Title : The Ministry of Truth Redefined: A : Consideration of Privacy and Data Protection Law : with Specific Consideration of the Role of : International Human Rights Law Author : Jamie H. Lyford (jlyford@cleo.murdoch.edu.au), : (100242.1630@CompuServe.Com) Organisation : School of Law, Murdoch University Keywords : Privacy; data protection; international law; : human rights; Australia Card; Tax file number Abstract : This paper looks at the issue of privacy in : light of the information age. Particular : emphasis is made in the Australian context. : National and international laws are also : examined. Contact Name : The Editors, E Law Contact Address: Murdoch University Law School, PO Box 1014, : Canning Vale, Western Australia, 6155 Contact Phone : +61 09 360 2976 Contact Email : elaw-editors@csuvax1.murdoch.edu.au Last Verified : 24 August, 1994 Last Updated : 29 August, 1994 Creation Date : 26 October, 1993 File Name : lyford.txt File Size : 81K File Type : Document File Format : ASCII Publication Status: Final ISSN: 1321-8247 COPYRIGHT POLICY : Material appearing in E Law is accepted on the basis that the material is the original, uncopied work of the author or authors. Authors agree to indemnify E Law for all damages, fines and costs associated with a finding of copyright infringement by the author or by E Law in disseminating the author's material. In almost all cases material appearing in E Law will attract copyright protection under the Australian _Copyright Act 1968_ and the laws of countries which are member states of the _Berne Convention_, _Universal Copyright Convention_ or have bi-lateral copyright agreements with Australia. Ownership of such copyright will vest by operation of law in the authors and/or E Law. E Law and its authors grant a license to those accessing E Law to call up copyright materials onto their screens and to print out a single copy for their own personal non-commercial use subject to proper attribution of E Law and/or the authors. URL: gopher://infolib.murdoch.edu.au:70/00/.ftp/pub/subj/law/jnl/elaw/comment/ lyford.txt ftp://infolib.murdoch.edu.au/pub/subj/law/jnl/elaw/comment/lyford.txt ________________________________________________________________ THE MINISTRY OF TRUTH REDEFINED: A CONSIDERATION OF PRIVACY AND DATA PROTECTION LAW WITH SPECIFIC CONSIDERATION OF THE ROLE OF INTERNATIONAL HUMAN RIGHTS LAW by Jamie H. Lyford WAR IS PEACE FREEDOM IS SLAVERY IGNORANCE IS STRENGTH 1. Introduction 1984 has long since passed, however The Ministry of Truth has finally arrived! The Ministry, however, is not quite the same as that encountered by Winston in George Orwells fictional account of 1949. It is bigger and arguably more pervasive. It doesn't 'control' the individuals of just one country or even a continent, it can control nearly all individuals, but no individual or organisation can control it. Simultaneous to the thawing of the Cold War and the disintegration and reintegration of European states the Worlds network of databases have slowly come on line. These networked databases contain information pertaining to nearly all individuals on the planet. The Thought Police in the new Ministry are inconceivably numerous, the users of the information range from government organisations ranging from: local government who use details from your car license plates to fine you for double parking; to international agencies set up to stop money laundering through national banks; or to restrict you entry to a certain country because of your political or religious beliefs stored electronically elsewhere. The Thought Police also include private corporations using individual personal information to restrict their credit or even sack their own employees for not typing the required number of words per week on their word processor. The Thought Police even extend down to individuals such as doctors refusing medical treatment because a patient's record shows HIV or some other dangerous or infectious disease. It should be pointed out that this information, at present is available only to the scrutiny of the powerful few and to those individuals and organisations that know how to get it, this however is changing with each passing day. The role of this paper is to consider some of these problems and in particular to focus on the role International Law has to play in protecting the rights of *privacy* of the individual from the expanding Big Brother that is potentially watching all of them. 2. A Definition of Privacy Why do we need Privacy? The invasion of privacy lessens the dignity and ultimately the identity of the individual. The exposure to methods of data collection, particularly those that intrude upon his solitude, reduce him as a person and ultimately may be psychologically destructive.[1] Despite criticisms by some writers that most people would not consider the collection and storage and later dissemination of personal information as a breach of privacy,[2] the following discussion will show the need to further increase concerns raised by the new world in which we live. Winston although aware of the breach of his rights to privacy through the omnipresence of the telescreen, was unable to do anything to protect himself. Protection begins with this *recognition* of a right to privacy but in order to do this a working definition of *privacy* is required in order to place the concept in the terms of the international legal system.[3] Benn[4] writes that the importance attached to the privacy of the person is one aspect of the Western European post-Renaissance liberal stress on individuality, on the moral responsibility of the normally rational individual, and his responsibility for what he is and does. Basic to this view of man is the idea of the natural person as a chooser, conscious of himself as able to make a difference to the way the world goes, by deciding to do this rather than that, having projects, therefore, of his own, whose life experience may consequently be understood, not simply as a chronicle of events, but as an enterprise, on which he puts his own construction. Moreover she recognises other men and women as persons, and hence choosers like herself. The difficulty has been to devise a definition which is sufficiently comprehensive to cover all those areas of privacy with which the law might be concerned, but which is not so broad as to be useless in a legal context. Most early definitions consider privacy in a way that doesn't contemplate the use of the term as applied to modern networked databases. Hence a balance must be found between a sufficiently wide definition and a definition that is not so wide as to make the concept unworkable. The most famous definition of all is that of Judge Cooley who called it "the right to be let alone."[5] As Storey[6] notes, although this is compelling in its stark simplicity it is not a realistic statement of a legal right. It ignores the fact that no person who is a member of a community has an absolute right to be let alone. Indeed any person who chooses to live in a community must accept the restraints and intrusions upon her life occasioned by the social organisation necessary to enable the community to function effectively.[7] In 1970 the Justice Committee[8] incorporated this idea into its use of the word. It said that privacy is: "that area of a man's life which in any given circumstances, a reasonable man with an understanding of the legitimate needs of the community would think it wrong to invade" Warren and Brandeis[9] considered the right to privacy as being part of a more general right to the immunity of the person - the right to one's personality. This would seem to be a more fundamental and overriding principle than even that of privacy. Westin[10] has defined a right of privacy as: "the claim of individuals, groups or institutions to determine for themselves when, how and to what extent information about them is communicated to others". However this definition has been criticised on the basis of its impossible breadth.[11] A further definition has been provided by Miller[12] who says that the: "...basic attribute of an effective right of privacy is the individual's ability to control the circulation of information relating to him." The Morison Report[13] of 1973 stated: Privacy may be regarded as the condition of an individual when he is free from interference with his intimate personal interests by others. It is not implied that complete freedom in this respect is anyone's moral right or that he has a legitimate claim that such complete freedom should be his legal right. Tucker[14] correctly accepts that privacy is inherently difficult to define. The problem he feels stems from its sociological and cultural underpinning's. He feels that whilst it is clear that the concept embraces generally freedom from physical or electronic intrusions and publication of intimate details of one's private life, there are many fringe areas which may be regarded as being on the periphery of privacy. The Australian Law Reform Commission in its major report took the term in its use as an "ordinary language concept"[15]. It is significant to note though, that no all encompassing definition has yet been created to include all forms of privacy concern[16]. This however may be unnecessary as the predominant accumulation of information about individuals including photographic[17] and other traditionally non-data type material such as voice recordings and fingerprints is being included on modern networked databases. I submit that a definition which is sufficient to encompass all electronic accumulation and dissemination systems will adequately encompass most typically non-data type invasions. However, the kind of privacy that will be considered in this paper is that of *personal information privacy*[18] and by combining some of the elements of earlier definitions a suitably updated definition can be created. A revised definition could be worded in terms such as: Privacy may be regarded as the condition of an individual when s/he is free from interference with his/her intimate personal interests by others. A basic attribute of this is the individual's ability to control the accumulation and circulation of information relating to him/her. It is not implied that complete freedom in this respect is anyone's moral right or that s/he has a legitimate claim that such complete freedom should be his/her legal right, it would include however that area of a person's life, which in any given circumstances, a reasonable person with an understanding of the legitimate needs of the community would think it wrong to invade. 