Greenleaf, Graham --- "Reporting privacy complaints Pt 1: A proposal for systematic reporting of complaints in Asia-Pacific jurisdictions" [2002] PrivLawPRpr 30; (2002) 9(3) Privacy Law and Policy Reporter 41

Reporting privacy complaints Pt 1: A proposal for systematic reporting of complaints in Asia-Pacific jurisdictions

Graham Greenleaf

This article is based on a paper prepared for a workshop at the International Conference of Privacy and Data Protection Commissioners, Cardiff, UK, September 2002.

Privacy Commissioners in Asia-Pacific jurisdictions that have information privacy laws have widely differing practices in how (or whether) they report the results of the complaints they investigate. This article compares these practices in the jurisdictions of Hong Kong, New Zealand, the Australian jurisdictions (Federal, New South Wales and Victoria) and the Canadian jurisdictions (Federal, British Columbia, Ontario and Quebec). Other Australian and Canadian jurisdictions receive brief mention.

The first part of this article puts forward proposals for the systematic reporting of complaints investigated which could provide a basis for a more uniform approach, and would result in improvements to various practices. The second part of the article is a critical description of the existing practices in each jurisdiction ,on which the proposals are based.

Why reporting is needed

In those Asia-Pacific jurisdictions that have information privacy laws, provision is usually made for complaints about breaches of the law to be made to a statutory official,[1] most commonly known as a Privacy Commissioner.

Few cases under information privacy laws ever reach the courts, whether in Asia-Pacific or European jurisdictions.[2] The reasons vary between jurisdictions, and in some cases include the lack of sufficient rights to appeal or to seek judicial review.[3] Whatever the reasons, the result is that the overwhelming majority of complaints ,of breach of privacy laws are resolved by Privacy Commissioners, whether by mediation or by exercise of binding dispute resolution powers where they have them. Since only a tiny number of issues requiring legislative interpretation will ever reach the courts, on most points the law is in effect what the Privacy Commissioner says it is.

If details of these complaint resolutions by Privacy Commissioners are not effectively available to the interested public, the consequences are generally adverse. Some adverse consequences are as follows.

• Potential complainants or respondents (or their professional advisors) have precious little information about how the law is interpreted, and little idea of what arguments they need to raise. It ,is irrelevant that the Commissioner’s decisions do not constitute legal precedents binding on himself or herself or others.
• Potential parties know little about the remedies which have been granted in the past, and so have little guide as to whether a complaint is worth pursuing, or what might be a sensible stance to take in settlement negotiations. There is always a ‘going rate’ for any type ,of injury.
• Privacy remains a Cinderella area of legal practice as it does not have even ,a vestige of the most important aspect of ‘real’ law, that is, decisions.[4]
• Scholars are hampered in the development of a privacy jurisprudence as they have no basis for a critical analysis of how the Commissioner ,is interpreting the relevant Act.
• The press, consumer organisations ,and privacy advocates are impeded in keeping watch on the adequacy or fairness of Privacy Commissioners’ decisions and remedies.
• The deficiences of the laws being administered by Commissioners are not convincingly illustrated. As a result, few examples of those deficiencies can be cited by those pressing for law reform.
• Non-publication allows Privacy Commissioners to ‘bury their mistakes’, so that any misinterp-retations of the law, and any failures ,to insist that government agencies and business interests provide adequate remedies in individual cases, are less likely to come to light.
• Even if a Privacy Commissioner succeeds in resolving all complaints fairly and legally, the deterrent effect ,of publishing examples of what constitutes breaches (and the remedies that may follow) is lost. In this sense, valuable educative resources are squandered.
• Even if justice is being done, it is not seen as being done.
• Privacy Commissioners are increasingly considering co-operating in the resolution of complaints with cross-border elements. To do so they will need to better understand each other’s complaint resolution practices.

Of course, there are countervailing factors. Publication of complaint resolutions is only one aspect of the transparency and educational role of a Privacy Commissioner, and different views can be taken of where Privacy Commissioners, who often have inadequate resources, should place their priorities. Some Commissioners with a very effective record in other forms of public communication are very poor at reporting complaints, but we should not over-emphasise this since it is much easier and less contentious to publish ‘feel good’ information exhorting compliance with an Act than it is to identify those who fail to comply.

