Australia Pty Ltd v. Jones [1985] 2 NSWLR 47, 55.
13 Russell, above n. 11, 520; Attorney-General v. Leveller Magazine Ltd, above n. 12, 450; Richmond Newspapers Inc v. Virginia 448 US 555, 592, 596 (1980); Harman v. Secretary of State for the Home Department [1983] 1 AC 280 (HL), 303; David Syme & Co Ltd v. General Motors-Holden’s Ltd [1984] 2 NSWLR 294, 300; R v. Legal Aid Board ex parte Kaim Todner [1999] QB 966, 977; Named Person v. Vancouver Sun [2007] 3 SCR 253, 2007 SCC 43, [32].
14 J v. L & A Services Pty Ltd (No. 2) [1993] QCA 012, [1995] 2 Qd R 10 (J v. L & A), 45; Witness v. Marsden [2000] NSWCA 52, (2000) 49 NSWLR 429, 461; West Australian Newspapers Ltd v. State of Western Australia [2010] WASCA 10 (West Australian Newspapers), [30].
15 Herald & Weekly Times Ltd v. Magistrates’ Court of Victoria [1999] VSC 136, [1999] 3 VR 231, [46]; Re S (A Child) (Identification: Restrictions on Publication) [2004] UKHL 47, [2005] 1 AC 593 (Re S (A Child)), [30].


Given that the media are the primary vehicle by which information about the courts is conveyed to the public, they play a significant role in helping to secure the aforementioned benefits. Yet it is the reporting aspect of open justice that is most likely to compromise a person’s privacy. The third reason why anonymity orders are not usually made at common law is because, for the reasons given above, open justice is generally regarded as advantageous to litigants. This is reflected in Article 14 of the ICCPR, which confers on litigants a right to a fair and public hearing, thereby indicating that open justice is regarded as a valuable attribute of a trial that will be prized by litigants. These three factors collectively place the interests of the courts, the media, the public and the litigants on the same side of the ledger. In view of the fact that open justice is regarded as beneficial to those who become embroiled in legal proceedings, it may seem counterintuitive that parties and witnesses would seek anonymity orders. However, the very fact that applications for name suppression are made suggests that litigants and witnesses frequently perceive that they would be disadvantaged by publicity. This creates an interesting tension between theory and reality.

Exceptions to the common law position

While in the vast majority of cases open justice is regarded as enhancing the administration of justice, there are occasions where it ‘crosses the floor’ and moves to the other side of the ledger. Where this is the case, courts have always taken the view that the administration of justice must prevail and have been prepared to make derogations to open justice accordingly.16 In extreme cases, the derogation might consist of closing the court. However, it is far more likely that a court will remain open and issue an order prohibiting the publication of certain information about the case, including names, since this is a less drastic measure than sitting in camera. The touchstone of the common law has always been that derogations are made only to the extent that they are necessary to secure the proper administration of justice, either in the particular case or as a continuing process.17 While the concept of ‘necessity’ has some malleability,18 it has

16 Scott v. Scott [1913] AC 417, 437–8.
17 For an explanation of the importance of protecting and preserving the court’s ability to administer justice in future cases see: Moevao v. Department of Labour [1980] 1 NZLR 464, 481.
18 In Fairfax Digital Australia & New Zealand Pty Ltd v. Ibrahim [2012] NSWCCA 125, (2012) 293 ALR 384 ‘necessity’ was described as having a flexible scale of meaning that varies with the context in which it is used: [46].


overtones of something that is essential or imperative, and courts have generally adopted this strict approach.19 But essential or imperative to achieve what particular purpose? Clearly, open justice will be curtailed where this is necessary to enable the case to be properly tried or to ensure that the court’s decision is not rendered futile or to prevent prejudice to a related trial or to future trials and so on. However, some judges regard restrictions on open justice as ‘necessary’ if their imposition would avoid consequences that the court considers unacceptable because they are unjust.20 In the context of name suppression orders, the concept of ‘necessity’ has been applied in a fairly narrow set of circumstances. The only point of disagreement among judges is whether these categories are rigid or whether they are simply examples of the ‘necessity’ principle that can be employed in new scenarios, as and when the need arises. Circumstances where courts will ordinarily accede to requests for anonymity include:

• Where an accused person is facing more than one trial on separate charges or where there are linked trials involving different accused. Suppression of names might be necessary to protect the fairness of these trials, especially if juries are involved.21
• Where anonymity is necessary to protect and preserve the subject matter of the action; that is, where disclosure of a person’s identity would destroy the very thing the action is designed to protect or defend. In Australia this is likely to be the case where the cause of action is breach of confidence and the confidential information is a person’s name.22 Should invasion of privacy become a recognised cause of action in Australia, the issue of whether open justice (in the form of naming) would frustrate the purpose of the proceeding will undoubtedly become a more significant issue.23

19 Hogan v. Australian Crime Commission [2010] HCA 21, (2010) 240 CLR 651, [30] (‘necessity’ was discussed in this case in the context of s. 50 of the Federal Court of Australia Act 1976 (Cth)).
20 John Fairfax Group Pty Ltd (Receivers and Managers Appointed) v. Local Court of New South Wales (1991) 26 NSWLR 131 (Fairfax v. Local Court of NSW), 161 per Mahoney JA.
21 Suppression orders made in this context may extend beyond names to other aspects of the case.
22 See, e.g., G v. Day [1982] 1 NSWLR 24; Australian Football League v. The Age [2006] VSC 308, (2006) 15 VR 419. See also Venables v. News Group Newspapers Limited [2001] EWHC 32 (QB), (2001) 1 All ER 908.
23 This is the case in the UK. See: Report of the Committee on Super-Injunctions, Super-Injunctions, Anonymised Injunctions and Open Justice (2011), [1.20]–[1.21].


• The names of complainants in blackmail cases. Courts have been quick to point out that this is not done to protect the blackmailee’s privacy, as he or she has usually done something reprehensible that has provided the occasion for the blackmail. Rather, it is done to encourage present and future victims of blackmail to report the crime. This is perceived as being necessary to protect the administration of justice as a continuing process.24
• Police informers or undercover police operatives.25 Anonymity orders are made to protect the particular informer or operative’s safety and/or to encourage the future flow of intelligence from potential informers. This is said to represent ‘a broader conception of the administration of justice’.26
• Cases involving national security.27 Protecting national security may or may not have a link with the administration of justice; in some cases it may be more accurately described as constituting an ‘analogous exception to the requirement of open justice’.28

One circumstance that remains rather nebulous as an operating cause of an anonymity order is where a party (or putative party) argues that if their names are not suppressed, they will not commence a proceeding or will not defend a proceeding brought against them. If that party adduces evidence that this is in fact the case,29 a court may regard the order as necessary on the basis that if the courts are not utilised, the administration of justice is compromised. In reality, the applicant’s quest for anonymity may be motivated purely by a desire to protect their privacy, but if a court was so inclined, it could find the necessary link with the administration of

24 R v. Socialist Worker Printers and Publishers Ltd; Ex parte Attorney-General [1975] 1 QB 637; Fairfax Digital Australia & New Zealand Pty Ltd v. Ibrahim, above n. 18, [48]. The same reasoning was less convincingly extended to victims of extortion in Fairfax v. Local Court of NSW above n. 20.
25 R v. Savvas (1989) 43 A Crim R 331; Jarvie v. Magistrates’ Court of Victoria [1995] 1 VR 84. The courts’ power to derogate from open justice in such cases is to be distinguished from ‘rules of evidence which confer an immunity against disclosure in court of certain communications made in the public interest’: Hogan v. Hinch, above n. 2, [88]. The latter was in issue in Cain v. Glass (No. 2) (1985) 3 NSWLR 230.
26 J. Bannister, ‘The Paradox of Public Disclosure: Hogan v Australian Crime Commission’ (2010) 32 Sydney Law Review 159, 162.
27 R v. Governor of Lewes Prison; ex parte Doyle [1917] 2 KB 254; Taylor v. Attorney-General (NZ) [1975] 2 NZLR 675; Attorney-General v. Leveller Magazine Ltd, above n. 12; A v. Hayden (1984) 156 CLR 532; Re a Former Officer of the Australian Security Intelligence Organisation [1987] VR 875.
28 J v. L & A, above n. 14, 44.
29 It may be difficult for a court to make an assessment of the deterrent effect of publicity.


justice. Courts are divided on whether anonymity orders should be made on such grounds,30 but their willingness to do so appears to be increasing. For example, in a number of cases in the Victorian Supreme Court, victims of sexual abuse have successfully argued that they will not bring a civil action for compensation against the perpetrator unless they are assured of anonymity.31 While there may be other interests that compete with open justice, including privacy and reputation, courts exercising common law powers are generally not willing to accommodate them because they do not possess the necessary link with the administration of justice. In fact, Australian courts have held that information is not to be withheld from the public merely to save a party or witness from ‘loss of privacy, embarrassment, distress, financial harm or other “collateral disadvantage”’.32 This has led Australian courts to refuse to make anonymity orders in the following circumstances:

• To protect a person’s professional reputation from the harm that publicity would be likely to inflict;33
• To protect a married couple who had contracted the human immunodeficiency virus through their employment and who argued that if their medical condition became known to the public, they would be

30 In Scott v. Scott, above n. 16, most judges considered that this did not constitute a valid ground for closing the court and sitting in camera: at 484–5, although Earl Loreburn suggested to the contrary: at 446. Similar reservations were expressed in R v. Tait (1979) 46 FLR 386, 404. However, courts are more amenable to making non-publication orders on this ground: TK v. Australian Red Cross Society (1989) 1 WAR 335, 341; Johnston v. Cameron [2002] FCAFC 251, (2002) 124 FCR 300, 319; Herald & Weekly Times Ltd v. Gregory Williams (formerly identified as VAI) [2003] FCAFC 217, (2003) 130 FCR 435, 444–6; P v. Australian Crime Commission [2008] FCA 1336, (2008) 250 ALR 66, [54]; AX v. Stern [2008] VSC 400. But see contra, J v. L & A, above n. 14, where Fitzgerald P and Lee J stated that the ‘permitted exceptions to the requirement of open justice are not based upon the premise that parties would be reasonably deterred from bringing court proceedings by an apprehension that public access or publicity would deprive the proceeding of practical utility, but upon the actual loss of utility which would occur, and the exceptions do not extend to proceedings which parties would be reasonably deterred from bringing if the utility of the proceedings would not be affected’: at 44.
31 See, e.g., BK v. ADB [2003] VSC 129; ABC v. D1; Ex parte Herald & Weekly Times Ltd [2007] VSC 480; ANN v. ABC & XYZ [2006] VSC 348; Anon 2 v. XYZ [2008] VSC 466; ESB v. State of Victoria [2010] VSC 479; PPP v. QQQ as Representative for the Estate of RRR [2011] VSC 186.
32 J v. L & A, above n. 14, 45. See also: Raybos Australia Pty Ltd v. Jones, above n. 12, 55; Fairfax v. Local Court of NSW, above n. 20, 142–3; West Australian Newspapers, above n. 14, [22]; Rinehart v. Welker [2011] NSWCA 403, [54]; Lew v. Priester (No. 2) [2012] VSC 153, [21]; AA v. BB [2013] VSC 120, [181].
33 Raybos Australia Pty Ltd v. Jones, above n. 12.


ostracised and discriminated against within the community and would suffer stress that would exacerbate their medical condition.34
• To enable a person to avoid intense media scrutiny that publication of their identity would attract.35

Moreover, accused persons, other than minors, generally cannot expect their identities to be concealed, either before or after a verdict.36 While it has been noted above that some judges have been prepared to stretch the concept of necessity to cover scenarios that smack of privacy on the basis that the concept extends to avoiding unacceptable outcomes,37 for the most part privacy is regarded by judges as a regrettable casualty of open justice unless it has a demonstrable impact on the administration of justice. Accordingly, in the context of anonymity or pseudonymity orders made by judges pursuant to their common law powers, privacy tends to be a consequence rather than a cause. In other words, anonymity orders are not made because the parties have a right to privacy that they can come to court and successfully assert. Rather, the argument for concealment of one’s identity must be based on some other compelling reason that relates to the administration of justice. However, if a court does make a nonpublication order suppressing the name of a litigant or a witness, the effect is to protect privacy.

Courts exercising powers conferred by legislation

Parliaments can, and often do, imbue courts with statutory power to make anonymity orders. This raises the question: to what extent have parliaments adjusted the common law position out of deference to privacy? The answer varies according to the legislation in question. Sometimes legislation simply codifies the common law position, requiring the court to be satisfied that an order suppressing identity is necessary in the interests of the administration of justice. However, in some cases, the power is not so

34 J v. L & A, above n. 14.
35 O’Shane v. Burwood Local Court [2007] NSWSC 1300.
36 See Vickery v. Nova Scotia Supreme Court (1991) 64 CCC (3rd) 65, 94; R v. Mahanga [2001] NZLR 641, 648 as discussed in New Zealand Law Commission, Suppressing Names and Evidence, Report no. 109 (2009), [3.57] and in J. Barrett, ‘Open Justice or Open Season? Developments in Judicial Engagement with the New Media’ (2011) 1 QUT Law and Justice Journal 1, 9. For arguments to the contrary see: G v. The Queen [1984] 35 SASR 349, where King CJ held that the presumption of innocence was a basic consideration in decisions on name suppression: at 351; R. Munday, ‘Name Suppression: an Adjunct to the Presumption of Innocence and to Mitigation of Sentence (Part One)’ (1991) Criminal Law Review 680; (Part Two) (1991) Criminal Law Review 753.
37 See, e.g., Fairfax v. Local Court of NSW, above n. 20, 161 per Mahoney JA; J v. L & A, above n. 14, 49 per Pincus JA.


confined,38 although there is no legislation that explicitly allows identity to be suppressed on the grounds of privacy per se. A common legislative approach is to empower a court to make a non-publication order where it is satisfied that ‘it is in the interests of justice to do so’. The Western Australia Court of Appeal has held that the ‘interests of justice’ is a broad concept, which should not be confined to mean ‘in the interests of the administration of justice’.39 Rather, it ‘accommodates a wide range of considerations’, including ‘where appropriate and with significant limitations, the personal interests of those involved in judicial proceedings’.40 The widest powers to make orders suppressing names are conferred in South Australia, Victoria and New South Wales. In South Australia, s. 69A of the Evidence Act 1929 (SA) empowers a court to make a suppression order41 in two circumstances: first, if it is satisfied that an order should be made to prevent prejudice to the proper administration of justice or, second, to prevent undue hardship to an alleged victim of crime, to a witness or potential witness in civil or criminal proceedings who is not a party, or to a child.42 If a court is considering whether to make a suppression order, it is directed to recognise that a primary objective in the administration of justice is to safeguard the public interest in open justice and the consequential right of the news media to publish information relating to court proceedings, and is permitted to make the order only if satisfied that special circumstances exist giving rise to a sufficiently serious threat of prejudice to the proper administration of justice, or undue hardship, to justify the making of the order.43 These qualifications to the exercise of the power render it highly unlikely

38 Courts have been admonished to be cautious when contemplating the exercise of a power to preclude publication which is not founded on the need to avoid prejudice to the administration of justice: Re Application by Commissioner of Police [2004] VSCA 3, [2004] 9 VR 275, [30].
39 West Australian Newspapers, above n. 14, [31]. This harks back to the discussion in J v. L & A, above n. 14, where the majority stressed the need to demonstrate that the proceedings in question would be deprived of practical utility unless the public was excluded or publicity forbidden, whereas Pincus J considered that many cases could be explained on the basis that in the absence of a restriction on publicity, damage would be caused to the public interest, to a class of persons or to individuals ‘to such an extent and of such a kind as absolutely to require some relief, in the interests of justice’: at 49.
40 West Australian Newspapers Ltd, above n. 14, [31].
41 A suppression order is defined to mean an order forbidding the publication of specified evidence or of any account or report thereof or forbidding the publication of the name of a party or witness or a person alluded to in the course of proceedings before the court and of any other material tending to identify such person: s. 68.
42 Evidence Act 1929 (SA) s. 69A(1).
43 Ibid., s. 69A(2).


that a person could successfully argue for an order suppressing their identity simply because they want to protect their privacy. The benchmark of ‘undue hardship’ would require an applicant for an anonymity order to demonstrate that unduly harsh consequences would follow if they were identified. Perhaps a serious invasion of privacy would suffice, but a mere desire to retain control of what is published about oneself would not.

Victorian judges and magistrates are empowered to make an order, inter alia, prohibiting the publication of a report of the whole or any part of a proceeding or of any information derived from a proceeding (which would include a name) if, in its opinion, it is necessary to do so in order not to:

(a) endanger the national or international security of Australia;
(b) prejudice the administration of justice;
(c) endanger the physical safety of any person;
(d) offend public decency or morality;
(e) cause undue distress or embarrassment to the complainant in a proceeding that relates, wholly or partly, to a charge for a sexual offence; or
(f) cause undue distress or embarrassment to a witness under examination in a proceeding that relates, wholly or partly, to a charge for a sexual offence.44

Although ‘necessity’ is the benchmark of each of these grounds, the concept is only tied to the administration of justice in paragraph (b). As noted earlier, Victorian courts have shown an inclination to protect victims of sexual abuse who wish to bring civil proceedings against the alleged perpetrators.45 Such orders have often been made on the basis that publication of the plaintiff’s identity would be likely to defeat the paramount object of the court of doing justice according to law, because the court is satisfied that the plaintiff would be reasonably deterred from bringing the proceeding unless public disclosure of his or her identity is prohibited. Thus the order is considered ‘necessary’ in order not to prejudice the administration of justice. Persons seeking such orders are also likely to adduce medical evidence that disclosure of their identity would exacerbate a psychiatric or psychological condition or affect their ongoing treatment. In

45

County Court Act 1958 (Vic) ss. 80, 80AA; Magistrates’ Court Act 1989 (Vic) s. 126; Supreme Court Act 1986 (Vic) ss. 18, 19. Ground (d) does not appear in the Magistrates’ Court Act 1989. he identities of the victims in criminal proceedings for sexual ofences are automatically suppressed by the Judicial Proceedings Reports Act 1958 (Vic) s. 4.


Sharon Rodrick

Victoria, this has enabled courts to make orders pursuant to paragraph (c).46 While one might take the view that this is just a cloak for protecting privacy, courts are adamant that this is not the case. Rather, such orders are aimed at procuring specific outcomes – the preservation of the proceeding and the avoidance of harm to the applicant – that disclosure of identity would potentially jeopardise. For example, in ABC v. D1; Ex parte Herald & Weekly Times Ltd Forrest J contrasted ‘mere’ invasion of privacy with cases where mental or physical harm would result from the disclosure of one’s identity, emphasising that in the latter case the person must generally adduce cogent evidence to that effect.47

In 2010 New South Wales enacted the Court Suppression and Non-Publication Orders Act 2010. This legislation was originally developed by the Standing Committee of Attorneys-General as model legislation, which was intended to be a blueprint for the other Australian jurisdictions to follow. To date, the Commonwealth is the only other jurisdiction that has enacted similar legislation. The Access to Justice (Federal Jurisdiction) Amendment Act 2012 (Cth) implements the model legislation for all federal courts.48 The Court Suppression and Non-Publication Orders Act 2010 (NSW) stipulates five grounds on which a court may ‘prohibit or restrict the publication or other disclosure’ of ‘information tending to reveal the identity of or otherwise concerning any party to or witness in proceedings before the court’ or any related or associated person.49 The first four grounds are similar to paragraphs (a), (b), (c), (e) and (f) of the Victorian legislation. The fifth ground permits an order to be made where it is ‘otherwise necessary in the public interest for the order to be made and that public interest significantly outweighs the public interest in open justice’.50 Whether courts

46 ANN v. ABC & XYZ, above n. 31; ABC v. D1; Ex parte Herald and Weekly Times Ltd, above n. 31; Anon 2 v. XYZ, above n. 31; PPP v. QQQ as Representative for the Estate of RRR, above n. 31; cf. J v. L & A, above n. 14, where no such legislation was in existence.
47 [2007] VSC 480, [42], [71]. These interests might be argued to fall under the rubric of privacy in so far as they are outcomes that publicity might be expected to produce. The New Zealand Law Commission noted that when the term ‘privacy’ is pressed as a factor in name suppression, it is ‘often being used to describe other underlying interests requiring protection’, such as reputation, mental or physical well-being, secrecy and confidentiality: New Zealand Law Commission, Suppressing Names and Evidence, above n. 36, [3.53]. Interestingly, the Commission did not recommend that privacy be included as an independent ground for name suppression.
48 The federal courts are the High Court, the Federal Court, the Family Court and the Federal Magistrates’ Court. The Act also applies to all courts exercising jurisdiction under the Family Law Act 1975 (Cth).
49 Court Suppression and Non-publication Orders Act 2010 (NSW) ss. 7, 8.
50 Ibid., s. 8(e).