2.1 What Information is to be Kept Private? In addition to the problem of a definition of Privacy a consideration of the information that should be kept private should be included. The OECD have provided guidelines for this, they suggest that purchasing patterns, data relating to sexual preferences, religious and political beliefs, medical records, police records, financial information; which relate to an identifiable individual or individuals.[19] The OECD recognise that certain classes of data may be more sensitive than others and hence should be treated accordingly. 2.2 A Historical Perspective on the Law of Privacy One of the earliest recognitions of a legal right to privacy was that of the Michigan Supreme Court in 1881 in the United States. That court in the case of _DeMay v Roberts_[20] decided that the plaintiff, who had been observed while giving birth by the defendant passing themselves off as a physician's assistant was allowed recovery on the basis of an unwarranted intrusion upon her *physical privacy*. The law of privacy began to be recognised as a distinct component of law in 1890 with the work of Samuel Warren and Louis Brandeis of Harvard. In this locus classicus statement on the law of privacy of the time they state what we now perceive as the problem of data protection[21] as being: "...numerous mechanical devices threaten[ing] to make good the prediction that 'what is whispered in the closet shall be proclaimed from the house-tops'." Their idea of privacy evolved from a number of specific areas which were individually considered by courts to have some element requiring protection of the individual (such as the breach of some property right or an action in defamation). Warren and Brandeis' work has been said to have in fact led to the foundation of the tort of *breach of privacy* in the US. It is important to note however that the incidents prompting, and reported in the article had nothing at all to do with breaches of *information privacy*.[22] The American courts since 1890 have had difficulty coming to terms with the introduction of the nebulous concept of privacy into their domestic law. The US' courts decisions were reviewed in 1960 by Prosser[23] who concluded on a review of the cases, that the *tort of privacy* fell into four seperate categories: 1) Intrusion upon the plaintiff's seclusion, or solitude or into his private affairs. 2) Public disclosure or embarrassing private facts about the plaintiff. 3) Publicity which places the plaintiff in a false light in the public eye. 4) Appropriation, for the defendant's advantage of the plaintiff's name or likeness.[24] Nevertheless, there has not been a clear recognition of privacy rights in respect of *personal information* as a distinct category,[25] at the domestic level in any State. It is important to note that current literature has made the conceptual shift in terminology from *privacy* to *data protection*.[26] A consideration of privacy with respect to things other than *personal information* or *data protection* is beyond the scope of this paper and as such will not be considered further.[27] 3. Privacy as a Human Right Articles 55 and 56 of the *UN Charter* impose on UN members legal obligations to "promote" respect for and observance of human rights. Enforcement of breaches of human rights have occurred largely through the UN Commission on Human Rights which has established procedures to consider allegations of human rights violations by particular states and by the more recent addition of a thematic approach. As to allegations of particular states, in 1967, ECOSOC (the UN Economic and Social Council), produced its Resolution 1235[28] authorised the Commission to "examine information relevant to gross violations of human rights" and to "make a thorough study of situations which reveal a consistent pattern of violations of human rights". Arguably a breach or invasion of privacy could only fall into the latter category. Therefore a consistent record of a country interfering itself or allowing interferences into its citizens information privacy may fall under the UN's obligations. This agreement however provides the least substantial evidence of a right of privacy at International Law. Clearer evidence of such a right can be found in the *Universal Declaration of Human Rights* adopted by the United Nations on 10 December 1948. This provides[29] that: "No one shall be subjected to arbitrary interference with his privacy, family home, or correspondence, nor to attacks upon his honour or reputation. Everyone has the right to protection of law against such interference or attacks". Arising out of this *Declaration* came two further international instruments. First, the *European Convention on Human Rights* of 1950 which provides[30] inter alia: "Everyone has the right to respect for his private and family life, his home and his correspondence." Of the international instruments governing human rights, the *European Convention on Human Rights* alone confers protection of privacy in absolute terms, listing in paragraph 2 eight specific grounds on which public authorities may, under domestic law, interfere with the exercise of the protected right. The other instruments protect only against interference with privacy or family which is 'arbitrary'[31], 'abusive'[32], or 'unlawful.'[33] Secondly, the *International Covenant on Civil and Political Rights* of 1966 provides that: 1) No one shall be subjected to arbitrary and unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation. 2) Everyone has the right to protection of the law against such interference or attacks.[34] The *European Convention* has been followed by another convention, drafted by the Council of Europe, which specifically deals with data protection. This is considered below.[35] The *Proclamation of Teheran*, adopted by the International Conference on Human Rights on 13 May 1968, contains the following paragraph 18: "While recent scientific discoveries and technological advances have opened vast prospects for economic, social and cultural progress, such developments may nevertheless endanger the rights and freedoms of individuals and will require continuing attention."[37] On 19 December 1968, The General Assembly invited the Secretary- General to undertake a study of the problems in connection with human rights arising from developments in science and technology[38], including one on the uses of electronics which might affect the rights of the person and the limits which should be placed on such uses in a democratic society. (see _Appendix A_ - for a discussion of this) This study the first part of which is concerned with computerised personal data systems, was presented to the UN Commission on Human Rights at its 1974 session.[39] The principles recognised were later adopted by the General Assembly, at its 1975 session in the *Declaration on the Use of Scientific and Technological Progress in the Interests of Peace and for the Benefit of Mankind*, in which it proclaimed that: "...All states shall take appropriate measures to prevent the use of scientific and technological developments, particularly by the state organs, to limit or interfere with the enjoyment of the human rights and fundamental freedoms of the individual as enshrined in the Universal Declaration of Human Rights, the International Covenants on Human Rights and other relevant international instruments..." A sub-commission of the Commission on Human Rights at its 1980 session[40], noted[41] that one of the consequences of the use of computers was the increasingly frequent recourse to computerised personal files; that the concentration of personal particulars in such files entailed grave risks of interference with the privacy of individuals and the exercise of their freedoms; and that apart from States, international, Intergovernmental and regional organisations were keeping an increasing number of computerised personal files. With this increasing concern in mind and the change in terminology from Privacy to Data Protection the international treaty based Law has proceeded in this direction also. On 28 January 1981 the *European Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data* was adopted by the Council of Europe's Council of Ministers. And on 23 September 1981 the OECD Council of Ministers adopted a recommendation which provided similar guidelines (See _Appendix A_ for a complete discussion of the guidelines adopted). The OECD guidelines have been followed substantially in Australia's *Privacy Act 1988*. Since 1981 a strong push has been made in Europe for unified data protection laws that work across the EEC. Current laws in Europe place restrictions on whether one can trade data with foreign countries, requiring that those countries have "adequate" data protection laws. Taking this even further advocates are now pushing that this be changed to a requirement for "equivalent" laws.[42] The idea being ,that countries that are not offering the same or very similar protection of personal information will not be allowed to trade data or allow so called *transborder data flows* to occur with the EEC countries.[43] It has been suggested that with differences in each country's laws, individuals concerned about their privacy in an international information marketplace may be unable to get true legislative solutions because they can't affect the laws of other nations.[44] Although this may be true at the domestic level, with all of the existing domestic statutory law and International Treaties that seem to imply a right to privacy the question arises of whether privacy as a human right has now passed into Customary International Law? 4. Has a Custom Developed at International Law Any answer to this can be nothing more than mere speculation as the International Court of Justice (ICJ) has not had the opportunity to consider such an issue before. However, arguably a clear custom could be found by looking at: 1) The actions of the many states that have signed treaties to recognise data protection as being a valid cause for concern of the loss of the human right of privacy. 2) Very many states have instigated municipal laws to provide for both non-data privacy and information protection especially with respect to trans border data flow. The acceptance and adoption of the treaties by many states may be enough to satisfy custom[45]: 3) Recognition of *opinio juris* as expressed in the extensive collection of writings from legal writers worldwide. Additionally, the wide acceptance of treaty law would indicate a collective conscience intending to be bound by a custom if it arose.