The need for complaint reporting is also sometimes difficult to reconcile ,with the desire to mediate a settlement between the parties, but this can usually be dealt with by anonymisation. Where ,it cannot, it should be a matter of case ,by case assessment, not a general reason for non-publication. This is discussed later.

This article suggests improvements to the reporting practices of some Privacy Commissioners who already implement many good practices. In other instances ,it is more critical. However, it should ,be borne in mind that current Commissioners may have inherited practices from their predecessors, and ,not yet had adequate opportunity, or resources, to remedy them.

A neglected issue

There have been occasional calls for more effective reporting of complaints ,by Commissioners, but this issue has not yet commanded the attention it deserves. I have occasionally raised the matter.[5] The problems caused by lack of sufficient reporting have been noted ,in relation to other jurisdictions by Bygrave,[6] who gives details of the inadequacies of Norwegian reporting practices. He calls for more extensive reporting as a solution, but does not provide details of what this requires. ,The need for greater disclosure and transparency in the handling of ,decisions was also raised at the launch ,of the Australian Federal Privacy Commissioner’s public opinion research, and illustrated by demands from Canadian lawyers to the Canadian Privacy Commissioner.[7]

Factors needing further consideration

This article focuses on current practices in the publication of decisions. There are three related issues touched ,on in passing at various points, the comprehensive coverage of which ,would require separate papers.

Publication requirements ,and prohibitions

The first factor is the extent to which privacy legislation in the various jurisdictions either requires or prohibits the publication of decisions, or prohibits certain aspects of publication such as the identification of one or both parties. These matters are discussed at various points, but comprehensive discussion would require another article. However, it may be stated that in general there are relatively few legislative requirements one way or the other, except in some cases relating to identification of complainants. The scope and nature ,of publication is left to a large extent ,to the discretion of Commissioners.

Access to legislation and ,delegated legislation

Another related issue is the extent to which Privacy Commissioners publish ,or make accessible the legislation under which they operate. This includes not only the primary legislation (which is almost always available), but more importantly the delegated legislation that affects them, whether it is made by governments (for example, regulations) or is made by the Privacy Commissioner in the form of guidelines, determinations, codes, exemptions and the like. A separate study would be required to compare these publication practices and their adequacy.

Legal effects of Commissioner’s decisions

Unlike some courts, administrative officials like Privacy Commissioners ,are not bound to follow their own previous decisions (nor, of course, ,those of Commissioners in any other jurisdiction). On the other hand, it is unlikely that Privacy Commissioners would be prohibited from considering how they had dealt with previous complaints similar to the one before them, or how other Commissioners had dealt with similar complaints, if only to inform themselves of the range of issues that had been taken into account on previous occasions and that it might ,be relevant for them to consider.

However, to go beyond such simple propositions is difficult because of differences in the administrative law of the 10 or so Asia-Pacific jurisdictions that have Privacy Commissioners. Laws may differ concerning such matters as what constitutes:

• relevant or irrelevant considerations that administrators may or may not take into account;
• requirements of consistency in administrative actions;
• requirements of administrators to adhere to announced policies; and
• the conditions under which judicial review of administrative action is available.

These matters are beyond the scope ,of this article.

Irrespective of these administrative law differences, we can generalise to say that the publication of Commissioners’ decisions increases the likelihood that apparently inconsistent decisions by Commissioners will be subjected to judicial review, and that Commissioners would feel more constrained (irrespective of the legal position) to act consistently if inconsistencies will be pointed out to them by dissatisfied parties, critics and others. These effects are generally desirable.

Complaint reporting practices of Asia-Pacific Commissioners

The complaint reporting practices in each of the major jurisdictions in the Asia-Pacific that have information privacy laws will be outlined in Pt 2 ,of this article. They are assessed ,against two main criteria.

1. Do they help all interested parties understand how the Privacy Commissioner is interpreting the privacy law(s) of the jurisdiction?

2. Do they help all relevant parties understand the range of outcomes reached in individual complaints and whether those outcomes provide reasonable redress for the complainants, and only impose reasonable burdens ,on the respondents?

Terminology has been simplified in order to make comparisons easier. Although the officials responsible for privacy have different names in different jurisdictions, ‘Privacy Commissioner’ is used most frequently and I have used that as the generic. Similarly, the expression ‘IPP’ is used generically to refer not only to ‘Information Privacy Principles’, but also ‘National Privacy Principles’, ‘Data Protection Principles’, ‘Privacy Protection Principles’ and the like.