Open justice, privacy and suppressing identity


could use this ground to support an order designed to protect the privacy of a party or a witness will depend on whether protecting a person’s privacy can be appropriately described as a matter of public interest. Even if it can, it is hard to see how concern for the privacy of a party or witness could outweigh the public interest in open justice unless certain consequences would follow from the revelation of the person’s identity, in which case these consequences are probably picked up by the other paragraphs. There are recent indications that the courts will prioritise open justice over privacy when determining applications under that Act.51 Interestingly, the fifth ground does not appear in the Access to Justice (Federal Jurisdiction) Amendment Act 2012 (Cth).

Legislative prohibitions on naming/identification

Sometimes, parliaments enact legislation that prohibits the publication of the identities of persons involved in certain types of judicial proceedings. Such provisions are self-executing and do not require any action on the part of the courts. Privacy tends to feature more prominently as the basis for such identity restrictions, although the concession to anonymity may be made to secure more tangible outcomes than privacy simpliciter.52 There are four circumstances where identities are routinely suppressed. First, children who are involved in proceedings in the Children’s Court generally cannot be named or otherwise identified.53 This special

51 See, e.g., Rinehart v. Welker [2011] NSWCA 403; Rinehart v. Welker [2012] HCATrans 7; Rinehart v. Welker [2012] HCATrans 57. In Ashton v. Pratt [2011] NSWSC 1092, Hitchcock, a person who was neither a litigant nor a witness in a case, but who was referred to in the affidavit evidence in scandalous terms, intervened to make an application for, inter alia, an order under this Act that her name be suppressed on the ground that its publication would occasion detriment to herself and her daughter. The court dismissed the application on the basis that the applicant was unable to bring herself within any of the grounds. See also: State of New South Wales v. Plaintiff A [2012] NSWCA 248.
52 Since these legislative prohibitions on the publication of identity are automatic, the rationale for their existence must be found in parliamentary materials, such as second reading speeches and explanatory memoranda. If no rationale is articulated in these materials, it is largely a matter of inference as to whether or not a particular prohibition was enacted out of a concern to protect privacy.
53 See, e.g., Crimes Act 1914 (Cth) s. 20C(1); Criminal Code 2002 (ACT) s. 712A; Children (Criminal Proceedings) Act 1987 (NSW) ss. 4, 15A–15G; Young Offenders Act 1997 (NSW) s. 65; Youth Justice Act (NT) s. 50; Youth Justice Act 1992 (Qld) s. 301; Young Offenders Act 1993 (SA) ss. 13, 63C; Magistrates’ Court (Children’s Division) Act 1998 (Tas) s. 12; Youth Justice Act 1997 (Tas) ss. 22, 31, 45, 108; Children Youth and Families Act 2005 (Vic) s. 534; Children’s Court of Western Australia Act 1988 (WA) ss. 35, 36, 36A; Young Offenders Act 1994 (WA) s. 40.


provision for children is made in view of their peculiar vulnerability, their reduced degree of culpability for their actions and the overwhelming importance of their rehabilitation, which takes precedence over punishment and deterrence.54 Anonymity is regarded as more conducive than publicity to securing their rehabilitation, although this proposition is not uncontested.55 While the prohibition on naming children is directed to procuring these particular ends, it clearly has privacy overtones. Second, all jurisdictions have legislation that prohibits victims of sex offences from being named or identified, at least without their consent.56 The object of the prohibition is twofold: to encourage the reporting and prosecution of sexual offences (this objective has a clear link with the administration of justice) and to minimise the trauma, stress, humiliation and embarrassment for the complainant (at common law, this second consideration is probably not weighty enough to displace open justice, since it lacks the requisite connection with the administration of justice). Third, each jurisdiction has enacted legislation that prohibits the publication of the identities of those involved in adoption proceedings.57 Clearly, the objective is to protect the privacy of all those involved in an adoption procedure. Finally, s. 121 of the Family Law Act 1975 (Cth) prohibits the publication of an account of proceedings under that Act that identifies a party, a person who is related to or associated with a party, or a witness. Anonymity is conferred because family law proceedings concern areas of people’s lives over which they have a reasonable expectation of privacy, including their finances, sexual conduct, family life, parenting, health and so on.58

54 These justifications are discussed in detail in S. Rodrick, ‘Open Justice, the Media and Identifying Children Involved in Criminal Proceedings’ (2010) 15 Media and Arts Law Review 409.
55 Ibid.
56 See, e.g., Crimes Act 1914 (Cth) s. 15YR; Evidence (Miscellaneous Provisions) Act 1991 (ACT) s. 40; Crimes Act 1900 (NSW) s. 578A; Sexual Offences (Evidence and Procedure) Act (NT) ss. 6–13; Criminal Law (Sexual Offences) Act 1978 (Qld) Pt. 3; Evidence Act 1929 (SA) s. 71A; Evidence Act 2001 (Tas) ss. 194K, 194L; County Court Act 1958 (Vic) ss. 80, 80AA; Magistrates’ Court Act 1989 (Vic) s. 126; Supreme Court Act 1986 (Vic) ss. 18, 19; Judicial Proceedings Reports Act 1958 (Vic) s. 4. Where the accused and victim are related and identifying the former would identify the latter, it may be necessary to anonymise the accused.
57 Adoption Act 1993 (ACT) s. 97; Adoption Act 2000 (NSW) s. 180; Adoption of Children Act (NT) s. 71; Adoption Act 2009 (Qld) ss. 307Q, 315; Adoption Act 1988 (SA) ss. 31, 32; Adoption Act 1988 (Tas) ss. 99, 109; Adoption Act 1984 (Vic) s. 121; Adoption Act 1994 (WA) s. 124.
58 The notion that family cases stand apart from other cases in terms of the participants’ need for privacy is discussed in Russell, above n. 11, 536, 555; Re W: Publication Application


Identity restrictions may also be imposed in other contexts. For example, there is usually a prohibition on publishing the identity of persons who appear before mental health tribunals or courts.59 In the immigration context, federal courts are prohibited from publishing the name of an applicant for a protection visa or a protection-related bridging visa, or the name of a person whose protection visa or a protection-related bridging visa has been cancelled.60

Conclusion

For the reasons explained above, privacy has not featured prominently as a basis for anonymity orders made by Australian judges, although concern for privacy protection appears to underlie many of the legislative prohibitions on identifying persons who become embroiled in specific types of legal proceedings. While in most cases it will be appropriate that open justice should trump privacy, the fact that persons involved in legal proceedings generally do not have privacy rights that they can assert means that Australian courts are not able to take into account all germane factors in the process of reaching a decision regarding anonymity. This is in stark contrast to the UK position, described in the second section of this chapter.

Privacy and anonymity orders in judicial proceedings in the United Kingdom

The impact of the European Convention on Human Rights

Prior to adopting the ECHR into its domestic law via the Human Rights Act 1998 (UK) (HRA), the position in the UK regarding anonymity orders was similar to that which prevails in Australia. However, since the commencement of the HRA in October 2000, UK judges have developed the common law ‘in light of the Convention and its jurisprudence’.61

(1997) FLC 92–756; I. McCall, Publicity in Family Law Cases: Proposals for Amendments to the Family Law Act s. 121, (Report to the Commonwealth Attorney-General, Canberra: Attorney-General’s Department, 1997).
59 See, e.g., Mental Health Act 2007 (NSW) s. 162; Mental Health Act 2000 (Qld) s. 526.
60 Migration Act 1958 (Cth) s. 91X.
61 Report of the Committee on Super Injunctions, above n. 23, [1.4]. S. 6 of the HRA requires the court, as a public authority, to act compatibly with Convention rights and s. 1(1) of that Act requires the courts to take into account judgments of the European Court of Human Rights.


Three rights enshrined in the ECHR are typically at stake when an application for an anonymity order is made. The first is Article 6, which confers on litigants a right to a fair and public hearing in the determination of their civil rights or obligations or criminal charges brought against them. Moreover, judgment must be pronounced publicly. However, Article 6 goes on to provide that:

the press and public may be excluded from all or part of the trial in the interest of morals, public order or national security in a democratic society, where the interests of juveniles or the protection of the private life of the parties so require, or to the extent strictly necessary in the opinion of the court in special circumstances where publicity would prejudice the interests of justice.

The second is Article 8, which protects the applicant’s ‘right to respect for his private and family life, his home and his correspondence’.62 The third is Article 10, which confers a right to freedom of expression, which is expressed to include ‘the freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers’. Article 10 is relevant because an anonymity order prevents information from being published and thus impinges on the freedom of expression of those who are bound by it. It is important to note that these Articles do not automatically come into play merely because a party asserts this to be the case. Whether a Convention right is enlivened in a particular case is ultimately a matter for the court to decide on the evidence. Thus it is incumbent on the person seeking to protect their privacy through an anonymity order to demonstrate that Article 8 is engaged. This requires the applicant to adduce cogent evidence of how (s)he anticipates that his or her private and family life would be affected if (s)he were identified. A similar observation can be made in respect of a party asserting rights under Article 10. When Articles 8 and 10 are both in play, neither enjoys automatic priority, nor is there a presumption in favour of one over the other.63 Rather, where the values under the two Articles are at loggerheads, the court must balance the competing claims against each other and make a decision as to their comparative importance by asking: to what extent is it ‘necessary

62 An applicant for an anonymity order may be seeking protection of Convention rights other than the right to privacy in Art. 8. They include the right to life (protected in Art. 2) and the right not to be subjected to degrading treatment or punishment (protected in Art. 3). In view of the fact that this chapter is concerned with privacy, it will focus on Art. 8.
63 Campbell v. MGN Ltd [2004] UKHL 22, [2004] 2 AC 457, [55]; Re S (A Child), above n. 15, [17].


to qualify the one right in order to protect the underlying value which is protected by the other’.64 The reception of Article 8 of the ECHR into domestic law has had numerous consequences, both for substantive law and for how cases are reported. First, it has been held that the courts’ power to make anonymity orders addressed to other people must exist, as it is one means by which the UK can fulfil its obligation under Article 8 to ensure that others respect an individual’s rights to privacy.65 In the UK, this jurisdiction now derives from rights under the ECHR and the HRA, not from the court’s inherent jurisdiction.66 Accordingly, any uncertainty that may have existed at common law regarding the existence and scope of the courts’ inherent jurisdiction to make such orders need not be resolved. This is not the case in Australia, where doubts linger as to whether a court’s inherent or implied powers support the making of anonymity orders that purport to bind persons outside the courtroom.67 Second, Article 8 of the ECHR has been the catalyst for the judicial transformation of the traditional action for breach of confidence into an action for misuse of private information. Such cases frequently come before the courts in the first instance as applications for an interim injunction to prevent the threatened misuse of private information. They are often accompanied by a request for an anonymity order, which is argued to be a necessary means of preserving the subject matter of the proceeding. However, an anonymity order may be sought for reasons other than as a means of protecting legally enforceable rights to privacy and confidentiality. A party to a civil or criminal case may seek to invoke his or her rights under Article 8 as a basis for obtaining a court order restraining the publication of normally reportable details about a case, including their identity. An example is a medical negligence action that involves health information that the plaintiff wishes to keep private. In such cases, however, the plaintiff’s privacy interests under Article 8 will be less likely to outweigh Articles 6 and 10 than in proceedings where privacy is necessary to preserve the subject matter of the action. Third, the consequence of incorporating the ECHR into domestic law is that the process of evaluating applications for anonymity orders is now

64 Campbell v. MGN Ltd, ibid, [55].
65 Guardian News, above n. 3, [29]–[30]. If a court was only concerned to prevent itself from unlawfully infringing a person’s Art. 8 rights, it could discharge that responsibility by anonymising its judgments and need not make orders addressed to other people, including the media: [28]–[29].
66 Re S (A Child), above n. 15, [23].
67 See above n. 2.


quite different to the process undertaken by Australian courts, as this ‘rights based’ approach has brought a different focus and methodology to the inquiry. Owing to the fact that Article 8 confers a right to respect for privacy, potential or actual litigants in the UK who seek anonymity are in a much stronger position to argue from a privacy perspective than litigants in Australia. The presence of Article 10 gives media organisations (normally the ones contesting an application for name suppression) the right to assert their own entitlement to freedom of expression;68 they are not merely a vehicle or instrument through which the administration of justice is enhanced. The media can also argue, on the public’s behalf, that the public have a right to know what courts are doing, since courts control legislative and executive actions.69 Thus open justice is regarded as a ‘vigorous manifestation of the principle of freedom of expression’.70 This is not the case in Australia, where courts regard open justice as an aspect of the administration of justice, but not, generally, as an aspect of free speech. The most overt statement to this effect was made in John Fairfax Publications Pty Ltd v. Ryde Local Court71 where Spigelman CJ said:

the principle [of open justice] has purposes related to the operation of the legal system. Its purposes do not extend to encompass issues of freedom of speech and freedom of the press.72

Accordingly, in Australia courts tend to focus on the media’s role in giving substance to the disciplining effect that open justice has on the participants in a judicial proceeding, since this is regarded as the primary purpose of the principle.73 Open justice is not a ‘right’ of the media. Whether the employment of this different methodology by UK courts is likely to produce different outcomes depends on what factors would cause them to find that an applicant’s right to privacy justifies derogation from open justice and outweighs the right of the media and the public to

68 The ‘right to know’ under Art. 10 embraces the right to receive information as well as a right to impart it.
69 R (on the application of Mohamed) v. Secretary of State for Foreign and Commonwealth Affairs [2010] EWCA Civ 65, [2011] QB 218, [39]–[40].
70 Ibid., [39].
71 John Fairfax Publications Pty Ltd v. Ryde Local Court [2005] NSWCA 101, (2005) 62 NSWLR 512, [60].
72 Eric Barendt has observed that the importance of fairness of legal procedure (which includes open justice) was enshrined in the common law ‘well before it attached any significance to freedom of expression’: E. Barendt, Freedom of Speech, 2nd edn (Oxford University Press, 2005), p. 312.
73 In similar vein, the public’s knowledge, typically gained through media reports, is valued because of the disciplining effect it exerts on the participants in the proceeding.


freedom of expression. This can only be resolved on a case-by-case basis. Indeed, by their very nature these issues are ‘case-sensitive’.74 Finally, it should be noted that, as in Australia, specific statutory provisions and rules of court in the UK require or permit anonymity in specific types of proceedings.75 The following section will discuss anonymity orders that are sought in conjunction with interim injunctions to prevent the threatened misuse of private information, as it is this scenario that has brought privacy issues to the forefront of the court’s attention and has dominated recent UK jurisprudence on name suppression orders.

Interim injunctions to prevent the threatened misuse of private information

Obtaining an interim injunction

As stated above, parties in UK cases often request anonymity when seeking an interim injunction to restrain a threatened misuse of private information. A typical scenario is where a person (‘the respondent’) is intending to publish certain information about a high-profile figure, often an actor, television presenter, sportsperson or politician (‘the applicant’). The information often concerns some kind of sexual indiscretion committed by the applicant, such as an extra-marital affair or an encounter with a prostitute.76 The threatened publication might be a forthcoming book, article or interview with a media organisation. The applicant comes to court seeking an interim injunction to stop the respondent from publishing the information pending conclusion of the trial. Since interim injunctions are ‘procedural remedies ancillary to substantive law’, they cannot be granted unless a substantive legal right exists.77 If granted, they simply maintain the status quo until trial, when rights are determined.78

74 Report of the Committee on Super-Injunctions, above n. 23, [1.30].
75 See, for example, Court of Protection Rules 2007 (UK) r. 90, 91 discussed in W (by her litigation friend) v. M (by her litigation friend the Official Solicitor) [2011] EWHC 1197, [2011] 4 All ER 1295; Administration of Justice Act 1960 (UK) s. 12; Children and Young Persons Act 1933 (UK) s. 39; Children Act 1989 (UK) s. 97; Civil Procedure Rules 1998 (UK) Pt. 39.2(4); Sexual Offences (Amendment) Act 1992 (UK) s. 1.
76 But note that the applicant might not always be seeking to protect information covered by Art. 8. An applicant might be seeking to protect a trade secret or to protect his or her right to life under Art. 2.
77 Report of the Committee on Super-Injunctions, above n. 23, [1.8]. On the postulated scenario, the substantive right is the action for breach of confidence or misuse of private information.
78 Report of the Committee on Super-Injunctions, above n. 23, [2.5].