[46] 4) The long history of recognition. The history of the concern of intrusions to privacy by mechanical means can be traced to 1890 in the work of Warren and Brandeis.[47] The ICJ could be forced to indicate its position if a State or States seek an advisory opinion of the Court. Although not binding, this may prove persuasive in the event of a State breaching the expanding obligations of international bodies. International Treaty Law if taken as providing protection as a human right, the view to which I subscribe, would suggest that any interference with an individual or a groups privacy would be in breach of the *International Covenant on Civil and Political Rights*, the *Universal Declaration of Human Rights* and various other Human Rights agreements. The remedy that an individual or state could seek is not clear. Most writers and legislators have focused on developing the principles that should be upheld in International Law. Additionally the shift in emphasis to the problems associated with transborder data flows has in effect shifted the focus to controls or sanctions that can be used on states not complying with the conventions to this specific problem. So the broader issue of privacy as a human right seems to have no solution even if it could in fact be raised as a norm of international law. 5. Privacy in Domestic Law 5.1 As Recognised Internationally Most recently France[48] recognised such a right when it said in *SA Locunivers v Hospices de Lyon*[49] that everybody is entitled in law to refuse to reveal his address or place of domicile, particularly where he is doing it to escape his past indiscretions, and his wish ought in principle to be respected by others. But the position is otherwise where his design in keeping his address secret is to wriggle out of his proper obligations or to escape his creditors and such a person cannot use the right to respect for his private life provision contained in Art. 8 of the European Convention on Human Rights in order to conceal salient facts from his creditors. Also a recent UK law has required that all databases of information about people be registered with the Data Protection Agency. Flaherty[50] has criticised this proclaiming that currrently nothing more than registration is required, but already, simply handling the registration applications requires a large staff that is already behind in its work. He points out that opponents of data protection laws point to this as an example of the sort of "database police" bureaucracies that may be created by poorly thought-out data protection legislation. 5.2 As Recognised by the High Court of Australia In addition to the possibility of a right to privacy arising with respect to non-data privacy intrusions such as the *breach of privacy tort*, the recent High Court decisions of *Australian Capital Television Pty Ltd v The Commonwealth*[51] (the *Political Broadcasting Case*) and *Nationwide News v Wills*[52] raise the issue of freedom of expression and communications[53] in the context of media bans on political advertising and media criticism of the Industrial Relations Commission respectively. Both decisions consider the constitutional position regarding any implied right of communications or free speech. Some of the judgments support an implied right of this nature, looking upon it as a *sine qua non* of the representative government regime laid down in the Constitution.[54] In essence, this idea runs contrary to the development of a right of privacy as they support the competing notion of freedom of expression and communication. The decisions themselves could be said to raise the general issue of whether there is a need for more certainty in the protection of fundamental human rights in Australia's domestic law. Tucker[55] believes that the cases, though not in any way decisive, are helpful in generating debate about whether it is appropriate that the judiciary, on a case by case basis, imply these into Australia's Constitution. Tucker feels that these cases may be the harbinger of the development of a right of privacy in Australia. He also considers the role they may play in shaping a Bill of Rights for Australia. 6. Problems with the International Law His Honour Mr Justice Michael Kirby[56] who is presently chairing the OECD Expert Group on Security of Information Systems believes that all of society is at risk not so much from the systems themselves or their misuse but from the "international community and the representative democratic process to keep pace with the social implications of technology"[57] Justice Kirby provides a list of problems that the Expert Group recognises stands in the way of a truly effective international response to the issues of information security. These problems are: 1) Whilst the technology of informatics is universal, the institutions for social regulation of problems such as data security, remain resolutely national or even local; 2) Whilst there have been many moves towards international institutions to serve the global community of the 20th century, such global institutions have tended to be weak and vulnerable to strongly felt national and local concerns. The economically weak may be noisy in the institutions of the world. But, when the chips are down, it is the economically and politically powerful who will generally make the vital decisions. They will usually do so by reference to their perceived national interests. Altruism is rare. True internationalism is exceptional. Kirby states that this is understood by all players; 3) The international institutions engage a parade of visiting politicians and bureaucrats. They, in turn, are served by contingents of civil servants striving to accommodate often conflicting instructions and (not unreasonably) to assure their own survival. The larger and more diverse the institution, the more numerous and contradictory will be the interests to which the participants give voice. Kirby points out that the average duration in office of a minister in a developing country is less than a year. Thus the drama of international agencies is played out by a huge team of constantly changing actors, of greatly varying capacity and interest, usually with large egos and, sadly, often with little real commitment to the substantive international business which is temporarily in their charge; 4) Kirby states that political leaders must respond to increasingly pervasive democratic pressures. We hear much loose talk today of the triumph of democracy over autocracy in the world. Yet reality falls sadly short of these proud boasts. Political leaders are, all too often, chosen not by the people, or even their elected representatives, but by powerful vested interests. They are beholden to those interests which, in turn, are hapless captives of the necessity to raise funds for their political parties. Election campaigns are waged in terms of grossly superficial slogans. Image has all too often replaced substance. This is itself, in part, a product of the information technology of mass communications. It is in this way, that the "democratic revolution" is increasingly debased. The kinds of players who are interested in that particular game are, all too often, uninterested in the tedious business of dealing with complex technological, economic and sociological phenomena; 5) The political process both nationally and internationally, is frequently responsive to passing fads and fancies, to prejudice and local, parochial concerns. There are occasions when the world holds its breath as important issues of principle are asserted and upheld. Kuwait was an example. But these are truly exceptional circumstances. For the most part the political leaders of our nations have little if any international vision. The very political process which spawns them domestically usually contracts their minds to provincial concerns. Not for them the urgencies of responding to the global necessities of effective international data protection law and policy. Much more likely is it that they will respond to the passions of old, ethnic and cultural tribalism which is the feature of our world today and in which some votes may be found; 6) If initiatives can be stimulated in an international agency to deal with a global problem such as information security, the pace is all too often glacial. In part, this is an inescapable function of the costs of bringing together representatives of many nations. In part, it reflects the wholly proper obligation to consult the numerous departments, agencies and interests back home before offering a commitment to any global approach. In part, it may reflect constitutional obligations. The history of this century was profoundly affected by that requirement of the United States Constitution which obliges the President to have the advice and consent of the Senate to the ratification of treaties; 7) There is also the language and cultural barrier through which we must deal with each other in resolving problems which are global in character. In addition to the difficulty of language International institutions bear the mark of their Anglo-American forefathers and do not necessarily meet the perspectives or needs of the changing world including the Third World the Muslim World and the Occidental world. 8) Finally there is the impediment that Kirby identifies as the rich and poor of any country. He feels that it now presents itself in a new aspect: the technologically rich and poor. It can be seen between states and communities, between the different language of the technologist and the law maker. Finally Kirby notes that lawyers and law makers spend time crafting words to come to terms with the law and by the time this is completed the technology has changed requiring new words. In addition to these problems a new range of *technosocial* influences are emerging which will affect the world in which we live and the international law that maintains our world. Some of these issues are considered later. 7 Specific Problems - Identity Cards, Numbers and the Problem of Data Matching The English jurist and philosopher Jeremy Bentham developed the idea of a *panopticon*, an innovation for the easy and efficient exercise of power by those in authority to solve the problem of surveillance whereby each individual, knowing that he is under observation, 'will end by interiorising to the point that he is his own overseer, each individual thus exercising this surveillance against himself'. A superb formula: power exercised continuously and for what turns out to be a minimal cost[58]. Ware[59] believes that the Australia Card if actuated will result in such an omnipresent method of control. This panopticon idea can further be extended to the Tax File Number. 