In order to make sense of the different types of reporting practices between jurisdictions, we must distinguish between four broad categories:

• mediated complaints — where a Privacy Commissioner investigates a complaint and mediates to obtain a resolution accepted by both parties, so that no binding determination is made (whether or not it could be made);
• determined complaints — where a Privacy Commissioner has power to make decisions to resolve a complaint and these are binding on the parties,[8] subject to any right of appeal which may exist;
• appeals against and reviews of a Privacy Commissioner’s decisions; and
• other privacy decisions — decisions outside the scope of a Privacy Commissioner’s functions, such as where an Act gives only a court the power to award damages or an injunction.

Comprehensive reporting practices require all four types to be addressed.

Reporting of decisions ,about Commissioners ,and privacy Acts

Although this article focuses on the reporting of dispute resolutions by Privacy Commissioners (the first two categories above), the responsibilities ,of Privacy Commissioners should ,also extend to making accessible the decisions of courts and tribunals about Privacy Commissioners and the legislation they administer (the third ,and fourth category above).

The availability of decisions of tribunals or courts in appeals against, ,or judicial review of, Privacy Commissioners’ decisions varies a ,great deal between jurisdictions.

In Australia, once decisions on privacy complaints go beyond Commissioners by way of judicial review or appeal,[9] all Australian jurisdictions provide accessible reports of the decisions of the succeeding levels of dispute resolution. The decisions of the relevant Australian appellate tribunals and courts[10] are ,all included on AustLII.[11] There is therefore no theoretical issue concerning the availability of these decisions in Australia,[12] and no practical issue ,for those who know where to look. However, most businesses, some complainants, and even inexperienced advisors, would not know how to find these decisions. It is highly desirable, and takes little effort, for the websites of Australian Privacy Commissioners to provide links to these decisions. The Federal Commissioner’s site does not provide this as yet.[13] (As to NSW, see below).

In contrast, decisions of the Administrative Appeals Board in Hong Kong, which hears appeals against the Privacy Commissioner’s decisions, are not yet available on the internet, and their existence and content is only known to a small group of people in government and at the Bar. Similarly, the pathetic state of internet access to case law of New Zealand courts and tribunals means that there is little effective public access to the decisions of some of the bodies that review decisions of the Privacy Commissioner. Under these circumstances, the best ,that can be expected of Privacy Commissioners is that their websites identify those decisions that have reviewed the Privacy Commissioner’s decisions and (if possible) provide a brief summary of the decision. The ,NZ Commissioner does this, but the HK Commissioner does not.

Similarly, some privacy legislation provides rights that can only be pursued before a court or tribunal, and the Privacy Commissioner is not necessarily involved in these decisions. Examples are s 66 of the Hong Kong Personal Data (Privacy) Ordinance,[14] which requires court proceedings if a complainant wishes to obtain compensation, and s 98 of the Privacy Act 1988 (Cth),[15] which allows any person to seek an injunction against breaches of the Act. If there are cases interpreting these provisions (there is one in Hong Kong, but none in Australia), then it would be very desirable for the Commissioners’ websites to provide links to them. Neither does so. The NSW Commissioner’s site does provide such links to Administrative Decision Tribunal (ADT) decisions on appeals against agency decisions,[16] and furthermore publishes summaries ,of ADT decisions in print and on its website as part of a ‘Newsletter for Privacy Contact Officers’.[17]

A proposal for systematic complaint reporting

Informed by the above review, this discussion now sets out under eight headings the elements that need to be included in a comprehensive complaint reporting system.

It appears that there is nothing to prevent Privacy Commissioners at least publishing anonymised reports of complaints determined or mediated, but the position concerning identification differs between jurisdictions. As set out in the introduction to this article, there are very strong public interest reasons for systematic publication of such reports.

Choice of complaints reported

It is unrealistic and unnecessary to expect Commissioners’ offices to prepare for reporting details of the outcomes of every complaint they resolve: many will be trivial or repetitive of settled matters and only of statistical interest (which is a separate question).

It is sufficient if ‘significant’ complaints are reported, but it is not ,a simple matter to define what is ‘significant’, and there are no clear standards in the existing practices. ,Some suggested factors are as follows.