Since the application seeks to restrict the publication of information, Article 10 ECHR is engaged. In cases where the grant of interim relief by a court might affect the exercise of the Convention right to freedom of expression, s. 12 of the HRA is enlivened. This provision aims to safeguard freedom of expression at the interlocutory stage by providing that interim relief is not to be granted where the respondent is neither present nor represented, unless the court is satisfied that the applicant has taken all practicable steps to notify the respondent or there are compelling reasons why the respondent should not be notified.79 Ex parte orders of this nature are rare and, where made, are usually limited in duration. Moreover, no interim relief restraining publication before trial can be granted unless the court is satisfied that the applicant is likely to establish that publication should not be allowed. This means that the onus is on the applicant to prove that it is more likely than not that (s)he will succeed at trial.80 An interim injunction binds those to whom it is addressed and third parties who have notice of it (the latter is known as the Spycatcher principle).81 Notifying third parties of the application or the injunction has the effect of bringing them within the contempt jurisdiction of the court,82 which effectively prevents them from publishing the information.83

79 S. 12 of the HRA also protects ‘any non-parties whom the applicant intends, at the time the application is made, to bring within the terms of any order granted’: Report of the Committee on Super-Injunctions, above n. 23, [3.22]; Master of the Rolls, Practice Guidance: Interim Non-Disclosure Orders (2011), (1) Guidance [19]. Accordingly, these non-parties are entitled to advance notice of the application. However, Guidance [24] stipulates that where an applicant is obliged to provide advance notice of an application to a non-party or notifies a non-party of an order, any ‘material supplied to the non-party by the applicant shall be supplied upon the applicant receiving an irrevocable written undertaking to the court that the material and the information contained within it, or derived from such material or information, will only be used for the purpose of the proceedings’.
80 Cream Holdings Ltd v. Banerjee [2004] UKHL 44, [2005] 1 AC 253, [22], [23]. Lord Nicholls noted, however, that this is just a general threshold; there may be cases where ‘a lesser degree of likelihood will suffice as a prerequisite’, such as where the consequences of disclosure are ‘particularly grave’: [22]. See also: ASG v. GSA [2009] EWCA Civ 1574, [4].
81 Attorney-General v. Newspaper Publishing plc [1988] 1 Ch 333.
82 A media organisation might be a party to the proceedings, and thus would be directly bound by any injunction issued by the court, or it might be a third party to whom the injunction is notified.
83 Report of the Committee on Super-Injunctions, above n. 23, [2.6], [2.10]. The position is different where a permanent injunction has been issued, either at the end of a trial or by the consent of the parties. At this point, the Spycatcher principle is exhausted. This creates the unusual situation that an applicant is granted a permanent injunction against the respondent but his or her rights are not protected vis-à-vis third parties who are not parties to the litigation: Jockey Club v. Buffham [2002] EWHC 1866 (QB), [2003] QB 462. This has created reluctance on the part of applicants to see proceedings through


Obtaining an anonymity order in conjunction with an interim injunction – general propositions

While it is possible that an interim injunction restraining the disclosure of private information might be obtained without any ancillary reporting restrictions, such as an anonymity order,84 there will frequently be an ‘obvious difficulty in at the same time complying with the principle of open justice and giving an effective remedy for threatened misuse of private information’.85 Since it would be futile for the courts to issue an interim injunction to prevent misuse of the applicant’s private information and then proceed to undermine this protection by the way in which the application is processed,86 courts are regularly called upon to determine ‘the precise extent of what can be reported about the proceedings themselves’.87 This has been described as ‘every bit as fact-sensitive as the anterior exercise of deciding whether to make an order restraining publication of the private information in the first place’.88 The applicant for the injunction will frequently seek an anonymity order regarding any court documents lodged in the application89 and in any report of the proceedings, on the basis that to disclose his or her identity would destroy the very purpose and intent of the action. The application for anonymity might be coupled with other requests, which, if granted, would involve additional derogations from open justice. They include: that the application for the interim injunction be heard in private and/or that the injunction should prohibit the publication of the very existence of the orders and proceeding (known colloquially as a ‘super-injunction’).90 While the focus of this chapter is on

to the end. But see OPQ v. BJM [2011] EWHC 1059 (QB), [2011] EMLR 23 where, in order to overcome this problem, Eady J granted an injunction contra mundum – an injunction binding the whole world – in a privacy case involving blackmail allegations.
84 See: Report of the Committee on Super-Injunctions, above n. 23, [1.14].
85 Terry (formerly LNS) v. Persons Unknown [2010] EWHC 119 (QB), [2010] EMLR 16, [108].
86 Master of the Rolls, Practice Guidance: Interim Non-Disclosure Orders, (1) Guidance [14].
87 JIH v. News Group Newspapers Ltd [2011] EWCA Civ 42, [2011] 2 All ER 324 (JIH), [5].
88 Ibid.
89 Civil procedure rules ordinarily require identifying particulars to be included in documents lodged with the court.
90 An order that the application be heard ex parte and/or that the injunction take the form of a super-injunction might be made out of concern that if the respondent is tipped off about the application, (s)he could frustrate the order before it is made or before (s)he can be served with it (such as by disclosing the information or by destroying evidence that would identify the respondent as the source of the leak of the information) and in so doing avoid being in contempt of court: Terry (formerly LNS) v. Persons Unknown,


anonymity orders, in reality it is often not possible to unravel these other related applications,91 as they are all aimed at providing ‘practical solutions to the inevitable danger that the application itself will result in what is said to be private information becoming public’.92 A number of general propositions regarding applications for anonymity and other restraints on the publication of details about a case are contained in the judgment of the Master of the Rolls in JIH v. News Group Newspapers Ltd (JIH). These propositions are reiterated in the conclusions and recommendations of the Report of the Committee on Super-Injunctions. They also appear in the Practice Guidance: Interim Non-Disclosure Orders, issued by the Master of the Rolls on 1 August 2011, which sets out recommended practice regarding applications for interim injunctive relief in civil proceedings to restrain the publication of information. The starting point is that an anonymity order is ‘a derogation from the principle of open justice’93 and ‘an interference with the Article 10 rights of the public at large’.94 Accordingly, the general rule, even in cases where private matters are in issue, is that the names of the parties to an action are included in the orders and judgments of the court.95 Second, an order for anonymity or other reporting restrictions should not be made simply because the parties consent, because parties cannot waive the rights of the public.96 Third, public figures are not accorded any special treatment in this respect; they are entitled to the same protection as others.97 Fourth, in considering whether to make an anonymity order on the grounds of Article 8 ECHR, the court should examine the application and evidence intensely and ask ‘whether there is sufficient general, public interest in

above n. 85, [138]. Thus the order is made to facilitate effective service of the injunction. See also: Goldsmith & Khan v. BCD [2011] EWHC 674 (QB). A super-injunction may also be made to prevent ‘jigsaw identification’ of the applicant. This occurs where a media organisation reports the making of the order, adding fragments of identifying information that are then supplemented by partial revelations published in other media or on the Internet: DFT v. TFD [2010] EWHC 2335 (QB), [29]–[32]. However, super-injunctions are extremely rare and, where made, are inevitably expressed to expire on the return date.
91 AMM v. HXW [2010] EWHC 2457 (QB), [43].
92 DFT v. TFD, above n. 90, [9].
93 JIH, above n. 87, [21] point 3. The Report of the Committee on Super-Injunctions, above n. 23 at [1.32], stated that the principle of open justice applies equally to applications for interim non-disclosure orders as it does to trials, observing that this takes the common law further than the Strasbourg jurisprudence expounded in cases such as Micallef v. Malta [2009] ECHR 1571, [75]. See also: ABC Ltd v. Y [2010] EWHC 3176 (Ch), [2012] 1 WLR 532, [33].
94 JIH, above n. 87, [21] point 3.
95 JIH, above n. 87, [21] points 1 and 2.
96 JIH, above n. 87, [21] point 7; Gray v. UVW [2010] EWHC 2367 (QB), [33].
97 JIH, above n. 87, [21] point 6.

Open justice, privacy and suppressing identity


publishing a report of the proceedings which identifies a party and/or the normally reportable details to justify any resulting curtailment of his right and his family’s right to respect for their private and family life’.98 Courts should also consider whether there is any less restrictive or more acceptable alternative than that which is sought, since derogations must be kept to an absolute minimum.99 Any decision to grant the order is not regarded as an exercise of the court’s discretion, but as the discharge of an obligation.100 Fifth, where a judge makes an anonymity order at the interlocutory stage of an injunction application, the order must be reviewed at the return date101 and throughout the proceedings;102 it does not subsist for the duration of the proceedings.103 Finally, even when an anonymity order or an order restraining publication of normally reportable details is made, ‘then, at least where a judgment is or would ordinarily be given, a publicly available judgment should normally be given, and a copy of the consequential court order should also be publicly available, although some editing of the judgment or order may be necessary’.104

Circumstances in which anonymity orders are likely to be made in conjunction with interim injunctions

Despite the tenor of these propositions, it is not uncommon for anonymity orders to be made in conjunction with interim injunctions on the ground that they are needed to protect the applicant’s right to respect for privacy and family life under Article 8 ECHR. The ensuing paragraphs explain why this is so. If the case involves the revelation of sexual information (as many of these cases do), the applicant can usually show that his or her Article 8 rights are enlivened, since marital secrets and other sexual conduct is clearly information in respect of which the claimant has a reasonable

98 JIH, above n. 87, [21] point 5. See also: Secretary of State for the Home Department v. AP (No. 2) [2010] UKSC 26, [2010] 1 WLR 1652, [7].
99 JIH, above n. 87, [21] point 4. See also: Ntuli v. Donald [2010] EWCA Civ 1276, [2011] 1 WLR 294, [54]; Ambrosiadou v. Coward [2011] EWCA Civ 409, [52]; Report of the Committee on Super-Injunctions, above n. 23, [1.29].
100 AMM v. HXW, above n. 91, [34]–[35].
101 A return date is the date on which the injunction ceases to have effect unless it is renewed. A return date must be set by the judge. At this time, the respondent has an opportunity to contest the making of the interim order(s). The court would also consider submissions made by third parties affected by the order.
102 The same applies to other types of orders that restrain publication.
103 JIH, above n. 87, [21] point 8.
104 JIH, above n. 87, [21] point 9.


Sharon Rodrick

expectation of privacy.105 This is especially so if revelation of the applicant’s identity would likely lead to large-scale media intrusion into his or her life. For its part, the respondent can usually satisfy the court that its Article 10 ECHR rights are enlivened – since the application is to suppress the publication of information – but, depending on the circumstances, these rights may be very weak. As noted earlier, the court must then determine whether there is sufficient general, public interest in publishing a report of the proceedings that identifies the applicant to justify any resulting curtailment of his or her Article 8 rights.106 This is unlikely to be the case where the information concerns sexual conduct, as such conduct is intensely private and there is ordinarily no public interest in its disclosure, merely public prurience.107 How do courts weigh an applicant’s claim to respect for privacy under Article 8 against the orthodox approach to open justice? In Ntuli v. Donald, which involved an application for an anonymity order, it was argued that the strict common law test of necessity outlined in the first section of this chapter should be diluted on the basis that it preceded the HRA, ‘which, in providing for competing qualified rights (private life and freedom of expression), requires a more nuanced approach’.108 However, Lord Kay, with whom the other judges agreed, confirmed the common law necessity test laid down in the seminal case of Scott v. Scott109 and reiterated in Article 6 ECHR:

[I]t is significant that Article 6 of the ECHR itself prescribes a test of strict necessity in the context of publicity being permitted to be restricted in the interests of justice. However, as part of its consideration of all the circumstances of a case, a court will have regard to the respective and sometimes competing Convention rights of the parties.110

105 Argyll v. Argyll [1967] Ch 302; Stephens v. Avery [1988] 1 Ch 449; Mosley v. News Group Newspapers [2008] EWHC 1777 (QB), [2008] EMLR 20; BUQ v. HRE [2012] EWHC 774 (QB), [35]. One exception might be where the claimant has waived his or her privacy rights or where the sexual activity is abusive or amounts to harassment: BUQ v. HRE, [61].
106 Secretary of State for the Home Department v. AP (No. 2), above n. 98, [7].
107 There may be circumstances where the public do have a legitimate interest in being informed of a person’s sexual misconduct, but this countervailing public interest would need to be very weighty to justify disclosure.
108 Ntuli v. Donald, above n. 99, [51].
109 Scott v. Scott, above n. 16.
110 Ntuli v. Donald, above n. 99, [52]. See also: Gray v. UVW, above n. 96, [6]–[8]. The Report of the Committee on Super-Injunctions affirmed that derogations from open justice must be ‘necessary’ in order not to undermine the court’s ability to do justice both as between the parties and also in future cases, and when allowed, can go no further than what is ‘necessary’: Report of the Committee on Super-Injunctions, above n. 23, [1.17]–[1.19], [1.25].


When UK courts have found that an interim anonymity order is necessary in the interests of the administration of justice in a given case, they have generally done so because they have determined that the order is necessary to avoid the ‘danger that the application itself will result in what is said to be private information becoming public’.111 This is an orthodox conclusion under the common law’s strict necessity test, quite apart from Articles 6, 8 and 10, as derogations from open justice have always been permissible where they are necessary to preserve the subject matter of the action or, in this case, to prevent publicity from defeating the object of the application. It is just that the expansion of the action for breach of confidence to encompass the misuse of private information, coupled with the UK tabloid press’s insatiable appetite for scandal, has meant that such derogations are now more commonly sought. However, it is the right being protected that is novel, not the request for anonymity. Australian courts have not extended the action for breach of confidence to the same extent,112 although the absence of an equivalent of Article 8 in Australian domestic law does not prevent the courts from doing so. In many of the applications made to the UK courts in these contexts, the applicant has asserted that the respondent has threatened to publish the private information unless hush money is paid. In DFT v. TFD Sharp J described the Article 10 expression rights of blackmailers as ‘extremely weak (if they are engaged at all)’.113 However, in AMM v. HXW Tugendhat J noted that there might be scenarios where a blackmailer is actually under a duty to disclose the information;114 even so, the making of unwarranted monetary demands was held to be relevant to determining the existence and strength of their Article 10 rights.115 As explained earlier in this chapter, suppressing the identity of a blackmail victim is orthodox

111 DFT v. TFD, above n. 90, [9].
112 Australian courts have, however, widened the requirement that the information in question must have been imparted in circumstances importing an obligation of confidence. See, e.g., Franklin v. Giddins [1978] Qd R 72; Australian Broadcasting Corporation v. Lenah Game Meats Pty Ltd, above n. 8, [301] per Callinan J.
113 DFT v. TFD, above n. 90, [23]. Where an applicant is the subject of a blackmail attempt, this may also furnish him or her with a reason for making the application for an injunction without giving notice to the respondent: ASG v. GSA above n. 80; POI v. The Person Known as Lina [2011] EWHC 25 (QB); QWE v. SDF [2011] EWHC 3121 (QB).
114 AMM v. HXW, above n. 91, [24], [38], citing Thorne v. Motor Trade Association [1937] AC 797, 817. This may be the case if the information in question relates to the commission of a crime.
115 AMM v. HXW, above n. 91, [38].


common law principle.116 But whereas at common law the courts’ motive was to serve the public interest in exposing and punishing blackmail in the courts, today the anonymity order may also be made to protect the Article 8 rights of the blackmailee.117 As observed above, it is not inevitable that an anonymity order will be ‘necessary in the interests of justice’ where interim relief is being sought to prevent a misuse of private information. This is because there are circumstances in which it may be possible to identify the applicant without creating a serious risk that the private information will emerge as a result and defeat the purpose of the proceedings. For example, an anonymity order will not be necessary where the information in question can be described in general terms without disclosing the details that the applicant wishes to keep private. An example is where an applicant seeks an injunction to prevent a former spouse from publishing certain details of their life together.118 The court can usually cast its judgment and orders in such terms that they do not disclose those intimate details.119 Another example is where the applicant seeks an order prohibiting the publication of video images or photographs taken without permission. In this case, the order can usually name the applicant without disclosing the subject matter of the action.120 However, more often than not the court is faced with a choice between disclosing the identity of the applicant and disclosing details of the nature of the injuncted information; to do both would destroy the action. Where this is the case, the court will usually opt to restrict identity and allow more specific information about the subject matter of the action to be published, on the basis that this permits the public to gain a greater insight into the proceeding and ‘why the court acted as it did’.121 The court’s choice may depend on how the purpose of open

116 R v. Socialist Worker Printers and Publishers Ltd; Ex parte Attorney-General, above n. 24, is the seminal case on this issue.
117 KJH v. HGF [2010] EWHC 3064 (QB), [11].
118 See, for example, Hirschfield v. McGrath [2011] EWHC 249 (QB).
119 The fact that the applicant and the former spouse were once married is not private information; it is only the details of their relationship that are private.
120 POI v. The Person Known as Lina, above n. 113, [7]. In that particular case, however, an anonymity order was deemed necessary. See also Murray v. Express Newspapers plc [2008] EWCA Civ 446, [2009] 1 Ch 481.
121 JIH, above n. 87, [35]. See also: Hirschfield v. McGrath, above n. 118, [11]; SKA v. CRH [2012] EWHC 766, [39]. This option is discussed in greater detail below. Anonymisation also has the advantage of keeping the court’s options open in the event that the case proceeds, as ‘naming a claimant at the interim stage may produce an undesirable restriction on what could be said in a subsequent judgment, including a fully reasoned public judgment after a trial’: XJA v. News Group Newspapers Ltd [2010] EWHC 3174 (QB), [14].


justice is perceived. If its purpose is to facilitate oversight of the judges to ensure that they apply the law in a fair manner, then it is preferable for the court to grant anonymity orders and permit greater reporting of the subject matter of the action. However, from a free speech perspective there may be instances where the public interest encompasses the identity of the person who is invoking the court’s jurisdiction. Unless the court has issued a super-injunction, judgments are cast in such a way that they can be reported.122 Orders often prohibit the disclosure of any information concerning the subject matter of the proceedings or any information identifying or tending to identify the applicant save for that contained in the order and in any public judgment of the court,123 thereby minimising the risk of jigsaw identification and the need for a super-injunction.124 Finally, it is possible that anonymity orders might be continued even after an interim privacy injunction has been discharged.125

Conclusion

The enactment of the HRA has had a significant impact on the courts’ approach to anonymity orders. The incorporation of Article 8 ECHR into UK domestic law means that courts are obliged to entertain the possibility that the privacy rights of applicants will provide a basis for making such orders. This is tempered by Article 6 of the ECHR, which enshrines open justice, and by the UK courts’ insistence that derogations from open justice will be made only when necessary,126 with the result that, in most cases, the privacy interests of litigants in the UK can be expected to yield to open justice. However, although there is ‘no general exception to open justice where privacy or confidentiality is in issue’,127 anonymity orders are frequently made where they are deemed ‘necessary’ in order not to defeat the purpose of the proceedings. Due to the fact that UK courts have transformed the cause of action for breach of confidence into a privacy tort, anonymisation as a means of preserving the subject matter

122 Master of the Rolls, Practice Guidance: Interim Non-Disclosure Orders, above n. 79, [45].
123 Often there is a qualification that any information already in the public domain can be published.
124 A model order is recommended in Master of the Rolls, Practice Guidance: Interim Non-Disclosure Orders, above n. 79.
125 JIH, above n. 87.
126 Art. 8 is also tempered by the rights of the defendant, the media and the general public to freedom of expression, recognised in Art. 10.
127 Master of the Rolls, Practice Guidance: Interim Non-Disclosure Orders, above n. 79, [12]. See also: JIH, above n. 87, [21] point 2.


of the proceedings now occurs to a far greater extent in the UK than in Australia.128 This is particularly the case in relation to applications for interim injunctions to prohibit the publication of private information.

The pros and cons of anonymity

This section reflects on the pros and cons of anonymity from a more theoretical perspective. It asks: ‘what’s in a name?’ and considers whether anonymity would ‘smell as sweet’. Of course, there is no verifiable answer to this question: one’s response will depend on one’s view as to the relative importance of open justice, freedom of expression and privacy, and this will undoubtedly vary from case to case.129 However, it will be argued that, in most cases, the balance tilts in favour of publication. It should be noted that there is limited scope for many of the pros and cons outlined below to be aired in Australian courts when anonymity orders are being sought and/or resisted. It has already been explained that, in Australia, an applicant for an anonymity order who is relying on a judge’s common law powers must demonstrate that the order is necessary in the interests of the administration of justice and has no opportunity to raise arguments that have no bearing on that issue. In contrast, the existence of Article 8 ECHR, which confers privacy rights, and the requirement that courts balance this right against other rights, such as those protected by Articles 6 and 10 ECHR, means that there is greater opportunity for such arguments to be pressed in UK courts.

Arguments in favour of suppressing identity

There is no doubt that people can suffer distress, embarrassment, shame, physical, psychological and financial harm, loss of reputation, harassment and loss of privacy through being identified in the context of legal proceedings. Many would take the view that courts should be prepared to minimise this harm and that this can generally be done without causing injury to the administration of justice, the courts as institutions, the public and the media, and may even confer benefits. Thus, those whose sympathies lie with name suppression are likely to maintain that there is ‘not much’ in a name and that anonymity will often ‘smell as sweet’.

128 This was acknowledged in the Report of the Committee on Super-Injunctions, above n. 23, [1.14].
129 For example, as noted throughout this chapter, where the reporting of a name would jeopardise the subject matter of the action, privacy is likely to prevail.


Regarding the administration of justice, advocates of name suppression are likely to argue that it does not matter if names are anonymised and identities concealed, since the media remain free to publish all other information about the case. While name suppression derogates from open justice, the curb is minor and none of the purposes of the principle are significantly compromised: the judges remain accountable; the media can publish a fair and accurate report about the details, process and outcome of a case and can still scrutinise and critique the quality of justice meted out to the litigants. Indeed, courts often cite this as a justification for making an anonymity order rather than closing the court or suppressing the publication of other information about the proceedings.130 There are two reasons why anonymity orders have the potential to benefit the courts as institutions. First, it might be argued that more people would take legal action if they were assured of anonymity, especially people with public profiles. Thus anonymity would encourage resort to the courts as dispute resolution forums. This would enhance the standing of the courts in the community. Second, although open justice (including names) has always been taken to create confidence in the courts and in the administration of justice in a way that secrecy and suppression cannot, it is arguable that this is not always the case in respect of names and other identifiers. If, as expected, technological advancements continue to generate new ways of invading privacy, then privacy is likely to become an increasingly valued entitlement. This may give rise to an expectation within the community that the courts should modify their practices to accommodate the increased premium placed on privacy, and courts that fail to do so may suffer a decline in public trust and confidence.