'Big Brother' in Orwell's account did not actually exist it was just the perception created in the minds of the individuals as a result of the propaganda of the state in order to maintain this same form of Benthamist internalised control. The TFN in Australia could serve the same function. 7.1 The Australia Card The Australia Card ID system was abandoned in 1987 by the Federal Government principally because of the opposition it drew from a wide section of the Australian community. The original function of the card was to replace existing government ID systems and to provide the Australian Taxation Office with access to a wider range of information in respect of income sources.[60] 7.2 The Tax File Number Following the demise of the Australia Card the Federal Government in 1988 introduced the Tax File Number (TFN) system which although designed for the purpose of stopping tax evasion[61] has already been extended widely. Within 2 years despite the Government's statements at the time the system has been extended to Austudy, obtaining unemployment or sickness benefits and other social security. 7.3 Law Enforcement Access Network (LEAN) This database gives law enforcement agencies, the ATO and the department of defence, and DEET 'centralised access' to the records of the Australian Security Commission and the land data systems in the States and Territories[62]. The government maintains that the information used is already publicly available however people concerned with privacy issues say that it is not the availability that is the problem, it is the combining of individual publicly available files or data matching that is the concern[63] (The TFN providing the perfect search key.). This will result in the ability of agencies with a law enforcement function to 'fish' around without any suspicion of wrongdoing. It has been suggested that further linkages will occur into databases containing electoral roll information and motor vehicle registration. A particular concern about LEAN is that may not be subject to the *Privacy Act 1988* (Cth) Information Principles because it does not process or generate records within the meaning of the Information Principles[64] and is hence outside of the scope of the International Law on this. 7.4 The Problem of Data Matching The danger with extensive use of identification numbers is that enormous amounts of personal data gained via countless harmless transactions and activities can be permanently stored and correlated with information held in other data bases.[65] It is not difficult to see the potential this information would create for more manipulative efforts by a new breed of government and marketing researchers. Nolan[66] suggests that the principle of an ID system by its very nature is designed not merely to facilitate the positive identification of data subjects within an administrative structure, but to assist in the linkage of files relating to individual subjects outside that structure. Nolan also points out that it is a fundamental principle of privacy that data gathered for one purpose ought not be used for another without the consent of the data subject.[67] The concept of a national identification system offends this principle as it allows government agencies without the consent to access information given to other organisations or departments for specific purposes (eg credit information supplied to banks for loan purposes. See _Appendix C_ for a consideration of this). In the US the Social Security Number has been used by Federal agencies and State authorities since 1961 as the search key in more than 500 computer matching programs.[68] The main problems with the ability to link data files in this way are identified as being: * Because information is taken from different sources information can be taken out of its original context when combined. * Historical records can be obtained which may not be representative of the current situation and may include a lifetime of information such as prior traffic offences, credit difficulties in the past and health problems, which may not reflect on the current situation at all. Also the early information may be incorrect and the individual may not even be aware of this. * The individual will be forced to always defend any and all legal actions against them whether they can afford to or not because of the concern that they will be recorded and the record will persist. For instance a long record of parking fines may indicate unreliability and may affect employment prospects so by defending all, the defence will be recorded. * The Black Economy is likely to expand to avoid transactions being recorded so that the Tax authorities cannot get to all activities. In Sweden where a Personal Identification Number has been used since 1947, it is not uncommon for medical treatment or legal advice being exchanged for house painting or plumbing. Bartering for goods is common also.[69] * Issuance of ID cards will be dependent upon the production of a birth certificate or drivers licence. Both of which may be forged with ease or obtained unlawfully. In some states birth certificates do not indicate whether the subject has in fact died, making it simple to obtain the birth certificate of a deceased person. The width of the problem can be seen by the fact that the Australian Law Reform Commission has likened data matching to a "modern version of the general warrant".[70] Whilst the Privacy Commissioner, Kevin O'Connor,[71] calls it the "privacy equivalent of drift-net fishing". The Privacy Commissioner released a survey[72] of the five key Commonwealth agencies (Tax, Social Security, Veterans Affairs, Education and Immigration), which identified 24 different matching programs between those 5 agencies and other agencies (including the electoral office, Health Insurance commission and State Registrar Generals Offices) and organisations (employers, insurers, universities etc). Data matching between most agencies is illegal unless it comes within one of the exceptions to Information Privacy Principle 11 of the *Privacy Act* 1988 (Cth). The tenuous legal basis of some of the existing matching schemes is hinted at by the Commissioner when he says: "...many of the programs have originated in response to administrative demands or as cost saving measures rather than as a use of personal information specifically authorised by law." More recently to overcome this, the Federal Parliament enacted the *Data Matching Progam (Assistance and Tax) Act* 1990 (Cth), which establishes and controls one new data matching scheme. This act when combined with the *Taxation Laws Amendment (Tax File Numbers) Act* 1988 has been described as being the "Australia Card by the back door", with the essential purpose of getting around the Information Privacy Principles contained in the *Privacy Act 1988*[73] The main problem identified with this matching is that under ss. 10 and 11 of the DMP(A&T)A the organisations matching can reverse the onus of proof onto the individual that provides incorrect or out of date information to one agency and when it doesn't match with the searching agencies records, they are asked to "show cause" why action should not be taken against them.[74] 8. Recent Social and Economic Developments Affecting Privacy 8.2 Privacy in the Modern Workplace The privacy pressures that technology places on individuals and groups within the modern work environment are significant to say the least. With each day new technologies are being developed that further decay the fabric of what individuals once cherished as private. Recent technologies of this kind include Telepresence, Electronic Mail (E-mail) and Collaborative Computing (for a discussion of the dangers of these see _Appendix B_). But of particular concern is employee monitoring which I consider below. 8.2 Employee Monitoring At the Pacific Southwest Airlines office in California, the central computer records exactly how long each of the 400 reservation clerks spends on every call and how long they take to pick up their next call. Workers earn negative points if they spend more than the regulation 109 seconds on each call, or if they spend more than 12 minutes a day going to the rest room outside of lunch and coffee breaks. If employees accrue more than 37 points over the year they can be dismissed[75]. Big Brothers' Ministry of Truth without the telescreen. According to a report tabled to the US Congress between 25 and 30 percent of clerical employees in the US (or around 6 million people) are now under surveillance. Forester[76] suggests that apart from service workers computer monitoring is also spreading to salespeople, nurses, hotel workers and even professionals like stock brokers and lawyers. Monitoring can take the form of 'silent monitoring' of phone calls and actual counting of keystrokes performed by word processor operators or data-entry clerks. Arguments put forward in support of monitoring include: * it can be useful for coaching new employees who deal with the public. * it can provide clear and accurate performance measures. * it enables the right people to be promoted. * it helps to reduce employee theft, industrial espionage and acts of sabotage which are more costly with the growing sophistication of manufacturing and office systems. Critics argue that monitoring represents an intolerable invasion of privacy and a blatant disregard of human rights. It undermines trust, reduces autonomy and generally turns workers into 'battery hens'. They maintain that the practice itself causes stress and ill-health. A recent University of Wisconsin study[77] of 762 telephone operators found monitored employees were more likely to suffer from headaches, back pain, fatigue, anxiety, stiff shoulders and sore wrists. Additionally monitoring is actually counter-productive because employee morale declines, and with it productivity. Further, work not measured is not considered important and is neglected by monitored employees hence the quality of work actually falls in preference to a higher quantity.[78] Gary Marx, professor of sociology at Melbourne Institute of Technology whilst not suggesting employee monitoring should be banned has proposed a code of ethics merely to ensure accuracy of information and relevance of information to the job.