• If a complaint involves the exercise ,of enforcement powers by a Commiss-ioner (where a Commissioner has such powers) then this is a strong indicator that it is significant unless ,it is merely repetitive of many other complaints. If the numbers are small, all such complaints should be reported to avoid any need for selection.
• Although a complaint is dismissed (because it does not involve a breach of IPPs or an Act or for another reason), it is still significant if its dismissal involved a new interpretation of the law (or its application in a significant new context). It may also be significant in demonstrating that certain practices of public bodies and companies do not breach privacy laws (which may or may not be controversial).
• Although a complaint is settled to the satisfaction of the parties, it is still significant if it involves a new interpretation of the law (or its application in a significant new context). Mediation may involve conditions being imposed on what can be reported, and requirements ,of anonymity, but is not in itself a reason for non-reporting.
• If a case involves a different example or a remedy, or the provision of a remedy on a scale which is new, it is significant even if no new interp-retation of the facts is involved.
• Even if a complaint involves no new interpretation of law, or no new or greater remedy, repeated examples ,of very important types of complaint are worthwhile.
• Findings that are contested by one ,of the parties to the complaint are usually worth reporting, as they may indicate both significant areas of disagreement within the community (and so areas where law reform might be desirable), or areas where the Commissioner’s interpretation of the law could be questioned.
• The criteria of ‘seriousness’ will change over time, with illustrative complaints being more valuable in the early years of administration of new legislation, even if no significant interpretations ,or remedies are involved.

Commissioners should state publicly the criteria on which they report complaint resolutions.

In the absence of agreement on a standard of significance, Commissioners should report matters that they consider significant, and explain their criteria. ,If and when a standard emerges it ,can be applied prospectively.

Naming of respondents ,and complainants

Naming of either respondents ,or complainants in the reports of complaints is not essential for a valuable reporting system, but naming of both may be valuable in some situations (as proposed below). The Privacy Acts in each jurisdiction may also impose limitations on identified reporting, but not on de-identified reporting. This must be considered separately in each jurisdiction.

In default, the complainant should not be named because the nature of privacy complaints is such that to do ,so would exacerbate the harm to or interference with privacy. However, some complainants may prefer to be named, as this helps to provide public vindication of the complainant. A reporting system should allow a complainant to elect to be named, except where this is inconsistent with ,a mediated settlement.

In relation to public sector respondents, the default position is that they should be named as is the practice in most jurisdictions considered. Where disclosure of the respondent would prejudice the position of a successful complainant (for example an employee of a small public agency who could be identified if the agency was named), the agency should not be named. It is undesirable for public bodies to attempt to hide their breaches of the law behind settlements requiring that they not be named (or Commissioners’ practices to this effect). Within their powers, Commissioners should insist that public body respondents be named, unless the agency provides a compelling public interest reason not be to named (which should be disclosed, as far as possible, in the report). All complaints where agencies raise non-naming demands should automatically be reported, as that is itself an issue of significance.

In relation to private sector respondents, the practice of Commissioners seems to be to recognise that there are often good reasons not to name them, but different standards are applied as to when they should be named. Good reasons for non-naming include the following.

• The complaint was not substantiated (unless the respondent prefers public vindication).
• Non-disclosure of the respondent’s identity is essential to a mediated settlement, and the complainant desires this.
• The respondent’s conduct is only likely to have affected the complainant, and not others, and is not a very serious breach of the law.
• The respondent is a small organisation and the affect of adverse publicity would be disproportionate to any public benefit.
• There is a legislative requirement for non-naming in some jurisdictions.

Subject to what is allowed by law, any of the following should be sufficient reason for identifying a private sector respondent.

• The respondent’s conduct is likely to have affected persons other than the complainant, and cannot be remedied in relation to those other persons by the respondent.
• There has been a single very serious breach of the law, or repeated lesser breaches which have been brought ,to the respondent’s attention.
• The respondent may have demonstrated unwillingness to ,comply with the law (as distinct from expressing a bona fide disagreement over the meaning of the law).
• There may be other situations where the public interest would benefit from identification of respondents, due to its deterrent effect or otherwise.

In relation to private sector respondents, these proposals could be interpreted as a default position of non-identification, coupled with a readiness to identify where the interests of the complainant, others who may have been harmed by the conduct, or the public interest, justify identification, and subject to any strong objections which would make identification unfair in ,the particular case.