Although the public’s ‘right to know’ is habitually touted by the media as the reason why an anonymity order should not be made, the right to know is a broad, overarching concept and will not often stand up to

130 R v. Socialist Worker Printers and Publishers Ltd; Ex parte Attorney-General, above n. 24; Taylor v. Attorney-General (NZ), above n. 27, 680; Re Application by Former Officer of Australian Security Intelligence Organisation [1987] VR 875, 876; ABC v. D1; Ex parte Herald & Weekly Times Ltd, above n. 31, [35]–[36]; West Australian Newspapers Ltd, above n. 14, [35]. See also JIH, above n. 87, where the Master of the Rolls explained that where a name is not suppressed, ‘it is hard to envisage circumstances where that would not mean that significantly less other information about the proceedings could be published than if the proceedings were anonymised’: [25]. By contrast, ‘the obvious corollary is that, if the claimant is accorded anonymisation, it will almost always be appropriate to permit more details of the proceedings to be published than if the claimant is identified’: [25]. Adopting the latter course is preferable as it means that the public have a better idea of the court’s doings than if the former course was adopted.


scrutiny when applied to a name itself. In other words, in most cases there is no specific public interest in knowing the name of a particular litigant or witness. When weighed against the invasion of privacy that might flow from identification, it could be argued that, in certain cases, privacy should trump open justice. Finally, advocates of name suppression might contend that anonymity enhances the quality of media output, since it forces the media to focus attention on the legal issues raised in the case rather than on the personalities of those involved; that is, anonymity ensures that it is the issue, not the person, that attracts media coverage. The media remain free to convey information about the subject matter of the case and the issues raised therein and can proffer opinions on its outcome, but cannot engage in sensationalistic, prurient journalism that simply panders to public curiosity about the litigants or witnesses. By contrast, freedom to publish names is a spur to the media to act irresponsibly and they may well do so. Indeed, there is no shortage of examples of inappropriate media behaviour in the reporting of court cases, especially in respect of the tabloid press: the media might follow and harass a person as they go to and from the court, or assemble and remain outside a person’s house for extended periods of time, or telephone or email a person seeking a response and so on. Prohibitions on publishing identifying information would remove any incentive to employ these tactics.

Arguments in favour of naming

Proponents of naming would refute the aforementioned arguments and claim that there is ‘lots’ in a name. As far as the public is concerned, those who support naming would argue that it is unnecessary to identify a precise public interest in knowing a person’s name. In Australia, the onus is on the person seeking anonymity to demonstrate to the court why their name should not be able to be reported.131 The circumstances in which the consequences of naming are too dire are already catered for in the common law exceptions and in the legislative prohibitions.132 There is no need for any broader concessions to be made to privacy in the form of anonymity.

131 At common law this means satisfying the court that suppression is necessary in the interests of the administration of justice. If the application for suppression is asking the court to make an anonymity order pursuant to legislative power conferred on it by Parliament, the test may be somewhat different.
132 Proponents of naming might argue that some of the legislative prohibitions go too far.


In any event, although those who wish to publish the names of persons involved in legal proceedings do not, and should not, bear an onus of proof, there will be cases where there is a demonstrable public interest in knowing the identity of a particular litigant or witness. Examples include:
• where suppressing a name gives the person a greater opportunity to reoffend or where knowledge of a person’s identity is necessary in order to protect public safety. Dangerous sex offenders are the most topical and significant example.133 There are justifiable reasons why people should know the names of sex offenders: it alerts them to the need for vigilance and enables them to take specific measures to protect themselves or their children. Other examples include the perpetrator of a fraudulent scheme who targets unwitting consumers and the names of doctors, lawyers and other professionals found guilty of crimes, negligence or professional misconduct in respect of their treatment of their patients or clients;
• where anonymity is likely to throw suspicion on others and invite speculation;134
• where unknown witnesses are less likely to come forward if identities are concealed, as they may not recognise the case as concerning events which they have witnessed;135
• where the public needs to know the identity of the parties or witnesses in order to be able to comprehend the true import of the evidence or to assess the outcome of the case. A good example of this is to be found in the Guardian News case.136 The appellant M was designated

133 The Victorian Parliament has recently amended the Serious Sex Offenders (Detention and Supervision) Act 2009 (Vic) to require judges to take into account the protection of children, families and the community, the offender’s compliance with any orders made under the Act and the location of the offender’s residential address when deciding whether to suppress an offender’s name and whereabouts. It is expected that these amendments will lead to a greater incidence of naming of sex offenders: The Hon. A. McIntosh MP, ‘New Emphasis on Child Safety in Sex Offender Laws’ (Media Release, 21 April 2012), www.premier.vic.gov.au/images/stories/documents/mediareleases/2012/120421_McIntosh_-_New_emphasis_on_child_safety_in_sex_offender_laws.pdf (accessed 5 November 2013).
134 J v. L & A, above n. 14, 47 per Fitzgerald P and Lee JA. In JIH, above n. 87, [38], the Court acknowledged that an anonymity order ‘runs the risk of unintentionally encouraging suspicion and gossip in relation to innocent third parties’.
135 The prospect of unknown witnesses coming forward is strongest when the crime is initially reported. By the time judicial proceedings commence, most witnesses would presumably have been located.
136 Guardian News, above n. 3.


a suspected terrorist under the Terrorism (United Nations Measures) Order 2006 and the Terrorism (United Nations Measures) Order 2009. These orders indicated that the Treasury suspected, on what it regarded as reasonable grounds, that M facilitates, or may facilitate, terrorism. As a result, M’s assets were automatically frozen. M challenged the freezing orders and sought anonymity on the basis that publication of his name would infringe his Article 8 ECHR rights in a number of specified ways, including that he would face the risk of physical harm. The UK Supreme Court held that Article 8 was engaged, but so was Article 10. Since both were enlivened, the Court had to determine which one should prevail. Ultimately, the Court held that Article 10 should trump Article 8. Aside from the fact that the evidence pertaining to the effect on M’s private and family life was general and not particularly compelling, one factor that significantly influenced the Court was that M had challenged the freezing order system through a press release issued by his solicitors, which listed the detrimental effects that the freezing order had had on M’s life and alleged that the UK government had dishonoured its pledge of accountability and oversight through Parliament. The Court was struck by the fact that M had taken the unusual course of coming to court and asserting the need for the press to respect his Article 8 rights by not reporting his identity, but at the same time had invited the press to report his version of the impact of the freezing order on his private life. The Court observed that the public could not make an informed assessment of M’s arguments if they were prevented from knowing his identity. Thus it concluded that publication of M’s identity would make a material contribution to a debate of public interest and should be permitted.

The principle of open justice has also been venerated because it is non-discriminatory. By contrast, as observed by Fitzgerald P and Lee JJA in J v. L & A Services Pty Ltd (No. 2):

exceptions to the principle of open justice deny equal rights to the disputing litigants and provide a benefit to some litigants which is unavailable to members of the general public.137

137 J v. L & A, above n. 14, 45. See also R v. Legal Aid Board ex parte Kaim Todner, above n. 13, 979. It must be conceded, however, that the effect of open justice may be quite uneven. Information that comes to light in one type of court case may have little impact on one litigant, but result in detrimental consequences for another.


While this reasoning does not support an unswerving application of open justice in all cases, it needs to be borne in mind when anonymity orders are sought. Regarding the courts, proponents of naming would emphasise that the courts are public institutions. People who institute civil legal proceedings have chosen to use a public forum to resolve their dispute and forfeit their privacy in doing so. People who do not want publicity are free to pursue other methods of dispute resolution that do not involve exposure of their identities, including mediation and arbitration. Of course this reasoning has no application to those who are being sued, but if defendants value their privacy greatly enough, they may elect to settle the case out of court and make confidentiality a term of the settlement, rather than defend the allegations in a public forum. Crimes are public wrongs and there is a legitimate and weighty community interest in knowing the identities of those who commit them, not only so that people can take steps to protect their own safety, but also because prosecutions are conducted by the state on behalf of the public using taxpayers’ money. On a more pragmatic level, it is very expensive to contest an application for anonymity. Indeed, the cost of opposing an application may be prohibitive for smaller media outlets. Identification prohibitions have to be backed up by the redaction of information from court documents, orders and judgments. Redacting personal information involves a significant financial cost, especially if it has to be done on a large scale.138 This cost comes out of court budgets. Finally, media organisations would argue that in order to encourage reporting of cases and stimulate public debate about the doings of the courts, it is necessary that they be able to name the participants, since naming (and any accompanying visuals) gives a human face to the story, which is an essential ingredient in journalism.

Interestingly, UK courts have been attracted to this argument. For example, in Re S (A Child) (Identification: Restrictions on Publication)139 Lord Steyn acknowledged that:

From a newspaper’s point of view a report of a sensational trial without revealing the identity of the defendant would be a very much disembodied trial. If the newspapers choose not to contest such an injunction, they are less likely to give prominence to reports of the trial. Certainly, readers

138 It is understood that the Family Court employs a number of people to anonymise court documents and judgments.
139 Re S (A Child), above n. 15, [34].


will be less interested and editors will act accordingly. Informed debate about criminal justice will suffer.

More recently, in Guardian News140 the United Kingdom Supreme Court, after posing the question that forms the title of this chapter – ‘what’s in a name?’ – responded:

‘A lot’, the press would answer. This is because stories about particular individuals are simply much more attractive to readers than stories about unidentified people. It is just human nature. And this is why, of course, even when reporting major disasters, journalists usually look for a story about how particular individuals are affected. Writing stories which capture the attention of readers is a matter of reporting technique, and the European Court holds that article 10 protects not only the substance of ideas and information but also the form in which they are conveyed … More succinctly, Lord Hoffmann observed in Campbell v. MGN Ltd [2004] 2 AC 457, 474, [59], ‘judges are not newspaper editors’ … This is not just a matter of deference to editorial independence. The judges are recognising that editors know best how to present material in a way that will interest the readers of their particular publication and so help them to absorb the information. A requirement to report it in some austere, abstract form, devoid of much of its human interest, could well mean that the report would not be read and the information would not be passed on. Ultimately, such an approach could threaten the viability of newspapers and magazines, which can only inform the public if they attract enough readers and make enough money to survive.141

140 Guardian News, above n. 3, [63].

141 The emphasis on the media’s right to publish is attributable to the fact that in these cases the media organisations were relying on their rights under Art. 10 and the courts were obliged to consider the issue of naming from the perspective of the media’s right to freedom of expression, not just as part of its role in securing the benefits of open justice.

There are two further reasons that, while they are not positive arguments in favour of naming, operate to weaken some of the arguments in favour of anonymity. First, anonymity orders are sometimes sought on the ground that the public would draw adverse inferences about the person seeking the order if their identity were made public. The most obvious example is that the public will assume the named person is guilty before this has been proven beyond reasonable doubt. Nevertheless, courts proceed on the assumption that people understand that a person is innocent until proven guilty, even though it is undoubtedly the case that significant and irreparable damage can be caused to a person’s reputation even if they are ultimately acquitted. Moreover, the media should not be precluded from publishing true information for fear that readers or viewers will misinterpret what is said or draw unjust or unwarranted inferences. As noted earlier, courts should be entitled to proceed on the basis that the public understands the difference between an accusation of guilt and a finding of the same. Accused persons whose names are not suppressed might be tempted to use the media to press their innocence, but must be careful not to infringe the law of sub judice contempt.

Second, the existence and pervasiveness of social media can operate to undermine anonymity orders and statutory prohibitions on naming. This is due to the likelihood that suppressed names will be disclosed on social media such as Facebook, Twitter and YouTube or on blogs. Whether or not this constitutes a breach of the prohibition on naming will depend on the precise wording of the anonymity order (if the prohibition is made by court order) or on the width of the definition of ‘publish’ (if the prohibition is enshrined in legislation) and on the extent to which the information is foisted on a person who visits a site.142 If posting the name on social media does not constitute a breach of a prohibition, the law has created a distinction between social media and mainstream media, which the latter would argue is unprincipled. Conversely, if posting the prohibited name on the Internet does breach the law, there remains the issue of whether there will be an incentive to prosecute those responsible. If the information has gone ‘viral’, those guilty of breaching the order may be so numerous that it would not be feasible to prosecute them all and not fair to selectively prosecute some. While the pursuit of bloggers for breach of anonymity orders is not unknown,143 it is far easier to pursue mainstream media organisations that have breached an anonymity order or legislative prohibition, as they are ‘readily identifiable for legal action’.144 Any discrepancy in the state’s preparedness to prosecute a breach creates a practical (though not a legal) divide between mainstream and social media. Thus the enforcement of naming restrictions may create unfairness on an applied level.145

142 For comments on the latter see: News Digital Media Pty Ltd v. Mokbel [2010] VSCA 51, (2010) 30 VR 248, [60]–[97].

143 Slater v. Police [2011] NZHC 722.

144 Barrett, ‘Open Justice or Open Season?’, above n. 36, 16.

145 This problem pervades many areas of the law, not just reporting restrictions.

Conclusion

The paucity of privacy protection in Australia, due in large measure to the absence of a human rights framework such as that which exists in the UK, means that privacy considerations have very little impact on judicial decisions regarding anonymity orders, although many of the legislative prohibitions on naming persons involved in legal proceedings appear to be enacted out of deference to privacy or interests that come under the rubric of privacy.146 Privacy issues feature more prominently in the UK, where applications for anonymity orders often require courts to pit the applicant’s privacy rights against other competing rights, namely, open justice and the media and the public’s right to freedom of expression. While meritorious arguments can be made in favour of preserving an applicant’s anonymity, it is suggested that, in most cases, the arguments in favour of allowing publication of identities will be more compelling. Nevertheless, it is desirable that privacy issues should be able to be articulated by an applicant, irrespective of whether this ultimately results in an anonymity order being made, as it obliges the court to have regard to the effect of the revelation of identity on the applicant, thereby engaging it in a more well-rounded consideration of all the issues at stake.

146 But see above n. 52.

17 Interim injunctions for invasions of privacy: challenging the rule in Bonnard v. Perryman?

Normann Witzleb

Introduction

The United Kingdom law on the protection of personal privacy has changed beyond recognition since the enactment of the Human Rights Act 1998 (UK) (HRA). Over the course of a decade, the UK has developed from a laggard in privacy protection to a jurisdiction that not only matches European standards but can now also claim to have the most vigorous public and legal discourse on privacy rights. The courts have had the central role in developing the new law. They quite keenly embraced the task given to them by Parliament of bringing UK law into line with the requirements of the European Convention on Human Rights (ECHR or Convention). Despite occasionally quite strong media opposition, the courts have developed a well-balanced and increasingly mature jurisprudence on privacy. The leading decision remains the judgment in Campbell v. MGN Ltd,1 in which the House of Lords recognised a distinct cause of action for the ‘misuse of personal information’. This decision has removed the protection of privacy from the shackles of the equitable doctrine of breach of confidence and effectively created a common law right to privacy. Also of particular significance is the decision of the European Court of Human Rights in Von Hannover v. Germany,2 which was handed down only a few weeks after Campbell and provided further guidance on a range of issues, including the privacy protection of public persons and when publications can be justified by the public interest.

While the judicial approaches appear now mostly well established, there continues to be a broad political and social debate about the value and proper limits of privacy. There have been a number of official inquiries to investigate whether the law of privacy is sufficiently effective to maintain proper media standards.3 The telephone hacking scandal that engulfed and ultimately brought down the News of the World was the most vivid demonstration that respect for privacy is not embraced in all quarters of the media. It prompted a public inquiry, chaired by Lord Justice Leveson, into the culture, practices and ethics of the press.4 The Leveson inquiry recommended legislation for a new self-regulatory regime, in which an independent body maintains regulatory oversight of press standards.5 A further inquiry, by the Joint Committee on Privacy and Injunctions, sought to provide further guidance on how the appropriate balance between privacy and freedom of expression should be struck, and on issues relating to media regulation in this context.6

1 Campbell v. MGN Ltd [2004] UKHL 22, [2004] 2 AC 457 (Campbell).

2 Von Hannover v. Germany (Application no. 59320/00) [2004] ECHR 294, (2005) 40 EHRR 1 (Von Hannover).

3 E.g., Select Committee on Culture, Media and Sport, Press Standards, Privacy and Libel, House of Commons Paper no. 362-I, Session 2009–10 (2010).

4 Lord Justice Leveson, An Inquiry into the Culture, Practices and Ethics of the Press, House of Commons Paper no. 780 (London: The Stationery Office, 2012).

5 Ibid., pt. K, ch. 7.

6 Joint Committee on Privacy and Injunctions, Privacy and Injunctions, House of Lords Paper no. 273, House of Commons Paper no. 1443, Session 2010–12 (2012).

Structure of the chapter

This chapter deals with a remedial aspect of privacy protection, namely, the principles applying to the grant of interlocutory injunctions for privacy invasions. The importance of this remedy in privacy cases is difficult to overstate. Injunctions have been described as the ‘most important recourse’ for claimants7 and as ‘vital in privacy cases, far more so than in defamation’.8 The next part of this chapter will consider the principles that guide courts in determining applications to grant interim relief for privacy invasions. In essence, privacy (protected by Article 8 of the ECHR) and freedom of expression (Article 10 of the ECHR) enjoy presumptive equality, so that decisions on interlocutory relief require a balancing process that calls for an ‘intense focus’9 on the individual circumstances. Where a claimant’s privacy interest is likely at trial to outweigh other interests and an interlocutory injunction will be the only effective remedy, the court tends to grant an injunction. This approach stands in marked contrast to the law of defamation, where the courts continue to follow a long-standing rule against prior restraint, the so-called rule in Bonnard v. Perryman.10 Under this rule, which will be examined in the third part of this chapter, injunctive relief against defamation is exceedingly difficult to obtain. It will be denied unless it is clear to the court that the defendant’s action cannot be defended.

The fourth part of this chapter will explain the difficulties that arise where a claimant could proceed both under privacy and defamation. Until now, it has been unclear how cases that straddle both causes of action should be dealt with. Some courts have held that it may amount to an abuse of process for applicants to ‘dress up’ an action to protect their reputation as a privacy claim in order to circumvent the rule against prior restraint.11 On the other hand, commentators have suggested that the Convention requires the courts to engage in the balancing process between Article 8 and Article 10 rights, regardless of whether the claim could also be framed as defamation.12

The fifth part of this chapter will evaluate the conflicting arguments and conclude that it is likely to be incompatible with the Convention to apply the current inflexible rule to threatened publications that affect the claimant’s private life, notwithstanding the fact that they may be defamatory. Apart from this reason of principle, a flexible approach also has policy arguments on its side. The rationales usually advanced for the rule in Bonnard v. Perryman do not require that it be extended to cases where privacy and defamation overlap. Lastly, there are pragmatic reasons why the court should respect the claimant’s choice of cause of action, namely that it is unlikely that this approach would lead to different outcomes in many cases and that it would remove unnecessary uncertainty from interim proceedings.