[79] 8.3 The Knowledge Value Revolution Japanese philosopher and economist Taichi Sakaiya[80] has theorised that the world has reached the end of the Industrial Revolution[81] and has almost passed through the Information Revolution to emerge in what he terms the Knowledge Value Revolution[82]. This last step requires the transition from the Information Economy to the Knowledge Economy, where the Information Economy is the shift in the composition of goods traded, from matter to information. Already so called 'financial trading' exceeds the trading in actual commodities by 26 to 1. The Knowledge Economy as he sees it requires a further extension of this where information is seen as the commodity itself and can be combined into products as a new form of value added. He likens the high fashion industry's ability to price its goods way beyond their actual component value by way of their individualism or distinctiveness. So too goods and services will be able to attract a higher market price by incorporating greater knowledge value. This new phase in history revolves around the idea that man now seeks the most individualistic and purpose built products and services, hence a restructuring in the way global business is carried out will be required in order to satisfy the world economy's needs. The problem arising from this new use of information will be that privacy will be further exposed to attack in preference to satisfying global economic needs. The individual may be sold out by world governments in preference to maintaining the free flow of information in the Knowledge Economy. Already the International Law's attempt to adequately control transborder data flows has proved unsuccessful, in order to protect individual privacy in this new age is going to require a very concentrated effort worldwide with International Law making bodies at the lead of such an enterprise. 8.4 Electronic Frontier Foundation An organisation formed in 1990 in the United States[83] devoted to the use of technology for the good of mankind, they are concerned specifically with the preservation of individual rights on the Electronic Frontier[84], they hope to extend "...society's highest traditions of the free and open flow of information and communication". They hold the idea that the networks are themselves the frontier of a new global free land and hence should be free for all users or 'citizens' within this new realm. Such NGO's may prove essential as a means of checking on and lobbying international governments and bodies as has occurred in the environmental protection movement.[85] 8.5 Global Electronic Democracy (GED) There has been growing suggestion[86] that with the advent of the merging of computer and communications technologies and the falling prices of such technology the new West and eventually the Third World nations will opt for the cost effective method of government by computer network. This idea is already feasible and has been tested on a small scale in towns in both France and the US where homes were provided with telephones that combined video, telephone and computer technology so that the user could vote or take part in a referendum on their personal telephone in the comfort of their own home on a daily basis. If applied on a countrywide basis or global basis the Ancient Greek ideal of pure democracy will have been reached after more than 2000 years since it was suggested. The problems that the GED may pose to individual privacy are unimaginable - perhaps this will be the full blown version of the Telescreen and Big Brother envisioned by Orwell. On the other hand, the globalisation of the system with the users providing their own checks and balances will be enough to ensure a degree of electronic privacy. Additional concerns arising are, that under such a regime the Separation of Powers Doctrine may die off with a merging of the three functions of power falling into the hands of all individuals carrying out all of the functions of legislature, executive and judiciary. The Rule of Law itself may even be affected with such a major upheaval of known legal and legislative structures. 9. Conclusion Professor Cowen often concluded his lectures "The Private Man"[88] with the comment that "we cannot assume that privacy will survive simply because man has a psychological or social need for it". Now, more than ever, this is the case. Without realising it, each day we interact with humanity we are being in some way recorded. This recording is leading to the expansion of the files on each person and is hence eroding our privacy and exposing our private lives to others, we have no choice in this. The choice that we do have however, is to control how much is recorded and to a lesser extent how the information is used. Similarly it cannot be assumed that domestic law such as Australia's *Privacy Act 1988* (Cth) will be adequate to maintain any degree of privacy for individuals. Whilst International Law may provide only limited hope of placing some restrictions on the growth of data matching across international networks. In essence this paper amounts to a warning to all that the omnipresent Ministry of Truth is watching and taking note of individuals with every transaction and interaction with modern civilisation that they make. The individuals should be educated to the dangers of this and be held responsible in part for the information they provide. Privacy starts with the individual, what the individual does not want going outside into the public sphere should not be distributed by them unless absolutely necessary, they should be careful that the information they provide is correct, up to date, and when providing information to private organisations to confirm that the information is not going to be made available to other private or public agencies or be open to access indirectly by such groups. Flaherty[89] suggests that the best protection against abuse of data use comes from both stopping the collection of data and requiring its destruction after it has been used. Data that has never been collected, or which is reliably destroyed is unlikely to be used to invade privacy down the road. Data that is kept secret only by legislation is far less secure. In conclusion the international (and domestic) legal communities are, I submit, limited in what they can do with respect to law making. Justice Kirby[90] the chair of the OECD Expert Group recognises the inability of law making bodies to keep pace with developments in technology (This does not of course mean that they should give up without trying). However, such bodies may better serve humanity by: 1) actively participating in this education program of alerting individuals to the dangers to their own privacy and instructing them on how to better interact with the burgeoning data collection systems of the modern world and; 2) by focusing their efforts on looking at the social impact of technology, and trying to forecast the direction technology is taking in shaping the social environment of tomorrow, rather than making laws or rules to control the use or misuse of the actual technology as and when it becomes available. Finally, whilst in Australia always remember: Your Tax File Number is Watching You! Appendix A OECD Council of Ministers Guidelines - for the Protection of Individuals with Regard to Automatic Processing of Personal Data: [Extracted from Lawson, *Encyclopaedia of Human Rights* p 1230] As a result of the concern of the sub-commission a request was made to the chairman to designate one of its members to undertake a study of guidelines to be adopted in this area. Mrs Nicole Questiaux (France) was designated for the task on the understanding that it would be carried out by her alternate, Mr Louis Joinet. Mr Joinet who in the meantime replaced Mrs Questiaux as a member of the sub-commission, submitted an interim report in 1981 and the final report.[91] In the report, Mr Joinet noted that, as early as 1966, the Nordic Council, a regional Organization comprising the Scandinavian countries had become an effective organ for cooperation among the national bodies responsible for the supervision of data files. Further he noted that the council of Europe and the Organization for Economic Cooperation and Development (OECD) had proposed for adoption by their member states- in the form of resolutions, recommendations, and even a convention - minimum rules, commonly known as the "hard core", which governments should take into account in the rules they were drafting. In particular, the Council of Europe's Council of Ministers adopted, on 28 January 1981, the European Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, and the OECD Council of Ministers adopted, on 23 September 1980, a recommendation concerning guidelines on the protection of privacy and transborder flows of personal data, and the OECD Council of Ministers adopted, on 23 September 1980, a recommendation concerning guidelines on the protection of privacy and transborder flows of personal data. On the basis of these precedents and other materials available to him, Mr Joinet concluded his study with two main proposals, the first relating to the promotion of human rights in domestic law (para 136-148) and the second relating to the files of international organisations and agencies (para 149-152) as follows: A The Promotion of Human Rights in Domestic Law: In order, firstly to encourage States to promote protective regulations in their legislation, and secondly, to avoid excessive discrepancies between one legislation and another, guidelines should be proposed for adoption by the competent United Nations bodies, possibly in the form of a recommendation, which might be along the following lines: States should take steps to give effect to the following basic principles in their domestic legislation: 1) Principle of Fairness: information about persons should not be collected or processed in unfair or unlawful ways. 2) Principle of Accuracy: persons responsible for data files should be obliged to check the accuracy of the data recorded and to ensure that they are kept up to date. 3) Principle of Purpose Specification: the main purpose which a file is to serve should be known before it is established in order to make it possible subsequently to check whether: (a) the personal data collected and recorded are relevant to the purpose to be served; (b) the personal data are not used for purposes other than those for which the file was intended; and (c) the period for which the personal data are kept does not exceed that which would enable the objective for which they were recorded to be achieved. 