Level of detail in reports

In a nutshell, the level of detail needed is that which is sufficient for interested parties to obtain a full understanding of the legal issues involved and the essential steps in the Commissioner’s reasoning leading to their resolution. Sufficient factual circumstances should be included ,for the adequacy of the remedy ,to be understood in relation to ,the seriousness of effect on the complainant, and to allow comparison with potentially comparable complaints (subject to the privacy interests of the complainant).

One touchstone (at least in the Australian context) is the administrative law requirement in most Australian jurisdictions that a person can request an official to give a statement of reasons for a decision, along the lines of a statement which sets out the findings on material questions of fact, referring to the evidence or other material on which those findings were based and give the reasons for the decision.[18] Although ,the mediation of a complaint may sometimes not technically involve ,the making of a ‘decision’,[19] this nevertheless should be the standard ,that Commissioners aim to meet.

Existing reporting practices of Commissioners are very variable in this respect, even where Commissioners make a conscientious effort to publish complaint resolutions.

Good examples of the standard of reporting that can be achieved are those of the Canadian Federal Commissioner (for PIPEDA complaints), the Ontario Commissioner (for IPP complaints) and (to a slightly lesser extent) the NZ Commissioner.

In Australia and in Canada, the best examples of quality reporting are in reports of access and correction complaints by the Ontario and British Columbia Information and Privacy Commissioners, and the Queensland and Western Australian Information Commissioners. As mentioned earlier, ,it is hard to see why questions of collection, disclosure, security and ,use are so much harder to document than access and correction decisions. Perhaps the discipline of having to write determinations on FOI matters makes such offices more effective than others in documenting privacy complaints.

Indexing

Various forms of indexing of reported complaints make them much more accessible, but indexing is always labour intensive and difficult to do well. Indexing by addition of catchwords or lists of sections/IPPs considered, and/or by creation of consolidated indexes of complaints based on either method, has been undertaken by the Ontario and NZ Commissioners.

To some extent, the need for such intellectual indexing is reduced if a good search engine is available to search the text of decisions, but it is always the case in information retrieval that accessibility is maximised by providing a combination of both.

Whether either or both methods ,are used, or even more primitive preliminaries such as locating all ,reports in the one location ordered by date to start with, the point is that Commissioners must consider the accessibility of the whole set of complaint data they produce, and the likely research uses of the collection.

Regularity of reporting

The best practice, both from the perspective of the Commissioners’ offices and the needs of the recipients, ,is for complaints to be reported and disseminated as they are completed, rather than in periodic batches such ,as in annual reports.

The benefits of public reporting ,of complaint resolutions are to a significant extent diminished in proportion to the delay in public availability. Potential complainants and their advisers, and potential critics, need to be aware of practices as soon as possible so in order to respond to ,them. Those preparing secondary reports of complaints for publication (newsletters, journals, newspapers ,and so on) are usually not able to deal with large batches of them, but would prefer to receive them regularly, and ,as soon as possible after they are ,dealt with (while they are still ,‘news’).

A Commissioner should have a publicly stated standard that complaint reports will be prepared within a fixed time of a complaint being finalised. A month would seem ,a desirable standard, but this matter ,is of course subject to the resources available in a Commissioner’s office. An alternative view put forward by ,the NZ Commissioner’s Office is ,that about three months between completion and reporting is a safeguard against the likelihood of inadvertent identification, and against complaints that revive after being thought to be completed.[20]

Good practices in regular reporting are found in the practices of the Ontario, Canada (federal), and New Zealand Commissioners.

Reporting of decisions about Commissioners’ decisions

Privacy Commissioners should report on their own websites at least minimal details of appeals and judicial review of their own decisions to enable interested parties to obtain further details. A Commissioner’s Office is in the best position of anyone in a jurisdiction ,to know of all case law affecting the Commissioner and the legislation, as they must know this to carry out their own duties.

Publication of this information puts the publication of the Commissioner’s own decisions in context and prevents them being misleading because of lack of reference to decisions overturning or affirming positions the Commissioner has taken. Providing references to all decisions in a jurisdiction affecting the privacy legislation is also an important part of a Commissioner’s educational responsibilities and an efficient use ,of scarce resources. Many people interested in privacy law in a jurisdiction will only know to look ,at the website of their Privacy Commissioner, and so a ‘one stop ,shop’ for information about decisions ,is very valuable to them.