7 NSW Law Reform Commission, Invasion of Privacy, Consultation Paper no. 1 (2007), [8.34].

8 H. Fenwick and G. Phillipson, Media Freedom under the Human Rights Act (Oxford University Press, 2006), p. 807.

9 In Re S (A Child) [2004] UKHL 47, [2005] 1 AC 593, [17].

10 Bonnard v. Perryman [1891] 2 Ch 269 (Bonnard).

11 Terry (formerly LNS) v. Persons Unknown [2010] EWHC 119 (QB), [2010] EMLR 16 (Terry).

12 R. Clayton and H. Tomlinson, The Law of Human Rights, 2nd edn (Oxford University Press, 2009), [15.28].

Interim injunctions to protect privacy in the UK

The enactment of the HRA proved to be a watershed moment for the development of privacy protection in the UK. By incorporating the ECHR into domestic law, the UK Parliament required all public authorities to act compatibly with every individual’s right to respect for his or her private life (s. 6(1) of the HRA in connection with Article 8 of the ECHR). Even where the privacy dispute concerns two private parties, the courts are under an obligation to decide this dispute compatibly with Convention rights (s. 6(3) of the HRA), and in doing so to have regard to the case law of the European Court of Human Rights (s. 2(1) of the HRA), which imposes a positive obligation on states to protect family and private life also as between private parties.13

13 Von Hannover, above n. 2.

Misuse of personal information

In fulfilment of these obligations, the UK courts decided to provide claimants with a direct right of redress if the publication of personal information constituted an undue interference with their private lives. In Campbell v. MGN Ltd Lord Nicholls suggested that this new jurisprudence should no longer be regarded as an extension of the breach of confidence doctrine but as a separate cause of action that he described as the ‘misuse of personal information’.14 Subsequent cases have largely adopted this analysis.15 Unhappy about these newly imposed restraints, some media representatives argued that this amounted to judicial legislation.16 However, the debates on the Human Rights Bill leave little doubt that the UK Parliament was acutely aware that the Bill would effectively introduce a right to privacy, and thereby impact on media practices.17

The new methodology examines a privacy claim in two steps. At trial, the claimant must first establish that he or she has a reasonable expectation of privacy in relation to the information at issue. If there is such a reasonable expectation, the claimant’s rights under Article 8 of the ECHR are engaged and there is a prima facie right to protection of the information. The court will then move to the second stage and examine justifications for the interference with the claimant’s privacy (Article 8(2) of the ECHR). Where the complaint concerns a publication, the major concern at the second stage will be the defendant’s right to freedom of expression (as protected by Article 10 of the ECHR), the public interest in receiving information (also protected by Article 10 of the ECHR) and other public interests. Any conflict between both fundamental rights is now generally resolved with reference to the four propositions which Lord Steyn In Re S (A Child) extracted from the opinions in Campbell v. MGN Ltd:

First, neither article has as such precedence over the other. Secondly, where the values under the two articles are in conflict, an intense focus on the comparative importance of the specific rights being claimed in the individual case is necessary. Thirdly, the justifications for interfering with or restricting each right must be taken into account. Finally, the proportionality test must be applied to each. For convenience I will call this the ultimate balancing test.18

14 Campbell, above n. 1, [14] (Lord Nicholls).

15 Murray v. Express Newspapers plc [2008] EWCA Civ 446, [2009] Ch 481; McKennitt v. Ash [2006] EWCA Civ 1714, [2008] QB 73 (McKennitt); Lord Browne of Madingley v. Associated Newspapers Ltd [2007] EWCA Civ 295, [2008] QB 103.

16 This argument was most forcefully put by Paul Dacre (editor of the Daily Mail). See, e.g., his evidence to the House of Lords Select Committee on the Constitution, Relations between the Executive, the Judiciary and Parliament, House of Lords Paper no. 151, Session 2006–07 (2007) 73 (Q349). A similar note was struck by Prime Minister David Cameron in relation to super-injunctions: O. Bowcott, ‘Privacy Law Should be Made by MPs, not Judges, says David Cameron’, Guardian (Online), 22 April 2011, www.guardian.co.uk/media/2011/apr/21/cameron-superinjunctions-parliament-should-decide-law (accessed 5 November 2013).

17 On the legislative history, see H. Rogers and H. Tomlinson, ‘Privacy and Expression: Convention Rights and Interim Injunctions’ (2003) European Human Rights Law Review (Special Issue: Privacy) 37, 41–3.

In contrast to the traditional action for breach of confidence, a claimant now no longer needs to prove that the defendant received the information in circumstances importing an obligation of confidence. It is the quality of the information as private, rather than the character of the relationship between the parties, that is now determinative. However, the existence of a prior relationship has been held to have ‘considerable potential importance’ for the inquiry into whether there was a reasonable expectation of privacy19 and into how the rights under Articles 8 and 10 should be balanced. Furthermore, ‘old-fashioned breach of confidence’20 continues to be available where the parties had a prior relationship of confidentiality.

18 In Re S (A Child), above n. 9, [17].

19 Lord Browne of Madingley v. Associated Newspapers Ltd, above n. 15, [26] and [29].

20 Donald v. Ntuli [2010] EWCA Civ 1276, [2011] EMLR 10, [8] (Eady J); see also HRH Prince of Wales v. Associated Newspapers Ltd [2006] EWCA Civ 1776, [2008] Ch 57; McKennitt, above n. 15. It remains available also where the information is not private, e.g., a trade secret.

The significance of interim relief

Injunctive relief to prevent the publication of private information will be the primary concern for most claimants. Most applications for interim injunctions are made quia timet, that is because publication is feared. If granted before publication, it will protect the information from being disclosed and thereby preserve the claimant’s privacy. If disclosure has already occurred, the claimant will be concerned to ensure that publication will not be allowed to continue or be repeated.21 If there has already been some disclosure, courts will scrutinise whether the information is still sufficiently private and only intervene where the injunction can still prevent further damage to the claimant’s privacy interests. If information has reached the public domain to such an extent that a court order would be futile, an injunction will not be granted.22

The UK courts have developed a substantial body of case law on the availability of interim relief to protect privacy. Apart from the tort of misuse of personal information, interim relief is also available for the other causes of action at general law that protect privacy interests incidentally, such as breach of confidence, defamation, breach of contract and malicious falsehood. Statutory causes of action that may provide a basis for injunctive relief are available for breaches of data protection law,23 harassment24 and copyright infringements.25

Before the HRA came into force, privacy claimants most often had to rely on breach of confidence as the relevant cause of action. Where a breach of confidence was threatened, injunctive relief preserved the status quo until trial. Defendants could successfully resist an injunction where their interest in publication, supported by freedom of expression, outweighed the claimant’s confidentiality interest, particularly in cases in which there was a public interest in disclosure, for example to expose ‘iniquity’26 (serious misconduct) or to prevent the public from being misled.27 However, because confidentiality, once lost, cannot be regained, the balance of convenience often favoured the claimants in applications for interim relief.

21 E.g. Mosley v. News Group Newspapers Ltd [2008] EWHC 687 (QB).

22 See further, N. Witzleb, ‘“Equity Does Not Act in Vain”: An Analysis of Futility Arguments in Claims for Injunctions’ (2010) 32 Sydney Law Review 503.

23 Data Protection Act 1998 (UK) s. 32. See, e.g., Sunderland Housing Company Ltd v. Baines [2006] EWHC 2359 (QB).

24 Protection from Harassment Act 1997 (UK) ss. 1 and 4. See, e.g., ZAM v. CFW [2011] EWHC 476 (QB); Sunderland Housing Company Ltd v. Baines.

25 Copyright, Designs and Patents Act 1988 (UK) s. 96(2).

26 British Steel v. Granada [1980] 3 WLR 774; Francome v. Mirror Group Newspapers Ltd [1984] 1 WLR 892 (CA); Lion Laboratories v. Evans [1985] QB 526 (CA); A-G v. Guardian Newspapers (No. 2) [1990] 1 AC 109 (Spycatcher).

27 Initial Services Ltd v. Putterill [1968] 1 QB 396; Woodward v. Hutchins [1977] 1 WLR 760; Hyde Park Residences Ltd v. Yelland [2000] EWCA Civ 37, [2001] Ch 143 (copyright).


Section 12 of the Human Rights Act 1998 (UK)

To assuage media fears about the impact of the HRA on their work, s. 12 of the HRA erects additional hurdles to obtaining a remedy that could affect freedom of expression. Applying to final remedies as well as to interim orders, s. 12(4) stipulates that when considering whether to grant relief that, if granted, might affect the exercise of the Convention right to freedom of expression, the court must have particular regard to the importance of that right. This formulation of ‘particular regard’ is somewhat curious as the ECHR is based on presumptive equality of all Convention rights. However, it appears to have been chosen to signal to the courts that publication interests should be given more weight than under existing jurisprudence relating to breach of confidence, rather than constituting a direction that freedom of expression be given more weight than other Convention rights.

Section 12(3) provides that ‘no … relief is to be granted so as to restrain publication before trial unless the court is satisfied that the applicant is likely to establish that publication should not be allowed’. This was a deliberate deviation from the general approach governing applications for interim injunctions established in American Cyanamid v. Ethicon Ltd,28 which regarded it as outside the court’s functions at that stage to decide issues of conflicting evidence or difficult questions of law.29 The approach in American Cyanamid requires the applicant to establish merely that there is a ‘serious question to be tried’ before the court will examine whether the ‘balance of convenience’ lies in granting or denying interim relief. Under the higher threshold in s. 12(3), the court must consider the likely outcome of the trial before examining the balance of convenience. When introducing the Human Rights Bill into Parliament, the (then) Home Secretary, Jack Straw, explained that the function of s. 12(3) was:

that the courts should consider the merits of an application when it is made and should not grant an interim injunction simply to preserve the status quo ante between the parties.30

28 American Cyanamid v. Ethicon Ltd [1975] AC 396 (HL).

29 Ibid., 408.

30 United Kingdom, Parliamentary Debates, House of Commons, 2 July 1998, vol. 315, col. 536 (Jack Straw).

Section 12(3) was authoritatively discussed in Cream Holdings Ltd v. Banerjee.31 The case concerned an interim injunction to restrain the disclosure of confidential information relating to allegedly illegal conduct of the claimant companies. Applying the American Cyanamid test, the trial judge granted, and the Court of Appeal upheld, an injunction. On further appeal, the House of Lords rejected this general test as incompatible with s. 12(3) and outlined a new approach. Interpreting the words ‘likely to establish’ in s. 12(3), Lord Nicholls suggested in the leading speech that the applicant must establish that his or her prospects of success at trial are ‘sufficiently favourable’ to justify an interim restraint order.32 Lord Nicholls suggested as a general approach to the required degree of likelihood that it must be ‘more likely than not’ that the applicant’s claim will succeed at trial.33 This means that, in a standard case, the burden of proof rests with the applicant to establish the likelihood of his or her prospects of success at trial and, if he or she fails to do so, that publication will generally not be restrained.34

31 Cream Holdings Ltd v. Banerjee [2004] UKHL 44, [2005] 1 AC 253.

32 Ibid., [22].

33 Ibid.

34 The House of Lords accepted that a lesser degree of likelihood may be sufficient in some exceptional cases, e.g. in the period before a decision on whether to grant interlocutory relief can be made (i.e. short-term emergency injunctions) or where the disclosure might have extremely serious consequence for the claimant, such as the threat of serious personal injury: ibid.

Likelihood of success at trial

To gauge the likelihood of success at trial, the court needs to consider whether the claimant will be able to establish a reasonable expectation of privacy and, if so, whether the defendant will be able to succeed with a defence, in particular whether his or her Article 10 rights are likely to prevail in the ultimate balancing test. A prognosis of the likely outcome at trial is difficult at the interim stage because it is, by necessity, based on incomplete and untested evidence, particularly when the claimant applies for ex parte relief.35 In Cream Holdings Ltd v. Banerjee, the trial judge had fallen into error when he failed to consider that the intended publication concerned matters of serious public interest and that the claimant’s success at trial was not sufficiently likely to justify the curtailment of the defendant’s freedom of expression before trial. This relatively stricter approach to the grant of interim injunction can be supported by the jurisprudence of the European Court of Human Rights, in particular its well-known warning that:

[t]he dangers inherent in prior restraint are such that they call for the most careful scrutiny on part of the court. This is especially so as far as the press is concerned, for news is a perishable commodity and to delay its publication, even for a short period may well deprive it of all its value and interest.36

35 Section 12(2) of the HRA deals with the circumstances in which ex parte relief should be granted.

In Mosley v. UK the European Court of Human Rights affirmed this statement but added that:

[p]rior restraints may be more readily justified in cases which demonstrate no pressing need for immediate publication and in which there is no obvious contribution to a debate of general interest.37

The reference to the issue of whether the publication makes a contribution to a debate of general interest picks up a distinction that the Court made in the Von Hannover case, where the contribution of the information to a debate of general interest (if any) was described as the ‘decisive factor’ in balancing the protection of private life against freedom of expression.38 The contribution that the published information would make to a debate of general interest has also been held to be the decisive factor in a number of UK cases, including the recent decision of the Court of Appeal in ETK v. News Group Newspapers Ltd.39 Where a claimant has in the past used private information about herself to create a certain public image, this may affect her ‘reasonable expectation of privacy’ in relation to information of that kind or affect the scope of defences, in particular the public interest in freedom of expression. In particular, if the media can establish that the image created was misleading and the information they intend to publish would ‘put the record straight’, they may be able to justify the publication in the public interest, provided it is not unnecessarily intrusive.40

36 Observer and Guardian v. The United Kingdom (Application no. 13585/88) [1991] ECHR 49, (1991) 14 EHRR 153, [60].

37 Mosley v. The United Kingdom (Application no. 48009/08) [2011] ECHR 774, (2011) 53 EHRR 30, [117].

38 Von Hannover, above n. 2, [76].

39 ETK v. News Group Newspapers Ltd [2011] EWCA Civ 439, [2011] 1 WLR 1827. See also Ferdinand v. MGN Ltd [2011] EWHC 2454 (QB), [62] (Nicol J).

40 Campbell, above n. 1; Ferdinand v. MGN Ltd. See also Axel Springer AG v. Germany (Application no. 39954/08) [2012] ECHR 227, (2012) 55 EHRR 6 (GC).

Balance of convenience

Once the claimant establishes his or her likelihood of success at trial, he or she will further need to satisfy the court that the ‘balance of convenience’ comes down in favour of an injunction. The balance of convenience test is concerned with the issue of who will suffer the greater irreparable harm if the interim decision turns out at trial to have been wrongly made. The court will compare the harm likely to be suffered by the defendant if an interim injunction is granted but no final order is made at trial, with the harm likely to be suffered by the claimant if an interim injunction is denied but the trial establishes that publication should not have been allowed. The court is concerned here with ‘irreparable harm’, that is harm that cannot be repaired through its orders after trial.

On the side of the claimant, it will frequently be a straightforward matter to demonstrate that irreparable harm will follow. Privacy is an intangible interest that, once lost, cannot be restored through a remedy at trial. Respect for private life allows the ‘development, without outside interference, of the personality of each individual in his relations with other human beings’.41 This intangible interest is most effectively protected by preserving privacy, not by allowing its invasion and subsequently awarding damages. A sum of money in compensation will generally not be adequate to cure the injury suffered by the claimant, whereas an injunction can minimise or altogether prevent any injury. However, damages may be an adequate remedy where the primary concern of the claimant, with regards to preventing publication, is not to protect herself against emotional distress but to preserve economic interests. This question arises mostly in cases in which claimants have commercialised their privacy interest. However, even the paradigmatic Douglas v. Hello! litigation shows that it should not be too readily assumed that a claimant who puts private information to commercial use thereby forfeits any claim to an interim injunction. Even when commercial interests dominate, a damages claim may not be adequate to protect the claimant, for example because damages are difficult to calculate or because a defendant may be unable to pay damages. Lord Phillips MR pointed out in the second Court of Appeal decision of Douglas v. Hello!42 that the Court’s earlier decision43 to discharge the interim injunction was wrong, in light of the principles laid down in the later decisions in Campbell and Von Hannover. His Lordship considered that the damages awarded to the Douglases (£14,600) did ‘not represent an adequate remedy’.44 The Court of Appeal further regarded it as a relevant consideration that the sum was too small to provide ‘any real deterrent to a newspaper or magazine, with a large circulation’.45 In this sense, the decision between damages and injunction needs to take into account the Convention requirement of providing an ‘effective remedy’ (Article 13 of the ECHR).

What is in the balance on the part of the publishers? The media will generally argue that publication should be allowed in the public interest, so the court needs to assess to what extent the publisher and the public would be affected if publication was restrained until trial. In principle, most media operate for profit. Where the injunction prohibits the publication of private information, this may spoil a story and therefore lead to a loss of revenue. This loss will very often be compensable through a money payment, in particular where the claimant, as is typical, provides an undertaking as to damages. However, the courts do not limit themselves to considering the commercial interests of the media but take into account their public function. In that respect, the right to free expression also forms an essential part of the considerations. News media in particular will usually point to the fact that information is a perishable commodity that may lose its value if publication is temporarily restrained. There may be other intangible forms of harm to the public interest if a free discussion of matters of public concern is delayed.

While the balance of convenience inquiry is concerned with comparing the potential injury caused to each party by unjustly providing or withholding the remedy until trial, in many cases an interim decision will have more significance than this. It is well known that the cost of highly contested privacy cases can reach six-digit figures,46 thereby easily eclipsing the level commonly awarded as damages.47 The majority of high-profile privacy cases has been brought by well-resourced claimants, but there are a substantial number of privacy claimants who would not be in a position to afford a trial. Success or defeat at the interim stage, combined with the time and cost needed to overturn this decision, will often pre-empt any trial of the action and practically dispose of the matter altogether. For these claimants, the denial of an interim injunction, despite them having established that they would ‘more likely than not’ succeed at trial, may amount to a denial of an ‘effective remedy’. Accordingly, it would be appropriate for courts to also consider whether a trial remains a realistic option for a party before denying relief at the ‘balance of convenience’ stage.

41 Von Hannover, above n. 2, [50].

42 Douglas v. Hello! (No. 3) [2005] EWCA Civ 595, [2006] QB 125.

43 Douglas v. Hello! [2000] EWCA Civ 353, [2001] QB 967.

44 Ibid., [256]. Somewhat dialectically, the Court suggested that this characterisation is not intended to indicate that a greater level of damages should have been awarded.

45 Ibid., [257].

46 See, e.g., Joint Committee on Privacy and Injunctions, Privacy and Injunctions, above n. 6, [135]–[137].

47 For example, Ms Campbell’s action was brought under a Conditional Fee Agreement, with a cost bill served on the defendant in excess of £1,000,000: Campbell v. MGN Ltd (No. 2) [2005] UKHL 61, [2005] 1 WLR 3394. However, this type of agreement can, and in this case did, violate the defendant’s rights under Art. 10: MGN Ltd v. The United Kingdom (Application no. 39401/04) [2011] ECHR 919, (2011) 53 EHRR 5. The cost rules are therefore currently under reform.

Conclusion

For the most part, the basic principles discussed in the preceding section are now ‘well settled’.48 The jurisprudence is based on s. 12 of the HRA and has particular regard to the case law of the European Court of Human Rights. On this basis, the conflicting rights in Articles 8 and 10 of the ECHR, and the effect of giving or withholding relief on both parties, must be carefully balanced by reference to the evidence available at that stage of the proceedings. The relative generality of the principles can mean, however, that judges may attribute different weight to individual factors or differ in their approaches to dealing with the uncertainty of the evidence.

Prior restraint in defamation cases: the rule in Bonnard v. Perryman

Cases in which both actions overlap raise the question of which test should apply to the grant of an interim injunction. Interlocutory injunctions against the threatened publication of a defamation are notoriously difficult to obtain. The so-called ‘rule against prior restraint’ dates back to the decision of the Court of Appeal in Bonnard v. Perryman in 1891. Under this rule, injunctions will generally be denied where the defendant declares an intention to defend the publication, in particular through establishing a defence such as justification, fair comment or privilege.49 Exceptions are made only ‘in the clearest cases, where any jury would say that the matter complained of was libellous, and where, if the jury did not so find, the Court would set aside the verdict as unreasonable’.50 The main points of distinction between the approach in cases of misuse of private information and defamation are:

• Under the rule in Bonnard v. Perryman the claimant has a much higher threshold to surmount because he or she needs to satisfy the court that the defendant will not succeed at trial, rather than that the defendant will be ‘less likely than not’ to succeed at trial.
• The rule in Bonnard v. Perryman is inflexible and easy to apply. In defamation cases the court merely has a ‘residual discretion’51 to grant relief in exceptional circumstances.
• There is no balancing of the competing interests of claimant and defendant in defamation cases; if the defendant relies on justification, the public interest in allowing the (alleged) truth to be published is, in all but exceptional cases, a ‘trump card’.

48 Ntuli v. Donald [2010] EWCA Civ 1276, [2011] EMLR 10; ETK v. News Group Newspapers, above n. 39 [10].
49 In ZAM v. CFW, above n. 24, an interim injunction was granted because the defendants did not submit that they had a defence.
50 William Coulson & Sons v. James Coulson & Co (1887) 3 TLR 846 (Lord Esher MR), approved in Bonnard, above n. 10.