4) Principle of Openness: measures should be taken to ensure that any person may be in a position to know of the existence of a personal data file. 5) Principle of Individual Access: any person irrespective of nationality or place of residence, should have the right: (1) to know whether information concerning him is being processed; (2) if the need arises, to have such information communicated to him in an intelligible form, without excessive delay or expense; (3) to have appropriate rectification or erasures made in the case of erroneous, unlawful or inaccurate entries. 6) Principle of Security: appropriate measures should be taken to ensure the essential security of data files and of access to restricted information. Departures from the application of one or other of these principles might be admitted in regulations concerning security files (police, defence, courts, intelligence) medical records, scientific and statistical data, and press files, provided that the limits of the exceptions were specified and they were embodied in laws or special regulations promulgated in accordance with the juridical system of each State. Information on racial origin, sexual proclivities, political opinions, religious or philosophical convictions, or trade-union membership should not be recorded. Departures from these prohibitions should not be authorised except by law and should be subject to more rigorous safeguards. A Supervisory body should be established with adequate guarantees of impartiality both for the purpose of advising the persons affected by these new legislative measures and in order to ensure that the above principles are complied with. The above principles and rules should at the very least, be applied to public or private computerised files containing data relating to natural persons. Particular provision might be made to extend the application of these provisions to manual data systems. B. The Files of International Organisations and Agencies. The international organisations and agencies using computerised personnel files should be recommended to take appropriate protective measures unless they accept local jurisdiction where such exists. The internal statutes and rules of international organisations and agencies should make provision, as concerns their own files, for the application of the aforementioned principles of fairness, accuracy, purpose specification, openness, individual access and security. A supervisory authority, either of a collegiate or "ombudsman" type, set up under a procedure offering adequate guarantees of impartiality, should be appointed within each Organization or agency. Its task would be to advise those responsible for the operation of data files and to ensure effective enforcement of internal regulations. Mr Joinet recommended that the sub-commission prepare a resolution embodying in some appropriate way the twofold proposal above, for the submission to the Commission on Human Rights. At the same time, he suggested that, as an immediate step, as far as United Nations computerised files are concerned, one member, one member of the sub-commission should be appointed to study draft internal regulations with the assistance of the Secretariat. *Guidelines concerning Computerised Personal Data Files* In the Study of the Relevant Guidelines in the Field of Computerised Personnel Files[92] prepared for the Sub-Commission on Prevention of Discrimination and Protection of Minorities by its special rapporteur, Mr Louis Joinet (France), the author elaborated a series of provisional draft guidelines on the use of such files with a view to encouraging States to adopt the regulations necessary to ensure the right to privacy. At the request of the sub-commission, the Secretary-General transmitted the provisional draft guidelines to member states and interested international organisations with a request that they submit their comments. The guidelines were revised in the light of the comments received and presented to the sub-commission at its 1988 session.[93] On 1 September 1988, the sub-commission, expressing its satisfaction with the revised draft guidelines, forwarded them through the commission on Human Rights and the Economic and Social Council to the General Assembly with a recommendation for their adoption.[94] The assembly after examining them, invited the special rapporteur to submit to the commission, at its 1990 session a revised version[95] taking into account the comments and suggestions submitted by the eight governments. The special rapporteur accordingly submitted a revised text of the "Guidelines concerning computerised Personal Data Files", reproduced below, to the commission at its 1990 session[96]: The procedures for implementing regulations concerning computerised personal data files are left to the initiative of each State subject to the following orientations: A. Principles concerning the Minimum Guarantees that Should Be Provided in National Legislations 1) Principle of Lawfulness and Fairness. Information about persons should not be collected or processed in unfair or unlawful ways, nor should it be used for ends contrary to the purposes and principles of the charter of the United Nations. 2) Principle of Accuracy. Persons responsible for the compilation of files or those responsible for keeping them have an obligation to conduct regular checks on the accuracy and relevance of the data recorded and to ensure that they are kept up to date regularly or when the information contained in a file is used, as long as they are being processed. 3) Principle of the Purpose Specification. The purpose which a file is to serve and its utilisation in terms of that purpose should be specified, legitimate and when it is established, receive a certain amount of publicity or be brought to the attention of the person concerned, in order to make it possible subsequently to ensure that: (a) all the personal data collected and recorded remain relevant and adequate to the purposes to be specified; (b) none of the said personal data is used or disclosed, except with the consent of the person concerned, for purposes incompatible with those specified; (c) the period for which the personal data are kept does not exceed that which would enable the achievement of the purpose so specified. 4) Principle of Interested Person Access. Everyone who offers proof of identity has the right to know whether information concerning him is being processed and to obtain it in an intelligible form, without undue delay or expense, and to have the appropriate rectifications or erasures made in the case of unlawful, unnecessary or inaccurate entries, and when it is being communicated, to be informed of the addresses. Provision should be made for a remedy, if need be with the supervisory authority specified in principle 8 below. The cost of any rectification shall be borne by the person responsible for the file. It is desirable that the provisions of this principle should apply to everyone, irrespective of nationality or place of residence. 5) Principle of Non-Discrimination. Subject to cases of exceptions restrictively envisaged under principle 6, data likely to give rise to unlawful or arbitrary discrimination, including information on racial or ethnic origin, colour, sex life, political opinions, religious, philosophical or other beliefs as well as membership of an association or trade union, should not be compiled. 6) Power to Make Exceptions. Departures from principles 1 to 4 may be authorised only if they are necessary to protect national security, public order, public order, public health or morality, as well as inter alia, the rights and freedoms of others, especially persons being persecuted (humanitarian clause) provided that such departures are expressly states their limits and sets forth appropriate safeguards. 7) Exceptions to principle 5 relating to the prohibition of discrimination, in addition to being subject to the same safeguards as those prescribed for exceptions to principles 1 and 4, may be authorised only within the limits prescribed by the International bill of Human Rights and the other relevant instruments in the field of protection of human rights and the prevention of discrimination. 8) Principle of Security. Appropriate measures should be taken to protect the files against both natural dangers, such as accidental loss or destruction and human dangers, such as an unauthorised access, fraudulent misuse of data or contamination by computer viruses. 9) Supervision and Sanctions. The laws of every country shall designate the authority which, in accordance with its domestic legal system, is to be responsible for supervising observance of the principles set forth above. This authority shall offer guarantees of impartiality, independence vis-a-vis persons or agencies responsible for processing and establishing data, and technical competence. In the event of violation of the provisions of the national law implementing the aforementioned principles, criminal or other penalties should be envisaged together with the appropriate individual remedies. 10) Transborder Data Flows. When the legislation of two or more countries concerned by a transborder data flow offers comparable safeguards for the protection of privacy demands. 11) Field of Application. The present principles should be made applicable; in the first instance, to all public and private computerised files as well as, by means of optional extension and subject to appropriate adjustments, to manual files. Special provision, also optional, might be made to extend all or part of the principles to files on legal persons particularly when they contain some information on individuals. Application of the Guidelines to Personal Data Files Kept by Governmental International Organisations The present guidelines should apply to personal data files kept by governmental international organisations, subject to any adjustments required to take account of any differences that might exist between files for internal purposes such as those that concern personnel management and files for external purposes concerning third parties having relations with the Organization. Each Organization should designate the authority statutorily competent to supervise the observance of these guidelines. Humanitarian clause: a derogation from these principles may be specifically provided for when the purpose of the file is the protection of human rights and fundamental freedoms of the individual concerned or humanitarian assistance. A similar derogation should be provided in national legalisation for governmental international organisations whose headquarters agreement does not preclude the implementation of the said national legislation as well as for non-governmental international organisations to which this law as applicable. Appendix B Privacy in the Modern Workplace Electronic Mail Electronic Mail or E-mail has been around for about 15 years. However, the idea of sending personal messages and not so personal messages through a computer with the vain hope that they will show up on the intended parties screen or E-mailbox has met with mixed success until now. The use of E-mail has now exploded, business organisations and governments now happily use such systems internally to send memos quickly and cheaply and this year AT&T is releasing its own E-mail system for all telephone users in the US called MagicMail . The threats to privacy arising from such technology have already been legislated for in the US in the *Electronic Communications Privacy Act 1986* however the experience so far in the US has been that the act has proved totally inadequate and certain Bulletin Board Services (BBS's) have been shut down, the equipment used to run such services including all personal electronic files and messages contained on the storage devices confiscated by the US Secret Service all without any indictments for any illegal activity.