Examples from various jurisdictions of where such reporting is important, particularly given the poor availability of case law on the internet in some jurisdictions, have been given above.

Good practices in this regard have already been instituted by the Commissioners in New South Wales, Canada (federal), Ontario and (at least in print) New Zealand. However, none are as thorough or as informative as they could be with only a little more effort.

Provision of all of the following elements should be considered in relation to cases of appeal, judicial review or interpretation of privacy legislation:

• names of all cases;
• citations of any cases reported in print reports;
• links to the internet addresses (URLs) of any cases available on free access websites (or commercial ones, if known); and
• a statement of at least the outcome of any cases not accessible via the web, preferably with a brief summary.

Methods of publication

Two aspects need to be considered: self-publication by Commissioners, and secondary publication by others.

Self-publication

Self-publication of complaint resolutions via the web has significant advantages over print publication. It allows economical publication in greater detail, and of larger numbers of complaints. It can occur more rapidly and frequently. It allows complaint reports to be accumulated over time in one location (as opposed to scattered through annual reports), opening up the possibility of comprehensive searching using a search engine, or indexing (cataloguing). The Ontario Commissioner’s website is one that illustrates many of these virtues.

Print publication is, however, a valuable complement, in that it helps ,to avoid exclusion of those without internet access or familiarity, it can be used to reach different audiences, and it can be used as a means of archiving.

Self-publication can take various forms.

• The Commissioners’ own websites (some without search engines) are ,the logical point of first publication, given that all Commissioners have extensive websites.
• A Commissioner could maintain an email distribution service (as do the BC and WA Commissioners, and many courts and tribunals) to email out electronic versions to those interested enough to subscribe (which would include all secondary publishers).
• Selected summaries may continue to appear in the annual reports and newsletters published by Commissioners.

Secondary publishers

Commissioners should encourage ,republication of their complaint resolutions, or commentaries on them, as one of the most effective ways to improve knowledge of privacy law in ,a jurisdiction. The most valuable steps that they can take are to:

• give a general licence for republication of complaint reports with proper acknowledgment, subject to revocation if inappropriate (for example salacious) use is made; and
• provide the data electronically to anyone who wishes to republish, as efficiently and in as clean a format as possible (for example by an email list), and on the same terms as other publishers.[21]

Various forms of secondary publication are desirable and should ,be facilitated.

• ‘Headnotes’ or summaries of significant decisions, and probably ,the full text of selected decisions, are published by secondary publishers in various formats such as looseleaf services or periodicals.[22]
• Commercial legal publishers may ,be interested in publishing selected decisions in their online services.
• It would be possible for free access non-commercial legal websites (that is, Legal Information Institutes or LLIs) that cover all of the various Commissioners jurisdictions in the Asia-Pacific[23] to republish separate databases of each Commissioner’s decisions (as AustLII already does with the WA and Queensland Information Commissioners’ decisions), and to provide search facilities allowing each set of decisions to be searched both separately and jointly with other sets of decisions. These LIIs already publish the decisions of most of the courts and tribunals that hear appeals and judicial reviews of the Commissioners’ decisions.

If a relatively consistent form of publication could be developed, this would facilitate Commissioners, scholars and others developing a unified Asia-Pacific privacy jurisprudence, based on the similarity and inter-connectedness of our privacy legislation.

Official citations for complaints

It should be possible for all those ,who wish to refer to a complaint report to do so by an official citation that unambiguously refers to the same report and has an accepted designator for the Privacy Commissioner or other body publishing the report. It diminishes the benefit of publication of complaint outcomes if those who wish to refer to them cannot do so in an unambiguous and convenient way.

Some Privacy Commissioners, such as those in Ontario and New Zealand, ,have adopted numbering systems for complaint reports, but these are not full citation systems in that they do not have a consistent way of referring to the Commissioner as the decision making body. For example, NZ casenotes have names like ‘CASE NOTE: 19740’; Ontario reports have names like ‘Privacy Complaint PC-010015-1 Ministry Of Finance’ and ‘Investigation I94-084P The Ministry Of Housing’; and Hong Kong reports have names like ‘Case No: ar9798-13 Access request to employment-related personal data’. These are essentially internal identifiers which, taken out of context, give the reader little idea of which Privacy Commissioner made the decision (or issued the report), or when, or (in some cases) in relation ,to which types of parties.