The rationale of the rule against prior restraint

The rule in Bonnard v. Perryman has been relied upon in many cases but has never been the subject of a decision of the House of Lords. There are usually three interrelated justifications given for the continued existence of this rule that limits interim injunctions to cases in which it is plain that no defence will succeed at trial. The main justification given is the particular value attached by the courts to freedom of expression.52 In Bonnard v. Perryman the reasons against prior restraint have been expressed as follows:

The right of free speech is one which it is for the public interest that individuals should possess and, indeed, that they should exercise without impediment, so long as no wrongful act is done; and unless an alleged libel is untrue there is no wrong committed.53

The second rationale shows that the reluctance to exercise prior restraint actually goes back much further than Bonnard v. Perryman. A court that grants an injunction in interlocutory proceedings may prejudice a decision normally reserved for the jury.54 The right to have a defamation tried before a jury55 was an important constitutional achievement of eighteenth-century Britain. Fox’s Libel Act 1792, which created this right for the crime of seditious libel, was intended to protect critics of the king and government from prosecution. Subsequently also applied to civil trials, the right to a jury was based on the consideration that a jury of peers is the best arbiter of whether the plaintiff’s reputation has been harmed and whether the defendant has established a defence such as truth, honest opinion or fair reporting.56 Because juries are seen as important bulwarks for ensuring an appropriate balance between reputation and freedom of expression, jury trials continued in defamation cases while they were all but abandoned in most other areas of private law. However, the Defamation Act 2013 (UK) has now abolished the presumption of jury trials also for libel and slander.57 In Australia, the right to elect a jury trial has been maintained under the Defamation Acts 2005–06 in the majority of jurisdictions;58 but the role of the jury has been curtailed.59 This shows that this second rationale is weaker now than it was in the past.

Third, the rule has also been justified with the consideration that, until the trial, the court ‘cannot safely proceed on the basis that what the defendants wish to say is not true’60 or that ‘one cannot speak sensibly of the violation of the right [to a fair reputation] until it is established at trial’.61 This argument raises the issue of how the court is to deal with the factual uncertainty that is inherent in interim proceedings. Brooke LJ explained in Greene v. Associated Newspapers Ltd62 that it is more difficult in defamation cases than others to assess the likely outcome of the proceedings. In particular, where the defendant seeks to establish the defence of justification, it is said that this will often depend on the credibility of witnesses and the detailed consideration of documents.63

51 Holley v. Smyth [1998] QB 726.
52 Herbage v. Pressdram Ltd [1984] 1 WLR 1160.
53 Bonnard, above n. 10, 284.
54 William Coulson & Sons v. James Coulson & Co, 846, above n. 50; Fraser v. Evans [1969] 1 QB 349.
55 Senior Courts Act 1981 (UK) s. 69.

The rule in Bonnard v. Perryman and the Human Rights Act 1998

The HRA has had no discernible effect on the rule in Bonnard v. Perryman. Section 12 of the HRA was intended to bolster freedom of expression in cases other than defamation. It was inserted against the background of breach of confidence jurisprudence, which allowed injunctions more generously on the basis that confidentiality, once lost, cannot be regained. As explained above, it did have the intended effect of creating a more demanding test than the general American Cyanamid test. Initial doubts that s. 12 of the HRA may have also had an unintended effect of lowering the threshold in defamation applications were laid to rest with the decision in Greene v. Associated Newspapers. In that case, the Court of Appeal reaffirmed that the rule in Bonnard v. Perryman continued to apply to defamation actions.

In Greene v. Associated Newspapers Ltd, the Court referred to common law principles of statutory interpretation and held that nothing in the language and legislative purpose of s. 12 of the HRA suggested that Parliament intended to abrogate the rule in Bonnard v. Perryman by a ‘side wind’.64 The Court then considered s. 6 of the HRA and its obligation to act compatibly with Convention rights, and accepted that the right to reputation is an interest to be protected under Article 8 of the ECHR. It concluded, however, that the ‘damage that may on occasion be done by refusing an injunction where a less strict rule would facilitate its grant pales into insignificance compared with the damage which would be done to freedom of expression and the freedom of the press if the rule in Bonnard v. Perryman was relaxed’.65

What makes this decision problematic is that the Court of Appeal compared the impact that a change in the law on interim injunctions would have on both interests at an abstract, institutional level (‘on occasion’) but not with reference to the circumstances of the case. The Court did not assess what it would mean for the reputation of the claimant, Ms Greene, to allow the Daily Mail to publish an article alleging that she had knowingly had business dealings with a convicted and deported fraudster, and to what extent damages awarded at trial could vindicate Ms Greene if these allegations could not be proven. Nor did the Court engage in the ‘parallel analysis’ of assessing the injury to the Daily Mail and the public interest if these allegations were lawful but could not be made public until after trial. In other words, the Court applied the rule against prior restraint mechanically rather than with ‘an intense focus on the comparative importance of the specific rights being claimed in the individual case’,66 as courts are now required to do in cases involving a conflict between Article 8 and Article 10 rights. It has rightly been questioned whether this approach continues to be correct in light of the modern human rights jurisprudence in the UK and in Strasbourg.67

56 See, e.g., Justice S. Rares, ‘The Jury in Defamation Trials’ (Speech at the Defamation & Media Law Conference, Sydney, 25 March 2010), www.fedcourt.gov.au/publications/judges-speeches/justice-rares (accessed 5 November 2013).
57 Defamation Act 2013 (UK) s. 11.
58 Defamation Act 2005 ss. 21–22 as adopted in NSW, Queensland, Victoria, Tasmania and Western Australia. Jury trials have been abolished in the ACT, the Northern Territory and South Australia.
59 See further, Australian Broadcasting Corporation v. O’Neill [2006] HCA 46, (2006) 227 CLR 57, [217]–[242] (Heydon J, dissenting).
60 Greene v. Associated Newspapers Ltd [2004] EWCA Civ 1462, [2005] QB 72, [57].
61 Ibid., [76].
62 Ibid.
63 Ibid., [77] referring to P. Milmo and W. V. H. Rogers (eds.), Gatley on Libel and Slander, 10th edn (London: Sweet and Maxwell, 2004), [25.19]. More fundamentally, it may still be unclear what in fact the defendant is actually proposing to say about the claimant.
64 Greene v. Associated Newspapers Ltd, above n. 60, [64].
65 Ibid., [78].
66 In Re S (A Child), above n. 9.

The overlap between privacy and defamation

The question of how to resolve the tension between these two different tests arises most acutely where a threatened publication concerns information that is not only of a private character but also has the potential to damage the applicant’s reputation. In these circumstances claimants have potentially two causes of action: an action for misuse of personal information and an action for defamation. The two causes of action are not mutually exclusive. In particular, the fact that some of the private information is, or may be, false does not stand in the way of a claim for misuse of personal information. This was put beyond doubt by Longmore LJ in McKennitt v. Ash:

The question in a case of misuse of private information is whether the information is private not whether it is true or false. The truth or falsity of the information is an irrelevant inquiry in deciding whether information is entitled to be protected and judges should be chary of becoming sidetracked into that irrelevant inquiry.68

The relevant case law often concerns so-called ‘kiss-and-tell’ stories, in which applicants seek protection against the revelations of indiscretions by their former spouses, lovers, partners, associates or friends.69 Applicants are usually motivated by a desire to avoid embarrassment, the breakdown of relationships, stress on members of their family or the loss of employment and so on. At the interim stage there may often be disagreement between the parties as to whether the information is true, or the claimant may not wish to confirm or deny the truth. If the defendant were able to establish the truth at trial, the action in defamation would fail. The privacy claim, on the other hand, would only fail if the publication could be justified as being in the public interest. In the typical ‘kiss-and-tell’ story there is often no discernible public interest in disclosure because the ‘intellectual, artistic or personal development of members of society is not stunted by ignorance of the sexual frolics of figures known to the public’.70 Applicants typically rely on the tort of misuse of personal information and seek to establish, in line with the test in Cream Holdings Ltd v. Banerjee, that it is more likely than not that they will win at trial. The question is whether this test should also govern the case where the publication raises issues of reputation, even though injunctive relief is, under the rule of Bonnard v. Perryman, generally unavailable for threatened defamation.

67 Sir D. Eady, ‘Protecting Free Speech in the Context of the European Convention of Human Rights’ (Lecture at City University, London, 10 March 2010), p. 12, http://inforrm.files.wordpress.com/2010/03/justice-eady-speech-v2-city-university-london-10-march-2010.doc (accessed 5 November 2013).
68 McKennitt, above n. 15, [83].
69 Lord Browne of Madingley v. Associated Newspapers Ltd, above n. 15; ETK v. News Group Newspapers Ltd; above n. 39.

Terry (formerly LNS) v. Persons Unknown

The most detailed judicial consideration of the issue has been provided by Tugendhat J in the now notorious litigation71 brought by professional soccer player and (then) captain of the English soccer team, John Terry.72 Terry, who is married, sought interim injunctions to prevent the publications concerning the (apparently untrue)73 rumour that he had had a four-month sexual relationship with Vanessa Perroncel, an ex-girlfriend of a Chelsea teammate. Relying on breach of confidence and misuse of personal information, Terry sought to prohibit the publication of information and documents concerning their rumoured relationship, details of the relationship, information leading to the identification of Terry or Perroncel, and any photographs evidencing or relating to the fact or details of the relationship. After making an urgent order on the day of the hearing, Tugendhat J lifted the order one week later when he had prepared his judgment. Relevantly, His Honour was not satisfied that Terry was likely to establish that there had been a breach of confidence because there was insufficient evidence as to what Terry and Perroncel told one another or others about the relationship. In relation to misuse of personal information, Tugendhat J was not satisfied that Terry was likely to succeed in establishing that publication of the fact of the relationship should not be allowed and, in relation to intrusive details and photographs, he was not satisfied that there was a real threat of publication.

Tugendhat J also considered whether the facts should be considered as constituting a cause of action in defamation. He reached the view that ‘it is likely that the nub of [Terry’s] complaint is the protection of reputation, and not of any other aspect of [his] private life’.74 Tugendhat J arrived at this conclusion because the application made no mention of any personal distress; because Terry appeared to have a ‘very robust personality’; and because the evidence underlying much of the application, including a confidentiality agreement with Perroncel, had been assembled by business partners, not his solicitors.75 He formed the view that the real basis for Terry’s application was the ‘impact of any adverse publicity upon the business of earning sponsorship and similar income’.76 Tugendhat J expressed the view that it was ‘a matter for the court to decide whether the principle of free speech prevails or not, and that it does not depend solely on the choice of claimant as to his cause of action’.77 On that basis, he decided that, in accordance with the rule in Bonnard v. Perryman, no injunction should be granted.78

70 ETK v. News Group Newspapers Ltd, ibid, [21] (Ward LJ).
71 Terry did not give notice of the application to any respondent or any other person and also sought ancillary orders to protect his anonymity, including a private hearing, an anonymity order and the sealing of the entire court file. These extensive derogations from the principle of open justice, which if granted are commonly referred to as ‘superinjunctions’, caused a media outcry that also reverberated into the wider community. This chapter will not deal with that facet of the case.
72 Terry, above n. 11. The issue was also relevant in RST v. UVW [2009] EWHC 2448 (QB), [2009] EMLR 13.
73 The two newspapers involved subsequently acknowledged that the publications were untrue and apologised to Ms Perroncel for any distress caused: see R. Greenslade, ‘Two Newspapers Apologise to Vanessa Perroncel for Breaching Her Privacy’, Guardian (Online), 7 October 2010, www.guardian.co.uk/media/greenslade/2010/oct/07/newsoftheworld-john-terry (accessed 5 November 2013).

Consequences where the ‘nub of claim’ is reputation

It remains a little unclear what consequences follow if the action, though framed as a misuse of private information by the claimant, is held by the court to be a suit for defamation ‘in disguise’.79 In particular, it is unclear whether a finding that the real issue at stake is reputation has consequences only for the test to be applied to interim relief or also for the availability of privacy as a cause of action at trial.

If the issue was merely which test applies, the claimant would not be allowed to ‘circumvent’ the restrictive rule in Bonnard v. Perryman. Rather than the test under Cream Holdings Ltd v. Banerjee of whether the claimant is more likely than not to succeed, the issue would be whether the defendant is bound to fail. However, in evaluating the claimant’s prospects of success, the court would leave the claimant to pursue the action of their choice and enquire whether the claimant is likely to succeed in his or her claim for misuse of personal information. This will, as in defamation, often turn on available defences. The decisive issue will often be whether the intended publication makes such a contribution to public debate that it should not be delayed despite the damage it may cause to the claimant’s legitimate expectation of privacy.

The alternative approach would go further than raising the threshold for an interim injunction. It would deny the claimant the opportunity to shoehorn a claim that is ‘in reality’ about defamation into the cause of action for misuse of personal information. This appears to be the approach taken by Tugendhat J in Terry (formerly LNS) v. Persons Unknown because His Honour denied injunctive relief with the consideration that whatever publication may result in the circumstances, it would be ‘likely to be capable of being defended in accordance with the law of defamation’.80 This latter approach goes much further than merely preserving the rule in Bonnard v. Perryman for interim proceedings in cases that raise both privacy and reputation interests. It creates, in effect, a priority for defamation as the appropriate cause of action. It is likely that this approach swings the pendulum too far in favour of freedom of speech because it allows a defendant to rely on the defences available for defamation, including truth, even where the subject-matter is private. This would deprive the claimant of an effective protection of private life because the court categorised the ‘nub of the claim’ to be about reputation. However, where a claimant seeks to protect both her privacy and reputation, she should not be barred from doing so even if the gravamen of the complaint concerns reputation.

74 Terry, above n. 11, [95].
75 Ibid.
76 Ibid.
77 Ibid., [88].
78 Ibid., [123].
79 E.g., Tillery Valley Foods v. Channel Four Television [2004] EWHC 1075 (Ch), [21] (Mann J).

What rule should apply in the overlap?

This section of the chapter will examine whether the court’s approach of seeking to determine the ‘nub’ of the claim and then subordinating applications for interim relief that are ‘dressed up’ as privacy claims to the rule in Bonnard v. Perryman is satisfactory. The relevant arguments can be classified into three categories. First, as a question of principle, the jurisprudence of the European Court of Human Rights on the relationship of privacy and reputation may stand in the way of prioritising defamation as the applicable cause of action. Second, as a matter of policy, whether the rationale of the rule in Bonnard v. Perryman is really undermined if courts allow cases in the overlap between defamation and privacy to be governed by the approach accepted for privacy claims will be examined. Third, as an issue of pragmatism, it is argued that the search for the ‘nub’ of the claim is likely to bring considerable uncertainty into this field; conversely, an approach that accepts the claimant’s choice of cause of action is unlikely to lead to a radical change in the law. Each of these issues will be dealt with in turn.

80 Ibid., [123].

Principle: the human rights dimension

The first argument against the subordination of privacy claims is that giving priority to the stricter approach in defamation law is difficult to reconcile with the ECHR and the jurisprudence of the European Court of Human Rights. The core of this argument is that it should not affect the categorisation of information as private whether it also happens to be defamatory. Once Article 8 ECHR is engaged, the court comes under an obligation to protect the claimant’s private life effectively. Where a case raises competing Convention rights, that is also the defendant’s free speech interests under Article 10 ECHR, these rights need to be carefully balanced against each other with reference to the facts of each case. Outside the field of prior restraint, UK domestic law follows this approach whenever the publication of private information raises a conflict between rights under Articles 8 and 10.81 In contrast, the inflexible rule in Bonnard v. Perryman does not allow the court to give any weight to the effects that allowing the publication would have on the claimant. Instead, it assumes that the effect on the claimant’s private life of allowing a defamatory publication can generally be remedied through an award of damages at trial. To the extent that the rule in Bonnard v. Perryman prevents the balancing of the competing interests, it may lead to outcomes that are not compliant with the Convention. This will be the case in particular where a defamation is of such gravity or character that allowing its publication is disproportionate to the aim of protecting the defendant’s entitlements to free expression under Article 10.

It seems paradoxical and counterintuitive that a claimant who seeks to prevent the publication of information that is not only private but also defamatory should be in a worse position than another claimant who seeks to prevent the publication of information that is merely private but not damaging to their reputation. For example, a couple who seek to enjoin a newspaper from disseminating rumours that their marriage is ‘on the rocks’ may be able to sue for invasion of privacy.82 However, if the same newspaper article included an allegation that the marriage broke down because of the husband’s infidelity, the publication would also raise issues of reputation and therefore be subject to a stricter test.

A further argument against the segregation of defamation and privacy is that the interest in reputation may itself be protected by Article 8. While Article 8 does not explicitly mention reputation, several recent decisions of the Strasbourg Court affirm that the right to protection of reputation is an element of private life, and as such falls within the scope of Article 8.83 In Pfeifer v. Austria the Court held:

The guarantee afforded by Article 8 is intended to ensure the development without outside interference of the personality of each individual in his relations with others … A person’s reputation, even if that person is criticised in the context of a public debate, forms part of his or her personal identity and psychological integrity and therefore also falls within the scope of his or her private life under Article 8.84

81 Re Guardian News and Media Ltd [2010] UKSC 1, [2010] 2 AC 697, [51].

Unfortunately, the case law of the European Court of Human Rights on this issue has not been consistent. In particular, the subsequent decision of Karako v. Hungary85 adopted a more cautious stance and only went as far as suggesting that reputation may be protected under Article 8. Karako, a Hungarian politician, had unsuccessfully pursued criminal libel proceedings against an opponent for comments made during an election campaign. He argued that the decision of a Hungarian Court to dismiss the proceedings failed to protect his rights under Article 8. In considering the scope of Article 8, the European Court of Human Rights referred to its earlier jurisprudence, including the Von Hannover case, and confirmed that Article 8 protected ‘personal identity’ as well as ‘personal integrity’.86 Distancing itself from decisions such as Pfeifer, however, it found ‘that reputation has only been deemed to be an independent right [protected under Article 8] sporadically’,87 mainly in cases where the attack had an ‘inevitable direct effect on the applicant’s private life’. The Court held that the applicant had failed to show that the alleged defamation was a ‘serious interference with his private life as to undermine his personal integrity’. The subsequent case of A v. Norway88 appears to reconcile the conflicting lines of authority as follows:

Article 8 … unlike Article 12 of the 1948 Universal Declaration of Human Rights and Article 17 of the 1966 International Covenant on Civil and Political Rights of the United Nations, does not expressly provide for a right to protection against attacks on a person’s ‘honour and reputation’. However, as the Court has stated on previous occasions, the concept of ‘private life’ is a broad term not susceptible to exhaustive definition. It covers the physical and psychological or moral integrity of a person and can sometimes embrace aspects of an individual’s physical and social identity. In more recent cases decided under Article 8 of the Convention, the Court has recognised reputation and also honour as part of the right to respect for private life … In order for Article 8 to come into play, the attack on personal honour and reputation must attain a certain level of gravity and in a manner causing prejudice to personal enjoyment of the right to respect for private life.

82 On 12 September 2004 the News of the World published an article headlined ‘Posh and Becks on the Rocks’, which contained allegations about the couple’s marriage made by their former nanny, Abbie Gibson. The couple sued Gibson for breach of a confidentiality agreement, and the newspaper in defamation, because the article suggested that the marriage was a sham and the only reason the couple were still together was because of sponsorship deals that depended on them appearing to be a happy family. Both proceedings were settled: Julia Day, ‘Beckhams Drop NoW Libel Case’, Guardian (Online), 9 March 2006, www.guardian.co.uk/media/2006/mar/09/pressandpublishing.sport (accessed 5 November 2013). See also Standard Verlags GmbH v. Austria (No. 2) (Application no. 21277/05) [2009] ECHR 853 (report on rumours about marital problems of the Austrian president).
83 Petrina v. Romania (Application no. 78060/01) [2009] ECHR 2252; see also Petrenco v. Moldova (Application no. 20928/05) [2010] ECHR 419, [52]. This has also been acknowledged in domestic decisions: e.g., Flood v. Times Newspapers Ltd [2010] EWCA Civ 804, [2011] 1 WLR 153.
84 Pfeifer v. Austria (Application no. 12556/03) [2007] ECHR 935, (2007) 48 EHRR 175, [33], [35].
85 Karako v. Hungary (Application no. 39311/05) [2009] ECHR 712.