[97] Arguably, protection may exist in another form, that of Intellectual Property Law where the idea that the information placed into or onto a network in the form of a message is the intellectual property of the author of that work. Collaborative Computing Collaborative computing and groupware is the concept that individual employees in organisations can participate in group projects across networks, the technology for this is already widely available and poses privacy threats to individuals the group and the organisation that the group is a part of. Such privacy threats arise because of the problems of the human users. Some users may be careful in maintaining system integrity, and hence the confidential information contained on the network, whilst others will show blatant disregard for such security, exposing themselves, and their fellow workers to breaches of individual privacy and their employers to breaches of commercial privacy and even industrial espionage. Telepresence Telepresence[98] a combination of the much talked about Virtual Reality and the ordinary telephone based computer network. People around the world will be able to 'virtually' participate in activities such as architects simultaneously walking Japanese and Australian joint venture clients through building designs that they can 'see and feel' when all of the parties involved are on different continents.[99] This technology as it becomes readily available is predicted as being a new, faster and more purpose oriented method of accessing databases as the user will be able to 'see' more effectively the information that they seek and 'reach out and grab it'. The privacy issues raised by this technology are unknown. However, it would be safe to suggest that such technology can only act to further reduce control of individual privacy, and hence will require careful consideration by international legislators. Appendix C Credit Reporting in Australia The *Privacy Act 1988* (Cth) Pt IIIA - Credit Reporting (ss 18c-18v) deal specifically with the reporting of credit information pertaining to individuals and to commercial credit transactions. This part of the legislation is perhaps the most privacy oriented legislation to be introduced into Australia as it places a restriction on credit providers not to provide credit standing information to anyone without the consent of the individual concerned and a breach can result in a fine of up to $15000.[100] Additionally, information described as "positive reporting", that is, the reporting of all credit transactions other than just defaults, is banned. Hence the provisions have come under criticism by the Credit Reference Association of Australia as being the most restrictive credit reference laws in the Western World.[101] However as Greenleaf[102] points out this is not necessarily true as the act itself fails to cover "publicly available information" so that any private organisation can disseminate information about matters such as default judgements or bankruptcy without providing even the most basic of privacy rights such as access and correction. Bibliography: Articles BARRY J. V. , An End to Privacy, 1959-60 2 Melbourne University Law Review 443-453 BAYNE, Peter. Freedom of information and access for privacy purposes. AUSTRALIAN LAW JOURNAL 64 (3) March 1990 : 142-146 BENN, S., The Protection and Limitation of Privacy, 1978 52 ALJ 601 BIG brother information fears. LAW INSTITUTE JOURNAL 66 (4) April 1992 : 250 BURKERT, Herbert., Public Sector Information: Towards a More Comprehensive Approach in Information Law?, 1992 v3 n1 Journal of Law and Information Science 47-62. COLE K., Opinion - 'Just Tell Me Your Name, Bank and Tax File Number', 1992 17 Alternative L. J. 52 at 70. DANCER Helen, Interview with Taichi Sakaiya, Jan 1993 Australian Personal Computer 129-134 at 130. European Current Law - generally. FLAHERTY D., CFP-2: International privacy law a mixed bag, extract from speech at the second conference on Computers, Freedom and Privacy, Newsbytes March 27 1992, Ref # A12002694. FORESTER, Spying on Employees, Australian and New Zealand PC User, Sept 1993, p106. GAVISON Ruth, Privacy and the Limits of the Law, Jan 1980 v89 n3 Yale Law Journal 421-471. GRAINGER, Chris. The long arm of privacy law : new procedures for credit providers. LAW SOCIETY JOURNAL 30 (3) April 1992 : 54-56 GREENLEAF, Graham. 'The most restrictive credit reference laws in the Western World'? AUSTRALIAN LAW JOURNAL 66 (10) October 1992 : 672-674 GREENLEAF, Graham. Can the data matching epidemic be controlled? AUSTRALIAN LAW JOURNAL 65 (4) April 1991 : 220-223 GREENLEAF, Graham. No confidence in the Commonwealth privacy bill. AUSTRALIAN LAW JOURNAL 62 (1) January 1988 : 78-81 GREENLEAF, Graham. The Privacy Act 1988 : half a loaf and other matters. AUSTRALIAN LAW JOURNAL 63 (3) March 1989 : 116-118 HUGHES, Gordon. The regulation of database privacy. AUSTRALIAN ACCOUNTANT 57 (6) July 1987 : 32-36 HUGHES, Gordon. Data protection at common law. LAW INSTITUTE JOURNAL 62 (10) October 1988 : 971-973 HUGHES, Gordon. An overview of data protection in Australia. MELBOURNE UNIVERSITY LAW REVIEW 18 (1) June 1991 : 83-120 HUGHES, Gordon, (ed.) The Development of Personal Data Protection Laws in Australia, essay in Essays on Computer Law, Longman Professional, Melbourne 1990. International legal protection of privacy and controls over transnational data flow. AUSTRALIAN LAW JOURNAL 55 (3) March 1981: 163-165 KAPOR M and BARLOW J P, Free Speech and Privacy Online, Real Time Conference - General Electric Network for Information Interchange (GEnie) 1991, compiled in v3 n3.18 Computer Underground Digest May 28 1991 KIRBY, Michael., The Computer, the Individual and the Law, 1981 55 ALJ 443-457 KIRBY, Michael. Informatics, transborder data flows and law - the new challenges. NEW ZEALAND LAW JOURNAL November 1988 : 381-388 KIRBY, M. D. Information security: OECD initiatives. Journal of Law and Information Science, v.3, no.1 1992 KIRBY, M. D. Legal aspects of informatics and transborder data flows. In: Essays on Computer Law (1990): (197)-214 KIRBY, Michael. Legal aspects of transborder data flows. INTERNATIONAL COMPUTER LAW ADVISER 5 (5) February 1991 : 4-10 MITCHELL D., Being here and there, April 1993 Australian Personal Computer 186. NOLAN , ID Cards Who Needs Them?, 1985 Legal Service Bulletin 165. O'CONNOR, Kevin. Information privacy : an overview. AUSTRALIAN DIRECTOR May-June 1989 : 33-36 O'CONNOR, Kevin. Information privacy : explicit civil remedies provided. LAW SOCIETY JOURNAL 28 (2) March 1990 : 38-41 PEARSE, Ray. The Privacy Act - its impact on credit reporting practice. AUSTRALIAN BANKER 106 (3) June 1992 : 153-156 Section Action Administrative Law, Parliament told of network privacy concerns, Mar 1993 v67 n3 Law Institute Journal 170. Section Action Administrative Law, Big Brother Information Fears, 1992 v66 n4 Law Institute Journal 250. STOLJAR S., A Re-Examination of Privacy, Legal Studies 67. STOREY, Infringement of Privacy and its Remedies, 1973 47 ALJ 498 TAPPER, Colin, New European Directions in Data Protection, 1992 v3 n1 Journal of Law and Information Science, 7-24. TUCKER, G., Frontiers of Information Privacy in Australia, (1992) Journal of Law and Information Science 63 TUCKER, Greg and Michael GRONOW. Is big brother watching? - the proposed Law Enforcement Access Network. LAW INSTITUTE JOURNAL 66 (11) November 1992 : 993-994 TUCKER, Greg Restrictions on the transborder flows of personal data. Australian Law Journal, v.65, no.9, Sept 1991 : 560-562 TUCKER, Greg., Frontiers of Information Privacy in Australia, 1992 v3 n1 Journal of Law and Information Science 63-81. TUCKER, Greg Privacy protection and transborder data flows: international legal notes. Australian Law Journal, v.65, no.6, June 1991 : 354-356 TUCKER, Greg. Privacy protection and transborder data flows. AUSTRALIAN LAW JOURNAL 65 (6) June 1991 : 354-356 TUCKER, Greg. Restrictions on the transborder flows of personal data. AUSTRALIAN LAW JOURNAL 65 (9) September 1991 : 560-562 WACKS, R.., The Poverty of Privacy, Jan 1980, 96 Law Quarterly Review 73-89 at 87-8. WARE D, Bentham's Panopticon Downunder, The Australia Card Program, October 1986 Legal Service Bulletin 198. WARREN and BRANDEIS, The Right to Privacy, 1890 5 Harvard. L. Rev 193. YANG T.L., Privacy: A Comparative Study of English and American Law, Jan 1966 15 International and Comparative Law Quarterly, 175-198 Texts/Reference Books: HUGHES, Gordon, Data Protection in Australia, Law Book Company, NSW 1991. LAWSON E., Encyclopaedia of Human Rights, Taylor & Francis, 1989, UK and USA, at p 1230. POULLET Y., Privacy Protection and Transborder Data Flow; Recent Legal Issues, article in Advanced Topics of Law and Information Technology, Kluwer Law and Taxation Publishers, Deventer Netherlands, 1989. REED, Chris (ed.), (WALDEN, Ian and Chris EDWARDS, Chapter 10: Data Protection), Computer Law, Blackstone Press, London 1990. ROSTOKER, Michael and Robert RINES, Computer Jurisprudence: Legal Responses to the Information Revolution, Oceana Publications Inc, New York, 1986. SAKAIYA T, The Knowledge Value Revolution, Kodansha 1991. TAPPER Colin, Computer Law, 4th ed. Longman, London 1989. TUCKER Greg, Information Privacy Law in Australia Notes: [1] Gordon Hughes, Preface to *Data Protection in Australia*, Law Book Company, NSW 1991. [2] Storey at 501. [3] esp Wacks R., *The Poverty of Privacy*, Jan 1980, 96 Law Quarterly Review 73-89 at 87-8. [4] Accepting the monist approach of International Law. [5] Benn S., *The