A consistent system of ‘court designated citation’ has now been adopted by most Australian courts and tribunals, and implemented most extensively by the databases on AustLII. CanLII and HKLII are also working toward the adoption of consistent ‘court designated’ citation systems in their jurisdictions. Examples of citations for decisions of the Federal Court of Australia, Federal Court of Canada, Hong Kong Court of Appeal, Queensland and WA Information Commissioners, NSWADT, and VCAT (all relevant to decisions of Privacy Commissioners) are:

• Eloujenko v Minister for Immigration & Multicultural Affairs [2001] FCA 980;
• Sauve v Canada, 2002 FCT 721;
• HKSAR v CHAN TAT WAH [2001] HKCA 351;
• Antony and Griffith University [2001] QICmr 3;
• Re Gordon Wallis INGLIS and Channel 31 Community Educational Television Ltd [2001] WAICmr 25;
• Holbert v Minister for Fisheries [2001] NSWADT 94; and
• Stergiopoulos v TAC [2001] VCAT 1563.

Adopting the naming convention used for other courts and tribunals, the citation for the first decision for 2001 of each of the Australian, NSW and Hong Kong Privacy Commissioners, and the Ontario IPC would be in the form:[24]

• Decker and Tyrell Corporation Ltd [2001] PCmrA 1;
• Zamyatin and Department of External Affairs [2001] NSWPCmr 1;
• Orwell and Ministry for Truth [2001] HKPCmr 1; and
• Investigation — The Ministry Of Housing [2001] OntIPC 1.

The problem of providing meaningful citations for Privacy Commissioner’s decisions is exacerbated by the need to anonymise the complainant (in most cases) and the respondent (in many cases). The above citations would then become something like:

• A and Biometrics company B [2001] PCmrA 1; and
• C and Department of External Affairs [2001] NSWPCmr 1;
• D and a Government Department [2001] HKPCmr 1; and
• Investigation — The Ministry Of Housing [2001] OntIPC 1.

It would be workable to use numbers instead of any names of parties (for example, along the lines of PC14235), but it is informative to at least include the name of a government respondent. Numbers are better kept for the citation, not the party names.

Developing an acceptable method ,of citation is not simple, but it would provide many benefits.

Reporting under codes ,of conduct

Co-regulatory codes which include dispute resolution mechanisms, such ,as those under the Australian federal legislation, should impose the same reporting requirements as are complied with by a Privacy Commissioner.

Further, all reporting on code compliance body websites should be at least linked, and preferably searchable, from the Privacy Commissioner’s website, to ensure that users may obtain comprehensive information about how IPPs or other provisions are being interpreted.

Desirable outcomes

If Privacy Commissioners took these proposals seriously, what would be ,the desirable outcomes?

The most obvious benefit would be for Privacy Commissioners in individual jurisdictions separately to improve their reporting practices, along the lines outlined (or even differently, but having thought all the issues through for their jurisdiction).

More substantial benefits would ,flow from all the Asia-Pacific Privacy Commissioners implementing a consistent set of reforms (preferably along the lines suggested). This would be a big step toward encouraging the development of a regional jurisprudence of privacy in the jurisdictions that have adopted an ‘Asia-Pacific model’ of privacy legislation, as Nigel Waters ,has described it.[25] It would provide ,a compelling model for complaint reporting in jurisdictions with new Privacy Commissioners. It would be ,a small practical step toward the emergence of an Asia-Pacific privacy Convention[26] and the development ,of minimum standard privacy laws across the region.

Part II of this paper, ‘Complaint reporting practices of Asia-Pacific Privacy Commissioners’, will appear ,in a subsequent issue of PLPR.

Graham Greenleaf, General Editor.

For valuable suggestions on drafts of this paper, thanks to Anna Johnston, Greg Keeling, Lee Bygrave, Jill Matthews, Blair Stewart, Roger Clarke, Dan Svantesson, John Corker, ,Carolyn Bond and Tim Dixon. The responsibility for final content remains with me. This research is supported ,by the UNSW University Research Support Program in 2001 and 2002.,Declaration of interest: I have various interests in the publication of decisions on privacy. I am a Co-Editor of the Privacy Law & Policy Reporter, and Co-Director of AustLII, HKLII and WorldLII, free access internet law services which are University based.