This position has now been confirmed by the Grand Chamber decision in Axel Springer AG v. Germany.89 On that basis, it appears that reputation is not, as such, an interest protected under the Convention, but that Article 8 is engaged at least when there is a serious attack on reputation that affects a person’s identity and feeling of self-worth.

86 Ibid., [21].
87 Referring to Petrina v. Romania and Armonienė v. Lithuania (Application no. 36919/02) [2008] ECHR 1526, [2009] EHRR 53.
88 A v. Norway (Application no. 28070/06) [2009] ECHR 580. But the later decision in Petrenco v. Moldova adopts the broader approach of Petrina v. Romania.
89 Axel Springer AG v. Germany (Application no. 39954/08) [2012] ECHR 227 (GC), (2012) 55 EHRR 6, [83].

This jurisprudence suggests that there are two situations where a publication can simultaneously affect the claimant’s private life and reputation. First, it may be that the subject matter of the defamation concerns the claimant’s private life. Second, a defamation may be grave and, for that reason, affect the claimant’s enjoyment of private life. The English cases that ring-fence defamation and seek to protect it from encroachment by claims for misuse of personal information appear to be based on a misconception of the relationship between privacy and reputation in the human rights era. When a publication concerns a matter of private life, the courts need to balance the rights under Articles 8 and 10, regardless of whether the publication is also defamatory. This means that claimants can choose to rely on privacy even though the interference also affects their reputation. In the context of interim injunctions, the test developed for privacy cases should prevail over the more limited protection provided by defamation law. It is the scope of the claimant’s Article 8 rights that needs to be protected from encroachment by the stricter approach applying to defamation claims, rather than the other way round. The existing judicial approach may be explained by the historic development of the common law, which recognised defamation before it recognised privacy, but it appears difficult to reconcile with the Convention. Clayton and Tomlinson therefore correctly criticised the analysis in Greene as ‘unsatisfactory and … inconsistent with the modern jurisprudence of the Court of Human Rights’.90

Policy: the relationship of defamation and misuse of personal information

The second argument in favour of subjecting cases in the overlap between defamation and misuse of personal information to the restrictive rule in Bonnard v. Perryman suggests that the policy considerations underlying this rule also apply in privacy cases. Eady J cautioned in Lord Browne of Madingley v. Associated Newspapers Ltd91 that the ‘policy underlying

90 Clayton and Tomlinson, above n. 12, [15.28]; but see D. Rolph, ‘Irreconcilable Differences? Interlocutory Injunctions for Defamation and Privacy’ (2012) 17 Media and Arts Law Review 170, who argues in relation to Australian law that, in the absence of a comparable human rights framework, coherence of the law should be achieved by following the strict approach to injunctive relief for defamations in the context of privacy invasions.
91 Lord Browne of Madingley v. Associated Newspapers Ltd [2007] EWHC 202 (QB). This matter was not raised before the Court of Appeal: [2007] EWCA Civ 295, [2008] QB 103, [56]. See also Terry, above n. 11, [88].


Normann Witzleb

Bonnard v. Perryman should not be undermined too readily by claimants opting for other causes of action’.92 Some decisions even suggest that it may constitute an abuse of process to bring a privacy action ‘where the nub of the case was a complaint about falsity of the allegations, and that was done in order to avoid the rules of the tort of defamation’.93 In Hunter v. Chief Constable of the West Midlands Police94 Lord Diplock described an abuse of process as ‘misuse of [the court’s] procedure in a way which, although not inconsistent with the literal application of its procedural rules, would nevertheless be manifestly unfair to a party to litigation before it, or would otherwise bring the administration of justice into disrepute among right-thinking people’.95 In light of this, it may be asked whether it is indeed appropriate to categorise the question as one of ‘process’, or whether it is more satisfactory to consider the demarcation between the two causes of action as an issue of substantive law. Generally, where conduct falls under more than one cause of action, the claimant is free to choose which cause of action to pursue, and there is no requirement to proceed with only the most ‘appropriate’ one. It is common for claimants in making their choice to be guided by tactical considerations and to seek a juridical advantage. This is well recognised where there are concurrent claims in contract and tort,96 but also where there are overlapping torts. Usually each tort is independent of any other, in particular where torts are aimed at protecting different interests. The diversity of the law of torts makes generalised statements as to the relationship of various torts very difficult. It is therefore better to focus specifically on the relationship of the tort of defamation and other causes of action. There are a number of authorities that pre-date the HRA, in which the issue was considered. In Joyce v. Sengupta the defendant argued that the plaintiff’s choice to proceed in malicious falsehood rather than defamation, so as to avail herself of legal aid, amounted to an abuse of process. Rejecting this argument, Sir Donald Nicholls VC affirmed that the claimant is free to choose the cause of action:

When more than one cause of action is available to him, a plaintiff may choose which he will pursue. Usually he pursues all available causes of

92 Lord Browne of Madingley v. Associated Newspapers Ltd [2007] EWHC 202 (QB), [28].
93 McKennitt, above n. 15, [79]. But it is worth noting that this comment was obiter and made in the context of rejecting an argument by the defendant that there is no confidence in untrue statements.
94 Hunter v. Chief Constable of the West Midlands Police [1982] AC 529, 536.
95 Ibid., 536.
96 Henderson v. Merrett Syndicates Ltd [1995] 2 AC 145 (professional duty of care).


action, but he is not obliged to do so. He may pursue one to the exclusion of another, even though a defence available in one cause of action is not available in another. Indeed, the availability of a defence in one cause of action but not another may be the very reason why a plaintiff eschews the one and prefers the other … I have never heard it suggested before that a plaintiff is not entitled to proceed in this way, and take full advantage of the various remedies English law provides for the wrong of which he complains. I have never heard it suggested that he must pursue the most appropriate remedy, and if he does not do so he is at risk of having his proceedings struck out as a misuse of the court’s procedures.97

In English law, a claimant has concurrent claims in defamation and negligence where a negligent publication of a defamatory misstatement causes economic loss. In Spring v. Guardian Assurance Plc98 the claimant, an insurance representative, suffered economic loss because the defendant, his former employer, negligently provided an employment reference that questioned his honesty. He successfully recovered damages in negligence. Both his claims in defamation and injurious falsehood failed because he was unable to establish malice.99 Lord Woolf, for the majority, stated:

I can see no justification for erecting a fence around the whole of the field to which defamation can apply and treating any other tort, which can beneficially from the point of view of justice enter into part of that field, as a trespasser if it does so. The conclusive answer in the present context to applying the approach of the President is that it will, here, result in real injustice. It would mean that a plaintiff who would otherwise be entitled to succeed in an action for negligence would go away empty-handed because he could not succeed in an action for defamation. This cannot be a desirable result.100

The cases suggest that there is no automatic priority for the law of defamation but that considerations of ‘justice’ determine whether a claimant is able to bring a cause of action other than defamation where the complaint also involves a lowering of reputation. Indeed, arguably it is unfair to the claimant if the question of whether injunctive relief was available turned on the distinction between private information that is non-defamatory and private information that is also defamatory.101

97 Joyce v. Sengupta [1993] 1 All ER 897, 902.
98 Spring v. Guardian Assurance Plc [1995] 2 AC 296. But cf. Sullivan v. Moody [2001] HCA 59, (2001) 207 CLR 562.
99 The provision of an employment reference is a situation of qualified privilege.
100 Spring v. Guardian Assurance Plc [1995] 2 AC 296, 351.
101 G. Busuttil, ‘Preventing Publication of Private Information – When You Can and When You Cannot’ (Free Speech v Privacy – The Big Debate: JUSTICE/Sweet & Maxwell


It is submitted that this policy decision should be made with due regard to the rationale underlying the ‘rule against prior restraint’ and the extent to which it is applicable in the overlap of privacy and defamation.

Re-examining the rationale of the rule in Bonnard v. Perryman

‘The truth should out’

The usual rationale for denying interim relief is that the court does not want to restrain the publication of defamatory material that the publisher maintains is true, as this would unduly restrict the publisher’s freedom of expression. For example, Lord Denning identified as the principal reason for the rule against prior restraint ‘the importance in the public interest that the truth should out’.102 However, this rationale does not carry weight where the information is private, as truth is evidently not a defence to a privacy invasion, and the action is brought for the very reason that a truthful but private matter should not reach the public domain. In cases involving claims for privacy the action is not framed to frustrate the rule applying in defamation cases but to protect the information from disclosure. In that sense, it cannot really be said that the privacy action constitutes an abuse of process, certainly not in the sense of seeking a ‘collateral advantage that it would be unjust for [the claimant] to retain’.103 It is submitted that a less problematic solution consists in allowing the claimant to proceed with the cause of action of their choice. If the defendant can establish that the allegations about the claimant’s private life are true and that there is a sufficient public interest in airing them, the claimant will be unsuccessful at trial. If it is already apparent at the interim stage that it is unlikely that the claimant will succeed, no injunction will issue.

Usurping the role of the jury

While there is little doubt that the jury had historically great significance in the determination of defamation trials, its role has been greatly curtailed in contemporary law. In the UK, jury trials have become quite uncommon. This is, in part, because the disadvantages of jury trials have gained greater prominence, including that they tend to be longer and

Conference, 2 December 2008), p. 9–10, www.5rb.com/article/preventing-publicationof-private-information---when-you-can-and-when-you-cannot (accessed 5 November 2013).
102 Fraser v. Evans [1969] 1 QB 349, 360–1.
103 Castanho v. Brown and Root (UK) Ltd [1981] AC 557, 571 (Lord Scarman).


more costly,104 that juries may have difficulty understanding complex legal or factual matters, and that jury verdicts lack transparency and are not reviewable. The Defamation Act 2013 (UK) responds to these criticisms by removing the presumption in favour of a jury trial in defamation cases.105 The main argument for this radical step is that juries impede a core concern of the reform, namely the early and cost-effective resolution of issues.106 The fact that considerations of expediency can carry such weight demonstrates that the right to a jury no longer has the significance it once did.107 This new environment, which puts a premium on efficient resolution of disputes, makes the conventional argument – that judges should not grant interim relief because to do so would usurp the constitutional function of the jury – increasingly difficult to reconcile with the modern practice and exigencies of defamation law.

Courts should not intervene without knowing the claimant’s rights

A further rationale provided for the rule against prior restraint in defamation cases is that the court cannot know whether the plaintiff has a right to his reputation until the trial has shown where the truth lies.108 This argument seems to be somewhat beside the point; it is never a condition of interim relief that a court must ‘know’ the claimant’s rights or must be able to ‘safely proceed on the basis that’109 the defendant will not be able to establish a defence. It is inherent in interim proceedings that the court is asked to intervene on incomplete and untested evidence. There is no requirement on claimants in privacy proceedings to establish fully that their Article 8 rights will outweigh the Article 10 rights of a defendant any more than, say, there is a requirement that a claimant in a nuisance case must establish that the defendant’s actions amount to an unreasonable interference with the claimant’s quiet enjoyment of land. All that is required is that there is a sufficient likelihood or even that there is a serious question to be tried. It is not immediately apparent why defamation law dictates that claimants must establish their right to protection with

104 In Spiller v. Joseph [2010] UKSC 53, [2011] 1 AC 852, Lord Phillips P questioned the continued desirability of trial by jury because it ‘simply invites expensive interlocutory battles’ on what issues should go before the jury: [116].
105 Defamation Act 2013 (UK) s. 11 c. 26.
106 Joint Committee on the Draft Defamation Bill, Draft Defamation Bill, House of Lords Paper 203, House of Commons Paper 930-I, Session 2010–2012 (2012), [24].
107 See also Heydon J in Australian Broadcasting Corporation v. O’Neill, above n. 59, [229]–[239].
108 Sir John Donaldson MR in Kashoggi v. IPC Magazines Ltd [1986] 1 WLR 1412.
109 Greene v. Associated Newspapers Ltd, above n. 60, [57].


certainty in interim proceedings. If it were argued that it is the interest in freedom of speech that places defamation in a category of its own, then this pragmatic argument would merely be another way of saying that freedom of speech should prevail in cases of uncertainty. This argument, and its limits in light of modern human rights jurisprudence, have already been considered above.

Pragmatism: evaluating consequences of allowing claimant choice for ‘privacy’

Limited effect

A further argument for allowing all claims that affect the claimant’s private life to be governed by the general principle under s. 12 of the HRA is that this would be unlikely to involve a dramatic shift towards the availability of interim relief. First, the issue of overlap becomes relevant only in a proportion of all cases. Tugendhat J suggested in Terry (formerly LNS) v. Persons Unknown that there are four different groups of cases. The first is where there is no overlap between privacy and defamation because the private matter is not defamatory. In the second group, which concerns private matters that are involuntary (e.g. suffering from a particular disease), defamation is unlikely to be the nub of the claim. In the third group are cases of overlap but no inconsistency. This category concerns conduct that is voluntary but seriously unlawful. Here a claimant is unlikely to succeed under either cause of action, because there will be a public interest in publication. This leaves the fourth category, where there is an overlap and potential inconsistency because the information ‘relates to conduct which is voluntary, discreditable and personal (e.g. sexual or financial) but not unlawful (or not seriously so)’.110 Only in this last category would it make a difference if the claimant could, through their choice, determine the cause of action and hence a different test was applied to the granting of interim injunctions.

Second, the proposed change – that interim relief for each cause of action should be governed by the test accepted for that cause of action – would involve merely lowering the threshold for an injunction in some cases. It would not mean that an injunction will necessarily be granted. Lowering the threshold would benefit those applicants for interim relief who, in line with the test for privacy claims, can establish that they are

110 Ibid., [96].


likely to succeed at trial but are unable to pass the stricter test for defamation claims, that is that the defendant is bound to fail at trial. However, even passing this lower threshold is not sufficient to obtain an injunction, as a court would consider, in a second step, whether damages at trial would be adequate. This raises the issue of whether the claimant or the defendant will suffer the greater irreparable harm if the decision made in the interim turns out, at trial, to have been wrong. In defamation proceedings courts generally assume that damages at trial constitute sufficient vindication for the claimant, whereas a defendant will often be able to show that enjoining a publication, even for the limited time until trial, causes harm that cannot subsequently be repaired.111 In privacy claims it is easier for the claimant to show that irreparable harm will result if the status quo is not maintained until trial. In privacy claims non-tangible interests will frequently dominate. These are, by their nature, not readily compensable. Once the ‘cat is out of the bag’, privacy is lost and a trial will often only lead to further publicity and embarrassment. This does not mean, however, that the only effective remedy for breaches of privacy lies in an injunction. This has become clear in the recent discussion of whether UK law should establish a pre-notification requirement, that is an obligation on journalists to warn the subject of any proposed intrusion on privacy prior to publication.112 This requirement was said to be justified by the consideration that, in many cases, victims of privacy invasions will only become aware of the invasion when it is already too late. However, the European Court of Human Rights decided that the Convention did not require a pre-notification requirement in UK law.113 It affirmed that member states have a broad margin of appreciation and that the current UK regime provides for protections that are sufficiently effective. This decision shows that an award of damages may well be a sufficient remedy. Where a privacy claim also raises the issue of reputation, the balance of convenience may be even more likely to favour the defendant. This can be illustrated with the paradigm case of Terry (formerly LNS) v. Persons Unknown. According to Tugendhat J, the claimant was mainly motivated by the desire to protect his valuable sponsorship contract. If this was the case, then the usual concerns about the irreparability of privacy harms

111 As discussed, it may be doubted whether defamation damages do, indeed, sufficiently repair harm to reputation.
112 See, e.g., G. Phillipson, ‘Max Mosley Goes to Strasbourg: Article 8, Claimant Notification and Interim Injunctions’ (2009) 1 Journal of Media Law 73; A. Scott, ‘Prior Notification in Privacy Cases: a Reply to Professor Phillipson’ (2010) 2 Journal of Media Law 49.
113 Mosley v. The United Kingdom, above n. 37.


are less apposite than the considerations normally applicable to defamation claims. The Court of Appeal in Greene v. Associated Newspapers stressed the distinction between defamation claims and cases that raise issues of privacy or confidentiality. The rationale of providing interim relief more generously in cases involving confidential or private information is that confidentiality and privacy will be lost completely and irretrievably if an injunction against disclosure is denied. Damages at trial are unable to restore privacy or confidentiality but merely compensate the claimant for the loss suffered as a consequence. In defamation a judgment in the claimant’s favour can have a more salutary impact on the situation because it contains the implicit finding that the defamatory allegations were untrue. A successful defamation trial therefore goes some way towards restoring reputation. This was already noted in William Blackstone’s Commentaries, which state that ‘a civil action for a libel … not only affords a reparation for the injury sustained, but is a full vindication of the innocence of the person traduced’.114 The idea that a judgment and compensatory damages provide sufficient vindication for the claimant continues to pervade the jurisprudence on defamation.115 However, effective vindication depends on a reversal of the effect the disparaging allegations have had on the claimant’s standing in the community. A defamation verdict for damages after lengthy proceedings may achieve little in this regard.116 As stated by the Supreme Court of Canada:

A defamatory statement can seep into the crevasses of the subconscious and lurk there ever ready to spring forth and spread its cancerous evil. The unfortunate impression left by a libel may last a lifetime. Seldom does the defamed person have the opportunity of replying and correcting the record in a manner that will truly remedy the situation.117

114 W. Blackstone, Commentaries on the Laws of England: Book the Third, E. Christian and J. F. Archbold (eds.), (Philadelphia: Robert S. Small, 1825), p. 126 (notes).
115 Uren v. John Fairfax & Sons (1966) 117 CLR 118, 150; approved in Broome v. Cassell & Co Ltd [1972] AC 1027, 1071 (Lord Hailsham LC).
116 Empirical evidence confirms that victims of defamation, immediately after publication, are most interested in achieving a swift correction of the public record to restore their reputation: F. Schauer, ‘Social Foundations of the Law of Defamation: a Comparative Analysis’ (1981) 1 Journal of Media Law and Practice 1; R. P. Bezanson, G. Cranberg and J. Soloski, ‘Libel Law and the Press: Setting the Record Straight’ (1985) 27 Iowa Law Review 215, 220.
117 Hill v. Church of Scientology of Toronto [1995] 2 SCR 1130, [166] (La Forest, L’Heureux–Dubé, Gonthier, Cory, McLachlin, Iacobucci and Major JJ).


There may be cases in which a successful defamation verdict may have so little effect in restoring the claimant’s reputation that only interim relief against an (impending) publication would protect the claimant’s right to reputation effectively. For this reason, it may be necessary to reconsider the court’s approach to defamation remedies in light of the Convention requirement for an ‘effective remedy’. The answer to the question of whether damages will be an adequate remedy differs from case to case. Neither in cases of defamation nor invasion of privacy can it be assumed that vindication through damages will be sufficient for the effective protection of the plaintiff’s rights. The more flexible approach under s. 12(3) of the HRA allows for a consideration of the relevant factors. There is no reason why a court should not have regard to the fact that the claimant is predominantly concerned with the protection of reputation, even though the claim is brought under misuse of personal information. However, the ‘nub of the claim’ should be relevant only in the exercise of the court’s discretion whether an award of damages is an adequate remedy, rather than lead to the application of the rule in Bonnard v. Perryman to cases of misuse of personal information. This would ensure that the restrictive rule against prior restraint would not create a bar to injunctions in the overlap of privacy and defamation, but at the same time allow for the concerns underlying the rule in Bonnard v. Perryman to be taken into account where reputational interests outweigh privacy interests.