Protection and Limitation of Privacy*, (1978) 52 ALJ 601. [6] Cooley, *Torts*, 2nd Ed, p1888 cited in Storey at 499. [7] The Hon H Storey, M.L.C., *Infringement of Privacy and it's Remedies*, 47 ALJ 498. [8] This recognition of an individuals interaction with the community is shown in the Australian Law Reform Commissions report which has emphasized the extent to which information about citizens is required by the Commonwealth: For most Australians, the process of recording their life histories begins with the opening prior to birth of a health record and is and is continued throughout their lives ... The typical Australian will most probably become the subject of an extensive education record, employment record, taxation record, banking record, insurance record and credit record. (ALRC Privacy Report 22 (1983)) In addition, most people will be the subject of information stored in public records and registries (for example, marriage, property ownership and litigation records) and indirectly statistical data. (ALRC 12 (1979) "Privacy and the Census" para 10 and in 14: "the fact that a collection of information is for statistical purposes rather than administrative ones is not itself a gaurantee that privacy interests will be adequately protected") [9] *Privacy and the Law, A Report by Justice (The British Section of the International Commission of Jurists)* 1970, p5 cited in Storey at 499. [10] (1890) 5 Harvard L. Rev. 193. [11] Westin, *Privacy and Freedom*, (1967) cited in Storey at 499. [12] Lusky, "Invasion of Privacy: a clarification of concepts", 87 Pol. Sc. Q. 192 at 195 cited in Storey at 499. [13] Miller, The Assault on Privacy (1971), p25 cited in Storey at 499. [14] Report on the Law of Privacy to the Standing Committee of Cth and State Attorneys - General No. 170/1973, p3. cited in Tucker G, *Frontiers of Information Privacy in Australia*, (1992) Journal of Law and Information Science 63. [15] Tucker G, *Frontiers* p63. [16] ALRC, Report on Privacy No. 22/1983, para 20. [17] See Tucker at 64. [18] Warren and Brandeis' prime concern in 1890. [19] Now widely referred to as Data Protection, these terms will be used interchangeably. [20] OECD *Guidelines on the Protection of Privacy and Transborder Data Flows of Personal Data*, Paris, 1980 para 1. Also: *Council of Europe Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data*, 108/1981, article 2. [21] 46 Mich. 160, 9 N.W. 146 (1881) cited in Rostoker at 233. [22] Note: they were referring to the collection of scenes and sounds, however these properties are open to recording along with all other forms of information on computer files. [23] Tucker at 12. Information Privacy Law in Australia. [24] Prosser W.L., "Privacy", 48 Cal.L.Rev. 383. [25] Identified by Tucker at page 13. [26] although arguably categories 1 and 2 overlap into this area. [27] Tapper C., *Computer Law*, 4th ed., Longman, London 1989 at p 331. [28] A good discussion of Privacy as a tort, or the equitable area of confidentiality of information can be found in: Warren and Brandeis, *The Right to Privacy*, 1890 5 Harvard. L. Rev 193.; Storey, *Infringement of Privacy and its Remedies*, 1973 47 ALJ 498,; T.L. Yang, *Privacy: AComparative Study of English and American Law*, Jan 1966 15 International and Comparitive Law Quarterly, 175-198; Stoljar S., *A Re-Examination of Privacy*, Legal Studies 67.; Benn S., *The Protection and Limitation of Privacy*, 1978 52 ALJ 601.; A good discussion of the social aspects of privacy as a right at law can be found in Gavison Ruth, *Privacy and the Limits of the Law*, Jan 1980 v89 n3 Yale Law Journal 421-471.; A consideration of the law of privacu with respect to telephone tapping and bugging can be found in Justice J. V. Barry, *An End to Privacy*, 1959-60 2 Melbourne University Law Review 443-453. [29] E.S.C.O.R. 42nd Sess., Supp. 1 (1967) cited in Harris at 603. [30] Article 12. [31] per Article 8. [32] *Universal Declaration of Human Rights*, *International Covenant on Civil and Political Rights* and the *American Convention on Human Rights*. [33] *American Declaration of the Rights and Duties of Man* and *American Convention on Human Rights*. [34] *International Covenant on Civil and Political Rights*. [35] Article 17, which follows closely Article 12 of the Declaration. [36] *European Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data*. [37] Lawson E., *Encyclopaedia of Human Rights*, Taylor & Francis, 1989, UK and USA, at p 1230. [38] UN Resolution 2450 [XXIII], cited in Lawson. [39] UN Doc. E/CN.4/1142 and Corr. 1, and Add. 1 and 2., cited in Lawson. [40] In 1977, after the Commission on Human Rights was able to consider the sub-commission's study, it called upon the sub- commission to examine this and other studies in the light of the provisions of the declaration and to submit its recommendations for further action (UN Resolution 10 B [XXXIII]), cited in Lawson. [41] resolution 12 [XXXIII]. [42] Flaherty D., *CFP-2: International privacy law a mixed bag*, extract from speech at the second conference on Computers, Freedom and Privacy, Newsbytes March 27 1992, Ref # A12002694. [43] see below with respect to the consideration of the emerging Knowledge Value Revolution. [44] Flaherty at 2. [45] *Nicaragua v USA* where the ICJ noted that states had entered into treaties containing the obligations of customary international law which in itself was evidence of that custom. [46] *Nicaragua v USA*. [47] (1890) 5 Harvard L. Rev. 193. [48] France seems to be leading Europe in the recognition of Privacy as a Human Right: In *Ordre des Experts-Comptables et Comptables Agrees v X*. (C.A., Paris, May 31, 1991) [1992] Dalloz Jur. 253. cited in European Current Law, July 1992 at 66 - where France found that a person leaves himself open to criminal proceedings for breach of Act 78-17 on the keeping of information dossiers and the freedom of the individual when, without making the necessary declaration to the Civil Liberties Council, he compiles at his home computer records of personal information about individuals and companies with which he has contacts by way of business which concern in particular the employees of such contacts. [49] (Cass., March 19, 1991) [1991] Dalloz 568, cited in European Current Law, Feb 1992 at 78. [50] Flaherty David, lecturer in privacy University of Western Ontario Canada and author of *Protecting Privacy in Surveillance Societies*, U. of N. Carolina Press. [51] (1992) 108 ALR 577. [52] (1992) 108 ALR 681. [53] these issues are often raised in parallel with privacy, however they are issues beyond the scope of this paper a good discussion can be found in: [54] Tucker G., *Privacy Protection and the High Court*, Jan/Feb 1993, v67 n1&2 Law Institute Journal 69. [55] Tucker G at 69. [56] President of the New South Wales Court of Appeal. [57] Kirby at 26. [58] Gordon C.(ed.), *Power/Knowledge-Selected Interviews and Other Writings*, 1972-77 - Michel Foucault, cited in Ware at 198. [59] Ware D, *Bentham's Panopticon Downunder, The Australia Card Program*, October 1986 Legal Service Bulletin 198. [60] For a comprehensive look at the problems with the Australia Card see: Ware supra note 41; Nolan supra note 44. [61] as in the Australia card. [62] Section Action Administrative Law, Parliament told of network privacy concerns, Mar 1993 v67 n3 Law Institute Journal 170. [63] Section Action Adminstrative Law, *Big Brother Information Fears*, 1992 v66 n4 Law Institute Journal 250. [64] Cole K., *Opinion - 'Just Tell Me Your Name, Bank and Tax File Number'*, 1992 17 Alternative L. J. 52 at 70. [65] Nolan at 166. [66] Nolan ,* ID Cards Who Needs Them?*, 1985 Legal Service Bulletin 165. [67] Nolan at 165. [68] Nolan at 165. [69] Nolan at 166. [70] ALRC 22, 1983. [71] of the time. [72] *Data Matching in Commonwealth Administration* (1990) cited in Greenleaf at 220. [73] per ss 5 and 6. [74] Greenleaf G., *Information Technology and the Law - Can the Data Matching Epidemic be Controlled?*, 1991 65 ALJ 220 at 221. [75] Forester, *Spying on Employees*, Australian and New Zealand PC User, Sept 1993, p106. [76] Forester at p 106. [77] Forester at p 106. [78] Forester at 106. [79] Forester at 106. [80] recently translated to English, Sakaiya T, *The Knowledge Value Revolution*, Kodansha 1991. [81] Sakaiya notes that socialism as originally theorised is based on the assumption that if a man has enough information and is in a situation where he can make clear-headed judgements, we can expect him to make objective rational choices as to what economic step will be the most advantageous. Karl Marx called this man 'Homo economicus'. Sakaiya points out that Marx also made the assumption that there is one single rational correct solution to every need, this one solution sufficing for every person. This concept fitted into the constraints and cost efficiencies of modern manufacturing and hence was the basis of the industrial society. [82] Helen Dancer, *Interview with Taichi Sakaiya*, Jan 1993 Australian Personal Computer 129-134 at 130. [83] Kapor M and Barlow J P, *Free Speech and Privacy Online*, Real Time Conference - General Electric Network for Information Interchange (GEnie) 1991, compiled in v3 n3.18 Computer Underground Digest May 28 1991. [84] According to the EFF, electronic mail and computer conferencing enable us to build online communities, "the first settlements on an electronic frontier". [85] most succesfully evidenced in Rio in 1992. [86] Prof Hickling, *Reflections on the Monarchy*, Darwin Australia October 1993. [87] discussed on 'Beyond 2000' (formally 'Towards 2000')during 1989. [88] Cowen, *"The Private Man", the Boyer Lectures* 1969, cited in Storey at 515. [89] Flaherty D., *CFP-2: International privacy law a mixed bag*, extract from speech at the second conference on Computers, Freedom and Privacy, Newsbytes March 27 1992, Ref # A12002694. [90] Kirby at 26. [91] (UN Doc. E/CN.4/Sub.2/1983/18) in 1983. [92] UN Doc. E/CN.4/Sub.2/1983/18. [93] UN Doc. E/CN.4/Sub.2/1988/22. [94] Resolution 1988/29. [95] Resolution 44/132. [96] UN Dco.E/CN.4/1990/72. [97] *Steve Jackson Games Case* and *Sun Devil Raids Case* discussed in Kapor M and Barlow J P. [98] Mitchell D., *Being here and there*, April 1993 Australian Personal Computer 186. [99] At present such technology starts at about AUD$131,000 per user however it is predicted that the technology will be commercially available at a mass market price by the end of 1994. [100] s18N [101] Greenleaf G., *Information Technology and the Law - The most restrictive credit reference laws in the Western World?*, Oct 1991 . [102] Greenleaf G 66 ALJ 672 at 673.