[1] The most notable exception is the US Federal Privacy Act (which allows direct recourse to the Courts instead), but Taiwan’s privacy law shares this characteristic.

[2] Bygrave L ‘Where have all the judges gone? Reflections on judicial involvement in developing data protection law’ Part 1 (2000) 7(1) PLPR 11 and Part II (2000) 7(2) PLPR 33.

[3] Greenleaf G, ‘“Tabula rasa”: Ten reasons why Australian privacy law does not exist’ (2001) UNSWLJ 4. See <www.austlii.edu.au/au/journals/UNSWLJ/2001/4.html>.

[4] See Bygrave above note 2.

[5] Problems caused by the lack of reporting are discussed in Greenleaf G, ‘Enforcement of the Privacy Act: Problems and potential’ Privacy Law 2001 Conference, IIR Conferences, Sydney (May 2001). See <www2.austlii.edu.au/~graham/publications/2001/enforcement.html>. However this paper does not include sufficient discussion ,of s 40 of the Privacy Act 1988 (Cth).

[6] Above note 2.

[7] Introductory remarks by Susanna Lobez (ABC Law Report/Law Matters), 31 July 2001.

[8] This could include situations such as those under the Australian Federal law where a Commissioner or complainant has to seek the aid of a court in order to enforce his or her decision, but the Commissioner’s findings are treated as a rebuttable presumption.

[9] There may be questions of the adequacy of the rights of appeal and judicial review (as there are in the case of the Australian and NSW Commissioners), but that is a separate issue.

[10] For example, Federal Court, Federal Magistrates Court, Victorian Civil and Administrative Tribunal (VCAT) and NSW Administrative Decisions Tribunal (NSWADT).

[11] Australasian Legal Information Institute <www.austlii.org/>.

[12] There are issues of privacy (as distinct from access) that can arise from the publication of any court or tribunal decisions. See the discussion under ‘Naming of respondents and complainants’.

[13] This is not a big omission as ,yet. The few Federal Court decisions referring to the Act are not all that important.

[14] See <www.hklii.org/hk/legis/ord/pdo275/s66.html>.

[15] See <www.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s98.html>.

[16] In NSW the appealable privacy decisions are those made by agencies. The Privacy Commissioner only mediates, and there are no examples ,yet of judicial review of his actions.

[17] See <www.lawlink.nsw.gov.au/pc.nsf/2cd7fe7a3db5eff44a2565f500263a91/3c11e9b948941a08ca256be4000ced42>.

[18] This suggestion was made by John Corker.

[19] This is apparently so under the NSW Act.

[20] Private communication.

[21] The decisions would then be part of a ‘commons’ in the terminology popularised by Lawrence Lessig in relation to the internet. For arguments since 1995 that essential legal information should be part of the commons (that is, the ‘public space in cyberspace’) of internet content, see ,our various articles about AustLII.

[22] In the Asia-Pacific there are as yet few secondary publishers of privacy case law and complaints. They include the Privacy Law & Policy Reporter (PLPR).

[23] See AustLII <www.austlii.org>, CanLII <www.canlii.org> and HKLII <www.hklii.org>. See also WorldLII <www.worldlii.org> which they ,co-operatively provide.

[24] The practice has been adopted ,in Australia that citations of Federal bodies end with ‘A’ for ‘Australia’ (for example ‘FCA’, ‘HCA’) whereas those for State and Territory bodies start with the abbreviation for the State. ‘Cmr’ is used for ‘Commissioner’, whereas ‘Comm’ is used for ‘Commission’. This may be slightly inconsistent, but it is now the settled practice.

[25] Waters N ‘Re-thinking information privacy — a third way in data protection?’ Proceedings of International Data Protection and Privacy Commissioners Conference Hong Kong, 1999. See <www.pco.org.hk/english/infocentre/files/waters-paper.doc>.

[26] See Greenleaf G ‘Global protection of privacy in cyberspace ,— implications for the Asia-Pacific’ Internet Law Symposium Science & Technology Law Center, Taiwan, June 1998, available at <www2.austlii.edu.au/itlaw/articles/TaiwanSTLC.,html>. This paper was also the basis ,of a presentation to the Asia-Pacific Privacy Commissioners at the International Privacy and Data Protection Commissioners Conference, Hong Kong, 1999.