Avoiding uncertainty

Another pragmatic argument against the approach proposed in Terry (formerly LNS) v. Persons Unknown is that it increases legal uncertainty. It will often be difficult to decide whether a claim is ‘properly regarded’118 to be a claim for privacy, or whether it was in reality brought to protect reputation. In some cases, the claimant’s conduct of the proceedings may make this decision easier, for example where a claimant initiates defamation proceedings but, when faced with difficulties of obtaining injunctive relief, replaces this claim with, or adds, a claim in privacy.119 However, where there are no such extrinsic indicia, no clear criteria exist to determine whether the ‘nub of the claim’ is about privacy or reputation. The distinction between privacy and reputation is elusive because

118 RST v. UVW [2009] EWHC 2448 (QB), [2009] EMLR 13.
119 E.g., Service Corporation International plc v. Channel Four Television [1999] EMLR 83, 89.


the two concepts overlap, as they both concern dignitary interests and the personality of the claimant. It is made all the harder because neither defamation nor privacy have clearly defined contours. The difficulty of defining privacy is notorious and has often been cited as the main reason why privacy should not be recognised as a directly enforceable legal interest.120 Recent scholarship into reputation points out that this interest similarly combines multiple aspects and that its scope depends on context and viewpoint.121 While reputation can be said to be more concerned with the public persona and privacy to be more concerned with the private persona, this distinction is not sufficiently precise to serve as a basis for categorising a claim. Requiring a court to divine what interest the claimant is ‘really’ seeking to protect puts a ‘premium on … clever drafting’122 and invites ‘undue – perhaps untenable – speculation’.123 The preferable solution, in particular in interim proceedings where the evidence, by definition, is scant, is to adopt an approach that avoids unnecessary uncertainty. Until the different tests for privacy and defamation injunctions have been revisited and reconciled, courts should decide on interim relief by reference to the accepted test for each cause of action. This does not mean that a court would be prevented from taking into account why an action has been brought. Where the protection of reputation is the dominant purpose, a court may exercise its discretion to deny an interim injunction on the basis that vindication through damages at trial is a sufficient remedy.

Conclusion

Obtaining interim relief for alleged invasions of privacy is critical for many claimants. If an injunction is granted, freedom of expression is

120 R. Gavison, ‘Privacy and the Limits of Law’ (1980) 89 Yale Law Journal 421, 424; R. Wacks, ‘Why there Will never Be an English Common Law Privacy Tort’ in A. Kenyon and M. Richardson (eds.), New Dimensions in Privacy Law: International and Comparative Perspectives (Cambridge University Press, 2006), p. 154.
121 E.g., D. Rolph, Reputation, Celebrity and Defamation (Aldershot: Ashgate, 2008); L. McNamara, Reputation and Defamation (Oxford University Press, 2007); R. Post, ‘The Social Foundations of Defamation Law: Reputation and the Constitution’ (1986) 74 California Law Review 691.
122 G. Busuttil and P. McCafferty, ‘Interim Injunctions and the Overlap between Privacy and Libel’ (2010) 2 Journal of Media Law 1, 8.
123 A. Scott in A. Mullis and C. Doley (eds.), Carter-Ruck on Libel and Privacy, 11th edn (London: LexisNexis, 2010), [21.32].


curtailed and a media organisation will often lose interest in fighting the ban and pursuing the story. If an injunction is withheld, private information may irretrievably reach the public domain and a claimant will be left with the imperfect remedy of damages. Privacy and defamation are related interests, but they differ as far as the availability of injunctive relief is concerned. The established practice in defamation law has been that interim relief will be granted only in the clearest of cases, where the defendant is bound to fail with any defences. The potential injury to the claimant’s reputation is regarded as the price to pay for a free public debate and damages for loss of reputation are seen as a sufficient vindication. The rise of privacy as a legal interest has cast doubt on this orthodoxy, described as the rule against prior restraint. While s. 12 of the HRA imposes higher hurdles on injunctions against alleged invasions of privacy than for other legal wrongs not involving the defendant’s freedom of expression, the hurdles are still lower than in defamation law. Under the interpretation given to s. 12(3) of the HRA, the applicant will usually need to demonstrate that they are ‘more likely than not’ to succeed at trial. This assessment will require the court to balance the competing interests in private life (protected in Article 8 of the ECHR) and freedom of expression (protected in Article 10 of the ECHR) in each case. This leaves little room for generalised principles, such as the rule against prior restraint in defamation, that disregard the impact of granting or withholding interim relief on both parties’ respective human rights. Some recent cases, in particular Terry (formerly LNS) v. Persons Unknown, have highlighted the tensions that exist between both tests. These tensions need to be resolved in the difficult cases where a claimant could proceed both under privacy and defamation.

This chapter has discussed what test should apply to the grant of interim injunctions in such cases. Some courts have expressed the view that it may amount to an abuse of process to circumvent the rule against prior restraint by relying on privacy where the ‘nub’ of the complaint is about reputation. Commentators have objected to this approach because it has the potential to undermine the protection of private life and creates unnecessary uncertainty. After evaluating the conflicting arguments, this chapter concludes that principle, policy and pragmatism point to allowing the claimant to choose the cause of action to rely on and for the court to respect this choice in proceedings for interim relief. The availability of injunctive relief should be examined by reference to the established rules for each cause of action. If the claimant brings an action in misuse of personal information, the


court should decide on the availability of interim relief by employing the approach prescribed by s. 12 of the HRA, which the House of Lords interpreted as a requirement, in most cases, for the claimant to establish that it is ‘more likely than not’ that he or she will succeed at trial. In terms of principle, the ECHR requires the courts to provide effective redress for invasions into private life. This obligation is not diminished when the information is not only private but also defamatory. It would be paradoxical if a claimant in those cases would be in a worse position than another claimant who seeks to prevent the publication of matter that is merely private but does not damage reputation. It therefore does not constitute an abuse of process if the claimant relies on misuse of private information (or breach of confidence) even though the matter also raises issues of reputation. As far as policy is concerned, there is no reason why the rule in Bonnard v. Perryman (‘defamation injunction only where the defendant is bound to fail’) should enjoy priority over the approach under Cream Holdings Ltd v. Banerjee (‘privacy injunction where claimant is likely to win’), where both causes of action overlap. The rationales of the orthodox rule against prior restraint (significance of freedom of expression, protecting the right to a jury trial, the difficulty of deciding who will win at trial) do not require that this rule also govern cases in the overlap between defamation and privacy. Indeed, the jurisprudence of the European Court of Human Rights and the Defamation Act 2013 (UK) may require that the judicial approach to interim injunctions also be re-evaluated in standard defamation cases. There are also pragmatic reasons for respecting the claimant’s choice of cause of action. Interim proceedings should not be complicated by imposing on courts the slippery task of determining whether the application was motivated by a desire to protect privacy or reputation. Both interests frequently overlap and are, in any event, not so clearly demarcated that this distinction can be easily made. This is even harder before trial, when evidence is, by necessity, scant and difficult to evaluate. However, where a reputational interest dominates a privacy claim, a court is not prevented from having regard to this in the exercise of its discretion that damages at trial would be an adequate remedy so that an interim injunction would not be justified.


Index reputational damage, 42 Sony PlayStation Network, 6, 36–7 Telstra Corporation Ltd investigation, 38–9 USA and UK, 36–7 data controller, 48–9, 152–3, 333 proposed EU Regulation, 333 data processing, 48–9, 151–5 household exemption in proposed EU Regulation, 324–6 data protection, see also personal data; physical privacy; privacy protection; right to be forgotten debate common law jurisdictions, 158 cross-border issues, 6, 9, 13, 43–4, 49, 70, 98–9, 110–12, 129–35 EU privacy law reform process, 8–10, 65–71 European Convention on Human Rights (ECHR), 4, 8, 10, 80–2 Data Protection Act 1998 (UK), 14, 151–5, 218–21 data security breaches USA and UK, 36–7 challenges, 41–2 defamation actions Bonnard v. Perryman rule, 418–22 effect of Human Rights Act 1998 (UK), 420–2 misuse of private information distinct from, 418–19 overlap with privacy actions regarding injunctive relief, 27, 422–38 determinations Australia, 37–8, 54–5 Diana, Princess, 77 direct marketing use of personal information in Australia, 52–3 DNA samples legal decisions on retention, 81–2 doorstepping offence, 147 emails protection under Art. 7 of the EU Charter, 87–8

443

enforcement of privacy laws Australia, 6, 7–8, 35, 37–8, 49, 51, 53–5 Convention 108, 99–101 importance of, 9–10 proposed EU Regulation to emphasise, 69–70 regulator effectiveness, 59–60 USA and UK, 36–7 equity treating privacy as a right in equity, 17, 174–8 ethics of the press, see also Leveson Report cloud computing data privacy law, 24–5 online privacy compared with US, 24, 280–2 European Charter of Fundamental Rights, 8, 10, 64–6 communication, 87–8 European Union Data Protection Directive 95/46/EC, 8, 64, 65, 82, 260, 267–71, 275–6, 300–2, 308–16, 357–60 Data Retention Directive, 361–2 Directive on Privacy and Electronic Communications, 360–1 E-commerce Directive, 330–1 General Data Protection Regulation (GDPR), 8–9, 25, 66–71, 274–7, 288–9, 290–3, 311–31, 362–4 European Convention on Human Rights (ECHR), 3, 4, 8, 10, 62, 75–6, 385–8, 426–9 Art. 8 as a qualified right, 88–9 correspondence, 87–8 family life, 8 home, 86–7 positive obligations, 88–9 European Court of Human Rights (ECtHR), see also European Convention on Human Rights European Union cloud computing data privacy law, 356–66 data privacy law reform process, 8–10, 65–71 development, 63

444

Index

European Union (cont.) online privacy compared with US, 341–3 online privacy rules, 357–66 Facebook, 1, 14, 24, 138, 342–3 penalty for privacy misconduct, 36 family life protection under ECHR art. 8, 85–6 fi lming unwanted watching and/or visual recording, 145–7, 155–6, 221–3 fingerprints legal decisions on retention, 81–2 freedom of expression online, 299–302 freedom of speech/press media organisations in actions for privacy breaches and defamation, 27, 417 Princess Caroline case, 10–11, 83–4 Section 12 Human Rights Act 1988, 413–14 versus privacy protection, 17–19 Gellman, Robert, 1 Germany cloud computing data privacy law, 24–5, 356–7, 364–6 human rights protection in constitution, 3 Princess Caroline privacy case, 10–11, 83–4 Global Privacy Enforcement Network, 6, 43, 70 Google, 1, 14, 24, 138 inquiries into data breaches, 343 privacy policy, 42–3 GPS technologies, 204–5 harassment, 147, 149–51, 198 health privacy, 56–7 home protection under ECHR art. 8, 86–7 Hong Kong Data Protection Ordinance, 344 HSBC Bank, 36 human rights, see also European Charter of Fundamental Rights; European Convention on Human

Rights (ECHR), International Covenant on Civil and Political Rights (ICCPR) constitutional protection, 3 legislation, 3–4 privacy recognised as, 3–5, 8, 10, 15, 32–3, 76–8 treaties and conventions, 3–5, 8 Human Rights Act 1998 (UK), 3–4, 26, 385, 409–10, 420–2 Section 12, 413–14 identity, see also anonymity ambiguity concerning IP address, 21, 266–7, 274–5, 283–7 Individual Health Identifiers (IHIs) in Australia, 56–7 legislative prohibitions in Australia, 383–5 management initiatives in Australia, 57 pros and cons of anonymity, 398–405 right to protection, 78–9 information privacy Data Protection Act 1998 (UK), 14, 151–5, 218–21 Germany, 356–7 Privacy Act 1988 (Cth), see Privacy Act 1988 (Cth) injunctions, interim, see interim injunctions integrity right to protection, 78–9 interim injunctions application for, 389–90 balance of convenience test, 415–18 gauging likelihood of success at trial, 414–15 implications of Section 12 Human Rights Act 1988 (UK), 413–14 in conjunction with anonymity orders, 26, 391–8 John Terry case, 423–4 media organisations, 413–14, 417 overlap between privacy and defamation actions, 27, 422–38 significance of, 411–12 versus damages remedies, 416–17

Index International Covenant on Civil and Political Rights (ICCPR), 3, 32–3, 116 Internet, see also cloud computing; online privacy application of data privacy terminology, 21–2, 262–71 intermediaries, 330–1, 333–7 Leveson Report response to press arguments regarding material already on the Net, 194–5 surveillance, 283–7 tensions between ‘open’ logic and data privacy law, 22, 271–90 US data privacy policy, 277–82 Internet Service Provider (ISP) Data Retention Directive, 361–2 whether IP address amounts to personal data, 21, 266–7, 274–5, 283–7 intrusion on seclusion, see also physical privacy; privacy protection manner of protection, 14–16 UK laws, 14–16 investigations privacy breaches, 38–9 Telstra Corporation Ltd, 38–9 letters protection under Art. 7 of the EU Charter, 87–8 Leveson Report, 141–2 background, 180–1 damages, 195–7 impact on privacy law, 18–19, 197–9 treatment of privacy, 189–92 treatment of the press arguments, 192–5 Lisbon Treaty, 8, 10, 64–6 litigants anonymity, 26, 398–405 Malaysia Personal Data Protection Act, 344 marketing Australian action on unsolicited, 57–8

445

mass media declining standards, 3 media anonymity orders, 26, 403–4 freedom of speech issues, 27 interim injunctions, 413–14, 417 Leveson Report, 18–19, 141–2, 180–1, 189–95 Princess Caroline case, 10–11, 83–4 protection of privacy legal cases, 10–11 surveillance in Australia, the UK and the US, 224–5 medical records violation of Art. 8 ECHR case, 90 misuse of personal information action overlap with defamation, 27, 422–38 defamation actions distinct from, 418–19 Leveson Report, 18–19, 141–2, 180–1, 189–95 UK court decisions, 410–11 Morocco request for accession to Convention 108, 105–7 naming, see anonymity; identity national security, 81 ECHR Art. 8 as a qualified right, 88–9 New Zealand data protection laws, 343–4 human rights legislation, 3 notification data breaches in Australia, 39–40, 59 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, 12, 45, 63, 134 online privacy Australia, 346–51 cross-border issues, 9, 49, 70 Europe and USA compared, 24, 280–2, 341–3 European rules, 357–66 freedom of expression, 299–302 social media, 2–3, 22–3, 312–13, 323–31, 333–7

446

Index

penalties data breaches USA and UK, 36–7 personal data, see also Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention 108); data breaches; data protection; misuse of personal information; physical privacy; right to be forgotten debate ambiguity concerning IP address, 21, 266–7, 274–5, 283–7 cloud data rules in the EU and Germany, 24–5, 356–66 definition, 218–19 online sources, 7 persistent online data debate, 22–3, 293–6, 312–13, 323–31, 333–7 processor’s obligations, 151–5 protection by European Charter of Fundamental Rights, 10, 65–6 protection under ECHR, 80–2 right to erasure, 306–11 social media privacy issues, 2–3 unwanted access to personal documents and fi les, 147–8 use in direct marketing in Australia, 52–3 Personal Data Protection Act 2012, 344 phone calls, see also telecommunications bugging, 87–9, 144–5, 156, 208, 217–18 protection under Art. 7 of the EU Charter, 87–8 photography ECtHR cases, 11, 83–4 Leveson Report on press intrusion, 191–2, 194 unwanted visual recording, 145–7, 221–3 physical privacy, 78–9, see also surveillance harassment, 147, 149–51, 198 international developments, 142 United Kingdom legislation, 143–51 unwanted access to personal documents and fi les, 147–8

unwanted access to private space or belongings, 148–9 unwanted listening and/or audio recording, 87–9, 144–5, 156, 208, 217–18 unwanted watching and/or visual recording, 145–7, 204, 221–3 press, see also mass media; media Leveson Report, 18–19, 141–2, 180–1, 189–95 privacy distinct from confidentiality, 17, 174–8, 412 human right, 3–5, 8, 10, 15, 32–3, 76–8 invasive technologies, 1–3, 19–20, 31–2, 204–5, 208–10, 295–6 meaning, 1–3, 15–16 Privacy Act 1988 (Cth) exemptions, 6, 55, 344 privacy codes Australia, 53 privacy notices, 47–8 privacy policies, 42 Google, 42–3 privacy protection, see also data protection; injunctions; intrusion on seclusion; personal data; physical privacy challenges, 46–9 common law jurisdictions, 157–60 English common law of privacy, 181–9, 221–3 interaction with competing rights, 17–19 Princess Caroline case, 10–11, 83–4 statutory cause of action, 17, 44–5, 58, 179 tort law, 15, 16–17, 160–74 versus freedom of speech, 17–19 private life concept of, 76–8 ECHR Art. 8, 10, 11, 76–84, 426–9 Princess Caroline case, 10–11, 83–4 sexual behaviour, 78–9 social aspects, 79–80 Protection from Harassment Act 1997 (UK), 147, 149–51, 198

Index public figures English privacy law, 183–6 Leveson Report on press conduct, 189–95, 197–8 Regulation of Investigatory Powers Act 2000 (UK), 144–5, 146, 147–8, 217–18 responsibility proposed EU Regulation to emphasise, 68–9 retention of data Data Retention Directive, 361–2 right to be forgotten debate, 281–2, 293–6 internet intermediaries, 333–7 legal case for, 296–9 reform proposals, 290–3, 311–31 right to erasure distinct from, 306–11 right to oblivion distinct from, 302–5 social media, 22–3, 312–13, 323–31, 333–7 security, see data security; national security sexual behaviour privacy rights, 78–9 Sexual Offences Act 2003 (UK), 145–6 Singapore Personal Data Protection Act 2012, 344 small businesses exemptions from Privacy Act 1988 (Cth), 6, 344 Snowden, Edward, 1–2 social aspects of private life, 79–80 social media anonymity issues, 405 household exemption in proposed EU Regulation, 324–6 privacy issues, 2–3 right to be forgotten debate, 22–3, 312–13, 323–31, 333–7 Sony PlayStation Network personal data breaches, 6, 36–7 sports personalities English privacy law, 184–6

447

Leveson Report on press conduct, 189–95, 197–8 John Terry case, 423–4 supervision of data protection proposed EU Regulation to emphasise, 69–70 surveillance Australian regulation, 19, 208–12 interference with right under ECHR Art. 8, 88–9 Internet, 283–7 media organisations in Australia, the UK and the US, 224–5 regulation, 206–7 significance in public places, 201–5 types, 225–6 UK regulation, 19, 217–23 unwanted watching and/or visual recording, 145–7, 221–3 US regulation, 19, 212–17 surveillance technologies, 19–20, 204–5, 208–10, 295–6 Anti-Social Behaviour Orders (ASBOs), 20 technology, see also surveillance technology privacy-invasive, 1–3, 19–20, 31–2, 204–5, 208–10, 295–6 telecommunications, see also phone calls interception, 87–9, 144–5, 147–8, 156, 208, 217–18 privacy-negative initiatives in Australia, 55–6 Telstra Corporation Ltd investigation, 38–9 tort law privacy protection, 15, 16–17, 160–74, 410–1 trespass unwanted access to private space or belongings, 148–9 United Kingdom anonymity orders, 26, 385–98 common law of privacy, 181–9, 221–3, 410–1

448

Index

United Kingdom (cont.) data breaches, 36–7 Human Rights Act 1998 (UK), 3–4, 26, 385, 409–10, 413–14, 420–2 physical privacy legislation, 143–51 surveillance regulations, 19, 217–23 United States data breaches, 36 human rights protection in constitution, 3, 4 internet data privacy policy, 277–82 issues with interoperability and mutual recognition of data protection agreements, 133–5

online privacy compared with Europe, 24, 280–2, 341–3 pressure to comply with Convention 108, 137 surveillance regulations, 19, 212–17 Uruguay accession to Convention 108, 104–5 US National Security Agency (NSA) Operation PRISM, 1–2 user control proposed EU Regulation to enhance, 68 Warren, Samuel D., 31–2, 160–1, 338–9